BBS-Era Exploitation for Fun and Anachronism

Video in TIB AV-Portal: BBS-Era Exploitation for Fun and Anachronism

Formal Metadata

BBS-Era Exploitation for Fun and Anachronism
Title of Series
Part Number
Number of Parts
CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
The bulletin board era was a golden age for those of us who were into computers (and in existence) at the time. Yet, think of how much better it could have been if we’d had today’s exploitation tradecraft to bring to bear back then. In this presentation, we’re taking modern technology back with us a couple decades and aiming it at BBS-era software, possibly to see what we can learn from attacking these scrutable-yet-unusual systems but mostly just because we can. We’ll use tools and techniques that didn’t publicly exist at the time to run, reverse engineer, attack, debug, and exploit old code. Finally, we’ll demonstrate some of the fun we could’ve had, if only we knew then what we know now… Source code and proofs-of-concept will be released.
Point (geometry) Computer animation Multiplication sign
Point (geometry) Dissipation Group action Touchscreen Multiplication sign View (database) Bit Field (computer science) Connected space Mechanism design Roundness (object) Software Meeting/Interview Internetworking Cuboid Endliche Modelltheorie Error message Modem
Pairwise comparison Existence Scaling (geometry) Multiplication sign Line (geometry) Client (computing) Bulletin board system Neuroinformatik Computer animation Internetworking Term (mathematics) Website Computer architecture
Point (geometry) Slide rule Server (computing) View (database) Density of states Control flow Client (computing) Mass Drop (liquid) Computer programming Programmable read-only memory Bus (computing) Tetraktys Cuboid Information security Booting Dialect Interface (computing) Bit Radical (chemistry) Computer animation Software Password Self-organization Reverse engineering
Numbering scheme Ripping Computer file Java applet Multiplication sign Client (computing) Mereology Code Computer programming Term (mathematics) Modem Vulnerability (computing) Physical system Scripting language Surface Cursor (computers) Communications protocol Vector graphics File Transfer Protocol Radical (chemistry) Computer animation Software Telnet Charge carrier Reverse engineering
Computer file File format Structural load Multiplication sign Mathematical analysis Density of states Bit Line (geometry) Sequence Code Crash (computing) Process (computing) Computer animation Integrated development environment Different (Kate Ryan album) Semiconductor memory Window
Message passing Computer animation State of matter Cuboid Escape character Computer programming
Vector graphics Computer animation Real number Circle Parameter (computer programming) Line (geometry) Sequence
Game controller Key (cryptography) File format Multiplication sign Density of states Sheaf (mathematics) Bit Primitive (album) Line (geometry) Event horizon Power (physics) Curvature Crash (computing) Computer animation Right angle HTTP cookie Lie group Pressure Address space Asynchronous Transfer Mode
Point (geometry) Server (computing) Real number Surface Debugger Extreme programming Client (computing) Cartesian coordinate system Food energy Perspective (visual) Communications protocol Computer animation Cuboid output Asynchronous Transfer Mode
Point (geometry) Dataflow Functional (mathematics) Numbering scheme Game controller Multiplication sign Public domain Mereology Code Scattering Power (physics) Revision control String (computer science) Software testing Binary multiplier Resource allocation Metropolitan area network Pascal's triangle Electronic mailing list Memory management Content (media) Bit Line (geometry) Limit (category theory) Variable (mathematics) Electronic signature Message passing Pointer (computer programming) Computer animation Buffer solution Right angle Freeware Buffer overflow
Computer animation Demo (music) Lecture/Conference Bit Computer worm
Email Numbering scheme Computer animation Combinational logic Modem
Computer animation Personal digital assistant
Lecture/Conference Image resolution Game theory
Numbering scheme Computer animation Term (mathematics) Personal digital assistant Block (periodic table) Video game Endliche Modelltheorie Bulletin board system Cartesian coordinate system System call Neuroinformatik
tough bed and time and then that
in a and and
so this is brolly in my opinion is the perfect talk for the end of the 1st day of so who yeah who here was on was on is like back in the day OK so so all of you I'm sure have wondered at some point in their lives if like what if we knew then what we know now I always a wonder that so I'm happy to introduce their and pull that up from silence so cool cool talk this has been century then called well so yeah and and I'm Paul in debt
and I'm glad you guys are all here PBS error is something most of us remember and have nostalgic memories about and I thought we might talk a little bit about the inspiration for the talk to begin with it you know it started as an April Fool's joke but like a lot of things that stars jokes at end of getting serious and we decided that you know round about the time that the recon if he opened they wouldn't that make a fun talking of something a little exotic of yeah we didn't action preparing April Fool's they press releases that this kind of announced for the vulnerabilities like as though they were and as over overhard leader ghost or something uh women of making a logo for it because you know that just gives death and and this supplanted back and I think it's anyways but that was basically inspiration and looks like they accept the talking so managerial it right so the modem
