Java MixerSequencer Object GM_Song Structure Handling Vulnerability

This module exploits a flaw in the handling of MixerSequencer objects in Java 6u18 and earlier. Exploitation is done by supplying a specially crafted MIDI file within an RMF file. When the MixerSequencer object is used to play the file, the GM_Song structure is populated with a function pointer provided by a SONG block in the RMF. A MIDI block that contains a MIDI with a specially crafted controller event is used to trigger the vulnerability. When the vulnerability is triggered, "ebx" points to a fake event in the MIDI file which stores the shellcode. A "jmp ebx" from msvcr71.dll is used to make the exploit reliable across Java updates.

Module Name

exploit/windows/browser/java_mixer_sequencer

Authors

  • Peter Vreugdenhil
  • juan vazquez <juan.vazquez [at] metasploit.com>

Targets

  • Windows / Java 6 <=u18

Platforms

  • windows

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/browser/java_mixer_sequencer
msf exploit(java_mixer_sequencer) > show targets
    ...targets...
msf exploit(java_mixer_sequencer) > set TARGET <target-id>
msf exploit(java_mixer_sequencer) > show options
    ...show and set options...
msf exploit(java_mixer_sequencer) > exploit
