The DefaultActionMapper class in Apache Struts2 supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:". The information contained in these prefixes is not properly sanitized before being evaluated as OGNL expressions on the server side, which allows remote attackers to execute arbitrary Java code on the server.



This module exploits the vulnerability in any web application built on top of vulnerable versions of the Apache Struts 2 framework.

An error in the way that Java implements dynamic binding can be abused to overwrite public final fields. This flaw allows an unprivileged Java applet to escape the sandbox and execute arbitrary code on the target machine with the privileges of the current user.



This update adds the CVE number to the exploit.

This module exploits a vulnerability in Oracle Java taking advantages of the java.sql.DriverManager class. The specific flaw exists within the usage of java.sql.DriverManager. The issue lies in an implicit call to toString() that is made within a doPrivileged block. This flaw allows an unprivileged Java applet to escape the sandbox and execute arbitrary code on the target machine with the privileges of the current user.



This vulnerability was one of the 2013's Pwn2Own challenges.

This module exploits a vulnerability in the Mac OS X DirectoryService by sending a specially crafted packet to the 625/TCP port.

An error in the way that Java implements dynamic binding can be abused to overwrite public final fields.

This flaw allows an unprivileged Java applet to escape the sandbox and execute arbitrary code on the target machine with the privileges of the current user.



WARNING: This is an early release module. This is not the final version of this module. It is a pre-released version in order to deliver a module as quickly as possible to our customers that may be useful in some situations. Since this module is not the final version it may contain bugs or have limited functionality and may not have complete or accurate documentation.

This module exploits a vulnerability in Mac OS X Samba server.



When a specially crafted call to "NetWkstaTransportEnum" RPC function is processed by the Samba server, it produces a heap overflow.

The default Java security properties configuration does not restrict access to certain objects in the com.sun.jmx.mbeanserver packages. This flaw allows an unprivileged Java applet to escape the sandbox and execute arbitrary code on the target machine with the privileges of the current user.

The setuid-set ViscosityHelper binary insecurely executes certain scripts and can be exploited to gain escalated privileges via symlink attacks.

This module exploits a vulnerability in Mac OS X Directory Service Proxy by sending a crafted packet to port TCP 625, causing a denial of service effect.

A unrestricted file upload vulnerability exists in includes/inline_image_upload.php within AutoSec Tools V-CMS 1.0. This allows remote attackers to execute arbitrary code by uploading a file with an executable extension and then accessing it via a direct request to the file in temp.