Cult of the Dead Cow Communications presents:

Back Orifice
Remote Administration System
v1.20 7-30-98
Initial Release
Back Orifice is a client/server application which allows the client software to monitor, administer, and perform other network and multimedia actions on the machine running the server. To communicate with the server, either the text based or gui client can be run on any Microsoft Windows machine. The server currently only runs in Windows 95/98.
This package contains:

bo.txt        This document.
plugin.txt    The plugin programming documentation.
boserve.exe   The Back Orifice self installing server.
bogui.exe     The Back Orifice gui client.
boclient.exe  The Back Orifice text client.
boconfig.exe  Utility to configure exename, port, password, and default
              plugin for a BO server.
melt.exe      Decompresses files compressed with the File freeze command.
freeze.exe    Compresses files that can be decompressed with the File melt
              command.
To install the server, the server executable simply needs to be run. When the server executable is run, it installs itself and then deletes itself. This is useful for network environments where the server can be installed on a machine simply by copying the server executable into the Startup directory, where it will be installed, then removed. Once the server is installed on a machine, it will be started every time the machine boots.
To upgrade a running copy of Back Orifice remotely, simply upload the new version of the server to the remote host, and use the Process spawn command to execute it. When run, the server will automatically kill any programs running as the file it intends to install itself as, install itself over the old version, run itself from its installed position, and delete the updated exe you just ran.
Before installation, several aspects of the server can be configured. The filename that Back Orifice installs itself as, the port the server listens on, and the password used for encryption can all be configured using the boconfig.exe utility. If the server is not configured, it defaults to listening on port 31337, using no password for encryption (packets are still encrypted), and installing itself as " .exe" (space dot exe).
The client communicates with the server via encrypted UDP packets. For successful communication, the client needs to send to the same port the server is listening on, and the client password must match the encryption password the server was configured with.
The port the client sends its packets from can be set using the -p option with both the gui and text clients. If packets are being filtered or a firewall is in place, it may be necessary to send from a specific port that will not be filtered or blocked. Since UDP communication is connectionless, the packets might be blocked either on their way to the server or the return packets might be blocked on their way back to the client.
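A defender-side triage script built on the defaults stated above (UDP transport, port 31337, the " .exe" install name). This is an added example, not part of the original Back Orifice distribution; the flow records and directory listing it checks are constructed sample data, and the port check only finds servers left on the default port.

```python
"""Defender-side triage for the Back Orifice defaults described in the text.

Network: BO speaks UDP and an unconfigured server listens on 31337, so flag
UDP flows touching that port in either direction (replies come from 31337).
Host: an unconfigured server installs itself as " .exe" (leading space), so
flag executables whose name is blank before the extension.
All sample data below is constructed for illustration.
"""
import csv
import io

BO_DEFAULT_PORT = 31337  # document default; a configured server may use any port

def suspicious_udp_flows(flow_csv, port=BO_DEFAULT_PORT):
    """Return (src, dst, sport, dport) for UDP flows involving `port`.
    Matching the default port only catches unconfigured servers, so a miss
    means 'nothing found', not 'nothing present'."""
    hits = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        sport, dport = int(row["sport"]), int(row["dport"])
        if row["proto"].lower() == "udp" and port in (sport, dport):
            hits.append((row["src"], row["dst"], sport, dport))
    return hits

def blank_named_executables(paths):
    """Return paths whose file name is only whitespace before '.exe'.
    " .exe" is the document's default install name; any all-space stem is
    treated the same, since such names look empty in directory listings."""
    flagged = []
    for p in paths:
        name = p.replace("\\", "/").rsplit("/", 1)[-1]  # last path component
        stem, dot, ext = name.rpartition(".")
        if dot and ext.lower() == "exe" and stem and not stem.strip():
            flagged.append(p)
    return flagged

# Constructed sample input: flow records and a system directory listing.
SAMPLE_FLOWS = """proto,src,sport,dst,dport
udp,10.0.0.5,31337,10.0.0.42,1052
tcp,10.0.0.5,80,10.0.0.42,1053
udp,10.0.0.42,1054,10.0.0.5,31337
udp,10.0.0.9,53,10.0.0.42,1055
"""
SAMPLE_LISTING = [r"C:\WINDOWS\SYSTEM\ .exe", r"C:\WINDOWS\SYSTEM\KERNEL32.DLL",
                  r"C:\WINDOWS\SYSTEM\   .exe", r"C:\WINDOWS\NOTEPAD.EXE"]

if __name__ == "__main__":
    print(suspicious_udp_flows(SAMPLE_FLOWS))
    print(blank_named_executables(SAMPLE_LISTING))
```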
Actions are performed on the server by sending commands from the client to a specific ip address. If the server machine is not on a static address, it can be located by using the sweep or sweeplist commands from the text client, or from the gui client using the "Ping..." dialog or by putting a target ip of "1.2.3.*". If sweeping a list of subnets, when a server machine responds the client will look in the same directory as the subnet list and will display the first line of the first file it finds with the filename of the subnet.
The commands currently implemented in Back Orifice are listed below. Some of the command names differ between the gui and text clients, but the syntax is the same for almost all commands. More information for any of the commands can be displayed in the text client by typing 'help command'. The gui sets the label of the two parameter fields to a description of the arguments each command accepts when that command is selected from the 'Command' list. If a piece of required information was not supplied with the command, the error 'Missing data' will be returned by the server. The Back Orifice commands are (gui/text command):

App add/appadd
    Spawns a text based application on a tcp port. This allows you to control a text or dos application (such as command.com) via a telnet session.
App del/appdel
    Stops an application from listening for connections.
Apps list/applist
    Lists the applications currently listening for connections.
Directory create/md
    Creates a directory.
Directory list/dir
    Lists files and directories. You must specify a wildcard if you want more than one file to be listed.
Directory remove/rd
    Removes a directory.
Export add/shareadd
    Creates an export on the server. The exported directory or drive's icon does not get overlaid with the shared hand icon.
Export delete/sharedel
    Deletes an export.
Exports list/sharelist
    Lists current share names, the drive or directory that is being shared, the access for that share, and the password for the share.
File copy/copy
    Copies a file.
File delete/del
    Deletes a file.
File find/find
    Searches a directory tree for files that match a wildcard specification.
File freeze/freeze
    Compresses a file.
File melt/melt
    Decompresses a file.
File view/view
    Views the contents of a text file.
HTTP Disable/httpoff
    Disables the http server.
HTTP Enable/httpon
    Enables the http server.
Keylog begin/keylog
    Logs keystrokes on the server machine to a text file. The log shows you the name of the window the text was typed into.
Keylog end
    Ends keyboard logging. To end keyboard logging from the text client, use 'keylog stop'.
MM Capture avi/capavi
    Captures video and audio (if available) from a video input device to an avi file.
MM Capture frame/capframe
    Captures a frame of video from a video input device to a bitmap file.
MM Capture screen/capscreen
    Captures an image of the server machine's screen to a bitmap file.
MM List capture devices/listcaps
    Lists video input devices.
MM Play sound/sound
    Plays a wav file on the server machine.
Net connections/netlist
    Lists current incoming and outgoing network connections.
Net delete/netdisconnect
    Disconnects the server machine from a network resource.
Net use/netconnect
    Connects the server machine to a network resource.
Net view/netview
    Views all network interfaces, domains, servers, and exports visible from the server machine.
Ping host/ping
    Pings the host machine. Returns the machine name and the BO version number.
Plugin execute/pluginexec
    Executes a Back Orifice plugin. Executing functions that do not conform to the Back Orifice plugin interface may cause the server to crash.
Plugin kill/pluginkill
    Tells a specific plugin to shut down.
Plugins list/pluginlist
    Lists active plugins or the return value of a plugin that has exited.
Process kill/prockill
    Terminates a process.
Process list/proclist
    Lists running processes.
Process spawn/procspawn
    Runs a program. From the gui, if the second parameter is specified, the process will be executed as a normal, visible process. Otherwise it will be executed hidden or detached.
Redir add/rediradd
    Redirects incoming tcp connections or udp packets to another ip address.
Redir del/redirdel
    Stops a port redirection.
Redir list/redirlist
    Lists active port redirections.
Reg create key/regmakekey
    Creates a key in the registry.
    NOTE: For all registry commands, do not specify the leading \\ for registry values.
Reg delete key/regdelkey
    Deletes a key from the registry.
Reg delete value/regdelval
    Deletes a value from the registry.
Reg list keys/reglistkeys
    Lists the sub keys of a registry key.
Reg list values/reglistvals
    Lists the values of a registry key.
Reg set value/regsetval
    Sets a value for a registry key. The values are specified as a type followed by a comma, then the value data. For binary values (type B) the value is a series of two digit hex values. For DWORD values (type D) the value is a decimal number. For string values (type S) the value is a text string.
Resolve host/resolve
    Resolves the ip address of a machine name relative to the server machine. The machine name can be an internet host name, or a local network machine name.
System dialogbox/dialog
    Creates a dialog box on the server machine with the supplied text and an 'ok' button. You can create as many dialog boxes as you want; they will just cascade in front of the previous box.
System info/info
    Displays system information for the server machine. Information displayed includes machine name, current user, cpu type, total and available memory, Windows version information, and drive information, including drive type (Fixed, cd-rom, removable, or remote) and, for fixed drives, the size and free space of the drive.
System lockup/lockup
    Locks up the server machine.
System passwords/passes
    Displays cached passwords for the current user and the screen saver password. Displayed passwords may have garbage data at their end.
System reboot/reboot
    Shuts down the server machine and reboots it.
TCP file receive/tcprecv
    Connects the server machine to a specific ip and port and saves any data received from that connection to the specified file.
TCP file send/tcpsend
    Connects the server machine to a specific ip and port and sends the contents of the specified file, then disconnects.

NOTE: For tcp file transfers, the specified ip and port must be listening before the tcp file command is sent or it will fail. A useful utility for transferring files this way is netcat, which is available for both unix and win32.

Files can be transferred _from_ the server using the tcp file send command and netcat with a syntax like:

    netcat -l -p 666 > file

Files can be transferred _to_ the server using the tcp file receive command and netcat with a syntax like:

    netcat -l -p 666

the end of the input file. After the contents of the file have been transferred, terminate netcat with ctrl-c or ctrl-break.
BOConfig:

BOConfig.exe allows you to configure the options for a bo server before it has been installed. It asks you for the executable name, which is the name that Back Orifice will install itself as in the system directory. It does not have to end in .exe, but it will not append .exe if you do not supply a file extension. It then asks for the exe description, which is the description that will describe the exe in the registry where it gets started from during boot. It then asks for the port which the server will listen for packets on. It then asks for a password which it will use for encryption. To communicate with the server from a client, the client must be configured with this same password. This can be null. It then asks for the default plugin to run on startup. This is a DLL and function name in the form "DLL:_Function" of a Back Orifice plugin which will automatically be run when the server starts. This can be null. It then lets you enter any arguments that you want to pass to the plugin at startup. This also can be null. And finally, it asks for the path to a file which can be attached to the server, which will be written in the system directory as the server starts. This could be a Back Orifice plugin which is automatically started.

The server will work without being configured. It defaults to communicating on port 31337 with no password and installing itself as " .exe".
Known bugs/problems:

MM Capture screen - The bitmap is saved in whatever resolution and pixel depth the server machine is running in. As a result, bitmaps may be produced with color depths of 16 bit or 24 bit. Most graphics applications can only deal with 8 or 32 bit bitmaps and will either be unable to load the bitmap or display it incorrectly (this includes Graphics Workshop for Windows, Photoshop, and the WANG Imaging distributed with Windows). There is, however, a program that comes with Windows that will view it: Paint.exe. Go figure.

Keyboard logging - Apparently ms-dos windows don't have a message loop, which prevents the ability to log keys that are typed into them.

Text based application tcp redirection (App add) - Several bugs. When command.com is spawned with its handles redirected, the system also spawns REDIR32.EXE, which it does not appear possible to terminate. (This seems to be the os interface that communicates with a tsr module loaded in the dos session to redirect the input and output handles to pipes.) So if you terminate the tcp connection before the application has terminated (or you have 'exit'ed it), REDIR32.EXE and WINOA386.MOD (the 'old application' (16 bit) wrapper) will remain running, and neither Back Orifice nor the operating system itself will be able to terminate them. This even prevents the system from being able to shut down; it just sits at the 'Please wait...' screen forever.

There also seem to be problems redirecting the output from some console applications (such as FTP.EXE, and unfortunately currently boclient.exe). Although output from the program is not relayed out, input may still be relayed in, so you can often quit the program through the tcp session. Otherwise use Back Orifice to kill the executable.
Send questions, comments, bitches and bugs to [email protected].

Microsoft, Windows, Windows 95, Windows 98, and Windows NT are all registered trademarks of the Microsoft Corporation.