If a packet is received while running CASE 5, a TCP server is placed in the listening state on port 23281. For example, when receiving "(0x2)abcdef": bash-2.04# strace -f reverse/the-binary5 execve("reverse/the-binary5", ["reverse/the-binary5"], [/* 35 vars */]) = 0 personality(PER_LINUX) = 0 geteuid() = 0 sigaction(SIGCHLD, {SIG_IGN}, {SIG_DFL}, 0x4006b008) = 0 setsid() = 1240 sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0 chdir("/") = 0 close(0) = 0 close(1) = 0 close(2) = 0 time(NULL) = 1022197808 socket(PF_INET, SOCK_RAW, 0xb /* IPPROTO_??? */) = 0 sigaction(SIGHUP, {SIG_IGN}, {SIG_DFL}, 0x4006b008) = 0 sigaction(SIGTERM, {SIG_IGN}, {SIG_DFL}, 0x4006b008) = 0 sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0 sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0 recv(0, "E\0\5\334l\326@\0@\vC\343\300\250\1\17\300\250\1\376\2"..., 2048, 0) = 1500 sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0 setsid() = -1 EPERM (Operation not permitted) sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 1 sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0 sigaction(SIGCHLD, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0 sigaction(SIGHUP, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0 sigaction(SIGTERM, {SIG_IGN}, {SIG_IGN}, 0x80575a8) = 0 sigaction(SIGINT, {SIG_IGN}, {SIG_DFL}, 0x4006b008) = 0 setsockopt(1, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0 bind(1, {sin_family=AF_INET, sin_port=htons(23281), sin_addr=inet_addr("0.0.0.0")}},16) = 0 listen(1, 3) = 0 accept(1, If you try to connect to the newly created server, you get no result unless you type the expected password: ... [root@hpspcr67 net]# telnet 127.0.0.1 23281 Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. hello Connection closed by foreign host. [root@hpspcr67 net]# ... 
accept(1, {sin_family=AF_INET, sin_port=htons(32771), sin_addr=inet_addr("127.0.0.1")}}, [16]) = 2 recv(2, "hola\r\n", 19, 0) = 6 send(2, "\377\373\1\0", 4, 0) = 4 close(2) = 0 _exit(1) = ? bash-2.04# And "the-binary" dies. If you telnet to the port and use "SeNiF" as the password (obtained by analyzing the assembler code), you get a response: accept(1, {sin_family=AF_INET, sin_port=htons(32772), sin_addr=inet_addr("127.0.0.1")}}, [16]) = 2 recv(2, "SeNiF\r\n", 19, 0) = 7 dup2(2, 0) = 0 dup2(2, 1) = 1 dup2(2, 2) = 2 execve("/bin/sh", ["sh"], [/* 35 vars */]) = 0 brk(0) = 0x80bc62c old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40013000 open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory) open("i686/mmx/libreadline.so.4.1", O_RDONLY) = -1 ENOENT (No such file or directory)open("i686/libreadline.so.4.1", O_RDONLY) = -1 ENOENT (No such file or directory) open("mmx/libreadline.so.4.1", O_RDONLY) = -1 ENOENT (No such file or directory) open("libreadline.so.4.1", O_RDONLY) = -1 ENOENT (No such file or directory) open("/opt/openoffice60/program/i686/mmx/libreadline.so.4.1", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/opt/openoffice60/program/i686/mmx", 0xbffff2bc) = -1 ENOENT (No such file or directory) open("/opt/openoffice60/program/i686/libreadline.so.4.1", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/opt/openoffice60/program/i686", 0xbffff2bc) = -1 ENOENT (No such file or directory) open("/opt/openoffice60/program/mmx/libreadline.so.4.1", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/opt/openoffice60/program/mmx", 0xbffff2bc) = -1 ENOENT (No such file or directory) open("/opt/openoffice60/program/libreadline.so.4.1", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/opt/openoffice60/program", 0xbffff2bc) = -1 ENOENT (No such file or directory)open("/etc/ld.so.cache", O_RDONLY) = -1 ENOENT (No such file or directory) open("/lib/i686/mmx/libreadline.so.4.1", O_RDONLY) = 
-1 ENOENT (No such file or directory) stat("/lib/i686/mmx", 0xbffff2bc) = -1 ENOENT (No such file or directory) open("/lib/i686/libreadline.so.4.1", O_RDONLY) = -1 ENOENT (No such file or directory) stat("/lib/i686", 0xbffff2bc) = -1 ENOENT (No such file or directory) open("/lib/mmx/libreadline.so.4.1", O_RDONLY) = -1 ENOENT (No such file or directory)stat("/lib/mmx", 0xbffff2bc) = -1 ENOENT (No such file or directory) open("/lib/libreadline.so.4.1", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0755, st_size=155768, ...}) = 0 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0p\236\0"..., 4096) = 4096 old_mmap(NULL, 162160, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40014000 mprotect(0x40037000, 18800, PROT_NONE) = 0 old_mmap(0x40037000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x22000) = 0x40037000 old_mmap(0x4003b000, 2416, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4003b000 close(3) open("i686/mmx/libhistory.so.4.1", O_RDONLY) = -1 ENOENT (No such file or directory) open("i686/libhistory.so.4.1", O_RDONLY) = -1 ENOENT (No such file or directory) open("mmx/libhistory.so.4.1", O_RDONLY) = -1 ENOENT (No such file or directory) open("libhistory.so.4.1", O_RDONLY) = -1 ENOENT (No such file or directory) open("/lib/libhistory.so.4.1", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0755, st_size=22472, ...}) = 0 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0p\25\0\000"..., 4096) = 4096 old_mmap(NULL, 25532, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x4003c000 mprotect(0x40042000, 956, PROT_NONE) = 0 old_mmap(0x40042000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x5000) = 0x40042000 close(3) = 0 open("i686/mmx/libtermcap.so.2", O_RDONLY) = -1 ENOENT (No such file or directory) open("i686/libtermcap.so.2", O_RDONLY) = -1 ENOENT (No such file or directory) open("mmx/libtermcap.so.2", O_RDONLY) = -1 ENOENT (No such file or directory) open("libtermcap.so.2", O_RDONLY) = -1 ENOENT (No such file or directory) 
