Cult of the Dead Cow Communications presents Back Orifice Remote Administration System v1.20 7-30 Initial Release Back Orifice is a client/server application which allows the client software to monitor, administer, and perform other network and multimedia actions on the machine running the server. To communicate with the server, either the text based or gui client can be run on any Microsoft Windows machine. The server currently only runs in Windows 95/98. This package contains: bo.txt This document. plugin.txt The plugin programming documentation. boserve.exe The Back Orifice self installing server. bogui.exe The Back Orifice gui client. boclient.exe The Back Orifice text client. boconfig.exe Utility to configure exename, port, password, and default plugin for a BO server melt.exe Decompresses files compressed with the File freeze command. freeze.exe Compresses files that can be decompressed with the File melt command. To install the server the server simply needs to be executed. When the server executable is run, it installs itself and then deletes itself. This is useful for network enviroments where the server can be installed on a machine simply by copying the server executable into the Startup directory, where it will be installed, then removed. Once the server is installed on a machine, it will be started every time the machine boots. To upgrade a running copy of Back Orifice remotely, simply upload the new version of the server to the remote host, and use the Process spawn command to execute it. When run, the server will automatically kill any programs running as the file it intends to install itself as, install itself over the old version, run itself from its installed position, and delete the updated exe you just ran. Before installation, several aspects of the server can be configured. The filename that Back Orifice installs itself as, the port the server listens on, and the password used for encryption can all be configured using the boconf.exe utility. If the server is not configured, it defaults to listening on port 31337, using no password for encryption (packets are still encrypted), and installing itself as " .exe" (space dot exe). The client communicates to the server via encrypted UDP packets. For successful communication, the client needs to send to the same port the server is listening on, and the client password must match the encryption password server was configured with. The port the client sends its packets from can be set using the -p option with both the gui and text clients. If packets are being filtered or a firewall is in place, it may be necessary to send from a specific port that will not be filtered or blocked. Since UDP communication is connectionless, the packets might be blocked either on their way to the server or the return packets might be blocked on their way back to the client. Actions are performed on the server by sending commands from the client to a specific ip address. If the server machine is not on a static address, it can be located by using the sweep or sweeplist commands from the text client, or from the gui client using the "Ping..." dialog or by putting a target ip of "1.2.3.*". If sweeping a list of subnets, when a server machine responds the client will look in the same directory as subnet list and will display the first line of the first file it finds with the filename of the subnet. The commands currently implemented in Back Orifice are listed below. Some of the command names differ between the gui and text clients, but the syntax is the same for almost all commands. More information for any of the commands can be displayed in the text client by typing 'help command'. The gui sets the label of the two paramater fields to a description of the arguments each command accepts when that command is selected from the 'Command' list. If a piece of required information was not supplied with the command, the error 'Missing data' will be returned by the server. The Back Orifice commands are: (gui/text command) App add/appadd Spawn a text based application on a tcp port. This allows you control a text or dos application (such as command.com) via a telnet session. App del/appdel Stops an application from listening for connections. Apps list/applist Lists the applications currently listening for connections. Directory create/md Creates a directory Directory list/dir Lists files and directory. You must specify a wildcard if you want more than one file to be listed. Directory remove/rd Removes a directory Export add/shareadd Creates an export on the server. The exported directory or drive's icon does not get overlaid with the shared hand icon. Export delete/sharedel Deletes an export. Exports list/sharelist Lists current share names, the drive or directory that is being shared, the access for that share, and the password for the share. File copy/copy Copys a file. File delete/del Deletes a file. File find/find Searches a directory tree for files that match a wildcard specification. File freeze/freeze Compresses a file. File melt/melt Decompresses a file. File view/view Views the contents of a text file. HTTP Disable/httpoff Disables the http server. HTTP Enable/httpon Enables the http server. Keylog begin/keylog Logs keystrokes on the server machine to a text file. The log shows you the name of the window the text was typed into. Keylog end Ends keyboard logging. To end keyboard logging from the text client, use 'keylog stop'. MM Capture avi/capavi Captures video and audio (if available) from a video input device to an avi file. MM Capture frame/capframe Captures a frame of video from a video input device to a bitmap file. MM Capture screen/capscreen Captures an image of the server machine's screen to a bitmap file. MM List capture devices/listcaps Lists video input devices. MM Play sound/sound Plays a wav file on the server machine. Net connections/netlist Lists current incomming and outgoing network connections. Net delete/netdisconnect Disconnects the server machine from a network resource. Net use/netconnect Connects the server machine to a network resource. Net view/netview Views all network interfaces, domains, servers, and exports visable from the server machine. Ping host/ping Pings the host machine. Returns the machine name and the BO version number. Plugin execute/pluginexec Executes a Back Orifice plugin. Executing functions that do not conform to the Back Orifice plugin interface may cause the server to crash. Plugin kill/pluginkill Tells a specific plugin to shut down. Plugins list/pluginlist Lists active plugins or the return value of a plugin that has exited. Process kill/prockill Terminates a process. Process list/proclist Lists running processes. Process spawn/procspawn Runs a program. From the gui, if the second paramater is specified, the process will be executed as a normal, visable process. Otherwise it will be executed