Vulnerability & Exploit Database

Java MixerSequencer Object GM_Song Structure Handling Vulnerability

This module exploits a flaw in the handling of MixerSequencer objects in Java 6u18 and earlier. Exploitation is done by supplying a specially crafted MIDI file within an RMF file. When the MixerSequencer object is used to play the file, the GM_Song structure is populated with a function pointer provided by a SONG block in the RMF. A MIDI block that contains a MIDI with a specially crafted controller event is used to trigger the vulnerability. When the vulnerability is triggered, "ebx" points to a fake event in the MIDI file which stores the shellcode. A "jmp ebx" from msvcr71.dll is used to make the exploit reliable across Java updates.

Module Name

exploit/windows/browser/java_mixer_sequencer

Authors

  • Peter Vreugdenhil
  • juan vazquez <juan.vazquez [at]>

Targets

  • Windows / Java 6 <=u18

Platforms

  • windows


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/browser/java_mixer_sequencer
msf exploit(java_mixer_sequencer) > show targets
    ...targets...
msf exploit(java_mixer_sequencer) > set TARGET <target-id>
msf exploit(java_mixer_sequencer) > show options
    and set options...
msf exploit(java_mixer_sequencer) > exploit