So I've been playing around with karmetasploit for a while and have gotten it to give me some really good results, even gotten it to work transparently (until it gets overwhelmed and crashes my crappy laptop).

Anyway, yesterday's project was evilgrade, which I was able to get to work using ettercap's DNS spoofing. That is all well and good, but what if you simply can't crack that pesky WPA key but you still want to get your backdoor onto that juicy client that keeps popping up in airodump?

Well, my question is: would it be possible to use a fake Karma AP to spoof the DNS of the upgrade server and get them to evilgrade their ICQ/OSX/etc.? Imagine this scenario:

You could use aireplay deauths for an extended DoS attack on the client, and as we all know "Joe Wifiusr" must get his daily dose of pr0n, so he connects to that brand new "Free Public Wifi" AP that just happened to pop up.
After he is done with that he may decide to do some instant messaging, but oh wait! A critical update is available, better grab that before he gets hacked! Next thing he knows I've jacked his mouse pointer and am drawing a pretty picture for him in MS Paint.

I plan on trying this out tomorrow on my testbed, but would like any feedback if anyone has tried this before or if it is even possible.

PS: would Evilgrade work with airpwn too? I can't test this because airpwn simply refuses to work with my current hardware, but perhaps someone could give it a try; it would make for a nasty surprise if it did work.