module
Java MixerSequencer Object GM_Song Structure Handling Vulnerability
| Disclosed | Created |
|---|---|
| 2010-03-30 | 2018-05-30 |
Disclosed
2010-03-30
Created
2018-05-30
Description
This module exploits a flaw within the handling of MixerSequencer objects
in Java 6u18 and before.
Exploitation id done by supplying a specially crafted MIDI file within an RMF
File. When the MixerSequencer objects is used to play the file, the GM_Song
structure is populated with a function pointer provided by a SONG block in the
RMF. A Midi block that contains a MIDI with a specially crafted controller event
is used to trigger the vulnerability.
When triggering the vulnerability "ebx" points to a fake event in the MIDI file
which stores the shellcode. A "jmp ebx" from msvcr71.dll is used to make the
exploit reliable over java updates.
in Java 6u18 and before.
Exploitation id done by supplying a specially crafted MIDI file within an RMF
File. When the MixerSequencer objects is used to play the file, the GM_Song
structure is populated with a function pointer provided by a SONG block in the
RMF. A Midi block that contains a MIDI with a specially crafted controller event
is used to trigger the vulnerability.
When triggering the vulnerability "ebx" points to a fake event in the MIDI file
which stores the shellcode. A "jmp ebx" from msvcr71.dll is used to make the
exploit reliable over java updates.
Authors
Peter Vreugdenhil
juan vazquez juan.vazquez@metasploit.com
juan vazquez juan.vazquez@metasploit.com
Platform
Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.