This is an exploit for HoleyBeep.
To use it, place any command you want root to execute in /tmp/x
.
$ cat /tmp/x
echo PWNED $(whoami)
The exploit takes a path to write to (the file must already exist) and rewrites its first bytes to /*/x
.
This means that if it's a shell script, it will execute /tmp/x
as its first and only command.
To gain root access, the idea is to use the exploit to overwrite any file in /etc/profile.d/
so it will execute /*/x
on the next login, possibly as the root user.
Variants are possible using cron instead of the shell, so you don't have to wait until root logs in.