Curiosity Pwned the Cat

‘Curiosity is lying in wait for every secret’. Ralph Waldo Emerson


At the beginning of this week just hours before the news of Hector Monsegur’s arrest broke, many of you will have noticed that my twitter profile pic changed from the usual ‘Jester Mask’ to a QR-Code. The timing of this subtle change could not have been more favorable, as interest peaked with the news of @anonymousabu’s demise visits to my twitter profile rocketed.


For posterity here’s a grab of said QR-Code:



Up until 30 minutes ago, anyone who scanned the QR-Code using their mobile device was taken to a jolly little greetingvia their devices default browser hosted on some free webspace (I have since replaced all QR-Codes in the interests of opsec to point to the end of the internet website). The greeting featured my original profile pic and the word ‘BOO!‘ directly below it.


So whats up with that?


Well, the thing about QR-Codes is 99% of the time they will be accessed via a mobile device, and 99% of those will be iPhone or Android devices. This gives me a known and narrow vector to exploit.



Now before you all start freaking out it was a highly targeted and precise attack, against known bad guys, randoms were left totally unscathed. Allow me to explain further……



Embedded inside the webpage with the ‘BOO’ greeting was some UTF encoded javascript, (I used this site to encode it) inside which was some code execution shellcode. When anyone hit the page the shellcode executed. The shellcode was a modified and updated version of the use-after-free remote code execution CVE-2010-1807, a known exploit for Webkit, which facilitated a reverse TCP shell connection to a ‘remote server’ which had an instance of netcat listening on port 37337.



I was going to leave it like this for a full week, however a keen eyed tweep going by the moniker @rootdial spotted the embedded code and asked about it via twitter (he wasn’t being malicious, just wondered if I knew about it.)



Webkit is an SDK component part used in both Safari for iPhone and also Chrome for Android.



UPDATE: after multiple reports of this blog post triggering AVG Threat Detection I have opted to remove the source code  and use screendumps instead.





and here is the raw shellcode (slightly modified so #anonymous can’t re-use it on YOU!)


So in a nutshell when anyone scanned the original QR-Code using an iPhone or Android device, their device would silently make a TCP Shell connection back to my remote server. (like a phone call if you like).


Now for the really clever bit….



With Netcat listening at the other end for incoming connections, you can configure it to execute it’s own script when it receives a connection for example to send a Message of the Day to the connecting device, you would run netcat like this on your server:


nc -v -l -p 37337 -e “/bin/cat /etc/motd”


That’s just an example, in this instance I had a script run that essentially checked to see:



  • if any of the major mobile twitter clients were installed on the remote connecting device.
  • if so read twitter username associated with device (just the username!). Don’t you love OAUTH.


I also had a list of ‘targets’ – twitter usernames I was interested in, these were comprised of usernames of:



  • Islamic Extremists
  • Al Qaeda Supporters
  • Anonymous Members
  • Lulz/Antisec Members


Here’s a very SMALL sample of the much longer list: @alemarahweb,@HSMPress @AnonymousIRC, @wikileaks, @anonyops, @barretbrownlol, @DiscordiAnon etc etc etc



to name but a few……. now then if the devices twitter client was not associated with a twitter account, or it was but the account WAS NOT on the ‘shit list’ the connection was immediately terminated by the server and re-initialized into listening mode – waiting for the next visitor.






If the pre-requisite conditions outlined above were met and the devices twitter client WAS associated with an account on the ‘shit list’ things got very interesting. Another script fired elevating permissions and raping the SMS logs, call logs, & phonebooks and (as long as the user was using the default out of the box email client) emails stored within.



Creepy? Only if you are naughty.



In all this ‘curiosity pwned the cat’ sting went on for 5 days un-noticed.



Here’s some facts and figures on how it went:


  • Over 1200 curious netizens scanned the QR-Code.
  • ^ Of those over 500 devices reverse shelled back to the listening server.
  • ^^ Of those, a significant number were on the ‘shit-list’ and as such treated as valid targets.



EVERYONE else without exception was left totally ‘untouched’ so to speak. This was a Proof of Concept QR-Code based operation against known bad guys, the same bad guys that leak YOUR information, steal YOUR CC nums, and engage in terror plots around the world.


I do not feel sorry for them.


In the interests of convenience I will be taking the liberty of uploading the captured bad-guy data in a signed PGP encrypted file to a suitable location very soon. How’s that for ‘lulz’?


Here endeth the lesson.



UPDATE 03/12/2012

The resulting raw dump of the verbose output log from this exercise can be downloaded using the link below – although it’s encrypted with my PGP Public key. Have fun with that.

There’s an unequal amount of good and bad in most things, the trick is to work out the ratio and act accordingly.