I found a really neat tool that, surprisingly, I couldn't find any posts about on this forum. The tool is isr-evilgrade and can be found here:
and is documented here:
with video tutorial here:
It allows an attacker to create a fake update server for some popular Windows applications like WinZip, Java, iTunes, Notepad++ and more. Using ARP or DNS cache poisoning you can get the victim to download the payload that comes with evilgrade, or one you created with msfpayload, and it is run automatically in the update process. I thought this was pretty cool and don't think too many people know about this tool.
When hungry, eat your rice; when tired, close your eyes. Fools may laugh at me, but wise men will know what I mean. -- Lin-Chi
- - - - - - - -
I slept once, it was a Tuesday.
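The DNS-poisoning step in the first post leaves a visible trace on the victim side: a vendor update hostname that suddenly resolves to an address on the local subnet (later in this thread, nslookup shows java.sun.com answering as 192.168.1.99). The following script is an added illustration of how a defender could flag that from resolver logs; it is not part of evilgrade or of any post in this thread. The log format, the second watched hostname and all sample lines are constructed assumptions.

```python
"""Flag vendor update hostnames that resolve to non-public addresses.

Added example for this thread (not evilgrade code, not any poster's code).
Idea: a fake update server reached via ARP/DNS cache poisoning shows up on
the victim as an update hostname resolving to a LAN address. The log format
below is a constructed assumption, not any real resolver's output.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Update hostnames to watch. java.sun.com is the one named in the thread;
# the second entry is a constructed placeholder, not a real vendor host.
UPDATE_HOSTS = {"java.sun.com", "updates.example-vendor.test"}

# Constructed log format: <timestamp> client=<ip> qname=<name> answer=<ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+qname=(?P<qname>\S+)\s+answer=(?P<answer>\S+)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one constructed log line into its fields, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def check_answer(qname: str, answer: str) -> Optional[str]:
    """Return a reason if a watched update host resolved to a non-public address."""
    if qname.lower().rstrip(".") not in UPDATE_HOSTS:
        return None
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:
        return None  # CNAME target or malformed field; not judged here
    # Private, loopback, link-local and other reserved ranges are not global.
    if not addr.is_global:
        return f"{qname} resolved to non-public address {answer}"
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run check_answer over every parsable log line and collect alerts."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = check_answer(rec["qname"], rec["answer"])
        if reason:
            alerts.append({"ts": rec["ts"], "client": rec["client"], "reason": reason})
    return alerts


def shared_answers(lines: List[str]) -> Dict[str, List[str]]:
    """Map each non-public address to the watched hostnames it answered for,
    keeping only addresses that stood in for two or more of them: one LAN
    host impersonating several vendors is the pattern a single fake update
    server produces."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and check_answer(rec["qname"], rec["answer"]):
            seen[rec["answer"]].add(rec["qname"].lower().rstrip("."))
    return {addr: sorted(names) for addr, names in seen.items() if len(names) >= 2}


# Constructed sample log: one victim client, a mix of benign and poisoned answers.
SAMPLE_LOG = [
    "2008-10-20T14:25:18 client=192.168.1.98 qname=java.sun.com answer=192.168.1.99",
    "2008-10-20T14:25:19 client=192.168.1.98 qname=www.example.com answer=93.184.216.34",
    "2008-10-20T14:25:20 client=192.168.1.98 qname=intranet.corp.test answer=192.168.1.10",
    "2008-10-20T14:25:21 client=192.168.1.98 qname=updates.example-vendor.test answer=192.168.1.99",
    "2008-10-20T14:25:22 client=192.168.1.98 qname=updates.example-vendor.test answer=93.184.216.34",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['client']}: {alert['reason']}")
    for addr, names in shared_answers(SAMPLE_LOG).items():
        print(f"{addr} answered for {len(names)} watched hosts: {', '.join(names)}")
```

The intranet host resolving to a LAN address is deliberately not flagged: only hostnames on the watch list are judged, so the check stays quiet on normal internal DNS. In practice the watch list is whatever update hosts your software inventory actually contacts, and the same logic can run over a passive-DNS export or a resolver's query log in place of the constructed lines.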
Very Impressive, just watched the video tutorial. Might have to give it a bash!
A quick look at the presentation slides on evilgrade says that the concept isn't new. This method has been well known for ages, but it's the centralization of all the different update implementations that's new - and the idea is great. Worth checking out, at least :)
DNS Spoofing + evilgrade is pure evil.
As the Metasploit blog puts it: Evilgrade Will Destroy Us All :b
I mean think about it, this type of attack is probably the easiest way to root a box and really makes you think!
Thank you so much for the link. I know what I'm doing once I get home.
Hmm, or maybe I should just run ettercap -T -q -p dnsspoof -M ARP // // with java.sun.com spoofed to my IP, with evilgrin running with a reverse shell payload, at my school with 50 other students in my subnet, and end up creating a massive DoS (evilgrin)
- Poul Wittig
For some weird reason my laptop, which is playing the "victim", answers with "You already have the latest Java(TM) Platform on this system". nslookup shows that java.sun.com is 192.168.1.99, and Wireshark on the victim shows no packets going anywhere other than to the "attacker". So the problem is not there, but something is going wrong. I'll get back if I find the solution.
Code:
evilgrade(sunjava)> [20/10/2008:14:25:18] - [WEBSERVER] - [modules::sunjava] - [192.168.1.98] - Request: "^/update/[.\\d]+/map\\-[.\\d]+.xml"
Edit: Something about the response from the attacker is not right. The code has to be changed but I unfortunately have no experience in perl.
I also tried downgrading Java so that genuine updates are truly available, but I still get the "You already have the latest blah blah".
Anyone here at our forums got some perl experience and up for an easy task (: ?
I've been skimming through a lot of the code in general, and it is pretty simple so shouldn't be that hard to fix.
- Poul Wittig