what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 73 RSS Feed

Files

Signed Applet Social Engineering Code Exec
Posted Feb 5, 2010
Authored by natron | Site metasploit.com

This exploit dynamically creates an applet via the Msf::Exploit::Java mixin, converts it to a .jar file, then signs the .jar with a dynamically created certificate containing values of your choosing. This is presented to the end user via a web page with an applet tag, loading the signed applet. The user's JVM pops a dialog asking if they trust the signed applet and displays the values chosen. Once the user clicks 'accept', the applet executes with full user permissions. The java payload used in this exploit is derived from Stephen Fewer's and HDM's payload created for the CVE-2008-5353 java deserialization exploit. This Metasploit module requires the rjb rubygem, the JDK, and the $JAVA_HOME variable to be set. If these dependencies are not present, the exploit falls back to a static, signed JAR.

tags | exploit, java, web
SHA-256 | 0a321c211183360c45f28f1eaba94bc547072aaead47439126cfa5aa2eeea4a3

Related Files

JavaScript Static Analysis
Posted Aug 21, 2021
Authored by Abdulrahman Abdullah

Whitepaper discussing JavaScript static analysis. Written in Arabic.

tags | paper, javascript
SHA-256 | 0c4b9e81a57d57072c3bbf3c49892a9de6b7ea347238264d3d6ce9e7068c1996
Java System Solutions SSO Plugin For BMC MyIT 4.0.13.1 Cross Site Scripting
Posted Aug 20, 2018
Authored by Marco Murch

Java System Solutions SSO plugin for BMC MyIT version 4.0.13.1 suffers from a cross site scripting vulnerability.

tags | exploit, java, xss
advisories | CVE-2018-15528
SHA-256 | dc1139a3e435f0009cc81e57d55e45a0ccf9ecb5879c567ef9b84bbdb53292c6
Java / Python FTP URL Handling XXE / SSRF
Posted Feb 24, 2017
Authored by Timothy D. Morgan

Java and Python both have URL handling code that can be leveraged for XML external entity (XXE) injection and SSRF attacks.

tags | advisory, java, python, xxe
SHA-256 | 9f2a5aa311b233621706991238e47f4e31fc0b190ca89a1f42a16cfca5d09c4c
Java SE Mission Control 5.5 Insecure Transport / Man-In-The-Middle
Posted Jan 19, 2017
Authored by hyp3rlinx | Site hyp3rlinx.altervista.org

Java SE Mission Control version 5.5 suffers from an insecure transport vulnerability that allows for man-in-the-middle attacks.

tags | exploit, java
advisories | CVE-2016-8328
SHA-256 | 666d4e476d75865bd8d260250f6a5a9be84ead33da845b571adc222926b6fdcb
Java.com Cross Site Scripting
Posted Apr 1, 2015
Authored by Yann CAM

Java.com suffered from multiple cross site scripting vulnerabilities.

tags | exploit, java, vulnerability, xss
SHA-256 | f43f2c501c3edc319bb1b75fa7176fd0ea09edceb2d1d23e7062ae9c772ff818
Java JMX Server Insecure Configuration Java Code Execution
Posted Feb 17, 2015
Authored by Braden Thomas, juan vazquez | Site metasploit.com

This Metasploit module takes advantage a Java JMX interface insecure configuration, which would allow loading classes from any remote (HTTP) URL. JMX interfaces with authentication disabled (com.sun.management.jmxremote.authenticate=false) should be vulnerable, while interfaces with authentication enabled will be vulnerable only if a weak configuration is deployed (allowing to use javax.management.loading.MLet, having a security manager allowing to load a ClassLoader MBean, etc.).

tags | exploit, java, remote, web
SHA-256 | 613d2a6ea0710e79632bd00382a3b337e054c8c877f492ee49389de90972e239
Java Debug Wire Protocol Remote Code Execution
Posted Jun 16, 2014
Authored by Michael Schierl, Christophe Alladoum, Julian Vilas | Site metasploit.com