error but before the internet and the everything was one-to-one connection so you had 1 model you can only talk to 1 another computer and that further for the few of you who and who are familiar at PBS is welcome back this view prevails we're going to talk just a little bit about what is a the so BBS is 1 of the things on the screen we're gonna be having 1 of them midpoint point to which are when you think it is FIL and don't be shy the OK well I think have and a suggest a field dissipating and if you're putting in the giddy you and congratulations so the yeah server-side software that we're looking at is called a wild and there tones of allows that is the funny thing about wildcat is Wildcat is 1 of the you this Fabio there'd mechanism check that box and yeah goes to take away so we're looking at
essentially the architecture of how they talk to each other and it's over phone lines so everyone from the nineties has heard that sound when you pick up a phone can someone using the internet cotton call-waiting is the bane of my existence and so there is another side to it is also the client side and the client side and the rendering whatever the BBS sends back and that leads you to let in the red dragon with anybody and also that the times as much performance years so yeah you get exactly 1 computer yours elected exactly on computer the desysopped hopefully this is up isn't sitting there staring everything you doing all the time but the Tillich could if it wanted to and both yeah interest would today where everything is connected everything all the time and I was come along way the approach to watching that the and that's not just once something so looking at this we wanted to go and ask the
question because while it's relevant and are BDS is still relevant today for scale and in the last 30 days or so there have been 10 new BBS is gonna up what called welcome to the internet has they long term and I think in comparison with their been roughly 16 million new websites per month or so so the steel here he got into account but there are still a BBS is going up and people still use them and I looked it up actually as of 2015 this still 2 . 1 million people in America on dialog again this is about that I got there on PBS is by I thought I was kind of interesting so now that
you all know about everything about BBS is no uh here the soft the programs organ attack wildcat being the BBS software that the server and then return to being the clients a terminal program retirement typically calls Wildcat and with the sound it goes something like who is working the so warm year a year of the of the tetrad how we we could differ enough for conciseness it actually ran on for like a minute or so and so we thought would look
at back then and today so I that who knows where this has from the the blue guy yeah thank you and the comparatively orange guy who of yeah there you know the mass in the president united in 1 slide so when it comes to a stop or what we use back then what we use today they had to back then people would boot from a desk and today we really have to use DOS box or a or if you're running on like 2003 you can use in the medium which is the take the bus back then there are a dozen debug no I didn't even didn't have break points and Otis upon some postal look that way but it will not be a is constant simple unimportant today we use wind about mostly or GDV if you're on Unix and their DOS about which we actually can be quite useless now that's a DOS spikes debugging interface it is a bit of a pain you can rebuild it with the debugging support yeah we just weren't able to bring very much to that of the and looking at this Assembly thank i think you may have had used debug back then the prom here reverse engineering tool of the ADC and is nowadays we have things like Heider and a slew of other tools at our disposal which makes a lot easy from a reverse engineering point of view come back then the today we have things that problem intact in the days of a Security was war dialing guessing passwords today this is invisible million-dollar 0 days this is like the emperor's new clothing but in reverse we can we can see that if you're a good person and understand who must I I killed him and I have so back then you got stoned that nearly and today it's a lot more knowing have to pay and big point the US as have been dead drops is how the gold bullion the gold again happen
In and now looking at the postmortem air the day before a above recitatives back not always there users could but this is not always a great leap forward of course not always 2 steps back because they see more about intake couple big steps back um starting off talking about rip term I mean I'm just gonna go through the basic care down the same way we look at nowadays for like street assessment what is the attack surface it's a client but it's got all these protocols it supports there is the the protocol that speaks with the modem which we don't expect to have much too much influence over so this is a command to dial the number and then the node might say that no carrier or connected or whatever there's a telnet protocol and NC codes really great before there was a script which about to get to you there was Freud a color and the cursor needs the the um their various file transfer protocols xyz modem I don't know I didn't then look into that because I really was we look to rich script there was no need to go anywhere else in this is super rich data and so these get telegraphic Sorokin and if there's anybody from telegraphic here who worked there was part time I love your software you don't take this wrong way system sister convenient all program uh um for a talk about modern attacking and is supported this really rich protocol called rich scripts for drawing vector graphics essentially like whereas with NCD make ASCII are and pretty colorful ASCII art but just ASCII art with the rich script you could do all kinds of things even accessing files on the host and from the client's computer and that's really really crazy so so is not script in the Java Script sense where you can actually like massage the Heber something too bad that you can do a lot of we're sorry look at that for vulnerabilities wonderful find anything
