May 23, 2010

Hacking Software Updates with EvilGrade




Evilgrade is a modular framework that allow us to take advantage of poor upgrade implementations by injecting fake updates. It works with modules, each module implements the structure needed to emulate a false update of specific applications/systems. Evilgrade needs the manipulation of the victim dns traffic and uses either of DNS cache poisoning, ARP spoofing, DHCP spoofing or Internal DNS access to accomplish this. Once EvilGrade has inserted itself as the man-in-the-middle it intercepts automatic update requests for the softwares it supports and injects the malicious payload as the "update". This payload can be configured to whichever binary the hacker wants. Once the victim downloads this malicious "update" and runs it, the hacker has full control of his system
Currently, EvilGrade Supports the interception of the following upgrade mechanisms:

- Java plugin
- OpenOffices
- iTunes
- Linkedin Toolbar
- DAP [Download Accelerator]
- notepad++
- speedbit



We had covered EvilGrade a while back. In this demo, g0tmi1k shows us a demo of EvilGrade using Notepad Plus. The underlying hack uses an ARP MITM and DNS Poisoning to redirect all software upgrade request checks to the attacker's server. This server serves a metasploit payload to Notepad Plus instead of the actual payload. Once the update gets exectuted a reverse connect shell provides full access to the victim's computer.


# ITS™
# 2009 - 2010

No comments:

Post a Comment