‘Curiosity is lying in wait for every secret’. – Ralph Waldo Emerson
At the beginning of this week just hours before the news of Hector Monsegur’s arrest broke, many of you will have noticed that my twitter profile pic changed from the usual ‘Jester Mask’ to a QR-Code. The timing of this subtle change could not have been more favorable, as interest peaked with the news of @anonymousabu’s demise visits to my twitter profile rocketed. For posterity here’s a grab of said QR-Code:
Up until 30 minutes ago, anyone who scanned the QR-Code using their mobile device was taken to a jolly little greeting via their devices default browser hosted on some free webspace (I have since replaced all QR-Codes in the interests of opsec to point to the end of the internet website). The greeting featured my original profile pic and the word ‘BOO!‘ directly below it as per the screen grab below:
So whats up with that?
Well, the thing about QR-Codes is 99% of the time they will be accessed via a mobile device, and 99% of those will be iPhone or Android devices. This gives me a known and narrow vector to exploit.
Now before you all start freaking out it was a highly targeted and precise attack, against known bad guys, randoms were left totally unscathed. Allow me to explain further……
I was going to leave it like this for a full week, however a keen eyed tweep going by the moniker @rootdial spotted the embedded code and asked about it via twitter (he wasn’t being malicious, just wondered if I knew about it.)
Webkit is an SDK component part used in both Safari for iPhone and also Chrome for Android.
Here’s the encrypted version of the source code of the ‘BOO’ webpage:
and here is the raw shellcode (slightly modified so anons can’t re-use it)
So in a nutshell when anyone scanned the original QR-Code using an iPhone or Android device, their device would silently make a TCP Shell connection back to my remote server. (like a phone call if you like).
Now for the really clever bit….
With Netcat listening at the other end for incoming connections, you can configure it to execute it’s own script when it receives a connection for example to send a Message of the Day to the connecting device, you would runnetcat like this on your server:
nc -v -l -p 37337 -e “/bin/cat /etc/motd”
That’s just an example, in this instance I had a script run that essentially checked to see:
- if any of the major mobile twitter clients were installed on the remote connecting device.
- if so read the twitter username associated with the device (just the username!). Don’t you love OAUTH.
I also had a list of ‘targets’ – twitter usernames I was interested in, these were comprised of usernames of:
- Islamic Extremists
- Al Qaeda Supporters
- Anonymous Members
- Lulz/Antisec Members
Here’s a very SMALL sample of the much longer list:
to name but a few……. now then if the devices twitter client was not associated with a twitter account, or it was but the account WAS NOT on the ‘shit list’ the connection was immediately terminated by the server and re-initialized into listening mode – waiting for the next visitor.
If the pre-requisite conditions outlined above were met and the devices twitter client WAS associated with an account on the ‘shit list’ things got very interesting. Another script fired elevating permissions and raping the SMS logs, call logs, & phonebooks and (as long as the user was using the default out of the box email client) emails stored within.
Creepy? Only if you are naughty.
In all this ‘curiosity pwned the cat’ sting went on for 5 days un-noticed.
Here’s some facts and figures on how it went:
- Over 1200 curious netizens scanned the QR-Code.
- ^ Of those over 500 devices reverse shelled back to the listening server.
- ^^ Of those, a significant number were on the ‘shit-list’ and as such treated as valid targets.
EVERYONE else without exception was left totally ‘untouched’ so to speak. This was a Proof of Concept QR-Code based operation against known bad guys, the same bad guys that leak YOUR information, steal YOUR CC nums, and engage in terror plots around the world.
I do not feel sorry for them.
In the interests of convenience I will be taking the liberty of uploading the captured bad-guy data in a signed PGP encrypted file to a suitable location very soon. How’s that for ‘lulz’?
There’s an unequal amount of good and bad in most things, the trick is to work out the ratio and act accordingly.
Here endeth the lesson.