%%%%%%%%%% HOW TO DESTROY AN RBBS-PC SYSTEM %%%%%%%%%%

    BY: MAD HACKER

  IN THE COURSE OF YOUR HACKING AND PHREAKING ACTIVITIES, YOU
WILL RUN ACROSS A GEEK SYSOP OR TWO. IN THIS SERIES OF ARTICLES,
I AM GOING TO DESCRIBE WAYS TO DESTROY THESE GEEK BOARDS. I WILL
COVER MOST OF THE MAJOR BBS PROGRAMS IN THE COURSE OF THIS
TUTORIAL SET. THIS ISSUE WILL DEAL WITH THE RBBS SYSTEM.

BASIC SYSTEM FACTS :
--------------------

HARDWARE : IBM-PC (OR XT)
   2 DRIVES
   128K OR MORE
   HAYES SMARTMODEM

FILES : COMMENTS TO SYSOP STORED IN "COMMENTS"
   MESSAGES STORED IN "MESSAGES"
   HELP FILES : "HELP01" - "HELP07"
   DOWNLOAD DIRCTORIES : "DIR" - "DIR 99"
   (DIR CONTIANS LIST OF DIRECTORIES ON CPC 12.1C AND OVER.
   IN EARLIER VERSIONS, ALL FILES ARE CONTAINED HERE.)
   USER FILES (PASSWORDS, ETC) : "USERS"
   SYSTEM CONFIG FILE (SYSOP'S PASSWORD, ETC) : "RBBS-PC.DEF"


 BUG #1 : DOWNLOADING THE USER FILE
 ----------------------------------

VERSIONS THAT MAY BE ATTACKED THIS WAY : CPC 12.1C AND BEFORE.

PROCEDURE : DOWNLOAD "USERS."
    READ PASSWORDS.
    HAVE PHUN.

NOTE : LOOK FOR PASSWORDS MARKED "SYSOP". THESE PASSWORDS ON CPC 12.1F HAVE
THE ABILITY TO DROP TO DOS.

EXPLAINATION :
--------------

    IBM'S BASIC (BY MICROSOFT) IS A RATHER HIGH LEVEL BASIC,
WITH MANY POWERFUL COMMANDS. PC DOS, HOWEVER, IS A RATHER
IDIOT-PROOF DISK SYSTEM.  THE PROBLEM LIES IN THE DIFFERENT WAYS
DOS AND BASIC INTERPRET A STRING OF CHARACTERS. IN THE RBBS
PROGRAM IS A LINE THAT SAYS :

   IF FN$ = USERS$ THEN 13520

   FN$ IS THE NAME OF THE FILE YOU REQUESTED FOR DOWNLOAD.
   USER$ IS THE NAME OF THE USER FILE (USERS).
   13520 IS THE LINE THAT PRINTS "FILE XXXX NOT FOUND. TYPE L FOR DIR"

    NOW THAT YOU KNOW HOW RBBS WAS MEANT TO TRAP HACKERS, IT IS
EASY TO EXPLAIN THE FALACY OF IT'S WAYS. BASIC SAYS THAT "USERS"
IS NOT EQUAL TO "USERS." (AND FOR GOOD REASON!!!). BUT PC DOS
SAYS THAT "USERS" IS EQUAL TO "USERS.". SO YOU ARE ACCESSING THE
SAME FILE, BUT UNDER 2 DIFFERENT NAMES. SINCE THE SYSTEM ONLY
TRAPS ONE OF THEM, YOU CAN USE THE OTHER ONE AND GET THE SAME
DATA. THIS PROBLEM IS WELL KNOWN AND MOST RBBS SYSTEMS HAVE BEEN
FIXED TO AVOID THIS BUG.

 BUG #2 : DOWNLOADING THE SYSOP'S PASSWORD
 -----------------------------------------

VERSIONS ATTACKABLE : ANY RBBS UP TO VERSION 12.2, WHICH IS
STILL IN TESTING BY TOM MACK.

PROCEDURE : DOWNLOAD "RBBS-PC.DEFF"
    READ PASSWORD
    HAVE PHUN

   THE SYSOP'S PASSWORD IS CONTAINED IN A FILE CALLED
"RBBS-PC.DEF".  THERE IS A TRAP IN THE RBBS CODE TO PREVENT YOU
FROM DOWNLOADING IT.  BUT, HERE AGAIN, BASIC AND DOS ARE NOT IN
AGREEMENT ABOUT THE EQUIVILANCE OF STRINGS. BASIC SAYS THAT
"RBBS-PC.DEFF" <> "RBBS-PC.  DEF" (AGAIN, RIGHTFULLY SO!!). BUT
DOS TRUNCATES THE EXTRA CHARACTER, AND ALLOWS YOU TO GET THE
SAME FILE UNDER THIS NAME. (NOTE THAT ANY CHARACTER WILL WORK
AFTER THE "F" IN .DEF. SO IF THE SYSOP HAS FIXED THIS BUG, TRY
ANOTHER CHARACTER. HE MIGHT HAVE BEEN TOO DUMB TO SET UP A
LENGTH TEST AND JUST TRAPPED "RBBS-PC.DEFF"). THIS BUG, TOO, IS
WELL KNOWN, AND MAY BE FIXED ON SOME BOARDS.

 BUG #3 : OVERLOADING THE USER FILE
 ----------------------------------

VERSIONS ATTACKABLE : ALL

PROCEDURE : WRITE A PROGRAM THAT CALLS THE BOARD REPEATEDLY
UNDER NEW NAMES EACH TIME.

EXPLAINATION :
--------------

   THIS IS RATHER OBVIOUS. IF YOU KEEP FILLING UP THE USERLOG
WITH BULLSHIT I.D.'S, YOU WILL CAUSE IT TO BECOME TOO LARGE, AND
DOS WILL NOT ALLOW IT TO BE WRITTEN TO. THIS WILL CAUSE IT TO
"FATAL ERROR" WHENEVER A CALLER LOGS ON.

     /\    /\             
    /  \  /  \             
   /\/    \        ------
  /       \             
 /\AD          ACKER

