th3j35t3r and QR exploits exposed
Greetings, my children. I have been watching this, but it appears no one has commented on the grand th3j35t3r’s epic fails and mistakes in his blog post “claiming” he pwned terrorists. Now, I would like you to refer to this image while we embark on a magickal train ride of fail.
So, you start out with this “highly targeted and precise attack, against known bad guys, randoms were left totally unscathed.” which is laughable at best. It appears only terrorists use QR codes, and no innocent person would ever scan one out of curiosity and look? You go on to claim to be using the “CVE-2010-1807” exploit, and this is where the epic fail really starts. CVE identifiers are made up of the obvious CVE prefix, the year, and a sequence number within that year. So without even checking the advisory, you are telling me you are using a 2-year-old, by now well-known and patched exploit? Do you have such a low opinion of, and so underestimate, “terrorists” that you assume they are running such outdated software and/or firmware on their “devices”? Should I mention that Android devices can install updates the same as iPhones (newer versions of both can auto-update)?
Now you claim “iPhone or Android devices” as your “known and narrow vector to exploit”. You do realize that shellcode is OS-dependent AND device-specific? Right…? This is like trying to force a Windows program to execute on a Tandy TRS-80; it just isn’t going to work. Your post mentions no device detection, there is nothing in the POC for it, and frankly it just seems to be a made-up combination of technical terms with a minimal grasp of what they mean.
“Now for the really clever bit…” I almost peed myself at what came next; this is pure fail on levels I am personally unable to express in words, but we shall try, oh we shall try. Netcat cannot handle multiple simultaneous connections, and it is not in any way an automated tool. Honestly, it would be more believable if you had coded your own automated tool to download the phones’ data than this story. Netcat is far from an optimal tool with which to pull off this rather outlandish story, which smells rather bad. So this is the magic command the shellcode runs: “nc -v -l -p 37337 -e "/bin/cat /etc/motd"”. He implies he has a super-secret script running in place of the command that prints the motd. He gives this as an example, but he obviously did not read his manual. A persistent listener would require “-L”, assuming he didn’t wrap it in “while  do jester_elite_netcat_command done”, which he does seem to imply he used. This also assumes that he will not take too long downloading his data from one device, possibly missing some other, probably innocent, person’s cell phone data. I am not knowledgeable as to how such data is stored on these devices, but I have doubts about coding a script to perform the described functions. It would require extensive research into all the major Twitter clients and associated software, not to mention the email clients, etc.
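To make the listener point concrete from the defender’s side, here is an added example (my own code, not from the original post or from th3j35t3r’s claimed tooling): a small Python checker that parses netcat command lines from constructed process telemetry, flags listeners that hand the accepted socket to a program, and records whether the listener is one-shot (“-l”, exits after the first client) or persistent (“-L” on the Windows netcat build, “-k” on ncat/OpenBSD nc). The binary-name set and the sample command lines are assumptions.

```python
import shlex
NC_BINARIES = {"nc", "ncat", "netcat", "nc.traditional", "nc.openbsd"}

def parse_nc_command(cmdline):
    """Return None unless argv[0] is a netcat variant, else a dict of listen/exec/persistence state."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] not in NC_BINARIES:
        return None
    info = {"cmd": cmdline, "listen": False, "persistent": False, "port": None, "exec_cmd": None}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-") and not tok.startswith("--") and len(tok) > 1:
            for j, ch in enumerate(tok[1:]):            # flags may be bundled: -lvp 4444
                if ch == "l":
                    info["listen"] = True
                elif ch == "L":                          # Windows nc: listen AND re-listen after each client
                    info["listen"] = info["persistent"] = True
                elif ch == "k":                          # ncat / OpenBSD nc: keep accepting clients
                    info["persistent"] = True
                elif ch in "pec":                        # these consume a value, glued or as next token
                    val = tok[j + 2:]
                    if not val and i + 1 < len(argv):
                        i += 1
                        val = argv[i]
                    if ch == "p":
                        info["port"] = int(val) if val.isdigit() else None
                    else:
                        info["exec_cmd"] = val
                    break
        elif tok.isdigit() and info["port"] is None:    # bare port form: nc -l 4444
            info["port"] = int(tok)
        i += 1
    return info

def find_bind_shells(lines):
    """Keep only listeners that hand the accepted socket to a program."""
    parsed = (parse_nc_command(line) for line in lines)
    return [p for p in parsed if p and p["listen"] and p["exec_cmd"]]

# Constructed sample process lines (not real telemetry); the first is the post's command.
SAMPLE_PROCESS_LINES = [
    'nc -v -l -p 37337 -e "/bin/cat /etc/motd"',  # one-shot: exits after the first client
    'nc -L -p 37337 -e cmd.exe',                  # Windows nc -L: survives multiple clients
    'nc -zv 10.0.0.5 22',                         # client-side connect test, not a listener
    'ncat -lvkp 4444 -c /bin/bash',               # persistent listener via -k
]
```

Run over real process-creation logs, the same parser distinguishes the one-shot “-l -e” listener the post describes from the persistent forms that would actually be needed to serve more than one connecting device.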
There is also the issue of the information possibly being stored as binary data, and the availability of text-processing commands on an embedded device. Then there is the question of how you extract fields from binary data on a restricted/embedded system… The only workable solution is a native executable installed on the device to do the dirty work, with multiple builds for compatibility/architecture. Any way you look at it, this is a very unoptimized method and is prone to intelligence being lost.
“EVERYONE else without exception was left totally ‘untouched’ so to speak. This was a Proof of Concept QR-Code based operation against known bad guys, the same bad guys that leak YOUR information, steal YOUR CC nums, and engage in terror plots around the world.”
I don’t really see the proof of concept in taking a 2-year-old CVE advisory and exploiting people en masse with it. This rather reminds me of doing the same things the guys you claim to fight would do; hypocritical much? How do you define the “bad guys”? How do you know they are “bad”? By listing “Anonymous Members” in the bunch, you seem to imply that all Anonymous people “leak YOUR information, steal YOUR CC nums, and engage in terror plots around the world”. Are you that bigoted and single-minded that you classify all anons as credit-card-stealing terrorists? Granted, I am not a fan of Anonymous and do not support them, but I am not that full of blind, bigoted hate.