clusterd's People

Contributors

breenmachine, hatriot, jonbrenner

clusterd's Issues

SMB auxiliary modules hang

If the remote system never responds or is invoked against Linux, the UNC listener just waits. The timeout should be based upon --timeout (default 5s)

local_address function Error.

The local_address function in utility.py strips off the first two octets of the attack machine's IP. I have provided a fix in the pull requests section.

{feature request} cve-2010-2861 exploit?

I am not sure if the ColdFusion LFI stager exploit in clusterd uses cve-2010-2861 or if that is a separate vulnerability it uses, but if not I recommend a module that exploits cve-2010-2861, as it is a widespread (many versions) vulnerability in CF and can be used to deploy code. It could also be used as an aux module to get credentials for a CF server, so that's a double win vulnerability right there.

subprocess.py El sistema no puede encontrar el archivo especificado

My OS is Windows.
Python 2.7.5
I tried everything and nothing changes, ./src/lib/resources/cmd.jsp too.

Matched 3 fingerprints for service jboss
[2016-09-15 12:39AM] JBoss EJB Invoker Servlet (version Any)
[2016-09-15 12:39AM] JBoss JMX Invoker Servlet (version Any)
[2016-09-15 12:39AM] JBoss RMI Interface (version Any)
[2016-09-15 12:39AM] Fingerprinting completed.
[2016-09-15 12:39AM] Loading auxiliary for 'jboss'...
[2016-09-15 12:39AM] Loading deployers for platform jboss
[2016-09-15 12:39AM] Deploying WAR with deployer JBoss EJB Invoker Servlet (ejbinvokerservlet)
[2016-09-15 12:39AM] Preparing to deploy # src/lib/resources/cmd.jsp...
[2016-09-15 12:39AM] [Error 2] El sistema no puede encontrar el archivo especificado
[2016-09-15 12:39AM] [Error 2] El sistema no puede encontrar el archivo especificado
[2016-09-15 12:39AM] Finished at 2016-09-15 12:39AM

Detection of newest ColdFusion 11

Hi there,

Doing some testing on CF 11, seems that clusterd does not identify the coldfusion installation successfully. Since it compares image hashes, I have uploaded this image here.

MD5 (loginbackground.jpg) = 457c6f1f26d8a030a9301e975663589d

Should switch to Python 3

Hello,
Python 2.x will no longer be supported by their upstream developers in 2020. Thus Debian developers are actively removing Python 2 support in Debian Testing with the goal of getting rid of Python 2 in Debian 11 (bullseye).
Kali is tracking Debian Testing and is thus affected by this. You should consider switching clusterd to Python 3.

FWIW this is tracked in https://gitlab.com/kalilinux/packages/clusterd/issues/1 on the Kali side.

Replace msfpayload with msfvenom

Metasploit has removed msfcli/msfpayload and now uses msfvenom instead. --gen-payload uses msfpayload currently, but this needs to be updated to msfvenom.

Can I try on Win 7 ?

Hi.

hatRiot, thanks for your work!

$ pip install -r requirements.txt
Requirement already satisfied: requests>=2.2.1 in c:\python27\lib\site-packages (from -r requirements.txt (line 1))
Requirement already satisfied: idna<2.6,>=2.5 in c:\python27\lib\site-packages (from requests>=2.2.1->-r requirements.txt (line 1))
Requirement already satisfied: urllib3<1.22,>=1.21.1 in c:\python27\lib\site-packages (from requests>=2.2.1->-r requirements.txt (line 1))
Requirement already satisfied: chardet<3.1.0,>=3.0.2 in c:\python27\lib\site-packages (from requests>=2.2.1->-r requirements.txt (line 1))
Requirement already satisfied: certifi>=2017.4.17 in c:\python27\lib\site-packages (from requests>=2.2.1->-r requirements.txt (line 1))

Pedro@Pedro-PC MINGW64 /e/Python27/clusterd (master)
$ python clusterd.py -i x.x.x.x

            clusterd/0.5 - clustered attack toolkit
                    [Supporting 7 platforms]

[2018-03-13 08:55PM] Started at 2018-03-13 08:55PM
Traceback (most recent call last):
  File "clusterd.py", line 121, in <module>
    prerun(options)
  File "clusterd.py", line 45, in prerun
    mkdir(state.serve_dir)
WindowsError: [Error 3] Impossibile trovare il percorso specificato: '/tmp/.clusterd'

deploy index error

root@kali:~/clusterd# ./clusterd.py -i -p -a jboss -v 5 --deploy /root/redteam.war

    clusterd/0.2 - clustered attack toolkit
      Supporting jboss, coldfusion, weblogic, tomcat

[2014-03-06 03:51PM] Started at 2014-03-06 03:51PM
[2014-03-06 03:51PM] Servers' OS hinted at windows
[2014-03-06 03:51PM] Fingerprinting host 'REDACTED'
[2014-03-06 03:51PM] Server hinted at 'jboss'
[2014-03-06 03:51PM] Checking jboss version 5.1 JBoss Web Manager...
[2014-03-06 03:51PM] Checking jboss version 5.1 JBoss JMX Console...
[2014-03-06 03:51PM] Checking jboss version 5.1 JBoss Web Console...
[2014-03-06 03:51PM] Checking jboss version 5.0 JBoss JMX Console...
[2014-03-06 03:51PM] Checking jboss version 5.0 JBoss Web Console...
[2014-03-06 03:51PM] Checking jboss version Any JBoss EJB Invoker Servlet...
[2014-03-06 03:51PM] Checking jboss version Any JBoss HTTP Headers (Unreliable)...
[2014-03-06 03:51PM] Checking jboss version Any JBoss JMX Invoker Servlet...
[2014-03-06 03:51PM] Checking jboss version Any JBoss RMI Interface...
[2014-03-06 03:51PM] Checking jboss version Any JBoss Status Page...
[2014-03-06 03:51PM] Matched 2 fingerprints for service jboss
[2014-03-06 03:51PM] JBoss EJB Invoker Servlet (version Any)
[2014-03-06 03:51PM] JBoss JMX Invoker Servlet (version Any)
[2014-03-06 03:51PM] Fingerprinting completed.
[2014-03-06 03:51PM] Preparing to deploy /root/redteam.war...
Traceback (most recent call last):
  File "./clusterd.py", line 115, in <module>
    run(options)
  File "./clusterd.py", line 100, in run
    auxengine(fingerengine)
  File "/root/clusterd/src/core/auxengine.py", line 50, in auxengine
    deployer.run(fingerengine)
  File "/root/clusterd/src/core/deployer.py", line 47, in run
    deployer.deploy(fingerengine, fingerprint)
  File "/root/clusterd/src/platform/jboss/deployers/ejbinvokerservlet.py", line 24, in deploy
    fp = [f for f in fingerengine.fingerprints if f.version != 'Any'][0]
IndexError: list index out of range

bug on archlinux

Whenever I run clusterd.py on archlinux I get this:
Traceback (most recent call last):
  File "./clusterd.py", line 8, in <module>
    from fingerprint import FingerEngine
  File "/home/bob/Toolz/clusterd/src/core/fingerprint.py", line 5, in <module>
    import utility
  File "/home/bob/Toolz/clusterd/src/core/utility.py", line 21
    print '\033[32m [%s] %s\033[0m' % (timestamp(), string)

[Enhancement] specify listener IP/Interface for UNC hash

I don't know if this is already possible but I think it would be ideal for clusterd to allow you to specify which IP or interface to listen on for the UNC connect back server. That way if you have multiple Internet facing interfaces you can make sure it communicates with the right one.

NameError: global name 'response' is not defined

Ran into an issue that is 'sometimes' repeatable.

Working on a target of Tomcat 5.5; I'm seeing some inconsistent results. Sometimes I can deploy and invoke a payload just fine. Other times, I get this traceback:

http://pastebin.com/ggu22MnQ

It seems, as a workaround, for some reason, I deploy the WAR file in one command, then invoke it in the next.

Add header fingerprints for JBoss

If authentication is enabled on all exposed interfaces for a JBoss instance, we can still pull headers for the version. This isn't always entirely accurate, and I didn't include it for this very reason, but it's a good last resort indication.

Not sure which versions include the version in the header, but it should suffice for all versions 3.x-5.x, at least.

Fingerprints Web Manager 5.1 but no deployment option?

Identified a couple web managers (v5.1) that had default credentials.
When attempting to deploy, it says "No valid fingerprints to deploy".

I was able to deploy a WAR file manually through the web interface, so it should be possible to add a deployer to include in clusterd.

Is this a known issue, or am I doing something wrong?

I would be glad to help, by running my manual deployment through burp and providing you the HTTP traffic. Let me know.

Command and output below:

~/tools/clusterd# ./clusterd.py -i 127.0.0.1 -p 443 --ssl -a jboss -v5.1 --deploy ./src/lib/resources/cmd.war --usr-auth admin:admin

            clusterd/0.4 - clustered attack toolkit
                    [Supporting 7 platforms]

[2015-04-10 12:13PM] Started at 2015-04-10 12:13PM
[2015-04-10 12:13PM] Servers' OS hinted at windows
[2015-04-10 12:13PM] Fingerprinting host '127.0.0.1'
[2015-04-10 12:13PM] Server hinted at 'jboss'
[2015-04-10 12:13PM] Checking jboss version 5.1 JBoss Web Manager...
[2015-04-10 12:13PM] Checking jboss version 5.1 JBoss JMX Console...
[2015-04-10 12:13PM] Checking jboss version 5.1 JBoss Web Console...
[2015-04-10 12:13PM] Checking jboss version Any JBoss EJB Invoker Servlet...
[2015-04-10 12:13PM] Checking jboss version Any JBoss HTTP Headers (Unreliable)...
[2015-04-10 12:13PM] Checking jboss version Any JBoss JMX Invoker Servlet...
[2015-04-10 12:13PM] Checking jboss version Any JBoss RMI Interface...
[2015-04-10 12:13PM] Checking jboss version Any JBoss Status Page...
[2015-04-10 12:13PM] Matched 2 fingerprints for service jboss
[2015-04-10 12:13PM] JBoss Web Manager (version 5.1)
[2015-04-10 12:13PM] JBoss HTTP Headers (Unreliable) (version 5.0)
[2015-04-10 12:13PM] Fingerprinting completed.
[2015-04-10 12:13PM] No valid fingerprints were found to deploy.
[2015-04-10 12:13PM] Finished at 2015-04-10 12:13PM

Oracle Fusion Middleware Support

Add support for Oracle's Fusion middleware. Fingerprints and deployers can likely fall under WebLogic, as it harnesses WebLogic for the backend.

Should be pretty straightforward.

tomcat aux module do not execute

When the argument for an aux module is specified to clusterd, it goes about fingerprinting the target server but does not execute the aux module. Example:
./clusterd.py -i [ip] -p 8080 -a tomcat --tc-ofetch

    clusterd/0.3.1 - clustered attack toolkit
        [Supporting 7 platforms]

[2014-07-23 02:49PM] Started at 2014-07-23 02:49PM
[2014-07-23 02:49PM] Servers' OS hinted at windows
[2014-07-23 02:49PM] Fingerprinting host '[ip]'
[2014-07-23 02:49PM] Server hinted at 'tomcat'
[2014-07-23 02:49PM] Checking tomcat version 3.3 Tomcat...
[2014-07-23 02:49PM] Checking tomcat version 3.3 Tomcat Admin...
[2014-07-23 02:49PM] Checking tomcat version 4.0 Tomcat...
[2014-07-23 02:49PM] Checking tomcat version 4.1 Tomcat...
[2014-07-23 02:49PM] Checking tomcat version 4.1 Tomcat Manager...
[2014-07-23 02:49PM] Checking tomcat version 4.0 Tomcat Manager...
[2014-07-23 02:49PM] Checking tomcat version 5.0 Tomcat...
[2014-07-23 02:49PM] Checking tomcat version 5.5 Tomcat...
[2014-07-23 02:49PM] Checking tomcat version 5.5 Tomcat Manager...
[2014-07-23 02:49PM] Checking tomcat version 5.0 Tomcat Manager...
[2014-07-23 02:49PM] Checking tomcat version 6.0 Tomcat...
[2014-07-23 02:49PM] Checking tomcat version 6.0 Tomcat Manager...
[2014-07-23 02:49PM] Checking tomcat version 7.0 Tomcat...
[2014-07-23 02:49PM] Checking tomcat version 7.0 Tomcat Manager...
[2014-07-23 02:49PM] Checking tomcat version 8.0 Tomcat...
[2014-07-23 02:49PM] Checking tomcat version 8.0 Tomcat Manager...
[2014-07-23 02:49PM] Matched 1 fingerprints for service tomcat
[2014-07-23 02:49PM] Tomcat (version 5.0)
[2014-07-23 02:49PM] Fingerprinting completed.
[2014-07-23 02:49PM] Finished at 2014-07-23 02:49PM
Notice that the tomcat credential fetcher did not execute

More enums

I hard code quite a few strings (stuff like platform names, versions, etc). These should be extrapolated to enums so we can quickly add/remove/change strings/lists at will. sqlmap has an enum for absolutely everything, but if they need to change something, it's all in one place.

An example of this was when Coldfusion 11 support was added. It'd be easy to modify a single string.

msfpayload deprecated in 2015

msfpayload and msfencode were both removed and msfvenom took their place. Any chance to update the code to support this?

JMX Deployment Issues

Was unable to work against a version of JMX, not sure why:

root@kali:~/git/clusterd# ./clusterd.py -i x -p 8000 --fingerprint --deploy /usr/share/webshells/jsp/cmdjsp.jsp --deployer ejbinvokerservlet

        clusterd/0.3 - clustered attack toolkit
            [Supporting 6 platforms]

 [2014-05-16 11:51AM] Started at 2014-05-16 11:51AM
 [2014-05-16 11:51AM] Servers' OS hinted at windows
 [2014-05-16 11:51AM] Fingerprinting host 'x'
 [2014-05-16 11:51AM] Checking jboss version 3.2 JBoss JMX Console...
 [2014-05-16 11:51AM] Checking jboss version 3.2 JBoss Web Console...
 [2014-05-16 11:51AM] Checking jboss version 3.0 JBoss JMX Console...
 [2014-05-16 11:51AM] Checking jboss version 4.2 JBoss JMX Console...
 [2014-05-16 11:51AM] Checking jboss version 4.2 JBoss Web Console...
 [2014-05-16 11:51AM] Checking jboss version 4.0 JBoss JMX Console...
 [2014-05-16 11:51AM] Checking jboss version 4.0 JBoss Web Console...
 [2014-05-16 11:51AM] Checking jboss version 5.1 JBoss Web Manager...
 [2014-05-16 11:51AM] Checking jboss version 5.1 JBoss JMX Console...
 [2014-05-16 11:51AM] Checking jboss version 5.1 JBoss Web Console...
 [2014-05-16 11:51AM] Checking jboss version 5.0 JBoss JMX Console...
 [2014-05-16 11:51AM] Checking jboss version 5.0 JBoss Web Console...
 [2014-05-16 11:51AM] Checking jboss version 6.0 JBoss Web Manager...
 [2014-05-16 11:51AM] Checking jboss version 6.1 JBoss Web Manager...
 [2014-05-16 11:51AM] Checking jboss version 6.1 JBoss JMX Console...
 [2014-05-16 11:51AM] Checking jboss version 6.0 JBoss JMX Console...
 [2014-05-16 11:51AM] Checking jboss version 7.1 JBoss Management...
 [2014-05-16 11:51AM] Checking jboss version 7.0 JBoss Management...
 [2014-05-16 11:51AM] Checking jboss version 8.0 JBoss Management...
 [2014-05-16 11:51AM] Checking jboss version Any JBoss EJB Invoker Servlet...
 [2014-05-16 11:51AM] Checking jboss version Any JBoss HTTP Headers (Unreliable)...
 [2014-05-16 11:51AM] Checking jboss version Any JBoss JMX Invoker Servlet...
 [2014-05-16 11:51AM] Checking jboss version Any JBoss RMI Interface...
 [2014-05-16 11:51AM] Checking jboss version Any JBoss Status Page...
 [2014-05-16 11:51AM] Matched 4 fingerprints for service jboss
 [2014-05-16 11:51AM]   JBoss EJB Invoker Servlet (version Any)
 [2014-05-16 11:51AM]   JBoss HTTP Headers (Unreliable) (version 5.0)
 [2014-05-16 11:51AM]   JBoss JMX Invoker Servlet (version Any)
 [2014-05-16 11:51AM]   JBoss Status Page (version Any)
 [2014-05-16 11:51AM] Fingerprinting completed.
 [2014-05-16 11:51AM] Preparing to deploy /usr/share/webshells/jsp/cmdjsp.jsp...
Invocation Exception
org.jboss.invocation.InvocationException
    at org.jboss.invocation.http.servlet.InvokerServlet.processRequest(InvokerServlet.java:188)
    at org.jboss.invocation.http.servlet.InvokerServlet.doPost(InvokerServlet.java:224)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:619)
 [2014-05-16 11:51AM] Finished at 2014-05-16 11:51AM
root@kali:~/git/clusterd# ./clusterd.py -i x -p 8000 --fingerprint --deploy /usr/share/webshells/jsp/cmdjsp.jsp --deployer jmxinvokerservlet

        clusterd/0.3 - clustered attack toolkit
            [Supporting 6 platforms]

 [2014-05-16 11:51AM] Started at 2014-05-16 11:51AM
 [2014-05-16 11:51AM] Servers' OS hinted at windows
 [2014-05-16 11:51AM] Fingerprinting host 'x'
 [2014-05-16 11:51AM] Checking jboss version 3.2 JBoss JMX Console...
 [2014-05-16 11:51AM] Checking jboss version 3.2 JBoss Web Console...
 [2014-05-16 11:51AM] Checking jboss version 3.0 JBoss JMX Console...
 [2014-05-16 11:51AM] Checking jboss version 4.2 JBoss JMX Console...
 [2014-05-16 11:51AM] Checking jboss version 4.2 JBoss Web Console...
 [2014-05-16 11:51AM] Checking jboss version 4.0 JBoss JMX Console...
 [2014-05-16 11:51AM] Checking jboss version 4.0 JBoss Web Console...
 [2014-05-16 11:51AM] Checking jboss version 5.1 JBoss Web Manager...
 [2014-05-16 11:51AM] Checking jboss version 5.1 JBoss JMX Console...
 [2014-05-16 11:51AM] Checking jboss version 5.1 JBoss Web Console...
 [2014-05-16 11:51AM] Checking jboss version 5.0 JBoss JMX Console...
 [2014-05-16 11:51AM] Checking jboss version 5.0 JBoss Web Console...
 [2014-05-16 11:51AM] Checking jboss version 6.0 JBoss Web Manager...
 [2014-05-16 11:51AM] Checking jboss version 6.1 JBoss Web Manager...
 [2014-05-16 11:51AM] Checking jboss version 6.1 JBoss JMX Console...
 [2014-05-16 11:51AM] Checking jboss version 6.0 JBoss JMX Console...
 [2014-05-16 11:51AM] Checking jboss version 7.1 JBoss Management...
 [2014-05-16 11:51AM] Checking jboss version 7.0 JBoss Management...
 [2014-05-16 11:51AM] Checking jboss version 8.0 JBoss Management...
 [2014-05-16 11:51AM] Checking jboss version Any JBoss EJB Invoker Servlet...
 [2014-05-16 11:51AM] Checking jboss version Any JBoss HTTP Headers (Unreliable)...
 [2014-05-16 11:51AM] Checking jboss version Any JBoss JMX Invoker Servlet...
 [2014-05-16 11:51AM] Checking jboss version Any JBoss RMI Interface...
 [2014-05-16 11:51AM] Checking jboss version Any JBoss Status Page...
 [2014-05-16 11:51AM] Matched 4 fingerprints for service jboss
 [2014-05-16 11:51AM]   JBoss EJB Invoker Servlet (version Any)
 [2014-05-16 11:51AM]   JBoss HTTP Headers (Unreliable) (version 5.0)
 [2014-05-16 11:51AM]   JBoss JMX Invoker Servlet (version Any)
 [2014-05-16 11:51AM]   JBoss Status Page (version Any)
 [2014-05-16 11:51AM] Fingerprinting completed.
 [2014-05-16 11:51AM] Preparing to deploy /usr/share/webshells/jsp/cmdjsp.jsp...
Exception in thread "main" java.lang.ClassNotFoundException: javax.servlet.ServletException
    at java.net.URLClassLoader$1.run(URLClassLoader.java:217)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:205)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:323)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:294)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:268)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:270)
    at java.io.ObjectInputStream.resolveClass(ObjectInputStream.java:624)
    at org.jboss.invocation.MarshalledValueInputStream.resolveClass(MarshalledValueInputStream.java:109)
    at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1611)
    at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1516)
    at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1770)
    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1349)
    at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1989)
    at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1914)
    at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1797)
    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1349)
    at java.io.ObjectInputStream.readObject(ObjectInputStream.java:369)
    at org.jboss.invocation.MarshalledValue.get(MarshalledValue.java:91)
    at invkdeploy.main(invkdeploy.java:151)
 [2014-05-16 11:51AM] Finished at 2014-05-16 11:51AM

The metasploit 'check' function identified it as SVNTag=JBoss_5_but also failed :)

pen15 bug

Doesn't conform to programming standards -- please camel case and resubmit.

invoke command does not invoke on jboss 4.2.2.GA

I have tried both:
./clusterd.py -i 192.168.56.102 -p 8080 --deployer dfs_deploy --deploy ~/test.war --invoke
which gives the following output and deploys the jsp command shell but does not invoke or deploy my war file
[2014-06-27 05:42PM] Started at 2014-06-27 05:42PM
[2014-06-27 05:42PM] Servers' OS hinted at windows
[2014-06-27 05:42PM] Fingerprinting host '192.168.56.102'
[2014-06-27 05:42PM] Checking jboss version 3.2 JBoss JMX Console...
[2014-06-27 05:42PM] Checking jboss version 3.2 JBoss Web Console...
[2014-06-27 05:42PM] Checking jboss version 3.0 JBoss JMX Console...
[2014-06-27 05:42PM] Checking jboss version 4.2 JBoss JMX Console...
[2014-06-27 05:42PM] Checking jboss version 4.2 JBoss Web Console...
[2014-06-27 05:42PM] Checking jboss version 4.0 JBoss JMX Console...
[2014-06-27 05:42PM] Checking jboss version 4.0 JBoss Web Console...
[2014-06-27 05:42PM] Checking jboss version 5.1 JBoss Web Manager...
[2014-06-27 05:42PM] Checking jboss version 5.1 JBoss JMX Console...
[2014-06-27 05:42PM] Checking jboss version 5.1 JBoss Web Console...
[2014-06-27 05:42PM] Checking jboss version 5.0 JBoss JMX Console...
[2014-06-27 05:42PM] Checking jboss version 5.0 JBoss Web Console...
[2014-06-27 05:42PM] Checking jboss version 6.0 JBoss Web Manager...
[2014-06-27 05:42PM] Checking jboss version 6.1 JBoss Web Manager...
[2014-06-27 05:42PM] Checking jboss version 6.1 JBoss JMX Console...
[2014-06-27 05:42PM] Checking jboss version 6.0 JBoss JMX Console...
[2014-06-27 05:42PM] Checking jboss version 7.1 JBoss Management...
[2014-06-27 05:42PM] Checking jboss version 7.0 JBoss Management...
[2014-06-27 05:42PM] Checking jboss version 8.1 JBoss Management...
[2014-06-27 05:42PM] Checking jboss version 8.0 JBoss Management...
[2014-06-27 05:42PM] Checking jboss version Any JBoss EJB Invoker Servlet...
[2014-06-27 05:42PM] Checking jboss version Any JBoss HTTP Headers (Unreliable)...
[2014-06-27 05:42PM] Checking jboss version Any JBoss JMX Invoker Servlet...
[2014-06-27 05:42PM] Checking jboss version Any JBoss RMI Interface...
[2014-06-27 05:42PM] Checking jboss version Any JBoss Status Page...
[2014-06-27 05:42PM] Matched 7 fingerprints for service jboss
[2014-06-27 05:42PM] JBoss JMX Console (version 4.2)
[2014-06-27 05:42PM] JBoss Web Console (version 4.2)
[2014-06-27 05:42PM] JBoss EJB Invoker Servlet (version Any)
[2014-06-27 05:42PM] JBoss HTTP Headers (Unreliable) (version 4.2)
[2014-06-27 05:42PM] JBoss JMX Invoker Servlet (version Any)
[2014-06-27 05:42PM] JBoss RMI Interface (version Any)
[2014-06-27 05:42PM] JBoss Status Page (version Any)
[2014-06-27 05:42PM] Fingerprinting completed.
[2014-06-27 05:42PM] This deployer requires a JSP, default to cmd.jsp? [Y/n] > y
[2014-06-27 05:42PM] Preparing to deploy cmd...
[2014-06-27 05:42PM] Successfully deployed '/cmd/cmd.jsp'
[2014-06-27 05:42PM] Finished at 2014-06-27 05:42PM

I also tried using EJB: ./clusterd.py -i 192.168.56.102 -p 8080 --deployer ejbinvokerservlet --deploy ~/test.war --invoke

    clusterd/0.3.1 - clustered attack toolkit
        [Supporting 6 platforms]

[2014-06-27 05:36PM] Started at 2014-06-27 05:36PM
[2014-06-27 05:36PM] Servers' OS hinted at windows
[2014-06-27 05:36PM] Fingerprinting host '192.168.56.102'
[2014-06-27 05:36PM] Checking jboss version 3.2 JBoss JMX Console...
[2014-06-27 05:36PM] Checking jboss version 3.2 JBoss Web Console...
[2014-06-27 05:36PM] Checking jboss version 3.0 JBoss JMX Console...
[2014-06-27 05:36PM] Checking jboss version 4.2 JBoss JMX Console...
[2014-06-27 05:36PM] Checking jboss version 4.2 JBoss Web Console...
[2014-06-27 05:36PM] Checking jboss version 4.0 JBoss JMX Console...
[2014-06-27 05:36PM] Checking jboss version 4.0 JBoss Web Console...
[2014-06-27 05:36PM] Checking jboss version 5.1 JBoss Web Manager...
[2014-06-27 05:36PM] Checking jboss version 5.1 JBoss JMX Console...
[2014-06-27 05:36PM] Checking jboss version 5.1 JBoss Web Console...
[2014-06-27 05:36PM] Checking jboss version 5.0 JBoss JMX Console...
[2014-06-27 05:36PM] Checking jboss version 5.0 JBoss Web Console...
[2014-06-27 05:36PM] Checking jboss version 6.0 JBoss Web Manager...
[2014-06-27 05:36PM] Checking jboss version 6.1 JBoss Web Manager...
[2014-06-27 05:36PM] Checking jboss version 6.1 JBoss JMX Console...
[2014-06-27 05:36PM] Checking jboss version 6.0 JBoss JMX Console...
[2014-06-27 05:36PM] Checking jboss version 7.1 JBoss Management...
[2014-06-27 05:36PM] Checking jboss version 7.0 JBoss Management...
[2014-06-27 05:36PM] Checking jboss version 8.1 JBoss Management...
[2014-06-27 05:36PM] Checking jboss version 8.0 JBoss Management...
[2014-06-27 05:36PM] Checking jboss version Any JBoss EJB Invoker Servlet...
[2014-06-27 05:36PM] Checking jboss version Any JBoss HTTP Headers (Unreliable)...
[2014-06-27 05:36PM] Checking jboss version Any JBoss JMX Invoker Servlet...
[2014-06-27 05:36PM] Checking jboss version Any JBoss RMI Interface...
[2014-06-27 05:36PM] Checking jboss version Any JBoss Status Page...
[2014-06-27 05:36PM] Matched 7 fingerprints for service jboss
[2014-06-27 05:36PM] JBoss JMX Console (version 4.2)
[2014-06-27 05:36PM] JBoss Web Console (version 4.2)
[2014-06-27 05:36PM] JBoss EJB Invoker Servlet (version Any)
[2014-06-27 05:36PM] JBoss HTTP Headers (Unreliable) (version 4.2)
[2014-06-27 05:36PM] JBoss JMX Invoker Servlet (version Any)
[2014-06-27 05:36PM] JBoss RMI Interface (version Any)
[2014-06-27 05:36PM] JBoss Status Page (version Any)
[2014-06-27 05:36PM] Fingerprinting completed.
[2014-06-27 05:36PM] Preparing to deploy /home/bob/test.war...
[2014-06-27 05:36PM] This deployer requires a JSP, default to cmd.jsp? [Y/n] > y
[2014-06-27 05:36PM] cmd deployed to 192.168.56.102 (/cmd160)
[2014-06-27 05:36PM] Finished at 2014-06-27 05:36PM
Neither works in executing the war file.

Windows Support

It would be wicked to see some Windows love.

After installing requests, I get an initial traceback:

C:\Tools\clusterd>python clusterd.py
←[32m
                clusterd/0.3.1 - clustered attack toolkit←[0m
                        ←[33m[Supporting 6 platforms]←[0m

Traceback (most recent call last):
  File "clusterd.py", line 108, in <module>
    options = parse(sys.argv[1:])
  File "C:\Tools\clusterd/src/core/parse_cmd.py", line 92, in parse
    group = build_platform_flags(platform, group)
  File "C:\Tools\clusterd/src/core/auxengine.py", line 65, in build_platform_flags
    mod = auxiliary[0].find_module(auxiliary[1]).load_module(auxiliary[1])
  File "C:\Python27\lib\pkgutil.py", line 246, in load_module
    mod = imp.load_module(fullname, self.file, self.filename, self.etc)
  File "C:\Tools\clusterd\src\platform\jboss\auxiliary\smb_hashes.py", line 8, in <module>
    from os import getuid
ImportError: cannot import name getuid
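
Both Windows reports on this page (the `WindowsError` on `/tmp/.clusterd` and the `from os import getuid` ImportError above) come from POSIX-only assumptions. The following is an added example, not clusterd's own code: it is Python 3, the helper names `state_dir` and `is_privileged` are hypothetical, and it also closes the gap a predictable name in a shared temp directory leaves open by refusing a pre-existing symlink or a directory owned by someone else.

```python
import os
import stat
import tempfile


def is_privileged():
    """True when running as root (POSIX) or as an elevated administrator (Windows)."""
    if hasattr(os, "getuid"):
        # os.getuid exists only on POSIX; importing it by name fails on Windows.
        return os.getuid() == 0
    import ctypes  # Windows fallback, imported lazily so POSIX never needs it
    try:
        return bool(ctypes.windll.shell32.IsUserAnAdmin())
    except (AttributeError, OSError):
        return False


def state_dir(name=".clusterd", base=None):
    """Create (or reuse) a private scratch directory and return its path.

    base defaults to the platform temp directory, so nothing assumes /tmp.
    Raises RuntimeError if the path is a symlink, a file, or (on POSIX)
    a directory owned by another user.
    """
    base = base or tempfile.gettempdir()
    path = os.path.join(base, name)
    try:
        os.mkdir(path, 0o700)          # owner-only from the start
    except FileExistsError:
        pass                           # validated below before it is trusted

    info = os.lstat(path)              # lstat: do not follow a planted symlink
    if not stat.S_ISDIR(info.st_mode):
        raise RuntimeError("%s exists but is not a real directory" % path)

    if hasattr(os, "getuid"):
        if info.st_uid != os.getuid():
            raise RuntimeError("%s is owned by another user" % path)
        if info.st_mode & 0o077:
            os.chmod(path, 0o700)      # tighten a directory left group/world accessible
    return path


if __name__ == "__main__":
    print("scratch directory:", state_dir())
    print("privileged:", is_privileged())
```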

head tampering

I saw you mention an option called --verb-tamper in order to bypass jboss 4.X auth,
but in the help itself there is no mention of how to use this option.
Can you please give more details on how to use it?

Unsuccessful deployment

Hi,

First of all, congrats on the awesome tool.

I'm doing an internal pentest at the moment, and I've found a JBoss 5.1.0 GA which in theory is vulnerable to the invoker/JMXInvokerServlet and invoker/EJBInvokerServlet vulnerability. At first I tried to exploit it using the metasploit module, and then a similar PHP exploit I found on EDB, but both were failing for some reason. As I'm already domain admin, I could log in to the box and see the logs; it turns out it was complaining about the remote .war file I was trying to upload and deploy, as it was hosted on my own web server. After doing some research I found this article: http://breenmachine.blogspot.co.uk/2014/02/jboss-jbxinvoker-servlet-update.html which comes to say that JBoss >= has a bug/feature that stops remote objects from being deployed. I read his post, compiled the Java exploit and ran it. It did upload my .war file to the folder /management (...management/cmd.war), but for some reason it seems as if it doesn't deploy it!!

After that, I found this project, gave it a go, and the result is the same: your tool does upload the .war file, but it is never deployed for some reason I can't understand!

Any ideas?

Auxiliary List out upon Fingerprint

Would be cool to see Clusterd print applicable auxiliary modules after fingerprinting a server, based upon said server's version. That is, something like:

[2014-07-23 02:49PM] Started at 2014-07-23 02:49PM
[2014-07-23 02:49PM] Servers' OS hinted at windows
[2014-07-23 02:49PM] Fingerprinting host '[ip]'
[2014-07-23 02:49PM] Server hinted at 'tomcat'
[2014-07-23 02:49PM] Checking tomcat version 3.3 Tomcat...
[2014-07-23 02:49PM] Checking tomcat version 3.3 Tomcat Admin...
[2014-07-23 02:49PM] Checking tomcat version 4.0 Tomcat...
[2014-07-23 02:49PM] Checking tomcat version 4.1 Tomcat...
[2014-07-23 02:49PM] Checking tomcat version 4.1 Tomcat Manager...
[2014-07-23 02:49PM] Checking tomcat version 4.0 Tomcat Manager...
[2014-07-23 02:49PM] Checking tomcat version 5.0 Tomcat...
[2014-07-23 02:49PM] Checking tomcat version 5.5 Tomcat...
[2014-07-23 02:49PM] Checking tomcat version 5.5 Tomcat Manager...
[2014-07-23 02:49PM] Checking tomcat version 5.0 Tomcat Manager...
[2014-07-23 02:49PM] Checking tomcat version 6.0 Tomcat...
[2014-07-23 02:49PM] Checking tomcat version 6.0 Tomcat Manager...
[2014-07-23 02:49PM] Checking tomcat version 7.0 Tomcat...
[2014-07-23 02:49PM] Checking tomcat version 7.0 Tomcat Manager...
[2014-07-23 02:49PM] Checking tomcat version 8.0 Tomcat...
[2014-07-23 02:49PM] Checking tomcat version 8.0 Tomcat Manager...
[2014-07-23 02:49PM] Matched 1 fingerprints for service tomcat
[2014-07-23 02:49PM] Tomcat (version 5.0)
[2014-07-23 02:49PM] Available Modules:
[2014-07-23 02:49PM] X...
[2014-07-23 02:49PM] Y...
[2014-07-23 02:49PM] Z...
[2014-07-23 02:49PM] Fingerprinting completed.
[2014-07-23 02:49PM] Finished at 2014-07-23 02:49PM

{feature request} CVE-2014-4278/oracle support?

A pretty severe RCE vulnerability was disclosed in Oracle's Forms 10g server that looks like it would be trivial to implement in clusterd (https://www.netspi.com/blog/entryid/243/advisory-oracle-forms-10g-unauthenticated-remote-code-execution-cve-2014-4278). Also, I would think this would be a good time to take a look at what other modules related to Oracle application servers could be implemented in clusterd (SMB hash aux modules, other exploits, etc.).

Stack trace in fingerprint.py

clusterd/0.3 - clustered attack toolkit
            [Supporting 6 platforms]

 [2014-05-16 11:40AM] Started at 2014-05-16 11:40AM
 [2014-05-16 11:40AM] Servers' OS hinted at windows
 [2014-05-16 11:40AM] Fingerprinting host 'x'
 [2014-05-16 11:40AM] Checking jboss version 3.2 JBoss JMX Console...
 [2014-05-16 11:40AM] Checking jboss version 3.2 JBoss Web Console...
 [2014-05-16 11:40AM] Checking jboss version 3.0 JBoss JMX Console...
 [2014-05-16 11:40AM] Checking jboss version 4.2 JBoss JMX Console...
 [2014-05-16 11:40AM] Checking jboss version 4.2 JBoss Web Console...
 [2014-05-16 11:40AM] Checking jboss version 4.0 JBoss JMX Console...
 [2014-05-16 11:40AM] Checking jboss version 4.0 JBoss Web Console...
 [2014-05-16 11:40AM] Checking jboss version 5.1 JBoss Web Manager...
 [2014-05-16 11:40AM] Checking jboss version 5.1 JBoss JMX Console...
 [2014-05-16 11:40AM] Checking jboss version 5.1 JBoss Web Console...
 [2014-05-16 11:40AM] Checking jboss version 5.0 JBoss JMX Console...
 [2014-05-16 11:40AM] Checking jboss version 5.0 JBoss Web Console...
 [2014-05-16 11:40AM] Checking jboss version 6.0 JBoss Web Manager...
 [2014-05-16 11:40AM] Checking jboss version 6.1 JBoss Web Manager...
 [2014-05-16 11:40AM] Checking jboss version 6.1 JBoss JMX Console...
 [2014-05-16 11:40AM] Checking jboss version 6.0 JBoss JMX Console...
 [2014-05-16 11:40AM] Checking jboss version 7.1 JBoss Management...
 [2014-05-16 11:40AM] Checking jboss version 7.0 JBoss Management...
 [2014-05-16 11:40AM] Checking jboss version 8.0 JBoss Management...
 [2014-05-16 11:40AM] Checking jboss version Any JBoss EJB Invoker Servlet...
 [2014-05-16 11:40AM] Checking jboss version Any JBoss HTTP Headers (Unreliable)...
Traceback (most recent call last):
  File "./clusterd.py", line 119, in <module>
    run(options)
  File "./clusterd.py", line 92, in run
    fingerengine.run()
  File "/root/git/clusterd/src/core/fingerprint.py", line 97, in run
    matched_fps = self.check_service(service)
  File "/root/git/clusterd/src/core/fingerprint.py", line 59, in check_service
    matched_fingerprints = self.definitions(self.options.ip, self.options.port, service)
  File "/root/git/clusterd/src/core/fingerprint.py", line 32, in definitions
    fp = fp.FPrint()
  File "/root/git/clusterd/src/platform/jboss/fingerprints/JBossInvoker.py", line 13, in __init__
AttributeError: class JINTERFACES has no attribute 'IN'

ability to pass vhost

Right now it doesn't seem possible to pass a vhost parameter. It would be handy to do that where I have an IP but it requires the host variable to talk with the application.
