Reaver Pro Livedisc has a named pipe called /tmp/exe that is world writable and any input to it is passed to the shell interpreter, where it is executed as root. This provides a good demonstration as to why using named pipes to execute commands in applications is a bad idea. This exploit spawns a bindshell on localhost:4444 then connects to it.
c81a78f06cb4d36066f8e2f74dece7cc299f97e8c59ea7b40e8f927d7389faaa