This Metasploit module abuses exposed Java Debug Wire Protocol services in order to execute arbitrary Java code remotely. It just abuses the protocol features, since no authentication is required if the service is enabled.

tags | exploit, java, arbitrary, protocol
advisories | OSVDB-96066
SHA-256 | 1e8b55ac023effc278ba81e4b21d999d5de6a928c79485271727ac75c78a4964
Java storeImageArray() Invalid Array Indexing
Posted Aug 16, 2013
Authored by sinn3r, juan vazquez, temp66 | Site metasploit.com

This Metasploit module abuses an Invalid Array Indexing Vulnerability on the static function storeImageArray() function in order to produce a memory corruption and finally escape the Java Sandbox. The vulnerability affects Java version 7u21 and earlier. The module, which doesn't bypass click2play, has been tested successfully on Java 7u21 on Windows and Linux systems. This was created based upon the Packet Storm Bug Bounty release for this issue.

tags | exploit, java, bug bounty, packet storm
systems | linux, windows
advisories | CVE-2013-2465, OSVDB-96269
SHA-256 | 0c05dd015762db29445b83c9149e17cf5ae97454169c165283cc6da07609a5dd
Java Applet ProviderSkeleton Insecure Invoke Method
Posted Jun 27, 2013
Authored by Adam Gowdiak, Matthias Kaiser | Site metasploit.com

This Metasploit module abuses the insecure invoke() method of the ProviderSkeleton class that allows to call arbitrary static methods with user supplied arguments. The vulnerability affects Java version 7u21 and earlier.

tags | exploit, java, arbitrary
advisories | CVE-2013-2460, OSVDB-94346
SHA-256 | 4c7f2d07b2fb9904b25b6805e68094ce81bd292f4e93feb4b36e0f249b1ace06
Sun Java Web Start Double Quote Injection
Posted Jun 13, 2013
Authored by Rh0 | Site metasploit.com

This Metasploit module exploits a flaw in the Web Start component of the Sun Java Runtime Environment. Parameters intial-heap-size and max-heap-size in a JNLP file can contain a double quote which is not properly sanitized when creating the command line for javaw.exe. This allows the injection of the -XXaltjvm option to load a jvm.dll from a remote UNC path into the java process. Thus an attacker can execute arbitrary code in the context of a browser user. This flaw was fixed in Oct. 2012 and affects JRE <= 1.6.35 and <= 1.7.07. In order for this module to work, it must be ran as root on a server that does not serve SMB. Additionally, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled. Alternatively an UNC path containing a jvm.dll can be specified with an own SMB server.

tags | exploit, java, remote, web, arbitrary, root
advisories | CVE-2012-1533, OSVDB-86348
SHA-256 | 03e81d85cf7b77c63f98b9875e24d7c92e3dd03261f33f78773cc25fedd945f5
Java Applet Driver Manager Privileged toString() Remote Code Execution
Posted Jun 10, 2013
Authored by juan vazquez, James Forshaw | Site metasploit.com

This Metasploit module abuses the java.sql.DriverManager class where the toString() method is called over user supplied classes, from a doPrivileged block. The vulnerability affects Java version 7u17 and earlier. This exploit bypasses click-to-play on IE throw a specially crafted JNLP file. This bypass is applied mainly to IE, when Java Web Start can be launched automatically throw the ActiveX control. Otherwise the applet is launched without click-to-play bypass.

tags | exploit, java, web, activex
advisories | CVE-2013-1488, OSVDB-91472
SHA-256 | 1b4db1b27c17aab0b21ca54b384927fd35c2a31fb00fd5b3dfb2d240422f385f
Sun Java Web Start Double Quote Injection
Posted Jun 10, 2013
Authored by Rh0 | Site metasploit.com

This Metasploit module exploits a flaw in the Web Start component of the Sun Java Runtime Environment. Parameters intial-heap-size and max-heap-size in a JNLP file can contain a double quote which is not properly sanitized when creating the command line for javaw.exe. This allows the injection of the -XXaltjvm option to load a jvm.dll from a remote UNC path into the java process. Thus an attacker can execute arbitrary code in the context of a browser user. This flaw was fixed in Oct. 2012 and affects JRE <= 1.6.35 and <= 1.7.07. In order for this module to work, it must be ran as root on a server that does not serve SMB. Additionally, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled. Alternatively an UNC path containing a jvm.dll can be specified with an own SMB server.

