[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] MonkeyShell: using XML-RPC for access to a remote shell

To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: [Full-Disclosure] MonkeyShell: using XML-RPC for access to a remote shell
From: Abe Usher <securitylist@xxxxxxxxxxxxxxx>
Date: Sun, 10 Oct 2004 20:57:09 -0400

Security pundits have been warning about the dangers implicit with Web
services for years. A good starting point for understanding the security
issues related to Web services can be found at:
http://searchwebservices.techtarget.com/originalContent/0,289142,sid26_gci872720,00.html

Of course to really understand the security risks posed by Web services,
you need to understand the basics of Web services. Enter an application
I wrote called "Monkey Shell."

MonkeyShell is a simple open source Python application that uses
extensible markup language remote procedure calls (XML-RPC) to execute
commands through a remote system shell.

I kept the code terse (less than 100 lines total) so that it can be
studied easily.  It is similar to netcat except instead of "shell
shoveling" data through a raw TCP connection, it wraps data in XML and
transports it over HTTP.

MonkeyShell is freely available at:
http://www.sharp-ideas.net/

Cheers,
Abe Usher, CISSP

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: [Full-Disclosure] Techniques to identify pop3 banners
Next by Date: Re: [Full-Disclosure] mysql password cracking
Previous by thread: Re: [Full-Disclosure] Techniques to identify pop3 banners
Next by thread: [Full-Disclosure] CJOverkill 4.0.3 XSS Proof of Concept
Index(es):
- Date
- Thread