Let’s say the address of a shell function is 0x89453290. The below snippet passes that address via stdin but keeps stdin open afterwards using the cat program. With cat, you can interact with the shell after injecting the bytes.
Some programs take their input from argv instead of stdin. However, it can be inconvenient to send large amounts of data to argv, so we can use a special program called xargs to help us. xargs takes whatever values that come into its stdin and uses them as arguments to the program given as its own argument.
Example: The rm program on Unix systems receives the file names it should delete from argv. This could be cumbersome if you need to delete all files in a directory (let’s pretend regex expansions and wildcards don’t exist for this example). A potential solution is the following command.
# Deletes all non-hidden files in the current directory ls | xargs rm
The stdout of ls is piped to the stdin of xargs, and xargs runs rm using that stdin as arguments to rm.