/===========================================================================\
|                              PSW Presents..                               |
|                                                                           |
|                H A C K I N G   R E N E G A D E   0 7 - 1 7                |
|                                                                           |
|                             Written by Tokyo                              |
|                                                                           |
|---------------------------------------------------------------------------|
| This and other excellent files can be found at PSW HQ, the Dimensions     |
| bulletin board in sunny Miami, Florida: (305) 383-2950                    |
\===========================================================================/

The author grants you permission to reproduce, distribute, quote, etcetera
etcetera this document in any form you like, but please keep deletions,
changes, mutilations, and so forth to a minimum.

Introduction
============

So you want to leech hundreds of megs of files or get back at some lamer
sysop who kicked you off his system? Well, if it's a Renegade 07-17 system,
you're in luck. Since there are a good number of these systems out there, it
is more than likely that you have several in your local calling area alone,
and plenty to play with if you're willing to dial LD or phreak your way to
one, whatever suits your fancy.

The Renegade BBS software has many holes just waiting to be exploited by the
hacker. Only a small number of these are discussed here, but with a little
exploration and (perhaps) a bit of ingenuity, you should be able to uncover
some of the others on your own.

About Renegade Security
=======================

In the most popular setup, the user is greeted either by the echomail handler
or by the sysop's clever ANSI drawing. The system then prompts you for a user
name or number and a password. Most systems also ask that you enter the last
four digits of your phone number. The software can be set to prompt you to
enter your birthdate every N logins just as an extra precaution.

If you are attempting to log in as the sysop (#1) or as any user that has
some level of sysop access, you will be prompted to enter the system
password, which very typically happens to be identical to the sysop's own
password.

The routines which handle user login, prompting for and verifying passwords,
phone numbers, birthdates, etc., are located in a file called RENEGADE.OVR.
These routines are loaded into memory and executed as needed. Happily, the
file consists of plain compiler object code -- no self-modification,
encryption, and so forth. With just a couple of changes to this key file,
the Renegade software becomes extremely friendly to hackers or, as a matter
of fact, to anybody else who happens along.

Bundled with this file should be two programs, FIXRG and UNFIXRG. These are
just a couple of stupid little assembly language programs I wrote that NOP
out a few bytes in RENEGADE.OVR. With just these few alterations, the system
will recognize any password and telephone number entered at login as valid.
It does NOT clear you through the occasional birthdate check, nor does it
clear you through the sysop password prompt. UNFIXRG simply restores the
original code, for use in covering up your tracks once you've completed your
handiwork.

By this point, anybody with half a brain should realize that this fix will
only work on version 07-17 of Renegade. The good news is that this code is
unlikely to change dramatically in future versions of Renegade. Locating the
code that needs to be changed in future versions is a trivial debugging
exercise and should only require a couple of changes to the fix programs.

What To Do
==========

First, verify that the target system is running version 07-17. This is very
easy to do, as the program displays a copyright notice showing the version
just before transmitting the ANSI greeting. Once you know that you've got a
workable system, you need to be able to get the fix program onto the system.
This, of course, involves having an account on the system. Either log in as
a new user with fake information or, far more preferably, use information
gleaned from hacking other systems to use somebody else's account. Very
often, people either reuse the same passwords or use passwords with a
recognizable pattern. This part generally does not present a problem.

On more security-conscious systems, you will not be immediately greeted with
a username prompt but will first have to get through the "shuttle login"
screen. This simply asks you to enter a BBS password or a newuser password
before granting you access to the main system. BBS passwords are generally
either well known or can be easily found. Many users enter BBS passwords in
the 'reference' field of their newuser applications. Again, information
gathered from successfully hacking other systems can be extremely helpful in
this regard.

The real trick to this specific approach is getting the fix to be run on the
machine with Renegade on it. There are numerous ways of going about this.
The best way is embedding either this specific fix code or some other
equivalent code into some game or utility and uploading it to the system.
Choose something that is likely to be run on the target machine. The
demonstration code enclosed in this package attempts to open RENEGADE.OVR in
the '\renegade', '\bbs', and '\rene' directories of the drive, as these are
the directories where the file is most likely to be found. When preparing
your little trojan, you may want to put some more effort into the altering
code, perhaps having it search through every directory on the drive or
ensuring that the -r (read-only) attribute is off. You can use this in
conjunction with any other holes you may be aware of, such as those found in
those ever-popular doors or external protocols. Be creative.

Once You're In
==============

Once the fix is implemented, you're in business. You can log in as any
ordinary user of the system, download files, leave obscene automessages,
change passwords, get personal information (perhaps for hacking other
systems), and so on. Keep in mind that anybody that happens to call a system
with an altered RENEGADE.OVR will be able to do the same thing. How long do
you suppose it would take somebody else to realize that all the accounts
have been unlocked?

One particularly nice feature of Renegade is that you don't need sysop
access to have it. All you need to be able to do is execute an absolute
download, '/D'. Co-sysops and remote sysops typically do not have sysop
access but are still able to use this feature. What this command allows you
to do is download any file in any path on the system. And what files are you
interested in? Well, a good place to start is '\renegade\renegade.dat'. This
file has all of the system passwords in it. Next, move on to the user
database, 'users.dat'. Once you have this, just view it with your favorite
hex editor (Norton or any one of the eight million viewers out there will
do). In one shot you've got all of the user information at your disposal.
There's no encryption or anything like that, and all of the text strings are
in Pascal format, where the first byte in each sequence tells you the number
of characters that follow.

User account information can also be viewed and altered online from the
sysop menu, although this is considerably slower than downloading the user
database. If you've only got your hands on a cosysop account (security level
s250), just go to the system setup area and lower the minimum security level
settings for whatever command functions you wish to perform.

Happy hacking!

****************************************************************************
Call the Dimensions BBS at (305) 383-2950
****************************************************************************
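A defender's footnote on the overlay patch described under "About Renegade Security" and "What To Do", added here as an example and not part of the original file or of the FIXRG/UNFIXRG programs: given a known-good copy of RENEGADE.OVR (or a SHA-256 baseline recorded from it), the script reports whether the installed overlay still matches and exactly which byte ranges were rewritten, which is how a sysop would catch the altered file the text says nobody notices. The byte strings below are constructed stand-ins, not the real overlay.

```python
import hashlib

# Constructed stand-in for a known-good RENEGADE.OVR (made-up 16-bit x86
# bytes, not the real overlay); the baseline hash would come from the
# distribution archive before the board goes online.
GOOD_OVR = bytes.fromhex(
    "558bec83ec10"   # push bp / mov bp,sp / sub sp,10h
    "e81234"         # call rel16
    "0bc0"           # or ax,ax
    "7405"           # jz +5
    "b80100"         # mov ax,1
    "8be55dc3"       # mov sp,bp / pop bp / ret
)
# Constructed tampered copy: the conditional jump is overwritten with NOPs.
PATCHED_OVR = GOOD_OVR[:11] + b"\x90\x90" + GOOD_OVR[13:]

def sha256_hex(data: bytes) -> str:
    """Fingerprint to record as the baseline for the overlay file."""
    return hashlib.sha256(data).hexdigest()

def integrity_ok(data: bytes, baseline_hex: str) -> bool:
    """True when the current image still matches the recorded baseline."""
    return sha256_hex(data) == baseline_hex

def find_patched_ranges(good: bytes, suspect: bytes) -> list[tuple[int, int]]:
    """Byte-level diff against a known-good copy: (offset, length) of each
    run of differing bytes; a size change is reported as a final range."""
    ranges, start = [], None
    n = min(len(good), len(suspect))
    for i in range(n):
        if good[i] != suspect[i]:
            start = i if start is None else start
        elif start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, n - start))
    if len(good) != len(suspect):
        ranges.append((n, abs(len(good) - len(suspect))))
    return ranges

def nop_only(good: bytes, suspect: bytes) -> bool:
    """Were the changed bytes all replaced by 0x90 (NOP), the signature of
    the FIXRG-style edit the text describes?"""
    if len(good) != len(suspect):
        return False
    return all(b == 0x90 for off, ln in find_patched_ranges(good, suspect)
               for b in suspect[off:off + ln])
```

Run against the constructed sample, the tampered copy fails the baseline check and the diff reports a two-byte NOP run at offset 11; in practice the good copy or its hash would be kept off the board machine so the uploaded trojan cannot also rewrite the baseline.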