There are a lot of issues that don't make sense and problems with his write-up. I asked him about it and he couldn't say much about it besides a single admission of one of my points I outlined about usage of netcat. My talk with him regarding the issues I noticed in his blog post is here: http://pastebin.com/XbUTmjsp
Rather than re-posting all my thoughts on it, you can find them here: http://reapersec.wordpress.com/2012/03/13/th3j35t3r-and-qr-exploits-exposed/

Basic summary as follows: He is using a 2-year-old exploit with apparently no compensation for iOS or Android shellcodes. He then goes on to explain that he used netcat, which is a very inefficient tool to use for mass exploitation. Then there is the issue of how he extracted the data off the phones using a reverse shell, which I point out should optimally have been done with a native executable. I am honestly not that familiar with what exactly is installed on iOS and Androids but I would imagine it would require the 'strings' command at the very least.

If any other information comes to light or he responds to any criticisms so far reasonably I would say it's a complete fabrication. I, of course, can admit if I am wrong but so far I just don't see anything validating what he claimed to have done.

On Tue, Mar 13, 2012 at 6:14 AM, Fatherlaptop <[email protected]> wrote:
> So, anyone read the jester's "exploit" usage with QR code and netcat to catch
> bad guys?
>
> From: Randy
>
> It's an iPhone Thang!
> Was learning cursive necessary?
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