tags | exploit, java, remote, web, arbitrary, root
advisories | CVE-2012-1533
SHA-256 | 7c4106b8276c9c6b588b2cdcba693eefaab7d0e2605a82a0728828840ed79442
Java Applet Reflection Type Confusion Remote Code Execution
Posted Apr 23, 2013
Authored by juan vazquez, Jeroen Frijters | Site metasploit.com

This Metasploit module abuses Java Reflection to generate a Type Confusion, due to a weak access control when setting final fields on static classes, and run code outside of the Java Sandbox. The vulnerability affects Java version 7u17 and earlier. This exploit doesn't bypass click-to-play, so the user must accept the java warning in order to run the malicious applet.

tags | exploit, java
SHA-256 | bb2929226a8a08e2945d6536acc0a7c67d0777ced5120b0ffa098ac076125760
Java CMM Remote Code Execution
Posted Mar 28, 2013
Authored by juan vazquez, temp66 | Site metasploit.com

This Metasploit module abuses the Color Management classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in February and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41 and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1 systems. This exploit doesn't bypass click-to-play, so the user must accept the java warning in order to run the malicious applet.

tags | exploit, java, arbitrary
systems | windows
advisories | CVE-2013-1493, OSVDB-90737
SHA-256 | 257e7dc02cc758e02ddfc07622def557b152de2354df0f2e8e6ddd5a95045d43
Java Applet JMX Remote Code Execution
Posted Feb 25, 2013
Authored by Adam Gowdiak, juan vazquez, SecurityObscurity | Site metasploit.com

This Metasploit module abuses the JMX classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in February of 2013. Additionally, this module bypasses default security settings introduced in Java 7 Update 10 to run unsigned applet without displaying any warning to the user.

tags | exploit, java, arbitrary
advisories | CVE-2013-0431, OSVDB-89613
SHA-256 | 0abc5276937c182f0640b79c2c4ed49a2a0bde2a1aa762e63cc17c0ddad5fe4f
Java Applet AverageRangeStatisticImpl Remote Code Execution
Posted Jan 23, 2013
Authored by juan vazquez, temp66 | Site metasploit.com

This Metasploit module abuses the AverageRangeStatisticImpl from a Java Applet to run arbitrary Java code outside of the sandbox, a different exploit vector than the one exploited in the wild in November of 2012. The vulnerability affects Java version 7u7 and earlier.

tags | exploit, java, arbitrary
advisories | CVE-2012-5076, OSVDB-86363
SHA-256 | d60e88d1c35ce2c590ccaca3bb69232e1fa72e0dc95b7d237cae3e89eaf0668a
Java Applet Method Handle Remote Code Execution
Posted Jan 23, 2013
Authored by juan vazquez, temp66 | Site metasploit.com

This Metasploit module abuses the Method Handle class from a Java Applet to run arbitrary Java code outside of the sandbox. The vulnerability affects Java version 7u7 and earlier.

tags | exploit, java, arbitrary
advisories | CVE-2012-5088
SHA-256 | 56cdda70d19b81c54b81eafca0cce9a0e594a89c837b327c0ae866038e17e745
Java Applet JMX Remote Code Execution
Posted Jan 11, 2013
Authored by unknown, egypt, sinn3r, juan vazquez | Site metasploit.com

This Metasploit module abuses the JMX classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in January of 2013. The vulnerability affects Java version 7u10 and earlier.

tags | exploit, java, arbitrary
advisories | CVE-2013-0422
SHA-256 | 4a0fb8aa0b393da39aa32b84a93368c9393fd500aac21eeb9e7f26dc757220b7
Java Applet JAX-WS Remote Code Execution
Posted Nov 13, 2012
Authored by unknown, juan vazquez | Site metasploit.com

