/===========================================================================\
| PSW Presents.. |
| |
| H A C K I N G R E N E G A D E 0 7 - 1 7 |
| |
| Written by Tokyo |
| |
|---------------------------------------------------------------------------|
| This and other excellent files can be found at PSW HQ, the Dimensions |
| bulletin board in sunny Miami, Florida: (305) 383-2950 |
\===========================================================================/
The author grants you permission to reproduce, distribute, quote,
etcetera etcetera this document in any form you like but please keep
deletions, changes, mutilations, and so forth to a minimum.
Introduction
============
So you want to leech hundreds of megs of files or get back at some
lamer sysop who kicked you off his system? Well, if it's a Renegade 07-17
system, you're in luck. Since there are a good number of these systems
out there, it is more than likely that you have several in your local
calling area alone, and plenty to play with if you're willing to dial
LD or phreak your way to one, whatever suits your fancy.
The Renegade BBS software has many many holes just waiting to be
exploited by the hacker. Only a small number of these are discussed here but
with a little exploration and (perhaps) a bit of ingenuity, you should be
able to uncover some of the others on your own.
About Renegade Security
=======================
In the most popular setup, the user is greeted either by the
echomail handler or by the sysop's clever ANSI drawing. The system then
prompts you for a user name or number and a password. Most systems also
ask that you enter the last four digits of your phone number. The software
can be set to prompt you to enter your birthdate every N logins just as an
extra precaution. If you are attempting to login as the sysop (#1) or as
any user that has some level of sysop access, you will be prompted to enter
the system password which happens very typically to be identical to the
sysop's own password.
The routines which handle user login, prompting for and verifying
passwords, phone numbers, birthdates, etc... are located in a file called
RENEGADE.OVR. These routines are loaded into memory and executed as
needed. Happily, it is comprised of nice compiler object code -- no
self-modifications, encryption, and so forth. With just a couple of changes
to this key file, the Renegade software becomes extremely friendly to
hackers or, as a matter of fact, to anybody else who happens along.
Bundled with this file should be two programs, FIXRG and UNFIXRG.
These are just a couple stupid little assembly language programs I wrote
that NOP out a few bytes in RENEGADE.OVR. With just these few alterations,
however, the system will recognize any password and telephone number
entered at login as valid. It does NOT clear you through the occasional
birthdate check nor does it clear you through the sysop password prompt.
UNFIXRG simply replaces the original code, for use in covering up your
tracks once you've completed your handywork.
By this point, anybody with half a brain should realize that this fix
will only work on version 07-17 of Renegade. The good news is that this code
is unlikely to dramatically change in future versions of Renegade. Locating
the code that needs to be changed in future versions is a trivial debugging
exercise and should only require a couple of changes to the fix programs.
What To Do
==========
First, verify that the target system is operating version 07-17.
This is very easy to do as the program displays a copyright notice
showing the version just before transmitting the ANSI greeting.
Once you know that you've got a workable system you need to be
able to get the fix program into the system. This, of course, involves
having an account on the system. Either login as a new user with fake
information or, far more preferably, use information gleaned from hacking
other systems to use somebody else's account. Very very often, people
either reuse the same passwords or use passwords with a recognizable
pattern. This part generally does not present a problem.
On more security-conscious systems, you will not be immediately
greeted with a username prompt but will first have to get through the
"shuttle login" screen. This simply asks you to enter a BBS password or
a newuser password before granting you access to the main system. BBS
passwords are generally either well known or can be easily found. Many
users enter BBS passwords in the 'reference' field of their newuser
applications. Again, information gathered from successfully hacking other
systems can be extremely helpful in this regard.
The real trick to this specific approach is getting the fix to
be run on the machine with Renegade on it. There are numerous ways of going
about this. The best way of doing this is embedding either this specific
fix code or some other equivalent code into some game or utility and
uploading it to the system. Choose something that is likely to be run
on the target machine. The demonstration code enclosed in this package
attempts to open RENEGADE.OVR in the '\renegade', '\bbs', and '\rene'
directories of the drive as these are the directories where the file is
most likely to be found. When preparing your little trojan you may want
to put some more effort into the altering code, perhaps having it search
through every directory in the drive or ensuring that the -r attribute
is off.
You can use this in conjunction with any other holes you may be
aware of such as those found in those ever-popular doors or external
protocols. Be creative.
Once You're In
==============
Once the fix is implemented, you're in business. You can log in as
any ordinary user of the system, download files, leave obscene automessages,
change passwords, get personal information (perhaps for hacking other
systems), and so on. Keep in mind that anybody that happens to call a
system with an altered RENEGADE.OVR will be able to do the same thing. How
long do you suppose it would take somebody else to realize that all the
accounts have been unlocked?
One particularly nice feature of Renegade is that you don't need
sysop access to have it. All you need to be able to do is execute an
absolute download, '/D'. Co/remote-sysops typically do not have sysop
access but are still able to use this feature. What this command allows
you to do is download any file in any path in the system. And what files
are you interested in? Well, a good place to start is
'\renegade\renegade.dat'. This file has all of the system passwords in it.
Next move on to the user database, 'users.dat'. Once you have this, just
view it with your favorite hex editor (Norton or any one of the eight
million viewers out there will do). In one shot you've got all of the user
information at your disposal. There's no encryption or anything like that
and all of the text strings are in Pascal format where the first byte in
each sequence tells you the number of characters that follow.
User account information can also be viewed and altered online from
the sysop menu although this is considerably slower than downloading the
user database. If you've only got your hands on a cosysop account
(security level s250), just go to the system setup area and lower the
minimum security level settings for whatever command functions you
wish to perform.
Happy hacking!
****************************************************************************
Call the Dimensions BBS at (305) 383-2950
****************************************************************************