On late Sunday night, the Metasploit Exploit team was looking for kicks, and heard the word on the street that someone was passing around a reliable Java 0-day exploit. Big thanks to Joshua J. Drake (jduck), we got our hands on that PoC, and then once again, started our voodoo ritual. Within a couple of hours, we have a working exploit. Download Metasploit here, and apply the latest update to pick up the exploit.


Java zero-day vulnerability exploit in Metasploit


The above example is a successful attack against a fully patched Windows 7 SP1 with Java 7 Update 6.  We have also tested the module against the following environments:

  • Mozilla Firefox on Ubuntu Linux 10.04
  • Internet Explorer / Mozilla Firefox / Chrome on Windows XP
  • Internet Explorer / Mozilla Firefox on Windows Vista
  • Internet Explorer / Mozilla Firefox on Windows 7
  • Safari on OS X 10.7.4


As a user, you should take this problem seriously, because there is currently no patch from Oracle.  For now, our recommendation is to completely disable Java until a fix is available.  NOTE: A fix is now available (Java 7 Update 7), please patch your system ASAP!


To try out this exploit: Get your free Metasploit download now, or update your existing installation.  Meanwhile, we will keep this blog updated when more progress has been made.



Aug 28 2012: This vulnerability has been assigned as CVE-2012-4681.

Aug 30 2012: Oracle has released Java 7 Update 7