Wednesday, July 20, 2011

JavaPayload project

This is not one to be missed! It is very impressive; Michael (Mihi) has clearly worked hard on this. Kudos to him!

Monday, July 18, 2011

Insecure coding examples

A really useful list of test cases is available from the DHS National Cyber Security Division:

Saturday, July 16, 2011

Java RMI Server Insecure Default Configuration Java Code Execution

Now this is interesting: a Java RMI remote code execution due to a default method being exposed by the distributed garbage collector. It is going to be a fun one to test!

The Metasploit page can be found here:

Update: Confirmed as working. It does rely on the RMI service being tunneled over HTTP. This particular exploit won't work directly with the typical JRMP services, but I am sure a similar vulnerability will exist. Warrants further digging...