not so we actually found something before we actually got the reverse engineering part but when you actually open up rip terminator the doesn't really know you're looking at and it it's not something even massage into something nice you have to take 1 step further before you can begin in reversing it in idea and so we found 2 different ways to do this that I'm sure there's a whole bunch more but we thought that
the sidereal year actually took the and reconstituted into a P. almost of way so that so for a little bit of background about the whole thing looks like a 16 bit DOS EXE but this 16 bit code recessive like this DOS protected-mode environment is like that what come DOS-extender if you've heard of that and then inside of the exceeds that embedded this linear executable which is actually a think the same format or almost the same format as the windows the expertise used by the low that into memory but they're just just enough differences to make annoying to we can just cut it out of the file and loaded straight niter I got about as far as applying the relocations to it ran out of time because a popular with the way so he was kind of funny Derek was working on it and I have used a couple hours and because it was you just do this and so I pull it up the I ran it on DVD M and I like any byte sequence data so the nice enough to spare 1 over and did a search dump the regenerated this open that up in Idaho and they go the it understands it and this nice it's easy it's an oldie but I mean we still use it all the time so that work nicely the hand this here as the process basically dumping it and going from a crash to an analysis and what we found was quote you guessed it is a little arteries that yes this is the topic you who
knows this is how Derek actually ended up with the crash so who who was her go to technique nowadays when doubt he
despises you happens and so we didn't um artists to
real dumb buzzer uh the annoying thing those message boxes see popping up there certain commands you can do that will cause a message box and everything stops and those dismissed so uh I erodible program the dissimulate states like escape keystrokes to
make it go away every few seconds real
cheesy but the of uh so that you could do that back in the days of the so as the visitors were recording of what it looked like and it's trying vector graphics here and you'll see lines and stuff like that which we got is a perfect place to look and at the day there's a there's just like enjoyed dozens and dozens of commands like they're all that bank pipe and and command sequence and parameters and so the father's really just doing a bunch of that during lecture thank i garbage and sometimes you circle sometimes you
get a line and sometimes you get ready the notice that the father's name is really in the and sometimes you get
crash and this is the a DOS-extender itself but it the intercepting the fall and then just do and power cord of thing to to the Council what is not at the corner to my this evening about the the hit so it in any course actually crashing for for the 1st time when the so I was was as the circuit from but this is a after we miss I've super concept all that really got a a control over most registers most notably this is a a home fact might have time to get into it but this a little weird but I was expecting returned yet 16 you totally real mode but no it's so not only is it like protected-mode the section 32 bit flat address space I guess a DOS 40 of the extended him with a 40 centrally 40 rights so uh so that's why this pressure don't look such like such a familiar format the the now when it comes to exploiting return fire this is flights taking a step back in time and realizing while OK we you have the keys to the kingdom here there is no doubt primitive everything is RWX acts like OK sweet there is no way as lie that also nice you know safe sch no as EH no stack cookies control-flow varied but in any event also got half an hour what they were thinking but I know the for full full enhancement technology that's a new 1 enables the problem is that the the and you and but thanks the so we we kind of went from uh we took its to an
extreme we tried to do like Robert and you know it only work but then you're like what's the point which are you know kind of summed it up nicely so we could so we had a dresser tools we had a when debugging now on in which is pretty cool because you get to see it executing and you know protected mode with arbitrary selectors or on virtual 86 mode or whatever that making the it there is a course DOS box debugger led that when there was a pleasant experience so it's not actually debuggers so you can't set real breakpoints energy it's very frustrating use In this brings
