The Jester's QR-Code Pwns Targets with WebKit Exploit

Friday, March 09, 2012



Update: The Jester Posts PGP Data File from Webkit Exploit Op

The Jester posted a link to data exfiltrated during last week's Webkit exploit aimed at mobile device users who scanned the QR-code posted as an avatar on his Twitter account and then were cross-referenced with a database of targeted jihadi and Anonymous operatives...

*   *   *

Anti-jihadi hacker and Anonymous/AntiSec/LulzSec nemesis The Jester (th3j35t3r) claims to have pulled a fast one on some undesirables, taking advantage of the target's curious nature and a known smartphone exploit.

"It was a highly targeted and precise attack, against known bad guys, randoms were left totally unscathed," The Jester blogged.

The operation was intended to snare unsuspecting targets The Jester had previously identified and aggregated in a database, while supposedly leaving non-targets unscathed.

"At the beginning of this week just hours before the news of Hector Monsegur’s arrest broke, many of you will have noticed that my twitter profile pic changed from the usual ‘Jester Mask’ to a QR-Code. The timing of this subtle change could not have been more favorable," Jester wrote.

Those who scanned the QR-Code with an Android or iPhone mobile device were automatically directed to a website that displayed The Jester's oft-used avatar and the message "BOO!".

"Embedded inside the webpage with the ‘BOO’ greeting was some UTF encrypted javascript, (I used this site to encrypt it) inside which was some code execution shellcode. When anyone hit the page the shellcode executed. The shellcode was a modified and updated version of the use-after-free remote code execution CVE-2010-1807, a known exploit for Webkit, which facilitated a reverse TCP shell connection to a ‘remote server’ which had an instance of netcat listening on port 37337... Webkit is an SDK component part used in both Safari for iPhone and also Chrome for Android," Jester explains.

"So in a nutshell when anyone scanned the original QR-Code using an iPhone or Android device, their device would silently make a TCP Shell connection back to my remote server... With Netcat listening at the other end for incoming connections, you can configure it to execute it’s own script when it receives a connection," he continued.
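The passage above describes an escape-encoded ("UTF encrypted") JavaScript string that hides shellcode inside an otherwise harmless-looking page. As an added example (not the page's or The Jester's code), the following Python scanner decodes the `%uXXXX` / `\uXXXX` escape runs a page carries and flags those that decode to shellcode-like bytes, which is the check the keen-eyed follower effectively did by hand; the sample HTML is constructed.

```python
import re

# Constructed sample page: a "BOO!" greeting plus an unescape()-wrapped
# %u-encoded string, standing in for the hidden script the article describes.
SAMPLE_HTML = (
    "<html><body><h1>BOO!</h1><script>"
    "var s = unescape('%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090"
    "%uc033%u5050%u5050%u5050');"
    "</script></body></html>"
)

# A run of at least eight consecutive %uXXXX or \uXXXX escapes; short runs are
# ordinary text escaping, long runs are how encoded payloads are usually stored.
ESCAPE_RE = re.compile(r"((?:%u[0-9a-fA-F]{4}|\\u[0-9a-fA-F]{4}){8,})")


def decode_escapes(s):
    """Turn %uXXXX / \\uXXXX escapes into raw bytes.

    JavaScript unescape() yields UTF-16 code units, so each 4-hex-digit escape
    becomes two little-endian bytes (%uc033 -> 33 c0).
    """
    out = bytearray()
    for m in re.finditer(r"(?:%u|\\u)([0-9a-fA-F]{4})", s):
        out += int(m.group(1), 16).to_bytes(2, "little")
    return bytes(out)


def looks_like_shellcode(data):
    """Heuristic: a NOP sled (0x90 x 8) or a mostly non-printable byte stream."""
    if len(data) < 16:
        return False
    nonprint = sum(b < 0x20 or b > 0x7E for b in data) / len(data)
    return b"\x90" * 8 in data or nonprint > 0.5


def scan_page(html):
    """Return one finding per long escape run found in the page's HTML/JS."""
    findings = []
    for m in ESCAPE_RE.finditer(html):
        blob = m.group(1)
        data = decode_escapes(blob)
        findings.append({
            "offset": m.start(),
            "escapes": blob.count("%u") + blob.count("\\u"),
            "decoded_len": len(data),
            "nop_sled": b"\x90" * 8 in data,
            "suspicious": looks_like_shellcode(data),
        })
    return findings
```

Run `scan_page` over the HTML a QR-code URL resolves to (fetched in a sandbox, not on a phone) before anyone visits it; a finding with `suspicious` set is the cue to pull the page apart further.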

Those who scanned the QR-Code were then cross-referenced with Jester's database of known targets, and those targets were subsequently pwned, having their address books, texts and emails exfiltrated.

"If the pre-requisite conditions outlined above were met and the devices twitter client WAS associated with an account on the ‘shit list’ things got very interesting. Another script fired elevating permissions and raping the SMS logs, call logs, & phonebooks and (as long as the user was using the default out of the box email client) emails stored within. Creepy? Only if you are naughty," Jester taunted.

The Jester states that the QR-Code was scanned as many as 1200 times, with more than 500 of those scans connecting back to the server. Of those, an undisclosed number matched entries in the target database.

The operation was intended to go on for a few more days, but The Jester cut it short after a keen-eyed Twitter follower noticed the embedded code and inquired about it.

"In the interests of convenience I will be taking the liberty of uploading the captured bad-guy data in a signed PGP encrypted file to a suitable location very soon. How’s that for ‘lulz’?" Jester said.

Needless to say, there are probably more than a few jihadists and scriptkiddies who are in a near-pucker with this disclosure.

The full write up on the exploit along with screenshots and exploit code samples can be found here:

