
/===========================================================================\
|                              PSW Presents..                               |
|                                                                           |
|                H A C K I N G   R E N E G A D E   0 7 - 1 7                |
|                                                                           |
|                             Written by Tokyo                              |
|                                                                           |
|---------------------------------------------------------------------------|
|  This and other excellent files can be found at PSW HQ, the Dimensions    |
|  bulletin board in sunny Miami, Florida: (305) 383-2950                   |
\===========================================================================/


    The author grants you permission to reproduce, distribute, quote,
etcetera etcetera this document in any form you like but please keep
deletions, changes, mutilations, and so forth to a minimum.


Introduction
============

    So you want to leech hundreds of megs of files or get back at some
lamer sysop who kicked you off his system? Well, if it's a Renegade 07-17
system, you're in luck. Since there are a good number of these systems
out there, it is more than likely that you have several in your local
calling area alone, and plenty to play with if you're willing to dial
LD or phreak your way to one, whatever suits your fancy.
    The Renegade BBS software has many many holes just waiting to be
exploited by the hacker. Only a small number of these are discussed here but
with a little exploration and (perhaps) a bit of ingenuity, you should be
able to uncover some of the others on your own.


About Renegade Security
=======================

    In the most popular setup, the user is greeted either by the
echomail handler or by the sysop's clever ANSI drawing. The system then
prompts you for a user name or number and a password. Most systems also
ask that you enter the last four digits of your phone number. The software
can be set to prompt you to enter your birthdate every N logins just as an
extra precaution. If you are attempting to login as the sysop (#1) or as
any user that has some level of sysop access, you will be prompted to enter
the system password, which very typically happens to be identical to the
sysop's own password.
    The routines which handle user login, prompting for and verifying
passwords, phone numbers, birthdates, etc. are located in a file called
RENEGADE.OVR. These routines are loaded into memory and executed as
needed. Happily, it consists of nice plain compiler object code -- no
self-modification, encryption, and so forth. With just a couple of changes
to this key file, the Renegade software becomes extremely friendly to
hackers or, as a matter of fact, to anybody else who happens along.
    Bundled with this file should be two programs, FIXRG and UNFIXRG.
These are just a couple of stupid little assembly language programs I wrote
that NOP out a few bytes in RENEGADE.OVR. With just these few alterations,
however, the system will recognize any password and telephone number
entered at login as valid. It does NOT clear you through the occasional
birthdate check, nor does it clear you through the sysop password prompt.
UNFIXRG simply restores the original code, for use in covering up your
tracks once you've completed your handiwork.
    By this point, anybody with half a brain should realize that this fix
will only work on version 07-17 of Renegade. The good news is that this code
is unlikely to change dramatically in future versions of Renegade. Locating
the code that needs to be changed in future versions is a trivial debugging
exercise and should only require a couple of changes to the fix programs.
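For the sysop on the receiving end of this, here is an added example of the check that catches it. It is my own Python, not part of this file and unrelated to FIXRG/UNFIXRG: it compares a RENEGADE.OVR copy against a known-good copy (for instance the one in the distribution archive), reports every run of bytes that differs, and flags runs that were overwritten with x86 NOPs (0x90), since that is what "NOPing out" a check leaves behind. The 12-byte "overlay" in the script is constructed for the demonstration and is not the real overlay's code; the file names in the example call are placeholders.

```python
"""Detect byte-level patches to an overlay file by comparing it with a
known-good copy.  Added defensive example: it assumes nothing about the
real layout of RENEGADE.OVR, and the sample bytes below are constructed."""
import hashlib
from dataclasses import dataclass
from typing import List

NOP = 0x90  # x86 one-byte NOP; a patch that "NOPs out" a check writes these


@dataclass
class Patch:
    offset: int       # byte offset where the run of differences starts
    original: bytes   # bytes in the known-good copy
    current: bytes    # bytes found in the copy under test

    @property
    def is_nop_sled(self) -> bool:
        # Every replaced byte is a NOP: the signature of a check being stubbed out.
        # An empty run (file truncated) is not treated as a NOP patch.
        return len(self.current) > 0 and all(b == NOP for b in self.current)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_patches(baseline: bytes, current: bytes) -> List[Patch]:
    """Return every contiguous run of bytes that differs between the two copies.
    If the lengths differ, the common prefix is compared byte by byte and the
    remaining tail is reported as one extra patch."""
    if len(baseline) != len(current):
        n = min(len(baseline), len(current))
        head = find_patches(baseline[:n], current[:n])
        head.append(Patch(n, baseline[n:], current[n:]))
        return head
    patches: List[Patch] = []
    i = 0
    while i < len(baseline):
        if baseline[i] == current[i]:
            i += 1
            continue
        start = i
        while i < len(baseline) and baseline[i] != current[i]:
            i += 1
        patches.append(Patch(start, baseline[start:i], current[start:i]))
    return patches


def verify_overlay(baseline: bytes, current: bytes) -> dict:
    """Summarise integrity: both hashes, whether they match, and any patches."""
    patches = find_patches(baseline, current)
    return {
        "baseline_sha256": sha256(baseline),
        "current_sha256": sha256(current),
        "intact": sha256(baseline) == sha256(current),
        "patches": patches,
        "nop_patches": [p for p in patches if p.is_nop_sled],
    }


def verify_files(baseline_path: str, current_path: str) -> dict:
    """Same check on two files from disk (paths are supplied by the caller)."""
    with open(baseline_path, "rb") as f:
        baseline = f.read()
    with open(current_path, "rb") as f:
        current = f.read()
    return verify_overlay(baseline, current)


# Constructed sample (NOT the real overlay): a two-byte conditional branch at
# offset 5 guards a failure path.  The patched copy has it replaced with NOPs.
GOOD_OVERLAY = bytes.fromhex("5589e5 3c00 7505 b80000 c9c3")     # constructed
PATCHED_OVERLAY = bytes.fromhex("5589e5 3c00 9090 b80000 c9c3")  # constructed

if __name__ == "__main__":
    # Real use: verify_files("RENEGADE.OVR.known-good", "RENEGADE.OVR")
    report = verify_overlay(GOOD_OVERLAY, PATCHED_OVERLAY)
    print("intact:", report["intact"])
    for p in report["patches"]:
        flag = " (NOP patch)" if p.is_nop_sled else ""
        print(f"offset 0x{p.offset:04x}: {p.original.hex()} -> {p.current.hex()}{flag}")
```

The baseline hash should be taken from a pristine copy and kept off the BBS machine, and the comparison rerun after any uploaded program has been executed on it. The read-only attribute mentioned later in this file is not a control: any program running on the machine can clear it before writing, so only an out-of-band comparison like this one tells you the overlay is still what you installed.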


What To Do
==========

    First, verify that the target system is operating version 07-17.
This is very easy to do as the program displays a copyright notice
showing the version just before transmitting the ANSI greeting.
    Once you know that you've got a workable system you need to be
able to get the fix program into the system. This, of course, involves
having an account on the system. Either login as a new user with fake
information or, far more preferably, use information gleaned from hacking
other systems to use somebody else's account. Very very often, people
either reuse the same passwords or use passwords with a recognizable
pattern. This part generally does not present a problem.
    On more security-conscious systems, you will not be immediately
greeted with a username prompt but will first have to get through the
"shuttle login" screen. This simply asks you to enter a BBS password or
a newuser password before granting you access to the main system. BBS
passwords are generally either well known or can be easily found. Many
users enter BBS passwords in the 'reference' field of their newuser
applications. Again, information gathered from successfully hacking other
systems can be extremely helpful in this regard.
    The real trick to this specific approach is getting the fix to
be run on the machine with Renegade on it. There are numerous ways of going
about this. The best way of doing this is embedding either this specific
fix code or some other equivalent code into some game or utility and
uploading it to the system. Choose something that is likely to be run
on the target machine. The demonstration code enclosed in this package
attempts to open RENEGADE.OVR in the '\renegade', '\bbs', and '\rene'
directories of the drive as these are the directories where the file is
most likely to be found. When preparing your little trojan you may want
to put some more effort into the altering code, perhaps having it search
through every directory in the drive or ensuring that the -r attribute
is off.
    You can use this in conjunction with any other holes you may be
aware of such as those found in those ever-popular doors or external
protocols. Be creative.


Once You're In
==============

    Once the fix is implemented, you're in business. You can log in as
any ordinary user of the system, download files, leave obscene automessages,
change passwords, get personal information (perhaps for hacking other
systems), and so on. Keep in mind that anybody who happens to call a
system with an altered RENEGADE.OVR will be able to do the same thing. How
long do you suppose it would take somebody else to realize that all the
accounts have been unlocked?
    One particularly nice feature of Renegade is that you don't need
sysop access to use it. All you need to be able to do is execute an
absolute download, '/D'. Co-sysops and remote sysops typically do not have
sysop access but are still able to use this feature. What this command
allows you to do is download any file in any path on the system. And what
files are you interested in? Well, a good place to start is
'\renegade\renegade.dat'. This file has all of the system passwords in it.
Next move on to the user database, 'users.dat'. Once you have this, just
view it with your favorite hex editor (Norton or any one of the eight
million viewers out there will do). In one shot you've got all of the user
information at your disposal. There's no encryption or anything like that,
and all of the text strings are in Pascal format, where the first byte in
each sequence tells you the number of characters that follow.
    User account information can also be viewed and altered online from
the sysop menu, although this is considerably slower than downloading the
user database. If you've only got your hands on a cosysop account
(security level s250), just go to the system setup area and lower the
minimum security level settings for whatever command functions you
wish to perform.

Happy hacking!

****************************************************************************
Call the Dimensions BBS at (305) 383-2950
****************************************************************************
