Wednesday, July 20, 2011

JavaPayload project

This is not one to be missed! It is very impressive, Michael (Mihi) has clearly worked hard on this, kudos to him!

http://javapayload.sourceforge.net/

Monday, July 18, 2011

Insecure coding examples

A really useful list of test cases are available on the DHS National Cyber Security Division:

http://samate.nist.gov/SRD/view.php

Saturday, July 16, 2011

Java RMI Server Insecure Default Configuration Java Code Execution

Now this is interesting, a Java RMI remote code execution due to a default method being exposed by the distributed garbage collector. It is going to be a fun one to test!

http://www.exploit-db.com/exploits/17535/

The Metasploit page can be found here:

http://www.metasploit.com/modules/exploit/multi/misc/java_rmi_server

Update: Confirmed as working. It does rely on the RMI service being tunneled over HTTP. This particular exploit won't work directly with the typical JRMP services, but I am sure a similar vulnerability will exist. Warrants further digging....