isr-evilgrade
Evilgrade is a modular framework for injecting fake updates by exploiting poor upgrade implementations. It includes pre-made binaries, a WebServer, DNSServer, and autoconfiguration for rapid pentests.
Description
Evilgrade enables penetration testers to exploit vulnerabilities in software update mechanisms by serving malicious fake updates. The tool comes pre-configured with agents (binaries) and supports easy customization for new scenarios. It is designed for fast deployment in testing environments, leveraging its built-in servers to deliver payloads to victims who request legitimate updates.
Use cases include simulating update attacks during red team engagements, assessing the security of client-side update processes, and demonstrating risks of unverified update sources. The framework loads numerous modules for popular applications, allowing targeted exploitation based on the victim's software stack.
With more than 60 to 80 modules available, depending on the version, Evilgrade supports a wide range of software such as Skype, browsers, media players, and system tools. It requires minimal setup, making it suitable for quick assessments.
How It Works
Evilgrade operates by loading Perl-based modules (e.g., modules/skype.pm) that define fake update behaviors for specific applications. Upon configuration (e.g., 'config skype'), it starts an integrated WebServer and DNSServer to intercept and redirect update requests to malicious payloads. The servers wait for victim connections, serving agent binaries disguised as legitimate updates. Autoconfiguration handles new agents, while DEBUG logs show module loading and server status.
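A defender-side check for the DNS redirection described above, as an added example that is not part of Evilgrade or of the original page: it scans DNS response logs for update hostnames that resolve to internal addresses. The log format, the hostnames in the watchlist, and the sample lines are all constructed assumptions.

```python
import ipaddress

# Constructed watchlist (placeholder names): public hosts your updaters contact.
UPDATE_HOSTS = {"update.vendor.example", "dl.player.example"}

# Ranges that a public vendor update host should never resolve to.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "::1/128")]

# Constructed DNS response log, assumed format: time client qname rtype answer
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.21 update.vendor.example A 203.0.113.10
2024-05-01T10:00:05Z 10.0.0.21 www.intranet.example A 10.0.0.5
2024-05-01T10:02:11Z 10.0.0.34 update.vendor.example A 10.0.0.66
2024-05-01T10:02:40Z 10.0.0.34 DL.Player.Example. A 192.168.1.9
2024-05-01T10:03:00Z 10.0.0.40 dl.player.example AAAA 2001:db8::1
malformed line
"""

def suspicious_update_answers(log_text):
    """Return (time, client, host, answer) for watched update hosts
    whose A/AAAA answer falls inside an internal address range."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] not in ("A", "AAAA"):
            continue  # skip malformed lines and other record types
        ts, client, qname, _rtype, answer = parts
        host = qname.rstrip(".").lower()  # normalise case and trailing dot
        if host not in UPDATE_HOSTS:
            continue
        try:
            ip = ipaddress.ip_address(answer)
        except ValueError:
            continue  # answer field is not an IP address
        if any(ip in net for net in INTERNAL_NETS):
            findings.append((ts, client, host, answer))
    return findings

if __name__ == "__main__":
    for finding in suspicious_update_answers(SAMPLE_LOG):
        print("update host resolved to internal address:", *finding)
```

Hosts that legitimately resolve to an internal update mirror through split-horizon DNS should be left off the watchlist, or they will be flagged on every lookup.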
Installation
sudo apt install isr-evilgrade
Flags
Examples
evilgrade
evilgrade>config skype
evilgrade(skype)>start

root@kali:~# evilgrade
evilgrade>config skype
evilgrade(skype)>evilgrade -h
evilgrade(skype)>