This tool can be used to exploit vulnerable versions of RichFaces. It has payloads for 4 vulnerabilities that have been identified, which can lead to remote code execution via java deserialization and EL injection.
648af6bc429ca530648d01005b86d127e64fe5a21538da847835939211cb2f63
Red Hat Security Advisory 2013-1044-01 - The JBoss Seam 2 framework is an application framework for building web applications in Java. The RichFaces component is an open source framework that adds Ajax capability into existing JavaServer Faces applications. A flaw was found in the way RichFaces ResourceBuilderImpl handled deserialization. A remote attacker could use this flaw to trigger the execution of the deserialization methods in any serializable class deployed on the server. This could lead to a variety of security impacts depending on the deserialization logic of these classes.
d18a74069a96a4aaa1652df273b226c9ec81f840a9d532e9124b8e2d2d808e2a
Red Hat Security Advisory 2013-1045-01 - RichFaces is an open source framework that adds Ajax capability into existing JavaServer Faces applications. A flaw was found in the way RichFaces ResourceBuilderImpl handled deserialization. A remote attacker could use this flaw to trigger the execution of the deserialization methods in any serializable class deployed on the server. This could lead to a variety of security impacts depending on the deserialization logic of these classes. The fix for this issue introduces a whitelist to limit classes that can be deserialized by RichFaces.
81c3cfee3b426df3d700d82b46210967ca52f443a2ad2a47a35bc2782f988cac
Red Hat Security Advisory 2013-1043-01 - RichFaces is an open source framework that adds Ajax capability into existing JavaServer Faces applications. A flaw was found in the way RichFaces ResourceBuilderImpl handled deserialization. A remote attacker could use this flaw to trigger the execution of the deserialization methods in any serializable class deployed on the server. This could lead to a variety of security impacts depending on the deserialization logic of these classes. The fix for this issue introduces a whitelist to limit classes that can be deserialized by RichFaces.
3f195710e9356b035cbdd3ab0f3ee82522528a883a4fa741abf131813d48cd52
Red Hat Security Advisory 2013-1042-01 - RichFaces is an open source framework that adds Ajax capability into existing JavaServer Faces applications. A flaw was found in the way RichFaces ResourceBuilderImpl handled deserialization. A remote attacker could use this flaw to trigger the execution of the deserialization methods in any serializable class deployed on the server. This could lead to a variety of security impacts depending on the deserialization logic of these classes. The fix for this issue introduces a whitelist to limit classes that can be deserialized by RichFaces.
8d99bfdf74e800ed985ade651322e5980dd02d516df4c0faefe2493afad24b8a
Red Hat Security Advisory 2013-1041-01 - Red Hat JBoss Web Framework Kit combines popular open source web frameworks into a single solution for Java applications. This release serves as a replacement for Red Hat JBoss Web Framework Kit 2.2.0, and includes bug fixes and enhancements.
01a332930e3b54aa66e37d38faf5261be617f0a2b3b9a9b5193cf5c0fd7a030f