Evilgrade is a modular framework that allows the user to take advantage of poor upgrade implementations by injecting fake updates. It comes with pre-made binaries (agents), a working default configuration for fast pentests, and its own WebServer and DNSServer modules. New settings are easy to set up, and it autoconfigures itself when new binary agents are set.

* When should I use evilgrade?

This framework comes into play when the attacker is able to redirect hostnames (by manipulating the victim’s DNS traffic), which can be done in two scenarios:

Internal scenario:

  • Internal DNS access
  • ARP spoofing
  • DNS Cache Poisoning
  • DHCP spoofing
  • TCP hijacking
  • Wi-Fi Access Point impersonation

External scenario:

  • Internal DNS access
  • DNS Cache Poisoning

* How does it work?

Evilgrade works with modules; each module implements the structure needed to emulate a fake update for a specific application/system.
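The defence that defeats this whole class of attack is on the client side: an updater must not trust anything it receives from the network, because after a DNS redirection the "vendor" server is the attacker's. Note that digests served alongside the binary (the agentmd5 / agentsha256 fields this page says evilgrade fills in for its agents) add nothing, since the same server computes them. What works is a signature over the update metadata made with a vendor key pinned into the client, plus a digest binding the downloaded bytes to that authenticated metadata. The Go program below is an added example written for this page; it is not part of Evilgrade or of any vendor's updater. The manifest layout, the product name and the use of Ed25519 are assumptions, and the two "binaries" are constructed stand-ins.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the update metadata the vendor signs offline (assumed layout).
// The client trusts neither the manifest nor the binary until both checks pass.
type Manifest struct {
	Product string `json:"product"`
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the update binary
	Size    int    `json:"size"`   // byte length of the update binary
}

// NewManifestFor builds the manifest a vendor would publish for a given binary.
func NewManifestFor(product, version string, binary []byte) Manifest {
	sum := sha256.Sum256(binary)
	return Manifest{Product: product, Version: version, SHA256: hex.EncodeToString(sum[:]), Size: len(binary)}
}

// SignManifest serialises the manifest and produces a detached Ed25519
// signature over the exact bytes the client will later verify.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (manifestJSON, sig []byte, err error) {
	manifestJSON, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

// VerifyUpdate is the hardened client side. pub is pinned into the client at
// build time, so a server reached through hijacked DNS cannot substitute it.
func VerifyUpdate(pub ed25519.PublicKey, manifestJSON, sig, payload []byte) (*Manifest, error) {
	// 1. Authenticate the metadata before parsing or acting on it.
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return nil, errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, fmt.Errorf("manifest malformed: %w", err)
	}
	// 2. Bind the downloaded bytes to the authenticated metadata.
	if len(payload) != m.Size {
		return nil, fmt.Errorf("size mismatch: manifest says %d bytes, got %d", m.Size, len(payload))
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return nil, errors.New("manifest carries a malformed digest")
	}
	got := sha256.Sum256(payload)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return nil, errors.New("payload digest mismatch: refusing update")
	}
	return &m, nil
}

func main() {
	// Constructed demo data: a vendor key pair and two stand-in "binaries".
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := []byte("GENUINE UPDATE 2.0.1 (constructed stand-in for a real binary)")
	injected := []byte("BINARY served by an impersonated update host (constructed)")

	manifestJSON, sig, err := SignManifest(priv, NewManifestFor("example-app", "2.0.1", genuine))
	if err != nil {
		panic(err)
	}
	if _, err := VerifyUpdate(pub, manifestJSON, sig, genuine); err != nil {
		fmt.Println("genuine update rejected:", err)
	} else {
		fmt.Println("genuine update accepted")
	}
	// The scenario on this page: DNS points the client at a server returning a
	// different binary. Without the manifest check it would simply be installed.
	if _, err := VerifyUpdate(pub, manifestJSON, sig, injected); err != nil {
		fmt.Println("swapped binary rejected:", err)
	}
}
```

The order of the checks matters: the signature is verified over the raw manifest bytes before JSON parsing, so a hostile server cannot reach the parser with unauthenticated input, and the digest comparison uses a constant-time compare even though it guards a public hash, to keep the habit uniform.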

* What OS are supported?

ISR-Evilgrade is cross-platform; it only depends on having an appropriate payload for the target platform being exploited.

Implemented modules:

  • Freerip 3.30
  • Jet photo 4.7.2
  • Teamviewer 5.1.9385
  • ISOpen 4.5.0
  • Istat.
  • Gom 2.1.25.5015
  • Atube catcher 1.0.300
  • Vidbox 7.5
  • Ccleaner 2.30.1130
  • Fcleaner 1.2.9.409
  • Allmynotes 1.26
  • Notepad++ 5.8.2
  • Java 1.6.0_22 winxp/win7
  • aMSN 0.98.3
  • Appleupdate <= 2.1.1.116 (Safari 5.0.2 7533.18.5, <= Itunes 10.0.1.22, <= Quicktime 7.6.8 1675)
  • Mirc 7.14
  • Windows update (IE6 last version, IE7 7.0.5730.13, IE8 8.0.60001.18702, Microsoft Works)
  • Dap 9.5.0.3
  • Winscp 4.2.9
  • AutoIt Script 3.3.6.1
  • Clamwin 0.96.0.1
  • AppTapp Installer 3.11 (Iphone/Itunes)
  • getjar (facebook.com)
  • Google Analytics Javascript injection
  • Speedbit Optimizer 3.0 / Video Acceleration 2.2.1.8
  • Winamp 5.581
  • TechTracker (cnet) 1.3.1 (Build 55)
  • Nokiasoftware firmware update 2.4.8es – (Windows software)
  • Nokia firmware v20.2.011
  • BSplayer 2.53.1034
  • Apt ( < Ubuntu 10.04 LTS)
  • Ubertwitter 4.6 (0.971)
  • Blackberry Facebook 1.7.0.22 | Twitter 1.0.0.45
  • Cpan 1.9402
  • VirtualBox (3.2.8 )
  • Express talk
  • Filezilla
  • Flashget
  • Miranda
  • Orbit
  • Photoscape.
  • Panda Antirootkit
  • Skype
  • Sunbelt
  • Superantispyware
  • Trillian <= 5.0.0.26
  • Adium 1.3.10 (Sparkle Framework)
  • VMware
  • more… (see /docs/CHANGES)

MAIN USAGE

It works similarly to an IOS console.

List implemented modules

Configure a specified module

Show all Virtual Hosts.

The VirtualHost field contains the domains that our web server is going to emulate for us.

Show options of current module.

Agent: this is our fake update binary; we have to set the path to where it is located or implement dynamic fake update binary generation (see ADVANCED).

Start services (DNS Server and WebServer)

Show status and victims logs

DEEP USAGE

Commands

configure / conf – Configure

Example:

Example:

ADVANCED

  • Module options: each module has special options, but the “agent” field is always present. The agent is our fake update binary; we have to set the path to where it is located or implement dynamic fake update binary generation.

[Dynamic fake update binary] allows the execution of an external command to generate our binary, for example using msfpayload from the Metasploit framework. With this feature we can generate any Metasploit payload or use an external interface to create the binary.

Example 1:

In this case, for every required update binary we generate a fake update binary with the payload “windows/shell_reverse_tcp”, a reverse shell that connects to address 192.168.233.2 on port 4141. The label <%OUT%> is a special tag marking where the output binary is going to be generated. Evilgrade detects use of the dynamic fake update binary feature because the value is enclosed in square brackets ‘[]’. Inside those brackets is a string, itself enclosed in double quotes “”, that is evaluated by Perl.

For example if we use:

then every time we get a binary request, evilgrade will evaluate the line and execute the resulting string “./generatebin -o /tmp/update(random).exe”, generating a different agent each time.
An easier, but not dynamic, alternative is to generate the payload directly with msfpayload in a terminal and assign it manually in the module’s configuration.

Example 2:
(Outside evilgrade)

(Inside evilgrade)

After our payload has been generated, we leave a multi handler listening on the previously assigned LHOST.
(Outside evilgrade)

MODULE DEVELOPMENT

Module development is very simple. Since evilgrade is based on modules, you only have to write a .pm package (Perl module). Here we describe the sunjava update module (comments start with #):

.:: [TIPS] ::.

  1. Don’t forget to run evilgrade as a user with privileges to create listening sockets; otherwise you won’t be able to use evilgrade’s services.
  2. Every time you modify a module while evilgrade is running, don’t forget to ‘reload’ it.
  3. Set the binary ‘agents’ before starting the services, because evilgrade fills out some fields for you (agentmd5, agentsha256, and agentsize) that cannot be computed while the services are already running.
  4. If you’re using a dynamic response with variables such as <%AGENTSIZE%>, <%AGENTMD5%>, <%URL_FILE%>, <%URL_FILE_EXT%>, or custom ones defined in the options section, don’t forget to set parse to 1.
  5. The same goes for injecting an agent: you must set the bin flag to 1.
  6. If you want to make plaintext HTTP responses, use the cheader flag. Example below:

REQUIREMENTS

Perl Modules

INSTALL

MORE INFORMATION

This framework was presented in the following security conferences:

AUTHOR
Francisco Amato famato+at+infobytesec+dot+com

Download Evilgrade