*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~
~                                            ~
*Owning Telus Internet Call Director By PhluX*
~                                            ~
*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~
Version 1.0


Be sure you have all of the following files:
ICD.TXT (This file)
Account.html
STARTICD.EXE (Installation program ver5.8.7 build Oct 28 1999)

NOTE (so you don't get confused):
Telus calls "their" program Internet Call Director.
The actual creators of the software use "manager" in place of the word "director". I have seen lots of companies utilize this
software, and I've only seen it come from one company.


First I'll explain what ICD (Internet Call Director) is.
When you sign up for this service (from Telus) you are billed $5.50 or so per month.. (check site for more details... I'm more
concerned about the technical aspect anyways). Then the program runs every time you start your Windows 9x computer and it is
automatically minimized to the system tray with a pager-like icon that is red. When you connect to the internet and
the program is working, the light will be green.
I'll let Telus elaborate:

"Internet Call Director (ICD) delivers call management to your screen when you receive calls while you are on the Internet.  It provides the ability to answer, forward or play callers a courtesy voice message.  If you use Internet Call Director in conjunction with voice mail you can also send incoming calls to your mailbox.  Each call will be logged for your convenience.

With Internet Call Director, you will never miss those important calls again while you're on the Internet.  While online, Internet Call Director will monitor your incoming call and display the name, telephone number and time associated with each call (if Caller ID information is available for the person calling)."

also;

"When you select an option, your callers will hear a message, asking them to wait while you engage the call, to wait while the call is being transferred or to advise them that you aren't available. You can personalize each of these messages."

"I do not always get my caller's information. Why?

Our software is designed to display the information that is sent along with the phone call by the telephone company. It is often the case, with many cellular or long distance telephone systems, that no such information is sent, or that this information is lost or replaced with other information as it passes through various telephone networks and switches. Unfortunately, these circumstances are beyond our control, and at this time, there is no way our system can get this information to display to you."


So, in theory if someone should call you while you're on the internet and you have the
program running, the CID (caller identification) data is sent through the internet to an open port on your computer
and the program displays who is calling you and you can do a few things...
You can answer the call; if you choose this option you are disconnected from the internet and approximately 10 seconds later
your telephone rings (I don't have any CPEs (customer premises equipment, the lil box that receives the CID data) so I don't
know if the ANI information (caller name+number) is transmitted.. but the program displays it).
So basically the program is a software-based CPE (maestro, caller display box, whatever).
Other options include sending the caller to voice mail, or having the Telus automated operator say you will call them back
or she will tell them to call back. These options are reprogrammable. (I.e., be your own Telus operator (joy))
Oh yeah, you can forward calls too. (You don't need to subscribe to any kind of call forwarding service (72# rings a bell).)
However if you do have your line forwarded.. the ICD software will not work. 73# and untransfer your phone.
When you get the cute little popup you have 18 seconds to react. (To someone who's calling you, that's 4 rings before the
ICD tells you you missed the call; the phonee (person calling you) just gets more rings and that's it.)

I just verified the program works with any ISP.. (however there's a checkbox for AOL users)
And you don't need to subscribe to CID (caller identification) or CWCID (call waiting caller identification).

The Telus Internet Call Director program has an ICM.INI (internet call manager information) file; install the program
yourself and mess around.. but I'll paste mine in here.

For the USERID variable, the # signs are replaced with your phone number, obviously.
For the PASSWORD variable, your password is displayed in plain ASCII text in this information file...
can we say "encryption", Telus?? Well actually blame may be to the makers of the actual program (information at bottom of
this file); Telus just jazzed up the program with their colors and logos and stuff... either way they should have done
something about this vulnerability!

The SIGNATURE variable is very important, more on it later.. it's just a 6 digit number (algorithm maybe?)
OK, here's my ICM.INF:

[PARAMS]
USERID=(780) ###-####
PASSWORD=xxxxx
MINIMIZE=1
SOUND=1
RAS=1
USEAOL=0
SERVICE=4
VERSION=7.0
IP1ADDR=
IP1PORT=
IP2ADDR=
IP2PORT=
REDIRECTADDR=207.34.24.16/10002
REDIRECTPORT=
IPLASTCONNECTED=0
NAME1=
NUMBER1=
TIME1=10
NAME2=
NUMBER2=
TIME2=10
NAME3=
NUMBER3=
TIME3=10
NAME4=
NUMBER4=
TIME4=10
PACKETTIMEOUT=10
PACKETRESENDS=1
DUTY=120
AUTOLOG=1
VOLUME=63
HANGUP=1
SIGNATURE=123456
REGION=0
DEBUG=0
AOLTIMER=20
SHOWNOTIFY=1
SHOWIGNORE=1
SHOWANSWER=1
CUSTOMIZENUMBER=(XXX) XXX-XXXX
CUSTOMIZEPIN=not yet available
CUSTOMNOTIFY=0
CUSTOMANSWER=0
SERVERLIST=0:3
SERVER0=207.229.3.186/15001
SERVER1=207.229.4.116/15001
SERVER2=207.229.4.114/15001


By editing the information file we can turn on and off stuff the program might not let us.. In case you forgot, 1 is on, 0 is off.
Right now that may be gibberish... but run the program.. look at the checkboxes and you will see... however stuff like
"VOLUME" is not modifiable by the app.
Go wild.. but have a backup.
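
The check a defender would run against a file like this one, as an added Python example that is not part of the original text or the ICD software: it parses an ICM.INF-style [PARAMS] section, reports which credential keys hold a cleartext value, and lists the servers the client is configured to contact. The sample file, all of its values and the function name audit_icm are constructed for illustration.

```python
import configparser
import re

# Keys the text above identifies as credentials in the [PARAMS] section.
SECRET_KEYS = ("PASSWORD", "SIGNATURE", "CUSTOMIZEPIN")
# Values that mean no real secret is stored (empty, "*", or the stock placeholder).
PLACEHOLDERS = {"", "*", "not yet available"}
# Keys whose value is a server in "address/port" form.
ENDPOINT_KEY = re.compile(r"^(REDIRECTADDR|SERVER\d+)$")

# Constructed sample in the same layout as the file above; every value is made up.
SAMPLE = """\
[PARAMS]
USERID=(555) 555-0100
PASSWORD=hunter2
SIGNATURE=000000
CUSTOMIZEPIN=not yet available
REDIRECTADDR=192.0.2.16/10002
SERVERLIST=0:2
SERVER0=198.51.100.7/15001
SERVER1=198.51.100.8/15001
DEBUG=0
"""


def audit_icm(text):
    """Return cleartext credential keys and server endpoints in an ICM.INF-style file."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the upper-case key names as written
    parser.read_string(text)
    params = parser["PARAMS"]

    secrets = []
    for key in SECRET_KEYS:
        value = params.get(key, "").strip()
        if value not in PLACEHOLDERS:
            # Report only the length, never the secret itself.
            secrets.append((key, len(value)))

    endpoints = []
    for key, value in params.items():
        if ENDPOINT_KEY.match(key) and "/" in value:
            addr, _, port = value.partition("/")
            endpoints.append((key, addr, int(port)))
    return {"secrets": secrets, "endpoints": endpoints}


if __name__ == "__main__":
    report = audit_icm(SAMPLE)
    for key, length in report["secrets"]:
        print(f"cleartext credential: {key} ({length} chars)")
    for key, addr, port in report["endpoints"]:
        print(f"client talks to: {key} -> {addr}:{port}")
```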

Oh yeah hit up internetcallmanager.com ... I guess them and Telus are in cahoots...
click partnerships and you can see all the telcos who pay for Info Interactive's technology... a cool idea it is.


mmm...:
SERVER0=207.229.3.186/15001
SERVER1=207.229.4.116/15001
SERVER2=207.229.4.114/15001

The servers with which the program corresponds.. netstat -a and see what port ICD is using to interact with the server.
Don't forget the:
REDIRECTADDR=207.34.24.16/10002
I'll let you packet kids mess with all that stuff.


Telus paid for the source/licensing/blah blah to the ICD program, made it nice and they use the
interactive servers. ( :P~ on you if you already figured that out, as I've never seen this program in use elsewhere until we
subscribed to the service and I poked around) See the end of this file for links.

Anyways, onto the exploit!

http://telus.internetcalldirector.com/Account.cgi?780PRESUFF,123456

That url is the url to view account information, replace the letters PRE with your prefix and the letters SUFF
with your suffix. So if your phone number is 780-555-1337 try:
http://telus.internetcalldirector.com/Account.cgi?7805551337,123456
Try and enter in any phone number and you get the following error:


Internal Error  
  [5]Account does not exist check your ICD Number  

As expected...
You need your ICD number, this is in the information (ICM.INF) file under "SIGNATURE=123456" though it will not be 123456.
With the inf file, you have all the information and power... encrypt bitches! (BTW 123456 is just an example signature
for this file!)

Ok, so you opened someone's ICM.INF or you used some back door program and snagged it, get their phone number and the ICD #
(A.K.A. signature #, as ICM.INF refers to it) and then go to
http://telus.internetcalldirector.com/Account.cgi?7805551337,123456 (but remember.. replace with the infos you obtained)
And hehe, the nice lil page gives us all the information! The 877 # to call to change the greeting, the pin, the page tells
you if the account has subscribed to voice mail, even tells you the OS of the person using the ICD # and account status.
From this page you can also change *your* (I hope we're not abusing Telus' poor security) email and operating system...
The page is enclosed with this zip file as Account.html; however all my legit information has been
changed to the above example (phone number 780 555 1337 and signcode 123456).

The 877 number is universal, meaning everyone who uses the ICD service and wants to change greetings and such has to call
this number and enter their pin (but once you get in change the email to one of yours.. make sure it's anon email)
ICD System Phone # is 1-877-225-5426 (call this # to change your ANSWER and ACKNOWLEDGE messages)

For your convenience I have mapped out the system; after dialing (1-877-225-5426) the automated operator answers after the
first ring but before the second. (this is consistent :-)
Ring...
ANSWER
"Welcome to internet call director from telus, please enter your 6 digit ICD pin #, you will find this # in the email you
received when you signed up for ICD"
11-12 seconds later... (if there is no DTMF activity)
"Please enter your 6 digit ICD pin #, you will find this # in the email you received when you signed up for ICD"
11-12 seconds later the closing message is played.

Enter 6 DTMF signals that are not a valid ICD pin # and you get an error:
"I'm sorry, the pin number you entered was incorrect, Please enter your 6 digit ICD pin #, you will find this # in the email you received when you signed up for ICD"

After the second incorrect pin, the error is repeated, and the third time, the error message above is not stated, instead
the closing message is heard and the line released.

After entering a valid pin # you get the following options (onward referred to as the main menu):
"To change your answer greeting press 1"
"To change voice mail greeting 2"
"To change your play message greetings press 3"
"To change your pin # press 4"
"To repeat these options press 5"
The same rules apply here.. if there's no DTMF activity for 11-12 seconds, the options are repeated, but then on the
third time the closing message is played.

#1 Change your answer greeting:
"You have selected to customize the answer greeting, this option lets you record a customized greeting that callers
hear when you choose to answer or forward a call. Internet call director is currently using the system greeting when you
answer calls."

"To record your answer greeting press 1"
"To restore the system greeting press 2"
"To review your current greeting press 3"
"To review the system greeting press 4"
"To return to the main menu press star"
The '12 second rule' takes place, and the options are replayed (starting at "to record your answer greeting...")
And then the closing message is played.

#2 Change your voice mail greeting:
"You have selected to customize the voice mail greeting. This option lets you record a customized greeting, which plays
to callers before transferring them to voice mail."
"To record your voice mail greeting press 1"
"To restore the system greeting press 2"
"To return to the main menu press star"

#3 Change your play message greetings:(you know
"You have selected to customize the play message greeting."
"To record your I'll call you back greeting, press 1"
"To record your You call me back greeting, press 2"
"To return to the main menu press star"

#4 Change your pin #:
"Please enter a new 6 digit pin #, or press star to cancel and return to the main menu."

Closing message:
"If you would like assistance please call our internet call director hotline at 310-4423"
And then the line is released.

As with most DTMF-driven automated voice systems like this, the star (or sometimes pound (#)) is the 'back up key'.
This is great for making maps like the one above... hehe saved me dialing them over and over.

If you're REAL bored you can try guessing pins (it's random or algorithm based.. but 6 digits is a lot unless you're some crypto
freak). And if you get a pin, you can mess around and customize greetings to someone's ICD. But you can't really take them
over without their phone number. (you need it to use the above URL trick to get to the account information page)

But this is good security if you plan on legitly using the ICD service.. and it's a nice service, just not too secure.
If you're on the main menu and you try and 'back up' (hit *) you are asked for the phone number that ICD is
subscribed to.. including area code, and then you are asked for the pin (or signature number or ICD #... just that 6 digit #)
But this isn't mentioned on the main menu... (it's a conspiracy!)

So yeah now crack away, get yourself a pin number.
But there's waaay better things to be cracking... hehe best of luck!
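
The three-tries-then-hang-up rule mapped above only limits guesses per call, so it does nothing against redialing. This added Python example (not part of the original file, and not Telus' or Info Interactive's code) shows the control that closes that gap: a number + PIN login, as on the `*` path, whose failure count is kept per account across calls. The class and function names, the thresholds and the sample number and PIN are all assumptions.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3         # assumed policy: bad PINs allowed per account, across all calls
LOCK_SECONDS = 15 * 60   # assumed cooldown once the limit is hit


def _hash_pin(pin, salt):
    # Salted, slow hash so the stored value is not the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class PinGate:
    """Number + PIN login whose failure count survives hanging up and redialing."""

    def __init__(self):
        self._accounts = {}   # phone number -> (salt, pin_hash)
        self._failures = {}   # phone number -> (failure_count, locked_until)

    def enroll(self, number, pin):
        salt = os.urandom(16)
        self._accounts[number] = (salt, _hash_pin(pin, salt))

    def attempt(self, number, pin, now):
        """Return 'ok', 'denied' or 'locked' for one PIN entry at time `now` (seconds)."""
        count, locked_until = self._failures.get(number, (0, 0.0))
        if now < locked_until:
            return "locked"   # even the right PIN is refused during the cooldown
        salt, expected = self._accounts.get(number, (b"\0" * 16, b""))
        # Always hash and compare in constant time, known number or not.
        if hmac.compare_digest(_hash_pin(pin, salt), expected):
            self._failures.pop(number, None)
            return "ok"
        count += 1
        if count >= MAX_FAILURES:
            self._failures[number] = (0, now + LOCK_SECONDS)
        else:
            self._failures[number] = (count, 0.0)
        return "denied"


def redial_guessing(gate, number, guesses, per_call=3, seconds_per_call=30):
    """Feed guesses in calls of `per_call` entries each; return the result of every entry."""
    results = []
    for i, guess in enumerate(guesses):
        now = (i // per_call) * seconds_per_call
        results.append(gate.attempt(number, guess, now))
    return results


if __name__ == "__main__":
    gate = PinGate()
    gate.enroll("5555550100", "482913")   # constructed number and PIN
    wrong = [f"{n:06d}" for n in range(8)]
    print(redial_guessing(gate, "5555550100", wrong + ["482913"]))
```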

However, if you get lucky, you might be able to record some message to social engineer information..
Hehe that'd be pretty funny. Use some software to emulate a computer voice and have it say 'Your Internet Call Director
services have been temporarily taken down due to *whatever*' (you're SE'ing them not me...)
"Please call 1-877-123-4567 and enter in the phone number to which ICD is subscribed to in order to restore service."
Use my map of the ICD system phone number, and try and get a voice like hers, or just talk the way she does.
The toll free number (looks less suspicious... and who wants to use their home phone #?) is a ureach voice mail box with
a greeting along the lines of "Thank you for calling telus internet call director troubleshooting hotline, please
enter in the phone number to which ICD services is subscribed to which is having technical difficulties..."

Or if you call up your friend and find out he uses the ICD program, instead of using the above technique to get the
phone number, have the voicemail ask for the pin. Make the recorded message say something like "you are calling from xxx xxx
xxxx and your ICD needs to be reinitialized, please enter your current ICD pin #"

Once you got the DTMF signals... decode them (if you can't figure this one out.. do some toll free scanning, find a voice
mail box system that says the number after you punch it in, you know you enter in your voice mail box # and instead play
the tones you duped some poor bastard into giving you and they are read back "We're sorry, the voice mail box 780 555 1337
is not valid. Please try again.") So yeah, now you've got the PIN and their home phone number... change account email...
and their ICD services are completely owned. One such VMB to use is 313-333-3337 (me and Lucky225 found that one when we
were bored one nite, it's some biker dude's voicemail, I think his name is bob, but lucky says it's doug, even if you don't
need to decode DTMF call it up anyways he's got a funny ass voice)
Hmm... just remembered ureach services aren't available to Canadians, but oh well you get my drift... crack some poor sob's
voice mail to get the ICD PIN and phone number.

With someone else's PIN number and land line number that subscribes to ICD, you will be able to
install the ICD software, and edit the INF file to your needs. You will have to get the password, but all you do is use
the account information 'exploit'(the url) and change the subscribers email address to some new anonymous email you used.
Try subdimension.com, they don't ask any questions, and don't monitor unless there's any abuse of service (SPAM).
And the email is accessible from the web and via pop protocol. Steal a laptop, use an AOL account, dialup to AOL from a
payphone, and create the email account using random numbers and letters as the user name.
Change the subscriber's email to the subdimension one (using the aforementioned URL vulnerability).
Use my attack.. then burn the laptop, dilute the ashes in gas and ignite the gas. 
Mail the ashes to each corner of the country. (the double burn process is a must)

With all the information here, you can steal ICD accounts for whatever reason...
Cracking the pins then social engineering the subscriber line
(you might even be able to phone the ICD hotline (310-4423) and claim ignorance. 'yeah uh, my pin is 123456 and im not sure which phone line that was registered under')
I dunno experiment.. then change the subscriber's e-mail and 'forget your password'.
Or you just steal the information file :P~


Use techniques above and use 3web or some free ISP and you own the phone line.. (or screen it in such a way that the dude
only gets the calls that YOU want!)
If anyone calls the line and you've accomplished the above, you get the calls... their phone won't ring and they won't know
why!! Of course if they find out they can phone Telus, complain and prove their identity and stuff so it might not last long
if you're playing everyone a message 'haha this line is owned'. Excellent for screening though!

However if the poor sob decided he wants to look at some porn and runs the program and someone calls, you and him will
both get a popup on the ICD software.


NOTES:
If you're going to phone 310-4ICD and get some information, at the end of the call they ask for your phone number (even though
they have most likely already pulled your #) So I would recommend doing this from a payphone if possible.

When I phoned, the op said a lineman had to go into the field to add the service... but that's included in the monthly charge.

Interestingly enough, if you edit the ICM.INF and put in nothing for the PASSWORD= (or just an asterisk * all by itself)
you get a nifty little popup that has the ICD program icon, and it says:
BC TEL Internet Call Director
ICD Number: (XXX) XXX-XXXX   (whichever number is in your ICM.INF)
New Password: (input box)
Confirm new password: (input box)

At this point I got very excited, it doesn't ask for an old password! But if you enter in any password other than the
owner's, and hit OK, the software runs, but the light blinks red to denote it's not working :-( Open the program
and you get an "Incorrect Password" message.

Try going to http://telus.internetcalldirector.com/ and signing up someone else for ICD! Though you need the first and last
name of the name that appears on that phone line's bill... shouldn't be too hard to get, but I'll let you guys test this one.

Recently we just got a second phone line, and my old man musta subscribed to ICD on this line as well, as I changed
the ICM.INF to reflect this phone number, keeping the password and signature # the same, it worked!
All right, I just deleted the SIGNATURE # and it still worked! On both accounts, no less! Even putting in random #s and it
still worked, thinking this was just the # that Telus used as the second part of the account administering URL, I hit
the account button, yet I was still taken to the correct page! However if you think about it this doesn't make this
attack any easier, as you still need the password. And if you read, you need the telephone # and ICD # to get the password..

I believe that's all the information I have to offer.. best of luck!

Resources/Links:
Tell a friend about ICD: http://www.telus.com/cgi-bin/tell_a_friend.cgi 
(or use the cgi to pester someone.. i'll go with the latter)

http://telus.internetcalldirector.com/
Telus ICD signup page.

http://www.telus.com/icdirector/
Telus' basic ICD information.

http://www.internetcallmanager.com/Agent/ResellerScreenForm.html
Reseller information

http://telus.internetcalldirector.com/Account.cgi?7805551337,123456 
hehhehe

http://www.internetcallmanager.com/SignupForm.cgi 
Free trial period (haven't tested this..)

http://www.internetcallmanager.com/
The SOURCE (Telus gets their service from these guys)

http://www.infointeractive.com/
And them guys are owned by Info Interactive
(click partners)

http://www.internetcalldirector.com/
Info Interactive's ICD information site.


Hope you found this txt informative, should you find any errors, have any questions email phlux@gtemail.net

Greets to Lucky225, theclone, the entire HackCanada crew, http://www.nettwerked.net, pooly, bigb, ^cupcake^, _Slayer_,
hecktabite, Smev, and anyone else i missed!

EOF