Thursday, December 15, 2011

Back Orifice Remote Administration System

                     Cult of the Dead Cow Communications

                                  presents

                                Back Orifice
                        Remote Administration System
                                v1.20   7-30
                               Initial Release

Back Orifice is a client/server application which allows the client software
to monitor, administer, and perform other network and multimedia actions on
the machine running the server.  To communicate with the server, either the
text based or gui client can be run on any Microsoft Windows machine.  The
server currently only runs in Windows 95/98.

This package contains:
bo.txt
This document.
plugin.txt
The plugin programming documentation.
boserve.exe
The Back Orifice self installing server.
bogui.exe
The Back Orifice gui client.
boclient.exe
The Back Orifice text client.
boconfig.exe
Utility to configure exename, port, password, and default plugin for a BO server
melt.exe
Decompresses files compressed with the File freeze command.
freeze.exe
Compresses files that can be decompressed with the File melt command.

To install the server the server simply needs to be executed.  When the
server executable is run, it installs itself and then deletes itself.  This is
useful for network enviroments where the server can be installed on a machine
simply by copying the server executable into the Startup directory, where it
will be installed, then removed.  Once the server is installed on a machine,
it will be started every time the machine boots.

To upgrade a running copy of Back Orifice remotely, simply upload the new
version of the server to the remote host, and use the Process spawn command
to execute it.  When run, the server will automatically kill any programs
running as the file it intends to install itself as, install itself over the
old version, run itself from its installed position, and delete the updated
exe you just ran.

Before installation, several aspects of the server can be configured.  The
filename that Back Orifice installs itself as, the port the server listens
on, and the password used for encryption can all be configured using the
boconf.exe utility.  If the server is not configured, it defaults to listening
on port 31337, using no password for encryption (packets are still encrypted),
and installing itself as " .exe" (space dot exe).

The client communicates to the server via encrypted UDP packets.  For
successful communication, the client needs to send to the same port the server
is listening on, and the client password must match the encryption password
server was configured with.

The port the client sends its packets from can be set using the -p option with
both the gui and text clients.  If packets are being filtered or a firewall
is in place, it may be necessary to send from a specific port that will not be
filtered or blocked.  Since UDP communication is connectionless, the packets
might be blocked either on their way to the server or the return packets might
be blocked on their way back to the client.

Actions are performed on the server by sending commands from the client to a
specific ip address.  If the server machine is not on a static address, it can
be located by using the sweep or sweeplist commands from the text client, or
from the gui client using the "Ping..." dialog or by putting a target ip of
"1.2.3.*".  If sweeping a list of subnets, when a server machine responds the
client will look in the same directory as subnet list and will display the
first line of the first file it finds with the filename of the subnet.

The commands currently implemented in Back Orifice are listed below.  Some of
the command names differ between the gui and text clients, but the syntax is
the same for almost all commands.  More information for any of the commands
can be displayed in the text client by typing 'help command'.  The gui sets
the label of the two paramater fields to a description of the arguments each
command accepts when that command is selected from the 'Command' list.  If
a piece of required information was not supplied with the command, the error
'Missing data' will be returned by the server.  The Back Orifice commands are:

(gui/text command)

App add/appadd
Spawn a text based application on a tcp port.  This allows you control a text
or dos application (such as command.com) via a telnet session.

App del/appdel
Stops an application from listening for connections.

Apps list/applist
Lists the applications currently listening for connections.

Directory create/md
Creates a directory

Directory list/dir
Lists files and directory.  You must specify a wildcard if you want more than
one file to be listed.

Directory remove/rd
Removes a directory

Export add/shareadd
Creates an export on the server.  The exported directory or drive's icon does
not get overlaid with the shared hand icon.

Export delete/sharedel
Deletes an export.

Exports list/sharelist
Lists current share names, the drive or directory that is being shared, the
access for that share, and the password for the share.

File copy/copy
Copys a file.

File delete/del
Deletes a file.

File find/find
Searches a directory tree for files that match a wildcard specification.

File freeze/freeze
Compresses a file.

File melt/melt
Decompresses a file.

