[36885] in bugtraq
MonkeyShell: using XML-RPC for access to a remote shell
daemon@ATHENA.MIT.EDU (Abe Usher)
Tue Oct 12 12:32:47 2004
Message-ID: <4169DA05.4050205@sharp-ideas.net>
Date: Sun, 10 Oct 2004 20:55:33 -0400
From: Abe Usher <securitylist@sharp-ideas.net>
MIME-Version: 1.0
To: BUGTRAQ@securityfocus.com
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Security pundits have been warning about the dangers implicit with Web
services for years. A good starting point for understanding the security
issues related to Web services can be found at:
http://searchwebservices.techtarget.com/originalContent/0,289142,sid26_gci872720,00.html
Of course to really understand the security risks posed by Web services,
you need to understand the basics of Web services. Enter an application
I wrote called "Monkey Shell."
MonkeyShell is a simple open source Python application that uses
extensible markup language remote procedure calls (XML-RPC) to execute
commands through a remote system shell.
I kept the code terse (less than 100 lines total) so that it can be
studied easily. It is similar to netcat except instead of "shell
shoveling" data through a raw TCP connection, it wraps data in XML and
transports it over HTTP.
MonkeyShell is freely available at:
http://www.sharp-ideas.net/
Cheers,
Abe Usher, CISSP