hidden or detached. Redir add/rediradd Redirects incomming tcp connections or udp packets to another ip address. Redir del/redirdel Stops a port redirection. Redir list/redirlist Lists active port redirections. Reg create key/regmakekey Creates a key in the registry. NOTE: For all registry commands, do not specify the leading \\ for registry values. Reg delete key/regdelkey Deletes a key from the registy. Reg delete value/regdelval Deletes a value from the registy. Reg list keys/reglistkeys Lists the sub keys of a registry key. Reg list values/reglistvals Lists the values of a registry key. Reg set value/regsetval Sets a value for a registry key. The values are specified as a type followed by a comma, then the value data. For binary values (type B) the value is a series of two digit hex values. For DWORD values (type D) the value is a decimal number. For string values (type S) the value is a text string. Resolve host/resolve Resolves the ip address of a machine name relative to the server machine. The machine name can be an internet host name, or a local network machine name. System dialogbox/dialog Creates a dialog box on the server machine with the supplied text and an 'ok' button. You can create as many dialog boxes as you want, they will just cascade in front of the previous box. System info/info Displays system information for the server machine. Information displayed includes machine name, current user, cpu type, total and available memory, Windows version information, and drive information, including drive type (Fixed, cd-rom, removable, or remote) and for fixed drives, the size and free space of the drive. System lockup/lockup Locks up the server machine. System passwords/passes Displays cached passwords for the current user and the screen saver password. Displayed passwords may have garbage data at their end. System reboot/reboot Shuts down the server machine and reboots it. TCP file receive/tcprecv Connects the server machine to a specific ip and port and saves any data recieved from that connection to the specified file. TCP file send/tcpsend Connects the server machine to a specific ip and port and sends the contents of the specified file, then disconnects. NOTE: For tcp file transfers, the specified ip and port must be listening before the tcp file command is sent or it will fail. A useful utility for transfering files this way is netcat, which is available for both unix and win32. Files can be transfered _from_ the server using the tcp file send command and netcat with a syntax like: netcat -l -p 666 > file Files can be transfered _to_ the server using the tcp file receive command and netcat with a syntax like: netcat -l -p 666 < file NOTE: The win32 version of netcat does not disconnect or exit when it reaches the end of the input file. After the contents of the file have been transfered, terminate netcat with ctrl-c or ctrl-break. BOConfig: BOConfig.exe allows you to configure the options for a bo server before it has been installed. It asks you for the executable name, which is the name that Back Orifice will install itself as in in the system directory. It does not have to end in .exe, but it will not append .exe if you do not suply a file extension. It then asks for the exe description, which is the description that will describe the exe in the registry where it gets started from durring boot. It then asks for the port which the server will listen for packets on. It then asks for a password which it will use for encryption. To communicate with the server from a client, the client must be configured with this same password. This can be null. It then asks for the default plugin to run on startup. This is a DLL and function name in the form "DLL:_Function" of a Back Orifice plugin which will automatically be run when the server starts. This can be null. It then lets you enter any arguments that you want to pass to the plugin at startup. This also can be null. And finally, it asks for the path to a file which can be attached to the server, which will be written in the system directory as the server starts. This could be a Back Orifice plugin which is automatically started. The server will work without being configured. It defaults to communicating on port 31337 with no password and installing itself as " .exe". Known bugs/problems: MM Capture screen - The bitmap is saved in whatever resolution and pixel depth the server machine is running in. As a result, bitmaps may be produced with color depths of 16 bit or 24 bit. Most graphics applications can only deal with 8 or 32 bit bitmaps and will either be unable to load the bitmap or display it incorrectly (this includes Graphics Workshop for Windows, Photoshop, and the WANG Imaging distributed with Windows. There is, however, a program that comes with Windows will view it. Paint.exe. Go figure. Keyboard logging - Apparently ms-dos windows don't have a message loop, which prevents the ability to log keys that are typed into them. Text based application tcp redirection (App add) - Several bugs. When command.com is spawned with it's handles redirected, the system also spawns REDIR32.EXE, which it does not apear possible to terminate. (This seems os interface that communicates with a tsr module loaded in the dos session to redirect the input and output handles to pipes) So if you terminate the tcp connection before the application has terminate (or you have 'exit'ed it), REDIR32.EXE and WINOA386.MOD (the 'old application' (16 bit) wrapper) will remain running, and neither Back Orifice nor the operating system itself will be able to terminate them. This even prevents the system from being able to shut down, it just sits at the 'Please wait...' screen forever. There also seems to be problems redirecting the output from some console applications (such as FTP.EXE, and unfortunately currently boclient.exe). Altho output from the program is not relayed out, input may still be relayed in, so you can often quit the program through the tcp session. Otherwise use Back Orifice to kill the executable. Send questions, comments, bitches and bugs to bo@cultdeadcow.com. .-. _ _ .-. / \ .-. ((___)) .-. / \ /.ooM \ / \ .-. [ x x ] .-. / \ /.ooM \ -/-------\-------/-----\-----/---\--\ /--/---\-----/-----\-------/-------\- /lucky 13\ / \ / `-(' ')-' \ / \ /lucky 13\ \ / `-' (U) `-' \ / `-' the original e-zine `-' _ Oooo eastside westside / ) __ /)(\ ( \ WORLDWIDE / ( / \ \__/ ) / Copyright (c) 1998 cDc communications and the author. \ ) \)(/ (_/ CULT OF THE DEAD COW is a registered trademark of oooO cDc communications, PO Box 53011, Lubbock, TX, 79453, USA. _ oooO All rights reserved. __ ( \ / ) /)(\ / \ ) \ \ ( \__/ Save yourself! Go outside! Do something! \)(/ ( / \_) xXx BOW to the COW xXx Oooo http://www.cultdeadcow.com Microsoft, Windows, Windows 95, Windows 98, and Windows NT are all registered trademarks of the Microsoft Corporation.