Results 1 to 10 of 17

Thread: Cool/Bad linux tool

  1. #1
    Member imported_pynstrom's Avatar
    Join Date
    May 2008
    Posts
    143

    Default Cool/Bad linux tool

    I found a really neat tool that, surprisingly, I couldn't find any posts about on this forum. The tool is isr-evilgrade and can be found here:
    http://www.infobyte.com.ar/developments.html
    and is documented here:
    http://www.infobyte.com.ar/down/isr-...ade-Readme.txt
    with video tutorial here:
    http://vimeo.com/1575771
    It allows an attacker to create a fake update server for some popular Windows applications like WinZip, Java, iTunes, notepadplus and more. Using ARP or DNS cache poisoning you can get the victim to download the payload that comes with evilgrade, or one you created with msfpayload, which is run automatically in the update process. I thought this was pretty cool and don't think too many people know about this tool.
    When hungry, eat your rice; when tired, close your eyes. Fools may laugh at me, but wise men will know what I mean. -- Lin-Chi
    - - - - - - - -
    I slept once, it was a Tuesday.

  2. #2
    Junior Member
    Join Date
    Sep 2008
    Posts
    42

    Default

    Quote Originally Posted by pynstrom
    I found a really neat tool that, surprisingly, I couldn't find any posts about on this forum. The tool is isr-evilgrade and can be found here:
    http://www.infobyte.com.ar/developments.html
    and is documented here:
    http://www.infobyte.com.ar/down/isr-...ade-Readme.txt
    with video tutorial here:
    http://vimeo.com/1575771
    It allows an attacker to create a fake update server for some popular Windows applications like WinZip, Java, iTunes, notepadplus and more. Using ARP or DNS cache poisoning you can get the victim to download the payload that comes with evilgrade, or one you created with msfpayload, which is run automatically in the update process. I thought this was pretty cool and don't think too many people know about this tool.
    Hey, I have never heard of the tool, but it sounds really freakin' awesome...
    There is no spoon.

  3. #3
    Just burned his ISO kraven666's Avatar
    Join Date
    Sep 2008
    Posts
    19

    Default

    Very impressive, just watched the video tutorial. Might have to give it a bash!

    Kraven666

  4. #4
    Junior Member
    Join Date
    Oct 2008
    Posts
    33

    Default well used method, new wrapping

    A quick look at the presentation slides on evilgrade says that the concept isn't new. This method has been well known for ages, but it's the centralization of all the different update implementations that's new - and the idea is great. Worth checking out, at least :)

  5. #5
    Member imported_Deathray's Avatar
    Join Date
    Oct 2007
    Posts
    381

    Default

    DNS Spoofing + evilgrade is pure evil.
    As the Metasploit blog puts it: Evilgrade Will Destroy Us All :b
    I mean, think about it: this type of attack is probably the easiest way to root a box, and it really makes you think!
    Thank you so much for the link. I know what I'm doing once I get home.

    Hmm, or maybe I should just run ettercap -T -q -p dnsspoof -M ARP // // with java.sun.com spoofed to my IP, with evilgrin running with a reverse shell payload, at my school with 50 other students in my subnet, and end up creating a massive DoS (evilgrin)
    (((joke)))
    - Poul Wittig

  6. #6
    Member imported_Deathray's Avatar
    Join Date
    Oct 2007
    Posts
    381

    Default

    For some weird reason my laptop, which is playing the "victim", answers with "You already have the latest Java(TM) Platform on this system". nslookup shows that java.sun.com is 192.168.1.99, and Wireshark on the victim shows no packets going anywhere other than to the "attacker". So the problem is not there.
    Evilgrade reports:
    Code:
    evilgrade(sunjava)>
    [20/10/2008:14:25:18] - [WEBSERVER] - [modules::sunjava] - [192.168.1.98] - Request: "^/update/[.\\d]+/map\\-[.\\d]+.xml"
    but something is going wrong. I'll get back if I find the solution.
    Edit: Something about the response from the attacker is not right. The code has to be changed, but I unfortunately have no experience in Perl.
    I also tried downgrading Java so genuine updates are truly available, but still the "You already have the latest blah blah".
    Anyone here at our forums got some Perl experience and up for an easy task (: ?
    I've been skimming through a lot of the code in general, and it is pretty simple, so it shouldn't be that hard to fix.
    - Poul Wittig
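The symptom in the post above (a public update host such as java.sun.com answering with a LAN address like 192.168.1.99) is exactly what a defender can alert on. The following is an added example, not code from the thread or from evilgrade, that scans constructed resolver-log lines for watched update hosts resolving into RFC 1918, loopback or link-local space; the log format, the watched-host list and the sample addresses are assumptions.

```python
import ipaddress
import re

# Update hosts to watch; java.sun.com is the one spoofed in the thread (the list is an assumption)
WATCHED_UPDATE_HOSTS = ("java.sun.com",)

# Ranges that can never be the genuine answer for a public update host
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16")]                  # loopback, link-local
# Constructed resolver-log format: "<timestamp> client=<ip> q=<name> a=<ip>"
LOG_RE = re.compile(r"^(\S+)\s+client=(?P<client>\S+)\s+q=(?P<qname>\S+)\s+a=(?P<answer>\S+)$")

def parse_line(line):
    # One record per line; None for lines that do not match the format
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()    # normalise the FQDN
    return rec

def is_lan_address(text):
    # True for RFC 1918, loopback and link-local answers; non-IP data (CNAME) is never flagged
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(ip in net for net in LAN_NETS)

def is_watched(host, watched=WATCHED_UPDATE_HOSTS):
    return any(host == w or host.endswith("." + w) for w in watched)

def find_spoofed_update_hosts(lines, watched=WATCHED_UPDATE_HOSTS):
    # Returns (client, qname, answer) for each watched host answered with a LAN address
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_watched(rec["qname"], watched) and is_lan_address(rec["answer"]):
            findings.append((rec["client"], rec["qname"], rec["answer"]))
    return findings

# Constructed sample log; 203.0.113.10 (a documentation address) stands in for the real answer
SAMPLE_LOG = [
    "2008-10-20T14:25:18 client=192.168.1.98 q=java.sun.com. a=192.168.1.99",
    "2008-10-20T14:25:19 client=192.168.1.98 q=java.sun.com. a=203.0.113.10",
    "this line is malformed and is skipped",
    "2008-10-20T14:25:21 client=192.168.1.98 q=updates.java.sun.com. a=192.168.1.99",
]
```

Running find_spoofed_update_hosts(SAMPLE_LOG) flags the two LAN answers and ignores the public one and the malformed line; on a real resolver log the same check pairs naturally with an ARP-table monitor, since the thread's scenario needs both spoofs.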

  7. #7
    Senior Member ShadowKill's Avatar
    Join Date
    Dec 2007
    Posts
    908

    Default

    Quote Originally Posted by Deathray
    For some weird reason my laptop, which is playing the "victim", answers with "You already have the latest Java(TM) Platform on this system". nslookup shows that java.sun.com is 192.168.1.99, and Wireshark on the victim shows no packets going anywhere other than to the "attacker". So the problem is not there.
    Evilgrade reports:
    Code:
    evilgrade(sunjava)>
    [20/10/2008:14:25:18] - [WEBSERVER] - [modules::sunjava] - [192.168.1.98] - Request: "^/update/[.\\d]+/map\\-[.\\d]+.xml"
    but something is going wrong. I'll get back if I find the solution.
    Edit: Something about the response from the attacker is not right. The code has to be changed, but I unfortunately have no experience in Perl.
    I also tried downgrading Java so genuine updates are truly available, but still the "You already have the latest blah blah".
    Anyone here at our forums got some Perl experience and up for an easy task (: ?
    I've been skimming through a lot of the code in general, and it is pretty simple, so it shouldn't be that hard to fix.
    I've got perl under my belt, what've you got?

    "The goal of every man should be to continue living even after he can no longer draw breath."

    ~ShadowKill

  8. #8
    Member imported_Deathray's Avatar
    Join Date
    Oct 2007
    Posts
    381
    - Poul Wittig

  9. #9
    Senior Member ShadowKill's Avatar
    Join Date
    Dec 2007
    Posts
    908

    Default

    Quote Originally Posted by Deathray
    lol, I love brainfsck, but I meant what do you need help with, dork

    "The goal of every man should be to continue living even after he can no longer draw breath."

    ~ShadowKill

  10. #10
    Junior Member
    Join Date
    Oct 2008
    Posts
    33

    Default

    Quote Originally Posted by ShadowKill
    I've got perl under my belt, what've you got?
    There's a chance I can help out as well. Haven't touched Perl in a year or so, though :)
