Rapid7 Vulnerability & Exploit Database

Sun Java Calendar Deserialization Privilege Escalation

Back to Search

Sun Java Calendar Deserialization Privilege Escalation



This module exploits a flaw in the deserialization of Calendar objects in the Sun JVM. The payload can be either a native payload which is generated as an executable and dropped/executed on the target or a shell from within the Java applet in the target browser. The affected Java versions are JDK and JRE 6 Update 10 and earlier, JDK and JRE 5.0 Update 16 and earlier, SDK and JRE 1.4.2_18 and earlier (SDK and JRE 1.3.1 are not affected).


  • sf <stephen_fewer@harmonysecurity.com>
  • hdm <x@hdm.io>




Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/browser/java_calendar_deserialize
msf exploit(java_calendar_deserialize) > show targets
msf exploit(java_calendar_deserialize) > set TARGET < target-id >
msf exploit(java_calendar_deserialize) > show options
    ...show and set options...
msf exploit(java_calendar_deserialize) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security