open("/lib/libtermcap.so.2", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0755, st_size=11480, ...}) = 0 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\260\r\0"..., 4096) = 4096 old_mmap(NULL, 14568, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40043000 mprotect(0x40046000, 2280, PROT_NONE) = 0 old_mmap(0x40046000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x2000) = 0x40046000 close(3) = 0 open("i686/mmx/libdl.so.2", O_RDONLY) = -1 ENOENT (No such file or directory) open("i686/libdl.so.2", O_RDONLY) = -1 ENOENT (No such file or directory) open("mmx/libdl.so.2", O_RDONLY) = -1 ENOENT (No such file or directory) open("libdl.so.2", O_RDONLY) = -1 ENOENT (No such file or directory) open("/lib/libdl.so.2", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0755, st_size=9416, ...}) = 0 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320\34"..., 4096) = 4096 old_mmap(NULL, 12392, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40047000 mprotect(0x40049000, 4200, PROT_NONE) = 0 old_mmap(0x40049000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x1000) = 0x40049000 close(3) open("i686/mmx/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory) open("i686/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory) open("mmx/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory) open("libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory) open("/lib/libc.so.6", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0755, st_size=931668, ...}) = 0 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\210\215"..., 4096) = 4096 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4004b000 old_mmap(NULL, 946076, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x4004c000 mprotect(0x4012b000, 32668, PROT_NONE) = 0 old_mmap(0x4012b000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0xde000) = 0x4012b000 old_mmap(0x40130000, 12188, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40130000 close(3) = 0 
mprotect(0x4004c000, 913408, PROT_READ|PROT_WRITE) = 0 mprotect(0x4004c000, 913408, PROT_READ|PROT_EXEC) = 0 getpid() = 1254 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 open("/dev/tty", O_RDWR|O_NONBLOCK|O_LARGEFILE) = -1 ENOENT (No such file or directory) ioctl(0, TCGETS, 0xbffff810) = -1 EINVAL (Invalid argument) brk(0) = 0x80bc62c brk(0x80bd000) = 0x80bd000 rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 brk(0x80be000) = 0x80be000 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 brk(0x80bf000) = 0x80bf000 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 open("/usr/share/locale/locale.alias", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/i18n/locale.alias", O_RDONLY) = -1 ENOENT (No such file or directory) rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 open("/usr/share/locale/es_ES/LC_MESSAGES", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/i18n/es_ES/LC_MESSAGES", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/es/LC_MESSAGES", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/i18n/es/LC_MESSAGES", O_RDONLY) = -1 ENOENT (No such file or directory) getuid() = 0 getgid() = 0 geteuid() = 0 getegid() = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 brk(0x80c0000) = 0x80c0000 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 time(NULL) = 1022198118 ioctl(0, TCGETS, 0xbffff940) = -1 EINVAL (Invalid argument) rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 brk(0x80c1000) = 0x80c1000 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 brk(0x80c2000) = 0x80c2000 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 rt_sigaction(SIGCHLD, {SIG_DFL}, {SIG_IGN}, 8) = 0 rt_sigaction(SIGCHLD, {SIG_IGN}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGINT, {SIG_DFL}, {SIG_IGN}, 8) = 0 rt_sigaction(SIGINT, {SIG_IGN}, {SIG_DFL}, 8) = 0 rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0 
rt_sigaction(SIGQUIT, {SIG_DFL}, {SIG_DFL}, 8) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 rt_sigaction(SIGQUIT, {SIG_IGN}, {SIG_DFL}, 8) = 0 uname({sys="Linux", node="hpspcr67.spain.hp.com", ...}) = 0 rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 brk(0x80c3000) = 0x80c3000 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 stat64("/", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 stat64(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 getpid() = 1254 getppid() = 1253 stat64(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 stat64("/sbin/sh", 0xbffff69c) = -1 ENOENT (No such file or directory) stat64("/bin/sh", {st_mode=S_IFREG|0755, st_size=451964, ...}) = 0 stat64("/bin/sh", {st_mode=S_IFREG|0755, st_size=451964, ...}) = 0 rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 getpgrp() = 1254 rt_sigaction(SIGCHLD, {0x80711c0, [], 0x4000000}, {SIG_IGN}, 8) = 0 rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 fcntl(0, F_GETFL) = 0x2 (flags O_RDWR) fstat64(0, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0 _llseek(0, 0, 0xbffff8ec, SEEK_CUR) = -1 ESPIPE (Illegal seek) rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 rt_sigprocmask(SIG_BLOCK, [CHLD TTOU], [], 8) = 0 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 read(0, And it waits to read more input: it is a
shell interpreter. The three dup2() calls earlier in the trace attached the accepted connection to stdin, stdout and stderr before execve("/bin/sh"), so whatever the remote client sends on that connection is read by the shell.