
    Java MixerSequencer Object GM_Song Structure Handling Vulnerability

    This module exploits a flaw in the handling of MixerSequencer objects in Java 6u18 and earlier. Exploitation is done by supplying a specially crafted MIDI file within an RMF file. When the MixerSequencer object is used to play the file, the GM_Song structure is populated with a function pointer provided by a SONG block in the RMF. A MIDI block that contains a MIDI with a specially crafted controller event is used to trigger the vulnerability. When the vulnerability is triggered, "ebx" points to a fake event in the MIDI file which stores the shellcode. A "jmp ebx" from msvcr71.dll is used to make the exploit reliable across Java updates.


    Module Name



    • Peter Vreugdenhil
    • juan vazquez <juan.vazquez [at] metasploit.com>



    • Windows / Java 6 <=u18


    • windows



    Module Options

    To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

    msf > use exploit/windows/browser/java_mixer_sequencer
    msf exploit(java_mixer_sequencer) > show targets
        ...targets...
    msf exploit(java_mixer_sequencer) > set TARGET <target-id>
    msf exploit(java_mixer_sequencer) > show options
        ...show and set options...
    msf exploit(java_mixer_sequencer) > exploit
