When the morris worm exploited the "finger" vulnerability, where did the shellcode reside when it executed?

The Morris Worm was one of - - if not the - - first worms that used the Internet to travel, and it did so by being deposited in the buffer overflow. It used a network service finger vulnerability in Unix to spread from machine to machine: the finger program ran at the root (admin) level and was programmed to assume no username would exceed 100 characters. By creating longer names, the worm code was entered, copied, and passed on. Buffer overflow attacks occur when too much code or data is entered or created for the buffer to hold. This creates an error in which data is stored elsewhere, or in this case, the code entered using the username vulnerability.