head tampering

[cnilsecure]

I saw you mention an option called --verb-tamper in order to bypass jboss 4.X auth
but in the help itself there is no mentioning how to use this option.
can you please give more details regarding on how to use it?

[breenmachine]

It's an auxiliary module and doesn't show up in the main list of options, however if you use the flag --aux-list you will see it.

It should be as simple as appending --verb-tamper to the options supplied.

[hatRiot]

Hey @cnilsecure

This issue prompted me to look into the module, and I discovered a few bugs. These have been patched up and added to the dev branch, so please check that out.

I've also added an example in the JBoss wiki for clarification. An example of the module is as follows:

$ ./clusterd.py -i localhost -a jboss -v4.0 --verb-tamper ./src/lib/resources/cmd.jsp 

        clusterd/0.4 - clustered attack toolkit
            [Supporting 7 platforms]

[2015-01-25 12:24PM] Started at 2015-01-25 12:24PM
[2015-01-25 12:24PM] Servers' OS hinted at windows
[2015-01-25 12:24PM] Fingerprinting host '192.168.1.138'
[2015-01-25 12:24PM] Server hinted at 'jboss'
[2015-01-25 12:24PM] Checking jboss version 4.0 JBoss JMX Console...
[2015-01-25 12:24PM] Checking jboss version 4.0 JBoss Web Console...
[2015-01-25 12:24PM] Checking jboss version Any JBoss EJB Invoker Servlet...
[2015-01-25 12:24PM] Checking jboss version Any JBoss HTTP Headers (Unreliable)...
[2015-01-25 12:24PM] Checking jboss version Any JBoss JMX Invoker Servlet...
[2015-01-25 12:24PM] Checking jboss version Any JBoss RMI Interface...
[2015-01-25 12:24PM] Checking jboss version Any JBoss Status Page...
[2015-01-25 12:24PM] Matched 7 fingerprints for service jboss
[2015-01-25 12:24PM]    JBoss JMX Console (version 4.0)
[2015-01-25 12:24PM]    JBoss Web Console (version 4.0)
[2015-01-25 12:24PM]    JBoss EJB Invoker Servlet (version Any)
[2015-01-25 12:24PM]    JBoss HTTP Headers (Unreliable) (version 4.0)
[2015-01-25 12:24PM]    JBoss JMX Invoker Servlet (version Any)
[2015-01-25 12:24PM]    JBoss RMI Interface (version Any)
[2015-01-25 12:24PM]    JBoss Status Page (version Any)
[2015-01-25 12:24PM] Fingerprinting completed.
[2015-01-25 12:24PM] Vulnerable to verb tampering, attempting to deploy...
[2015-01-25 12:24PM] Successfully deployed /home/bryan/tools/clusterd/src/lib/resources/cmd.jsp
[2015-01-25 12:24PM] Finished at 2015-01-25 12:24PM

Let me know if you have any other questions, and thanks for the report!

[cnilsecure]

Sorry to bother you again..
but looks to me that you designed the verb tampering just for jmx-console
I would suggest to apply it to any of the jboss "deployers" since they all expose to the same bug of HEAD (alot of the cases /jmx-console is missing or removed unlike invoker for example or web-console)
just my 2 cents anyhow

[hatRiot]

Good point; I'll have to think about its implementation, but I agree it should support all interfaces.