Rapid7 Vulnerability & Exploit Database

Java MixerSequencer Object GM_Song Structure Handling Vulnerability

Back to Search

Java MixerSequencer Object GM_Song Structure Handling Vulnerability



This module exploits a flaw within the handling of MixerSequencer objects in Java 6u18 and before. Exploitation id done by supplying a specially crafted MIDI file within an RMF File. When the MixerSequencer objects is used to play the file, the GM_Song structure is populated with a function pointer provided by a SONG block in the RMF. A Midi block that contains a MIDI with a specially crafted controller event is used to trigger the vulnerability. When triggering the vulnerability "ebx" points to a fake event in the MIDI file which stores the shellcode. A "jmp ebx" from msvcr71.dll is used to make the exploit reliable over java updates.


  • Peter Vreugdenhil
  • juan vazquez <juan.vazquez@metasploit.com>




Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/browser/java_mixer_sequencer
msf exploit(java_mixer_sequencer) > show targets
msf exploit(java_mixer_sequencer) > set TARGET < target-id >
msf exploit(java_mixer_sequencer) > show options
    ...show and set options...
msf exploit(java_mixer_sequencer) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security