what you don't know can hurt you
Showing 1 - 9 of 9 RSS Feed

Files from Matthias Kaiser

First Active2010-08-24
Last Active2020-12-24
Apache Struts 2 Forced Multi OGNL Evaluation
Posted Dec 24, 2020
Authored by Matthias Kaiser, Spencer McIntyre, Alvaro Munoz, ka1n4t | Site metasploit.com

The Apache Struts framework, when forced, performs double evaluation of attribute values assigned to certain tags attributes such as id. It is therefore possible to pass in a value to Struts that will be evaluated again when a tag's attributes are rendered. With a carefully crafted request, this can lead to remote code execution. This vulnerability is application dependant. A server side template must make an affected use of request data to render an HTML tag attribute.

tags | exploit, remote, code execution
advisories | CVE-2019-0230, CVE-2020-17530
SHA-256 | 3cfe28296a3b91c815100d9996280537326adc728304ac8036ea7dcb8ca37586
Jenkins CLI HTTP Java Deserialization
Posted May 16, 2018
Authored by Matthias Kaiser, Alisa Esage, YSOSerial, Ivan | Site metasploit.com

This Metasploit module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists on the Jenkins, which allows remote arbitrary code execution via HTTP. Authentication is not required to exploit this vulnerability.

tags | exploit, remote, web, arbitrary, code execution
advisories | CVE-2016-9299
SHA-256 | e113d2fe31f57558b68a1a915f47f25319abff18ad6045ed75023442be7953d9
Apache Qpid Untrusted Input Deserialization
Posted Jul 2, 2016
Authored by Matthias Kaiser

When applications call getObject() on a consumed JMS ObjectMessage they are subject to the behaviour of any object deserialization during the process of constructing the body to return. Unless the application has taken outside steps to limit the deserialization process, they can't protect against input that might try to make undesired use of classes available on the application classpath that might be vulnerable to exploitation. Apache Qpid AMQP 0-x JMS client versions 6.0.3 and earlier and Qpid JMS (AMQP 1.0) client versions 0.9.0 and earlier are affected.

tags | advisory
advisories | CVE-2016-4974
SHA-256 | a334cb653669fa548ee6ab3108c37becded85013ee84bdec62a00650922edf5e
Apache Flex BlazeDS 4.7.0 XML Entity Expansion
Posted Aug 22, 2015
Authored by Matthias Kaiser

When receiving XML encoded AMF messages containing DTD entities, the default XML parser configurations allows expanding of entities to local resources. A request that included a specially crafted request parameter could be used to access content that would otherwise be protected.

tags | advisory, local
advisories | CVE-2015-3269
SHA-256 | 69d5afa3639558f66a8f98807a33cbb05547e69350539f5291a75ad6c03267b4
IPass Control Pipe Remote Command Execution
Posted Mar 13, 2015
Authored by Matthias Kaiser | Site metasploit.com

This Metasploit module exploits a vulnerability in the IPass Client service. This service provides a named pipe which can be accessed by the user group BUILTIN\Users. This pipe can be abused to force the service to load a DLL from a SMB share.

tags | exploit
advisories | CVE-2015-0925
SHA-256 | b5d8f54940bc4ede44feb2e40c9032e54af84e76987e017af72d9a90a42d3fda
Java Applet ProviderSkeleton Insecure Invoke Method
Posted Jun 27, 2013
Authored by Adam Gowdiak, Matthias Kaiser | Site metasploit.com

This Metasploit module abuses the insecure invoke() method of the ProviderSkeleton class that allows to call arbitrary static methods with user supplied arguments. The vulnerability affects Java version 7u21 and earlier.

tags | exploit, java, arbitrary
advisories | CVE-2013-2460, OSVDB-94346
SHA-256 | 4c7f2d07b2fb9904b25b6805e68094ce81bd292f4e93feb4b36e0f249b1ace06
Sun Java Web Start BasicServiceImpl Remote Code Execution Exploit
Posted Nov 23, 2010
Authored by egypt, Matthias Kaiser | Site metasploit.com

This Metasploit module exploits a vulnerability in Java Runtime Environment that allows an attacker to escape the Java Sandbox. By injecting a parameter into a javaws call within the BasicServiceImpl class the default java sandbox policy file can be therefore overwritten. The vulnerability affects version 6 prior to update 22. NOTE: Exploiting this vulnerability causes several sinister-looking popup windows saying that Java is "Downloading application."

tags | exploit, java
systems | windows
advisories | CVE-2010-3563, OSVDB-69043
SHA-256 | 95a6ce2feeddcd7ac16a36831ad97b34175db9043e870498f26e364464e1800e
Java RMIConnectionImpl Deserialization Privilege Escalation Exploit
Posted Sep 9, 2010
Authored by egypt, Matthias Kaiser, Sami Koivu | Site metasploit.com

This Metasploit module exploits a vulnerability in the Java Runtime Environment that allows to deserialize a MarshalledObject containing a custom classloader under a privileged context. The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23.

tags | exploit, java
advisories | CVE-2010-0094
SHA-256 | 794bc0df6a31b6015ac507f6ae51c92a8feb0bd854850ae26fc69aa5ce976097
Java Statement.invoke() Trusted Method Chain Exploit
Posted Aug 24, 2010
Authored by egypt, Matthias Kaiser, Sami Koivu | Site metasploit.com

This Metasploit module exploits a vulnerability in Java Runtime Environment that allows an untrusted method to run in a privileged context. The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23.

tags | exploit, java
advisories | CVE-2010-0840
SHA-256 | d70326c1bf38b8c797b6f540f14b84d6bbf3dc1e21b408f1a5f1d4f8408a19f6
Page 1 of 1
Back1Next

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    17 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    6 Files
  • 24
    May 24th
    19 Files
  • 25
    May 25th
    5 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close