
Curiosity Pwned the Cat


th3 j35t3r


‘Curiosity is lying in wait for every secret’.  – Ralph Waldo Emerson

At the beginning of this week, just hours before the news of Hector Monsegur’s arrest broke, many of you will have noticed that my twitter profile pic changed from the usual ‘Jester Mask’ to a QR-Code. The timing of this subtle change could not have been more favorable: as interest peaked with the news of @anonymousabu’s demise, visits to my twitter profile rocketed. For posterity here’s a grab of said QR-Code:


th3j35t3r QR-Code Exploit

Up until 30 minutes ago, anyone who scanned the QR-Code using their mobile device was taken to a jolly little greeting via their device’s default browser, hosted on some free webspace (I have since replaced all QR-Codes in the interests of opsec to point to the end of the internet website). The greeting featured my original profile pic and the word ‘BOO!’ directly below it, as per the screen grab below:

th3j35t3r Javascript Exploit Page


So what’s up with that?

Well, the thing about QR-Codes is 99% of the time they will be accessed via a mobile device, and 99% of those will be iPhone or Android devices. This gives me a known and narrow vector to exploit.

Now before you all start freaking out it was a highly targeted and precise attack, against known bad guys, randoms were left totally unscathed. Allow me to explain further……

Embedded inside the webpage with the ‘BOO’ greeting was some UTF encrypted javascript, (I used this site to encrypt it) inside which was some code execution shellcode. When anyone hit the page the shellcode executed. The shellcode was a modified and updated version of the use-after-free remote code execution CVE-2010-1807, a known exploit for Webkit, which facilitated a reverse TCP shell connection to a ‘remote server’ which had an instance of netcat listening on port 37337.
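The post describes the payload only as ‘UTF encrypted javascript’ that unpacks a WebKit exploit. The usual obfuscator behind pages like this is plain JavaScript percent-escaping (%XX and %uXXXX) that `unescape()` reverses at run time, so a defender who has fetched a suspicious QR-Code landing page can peel those layers without ever executing the script. The following is an added example of that static triage; it is not code from the post, it reproduces nothing of the exploit, and the two sample pages, the decoder and heap-spray hint lists (`%u9090`, `%u0c0c` are classic IDS-style NOP-sled signatures) and the scoring threshold are all constructed assumptions.

```python
"""Static triage of a fetched page for escaped/obfuscated JavaScript.

Added example, not part of the original post. Assumptions: the obfuscation
is JavaScript percent-escaping (%XX / %uXXXX) undone by unescape() at run
time, and the sample pages, hint strings and thresholds below are constructed.
Nothing here executes the page's script.
"""
import re
from dataclasses import dataclass, field

# Run-time decode/execute primitives that turn a string back into code.
DECODER_CALLS = ("unescape(", "eval(", "String.fromCharCode", "document.write(")

# Classic heap-spray / NOP-sled byte patterns seen in escaped exploit strings
# (IDS-style signatures, deliberately not a complete list).
SHELLCODE_HINTS = ("%u9090", "%u0c0c", "\\x90\\x90")

PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")   # %uXXXX -> UTF-16 code unit
PCT_X = re.compile(r"%([0-9a-fA-F]{2})")    # %XX    -> single byte
UNESCAPE_ARG = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.DOTALL)


def js_unescape(text: str) -> str:
    """Reproduce JavaScript's unescape() without running any JavaScript."""
    text = PCT_U.sub(lambda m: chr(int(m.group(1), 16)), text)
    return PCT_X.sub(lambda m: chr(int(m.group(1), 16)), text)


@dataclass
class Triage:
    decoder_calls: list = field(default_factory=list)
    escape_count: int = 0
    decoded_layers: list = field(default_factory=list)
    shellcode_hints: list = field(default_factory=list)
    suspicious: bool = False


def triage_page(html: str, max_depth: int = 3, escape_threshold: int = 20) -> Triage:
    """Peel unescape() layers statically and score the page."""
    t = Triage()
    t.decoder_calls = [c for c in DECODER_CALLS if c in html]
    t.escape_count = len(PCT_U.findall(html)) + len(PCT_X.findall(html))

    # Decode every literal handed to unescape(), then look for nested layers.
    layer = html
    for _ in range(max_depth):
        args = [m.group(2) for m in UNESCAPE_ARG.finditer(layer)]
        if not args:
            break
        layer = "\n".join(js_unescape(a) for a in args)
        t.decoded_layers.append(layer)

    # Hints are searched in the raw page AND in what the escapes were hiding.
    haystack = (html + "".join(t.decoded_layers)).lower()
    t.shellcode_hints = [h for h in SHELLCODE_HINTS if h.lower() in haystack]

    heavy_escaping = bool(t.decoder_calls) and t.escape_count >= escape_threshold
    t.suspicious = bool(t.shellcode_hints) or heavy_escaping
    return t


# --- constructed sample pages -------------------------------------------------
BENIGN_PAGE = '<html><body><img src="mask.png"><p>BOO!</p></body></html>'

# A script that only becomes visible after unescape() runs. The inner string
# is itself escaped, so the detector has to peel two layers to see the hint.
HIDDEN_JS = '<script>var nop = unescape("%u9090%u9090%u9090%u9090");</script>'
ESCAPED = "".join("%%%02X" % ord(c) for c in HIDDEN_JS)   # percent-encode every char
SUSPECT_PAGE = (
    '<html><body><img src="mask.png"><p>BOO!</p>'
    '<script>document.write(unescape("' + ESCAPED + '"));</script>'
    '</body></html>'
)

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("suspect", SUSPECT_PAGE)):
        r = triage_page(page)
        print(f"{name}: suspicious={r.suspicious} escapes={r.escape_count} "
              f"decoders={r.decoder_calls} hints={r.shellcode_hints}")
        if r.decoded_layers:
            print("  first decoded layer:", r.decoded_layers[0][:80])
```

The point of decoding rather than just counting escapes is the second layer: the raw page never contains the `%u9090` hint, only the decoded script does, and a signature scan of the page as served would miss it. The threshold and hint list are starting points to tune against your own traffic, not a verdict.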

I was going to leave it like this for a full week, however a keen eyed tweep going by the moniker @rootdial spotted the embedded code and asked about it via twitter (he wasn’t being malicious, just wondered if I knew about it.)

Webkit is an SDK component part used in both Safari for iPhone and also Chrome for Android.

Here’s the encrypted version of the source code of the ‘BOO’ webpage:

Source code for th3je5ter's ‘BOO’ Webpage


and here is the raw shellcode (slightly modified so anons can’t re-use it)


th3je5ter's Raw Shellcode


So in a nutshell when anyone scanned the original QR-Code using an iPhone or Android device, their device would silently make a TCP Shell connection back to my remote server. (like a phone call if you like).
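From the network side, the tell-tale of a sting like this is fan-in: many devices on the same network each opening a connection to one external address on an unusual port, with more bytes leaving the device than arriving. The following is an added example of that check over flow records; it is not code from the post, and the log format (one flow per line: epoch, source, destination, destination port, bytes out, bytes in), the internal range 10.20.0.0/16, the expected-port allow-list, the thresholds and the sample lines are all constructed. Port 37337 appears only because the post names it.

```python
"""Fan-in detection for reverse-shell call-backs in flow logs.

Added example, not part of the original post. Assumptions: flows are
exported one per line as "epoch src dst dport bytes_out bytes_in", the
internal address range is 10.20.0.0/16, and the sample lines, the port
allow-list and the thresholds are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.20.0.0/16")

# Destination ports a mobile device is expected to talk to (web, DNS, NTP,
# mail, Apple/Google push). Anything else reached by many devices at once
# from the same external endpoint deserves a look.
EXPECTED_PORTS = {53, 80, 123, 443, 465, 587, 993, 995, 5223, 5228}


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    dport: int
    bytes_out: int
    bytes_in: int


@dataclass
class Finding:
    dst: str
    dport: int
    sources: int        # distinct internal devices that called back
    upload_heavy: int   # flows where more data left the device than arrived
    first_seen: int
    last_seen: int


def parse_flows(text: str) -> list:
    """Parse the constructed flow format; skip blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, dport, out_b, in_b = parts
        flows.append(Flow(int(ts), src, dst, int(dport), int(out_b), int(in_b)))
    return flows


def find_fan_in(flows, min_sources: int = 3) -> list:
    """Group outbound flows to unexpected ports by endpoint and report fan-in."""
    by_endpoint = defaultdict(list)
    for f in flows:
        outbound = (ip_address(f.src) in INTERNAL_NET
                    and ip_address(f.dst) not in INTERNAL_NET)
        if outbound and f.dport not in EXPECTED_PORTS:
            by_endpoint[(f.dst, f.dport)].append(f)

    findings = []
    for (dst, dport), group in by_endpoint.items():
        sources = {f.src for f in group}
        if len(sources) < min_sources:
            continue
        findings.append(Finding(
            dst=dst, dport=dport, sources=len(sources),
            upload_heavy=sum(1 for f in group if f.bytes_out > f.bytes_in),
            first_seen=min(f.ts for f in group),
            last_seen=max(f.ts for f in group)))
    return sorted(findings, key=lambda x: -x.sources)


# Constructed sample: ordinary web traffic plus four devices calling back
# to one external host on a high port and mostly sending rather than receiving.
SAMPLE_FLOWS = """\
1331200001 10.20.0.11 203.0.113.9    443  1200 48000
1331200002 10.20.0.12 203.0.113.9    443   900 31000
1331200003 10.20.0.13 198.51.100.7 37337  4096   180
1331200004 10.20.0.14 198.51.100.7 37337  5100   200
1331200005 10.20.0.15 198.51.100.7 37337  3900   175
1331200006 10.20.0.16 198.51.100.7 37337  1000    90
1331200007 10.20.0.11 203.0.113.20    80   300 12000
1331200008 10.20.0.17 203.0.113.21  8443   700  5000
"""

if __name__ == "__main__":
    for hit in find_fan_in(parse_flows(SAMPLE_FLOWS)):
        print(f"{hit.sources} devices -> {hit.dst}:{hit.dport}, "
              f"{hit.upload_heavy} upload-heavy flows, "
              f"window {hit.first_seen}-{hit.last_seen}")
```

A single device on an odd port (the 8443 line) is not enough to fire; the rule keys on the number of distinct sources, which is what a drive-by aimed at everyone who scans a code produces and a single misconfigured app does not. The upload-heavy count is reported separately so an analyst can tell a shell or data pull from, say, a shared push service on a non-standard port.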

Now for the really clever bit….

With Netcat listening at the other end for incoming connections, you can configure it to execute its own script when it receives a connection. For example, to send a Message of the Day to the connecting device, you would run netcat like this on your server:

nc -v -l -p 37337 -e "/bin/cat /etc/motd"

That’s just an example, in this instance I had a script run that essentially checked to see:

  • if any of the major mobile twitter clients were installed on the remote connecting device.
  • if so read the twitter username associated with the device (just the username!). Don’t you love OAUTH.

I also had a list of ‘targets’ – twitter usernames I was interested in, these were comprised of usernames of:

  • Islamic Extremists
  • Al Qaeda Supporters
  • Anonymous Members
  • Lulz/Antisec Members

Here’s a very SMALL sample of the much longer list:

@alemarahweb, @HSMPress, @AnonymousIRC, @wikileaks, @anonyops, @barretbrownlol, @DiscordiAnon

to name but a few……. Now then, if the device’s twitter client was not associated with a twitter account, or it was but the account WAS NOT on the ‘shit list’, the connection was immediately terminated by the server and re-initialized into listening mode – waiting for the next visitor.


If the pre-requisite conditions outlined above were met and the device’s twitter client WAS associated with an account on the ‘shit list’, things got very interesting. Another script fired, elevating permissions and raping the SMS logs, call logs, & phonebooks and (as long as the user was using the default out of the box email client) emails stored within.

Creepy? Only if you are naughty.

In all this ‘curiosity pwned the cat’ sting went on for 5 days un-noticed.

Here’s some facts and figures on how it went:

  • Over 1200 curious netizens scanned the QR-Code.
  • ^ Of those over 500 devices reverse shelled back to the listening server.
  • ^^ Of those, a significant number were on the ‘shit-list’ and as such treated as valid targets.


EVERYONE else without exception was left totally ‘untouched’ so to speak. This was a Proof of Concept QR-Code based operation against known bad guys, the same bad guys that leak YOUR information, steal YOUR CC nums, and engage in terror plots around the world.

I do not feel sorry for them.

In the interests of convenience I will be taking the liberty of uploading the captured bad-guy data in a signed PGP encrypted file to a suitable location very soon. How’s that for ‘lulz’?

There’s an unequal amount of good and bad in most things, the trick is to work out the ratio and act accordingly.

Here endeth the lesson.



  1. I have watched th3j35t3r for a couple of years now…first time I have seen something like this from him, although he never fails to surprise me 🙂 It just goes to show, don’t get th3j35t3r on your bad side or it’s “TANGO DOWN” for you too!