File view/view
Views the contents of a text file.

HTTP Disable/httpoff
Disables the http server.

HTTP Enable/httpon
Enables the http server.

Keylog begin/keylog
Logs keystrokes on the server machine to a text file.  The log shows you the
name of the window the text was typed into.

Keylog end
Ends keyboard logging.  To end keyboard logging from the text client, use
'keylog stop'.

MM Capture avi/capavi
Captures video and audio (if available) from a video input device to an avi
file.

MM Capture frame/capframe
Captures a frame of video from a video input device to a bitmap file.

MM Capture screen/capscreen
Captures an image of the server machine's screen to a bitmap file.

MM List capture devices/listcaps
Lists video input devices.

MM Play sound/sound
Plays a wav file on the server machine.

Net connections/netlist
Lists current incomming and outgoing network connections.

Net delete/netdisconnect
Disconnects the server machine from a network resource.

Net use/netconnect
Connects the server machine to a network resource.

Net view/netview
Views all network interfaces, domains, servers, and exports visable from the
server machine.

Ping host/ping
Pings the host machine.  Returns the machine name and the BO version number.

Plugin execute/pluginexec
Executes a Back Orifice plugin.  Executing functions that do not conform to
the Back Orifice plugin interface may cause the server to crash.

Plugin kill/pluginkill
Tells a specific plugin to shut down.

Plugins list/pluginlist
Lists active plugins or the return value of a plugin that has exited.

Process kill/prockill
Terminates a process.

Process list/proclist
Lists running processes.

Process spawn/procspawn
Runs a program.  From the gui, if the second paramater is specified, the
process will be executed as a normal, visable process.  Otherwise it will be
executed hidden or detached.

Redir add/rediradd
Redirects incomming tcp connections or udp packets to another ip address.

Redir del/redirdel
Stops a port redirection.

Redir list/redirlist
Lists active port redirections.

Reg create key/regmakekey
Creates a key in the registry.
NOTE:  For all registry commands, do not specify the leading \\ for registry
values.

Reg delete key/regdelkey
Deletes a key from the registy.

Reg delete value/regdelval
Deletes a value from the registy.

Reg list keys/reglistkeys
Lists the sub keys of a registry key.

Reg list values/reglistvals
Lists the values of a registry key.

Reg set value/regsetval
Sets a value for a registry key.  The values are specified as a type followed
by a comma, then the value data.  For binary values (type B) the value is a
series of two digit hex values.  For DWORD values (type D) the value is a
decimal number.  For string values (type S) the value is a text string.

Resolve host/resolve
Resolves the ip address of a machine name relative to the server machine.  The
machine name can be an internet host name, or a local network machine name.

System dialogbox/dialog
Creates a dialog box on the server machine with the supplied text and an 'ok'
button.  You can create as many dialog boxes as you want, they will just
cascade in front of the previous box.

System info/info
Displays system information for the server machine.  Information displayed
includes machine name, current user, cpu type, total and available memory,
Windows version information, and drive information, including drive type
(Fixed, cd-rom, removable, or remote) and for fixed drives, the size and free
space of the drive.

System lockup/lockup
Locks up the server machine.

System passwords/passes
Displays cached passwords for the current user and the screen saver password.
Displayed passwords may have garbage data at their end.

System reboot/reboot
Shuts down the server machine and reboots it.

TCP file receive/tcprecv
Connects the server machine to a specific ip and port and saves any data
recieved from that connection to the specified file.

TCP file send/tcpsend
Connects the server machine to a specific ip and port and sends the contents
of the specified file, then disconnects.
NOTE:  For tcp file transfers, the specified ip and port must be listening
before the tcp file command is sent or it will fail.  A useful utility for
transfering files this way is netcat, which is available for both unix and
win32.

Files can be transfered _from_ the server using the tcp file send command and
netcat with a syntax like:
netcat -l -p 666 > file
Files can be transfered _to_ the server using the tcp file receive command and
netcat with a syntax like:
netcat -l -p 666 < file
NOTE:  The win32 version of netcat does not disconnect or exit when it reaches
the end of the input file.  After the contents of the file have been
transfered, terminate netcat with ctrl-c or ctrl-break.

