Saturday, July 16, 2011

Java RMI Server Insecure Default Configuration Java Code Execution

Now this is interesting: a Java RMI remote code execution due to a default method being exposed by the distributed garbage collector. It is going to be a fun one to test!

http://www.exploit-db.com/exploits/17535/

The Metasploit page can be found here:

http://www.metasploit.com/modules/exploit/multi/misc/java_rmi_server

Update: Confirmed as working. It does rely on the RMI service being tunneled over HTTP. This particular exploit won't work directly with the typical JRMP services, but I am sure a similar vulnerability will exist. Warrants further digging...
