Use An ENV Variable
•
Put shellcode in an environment variable
•
Compute return address: 0xbffffffa -
strlen(shellcode) - strlen(<vuln prog
name>) to get address for EIP
•
Overflow buffer with the computed return
address