This Metasploit module abuses the JAX-WS classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in November of 2012. The vulnerability affects Java version 7u7 and earlier.

tags | exploit, java, arbitrary
advisories | CVE-2012-5076, OSVDB-86363
SHA-256 | 84f8085a7aae3cc5d26830a695a8c574d4ef5c13dfc3a77061731b06b87041f1
Java 7 Applet Remote Code Execution
Posted Aug 28, 2012
Authored by jduck, sinn3r, juan vazquez | Site metasploit.com

This Metasploit module exploits a vulnerability in Java 7, which allows an attacker to run arbitrary Java code outside the sandbox. The vulnerability seems to be related to the use of the newly introduced ClassFinder#resolveClass in Java 7, which allows the sun.awt.SunToolkit class to be loaded and modified. Please note this flaw is also being exploited in the wild, and there is no patch from Oracle at this point. Our module has been successfully tested on multiple setups, including: IE, Firefox, Chrome and Safari on Windows, Linux and OS X, etc.

tags | exploit, java, arbitrary
systems | linux, windows, apple, osx
SHA-256 | 5ad9244a813015246c4b0e8bd5e77b71df43a8026083619c5950c1be4875177c
Java Applet Field Bytecode Verifier Cache Remote Code Execution
Posted Jul 10, 2012
Authored by Stefan Cornelius, sinn3r, juan vazquez, littlelightlittlefire, mihi | Site metasploit.com

This Metasploit module exploits a vulnerability in HotSpot bytecode verifier where an invalid optimization of GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficient type checks. This allows a way to escape the JRE sandbox, and load additional classes in order to perform malicious operations.

tags | exploit
advisories | CVE-2012-1723, OSVDB-82877
SHA-256 | d0f87e2217146b16aef1f52fdc1199e419212c967c36b2332599cb9bbc44e022
JavaScript Deobfuscation
Posted Apr 16, 2012
Authored by Sudeep Singh

Whitepaper called JavaScript Deobfuscation - A Manual Approach.

tags | paper, javascript
SHA-256 | f62eacd0b6de91f97b5724b5c6970f9e9ca83dcf56688802e7c335036028d5a8
Mozilla Firefox Bootstrapped Addon Social Engineering Code Execution
Posted Apr 11, 2012
Site metasploit.com

This exploit dynamically creates a .xpi addon file. The resulting bootstrapped Firefox addon is presented to the victim via a web page with. The victim's Firefox browser will pop a dialog asking if they trust the addon. Once the user clicks "install", the addon is installed and executes the payload with full user permissions. As of Firefox 4, this will work without a restart as the addon is marked to be "bootstrapped". As the addon will execute the payload after each Firefox restart, an option can be given to automatically uninstall the addon once the payload has been executed.

tags | exploit, web
SHA-256 | fe11f9476eec443ec8ee1c993de10588be44723dae4fb783e6c16d3dee18a219
Java AtomicReferenceArray Type Violation
Posted Mar 30, 2012
Authored by egypt, sinn3r, juan vazquez | Site metasploit.com

This Metasploit module exploits a vulnerability due to the fact that AtomicReferenceArray uses the Unsafe class to store a reference in an array directly, which may violate type safety if not used properly. This allows a way to escape the JRE sandbox, and load additional classes in order to perform malicious operations.

tags | exploit
advisories | CVE-2012-0507, OSVDB-80724
SHA-256 | f3f101f5489c7554b50702229d0f0d209cf48a2f373093551088f3e07904f138
JavaBB 0.99 Cross Site Scripting
Posted Mar 18, 2012
Authored by Sony

JavaBB version 0.99 suffers from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 9d3f4e197fdb611a64e2565d512b167c8155e89954779a00710c772eeb0ebf88
Page 1 of 3
Back123Next

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    5 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    25 Files
  • 16
    Aug 16th
    3 Files
  • 17
    Aug 17th
    6 Files
  • 18
    Aug 18th
    4 Files
  • 19
    Aug 19th
    7 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close