Re: 1988 called and wants its exploit back
Not really. The Morris Worm exploited vulnerabilities in fingerd, sendmail, and rsh/rexec. It did attack passwords, but not by overwriting /etc/passwd.[1] It tried some heuristics and a small dictionary against the password hashes;[2] according to a 1984 study this approach could be expected to succeed on about 30% of accounts on typical UNIX machines of the day.
The fingerd exploit was a BOF against gets() - perhaps the quintessential BOF, and likely the impetus for the interest in stack-smashing that eventually led to Levy's famous Phrack article.
The sendmail exploit abused the DEBUG command in sendmail, which was essentially a deliberate command-injection vulnerability, from a more innocent era.
The use of rsh/rexec wasn't a program vulnerability but the architectural insecurity of the r-commands, which were often configured to allow remote execution to local users without credentials. The Morris Worm used that mechanism to spread among machines within organizations that used the r-commands.
See Spaf's analysis for more details.
[1] It didn't know anything about the shadow password file, which some UNIX variants, but not all, had started to use in '88.
[2] UNIX crypt-derived passwords of that era were salted hashes generated by iterated DES encryption of a zero block using the password as the DES key. Due to the salt and the network bandwidth and storage limitations of the time, the worm had to rehash the dictionary for each salt value; it couldn't use a precomputed dictionary. Obviously retrieving hashes and doing an offline lookup or attack would have been more efficient, but dangerous (the cracking server could be identified), and in any case password cracking wasn't the worm's main goal or attack vector.