us to the other application that we looked at the server side um so pretty much wildcat is released from our client perspective it's all just text-based UI like the to read of so yeah you I will say so this is pretty much attack surface whatever you can get to do or whatever protocols is going to speak which is mostly just like user keystrokes in input but there there's file-transfer we didn't really get into that because of 1st which talk
about Hatteras wildcat this 1 a lot better than return when we tell you like idea works like a charm it knows OK so wild was written Pascal is all like 16 bit and idea and bless his heart it knows all those functions like as for signatures so it found their man there Alex found their copies and it's book that's pretty handy the uh the Deacon power didn't quite work but I didn't expect it to so much that you know nobody wants to go back far pointers the
but in now sexual talk about turn it down so we walk through a bunch of functionality and this is just like a test drive version wildcat off of you know some like public domain or some freeware CD um so all the scatter chase this is a this arena putting messages interim message you can enter a message but then you know they have 150 wine 131 line limit which OK you can only and 181 lines but you can insert where be like that and so they didn't bother detector which line you put their um and I'll tell you why that's cool so Pascal has all of these strings like these counted strings and there's no likes the copy buffer overflow that I know of in Pascal so I like the lines news message were truncated 80 characters but but that they needed to thinking more how about he delegations there are almost no heap allocations in wildcat its use of the heap is paltry but use it here and here there's an like a 16 bit arithmetical overflow you put in a line number multiplies it by 81 to go find a place in the buffer to put it and so we were thinking we find it part of the exploitation includes OK go here ever message at wine 810 hinder these contents essentially 810 worked out to the size of a line times the number of O. The you enter and to rapid you only have to wrap a 16 bit variable so you can end up overflowing the previous string and your flow the character that says how many like characters are in a string the good point of it was yeah like pretty much almost arbitrary control over where rights to it within that 64 K segments without borders is within the 64 K segment um and there were basically there's no he at overflow there was a free list but because it uses a heap so little and they didn't actually matter overriding the free list pointers and so we did not the code execution in wild this turns out to be a useful tool in crafting like malicious message but not so you know as a story for another day and know 3rd yeah OK
so we have a bit of a demo here but we get out of this assumed she writes of the demos of
fear the this is using that 16
bit wrap that we just talked about and entering some malicious payload
a now this is dialogs on both sides here they're talking to each other equal uh yeah DOS vaccinate because it emulates modems and the OK say and yet you are drive should I think is needed to say that in an open it gas so I think this with best and done as a snapshot because you can enter the stuff I text and nobody was aware of that Imagen in your shellcode with like all number number number combinations byte-by-byte as Israel so is going to go there we're gonna read them as a so we just ended presumably you leave for someone else but the the and what you end up with is and I scratch and and then it disconnects and she you can turn this past the could excuse the values of so it's like the receiving a fishing mail e-mail with the use of the that exploit attached to it but old-school just call this number with a modem you this yeah
and were in this like not a case we just
do that now In the other
and that none of this
would put their like what it give you a history of the and usually it is but what they the of now that we have 1 more damaging guys and this is kind of but where we where we left it I think it shows up this perfectly because ever tried to get on the play a game and the like the although the minutes of stimulant maintaining ever get around it I think we may have some of that if the the goal of this I tried to decrease resolution just before so you guys to see better the the of the the the wonders of DOS belongs and and who survived as you things thank you for telling me the and
a very so this is running right term and talking to another application over the a model and so we're going to see an incoming calls whose life we answer it Due the high I In Yolane's Dumont assistant who the now you have remember this sleuthing about what to do with it and brings me back the nineties if only an hour in ML alright so now that's the conclusion and the questions of freedom has questions are what we do is were not a main what is played in the I by evaluating other block then would know yeah are they also they become was that in 2013 there was a recom BBS I had no idea and and and and this is a the we Our which we've known about that we we try to stay away from Happy real computers of the on opportunity in this will send me the number the the heart of the 1st do the and and the other half of the year when a centuries-old holder of those would be expensive achieve yeah well what is the demand for let's try said that when you may not have reasonable 90 95 or they could is going you know 1st themselves the shelling out because its and then it there's like suffer antiques and anything else anything else into kind if it that thank you