BOConfig:
BOConfig.exe allows you to configure the options for a bo server before it has
been installed.  It asks you for the executable name, which is the name that
Back Orifice will install itself as in in the system directory.  It does not
have to end in .exe, but it will not append .exe if you do not suply a file
extension.  It then asks for the exe description, which is the description
that will describe the exe in the registry where it gets started from durring
boot.  It then asks for the port which the server will listen for packets on.
It then asks for a password which it will use for encryption.  To communicate
with the server from a client, the client must be configured with this same
password.  This can be null.  It then asks for the default plugin to run on
startup.  This is a DLL and function name in the form "DLL:_Function" of a
Back Orifice plugin which will automatically be run when the server starts.
This can be null.  It then lets you enter any arguments that you want to pass
to the plugin at startup.  This also can be null.  And finally, it asks for
the path to a file which can be attached to the server, which will be written
in the system directory as the server starts.  This could be a Back Orifice
plugin which is automatically started.

The server will work without being configured.  It defaults to communicating
on port 31337 with no password and installing itself as " .exe".

Known bugs/problems:
MM Capture screen - The bitmap is saved in whatever resolution and pixel depth
the server machine is running in.  As a result, bitmaps may be produced with
color depths of 16 bit or 24 bit.  Most graphics applications can only deal
with 8 or 32 bit bitmaps and will either be unable to load the bitmap or
display it incorrectly (this includes Graphics Workshop for Windows, Photoshop,
and the WANG Imaging distributed with Windows.  There is, however, a program
that comes with Windows will view it.  Paint.exe.  Go figure.

Keyboard logging - Apparently ms-dos windows don't have a message loop, which
prevents the ability to log keys that are typed into them.

Text based application tcp redirection (App add) - Several bugs.  When
command.com is spawned with it's handles redirected, the system also spawns
REDIR32.EXE, which it does not apear possible to terminate.  (This seems os
interface that communicates with a tsr module loaded in the dos session to
redirect the input and output handles to pipes)  So if you terminate the tcp
connection before the application has terminate (or you have 'exit'ed it),
REDIR32.EXE and WINOA386.MOD (the 'old application' (16 bit) wrapper) will
remain running, and neither Back Orifice nor the operating system itself will
be able to terminate them.  This even prevents the system from being able to
shut down, it just sits at the 'Please wait...' screen forever.
There also seems to be problems redirecting the output from some console
applications (such as FTP.EXE, and unfortunately currently boclient.exe).
Altho output from the program is not relayed out, input may still be relayed
in, so you can often quit the program through the tcp session.  Otherwise use
Back Orifice to kill the executable.

Send questions, comments, bitches and bugs to bo@cultdeadcow.com.



    .-.                             _   _                             .-.
   /   \           .-.             ((___))             .-.           /   \
  /.ooM \         /   \       .-.  [ x x ]  .-.       /   \         /.ooM \
-/-------\-------/-----\-----/---\--\   /--/---\-----/-----\-------/-------\-
/lucky  13\     /       \   /     `-(' ')-'     \   /       \     /lucky  13\
           \   /         `-'         (U)         `-'         \   /
            `-'              the original e-zine              `-'    _
      Oooo                    eastside westside                     / )   __
/)(\ (   \                       WORLDWIDE                        /  (  /  \
\__/  )  /  Copyright (c) 1998 cDc communications and the author. \   ) \)(/
       (_/     CULT OF THE DEAD COW is a registered trademark of    oooO
              cDc communications, PO Box 53011, Lubbock, TX, 79453, USA.      _
  oooO                      All rights reserved.                    __   ( \
/   ) /)(\                                                        /  \  )  \
\  (  \__/       Save yourself!  Go outside!  Do something!       \)(/ (   /
  \_)                     xXx   BOW to the COW   xXx                    Oooo

                                                                                         http://www.cultdeadcow.com

Microsoft, Windows, Windows 95, Windows 98, and Windows NT are all registered
trademarks of the Microsoft Corporation.