Think you have skills?
/*
Try to exploit this without using any shellcode.
Assume a nonexecutable stack.
Get a root shell.
Jose Ronnick <matrix@phiral.com>
*/
/*
 * Banner text, 53 characters including the trailing newline. main() stores
 * the address of this literal in a heap cell and later reads it back through
 * that cell both to build the output string and to compute its length.
 */
#define message "Are two bytes enough for you? =) <matrix@phiral.com>\n"
/*
 * Zero the characters of every string in a NULL-terminated array of
 * string pointers. main() applies this to envp and argv before calling
 * func(). Only the string contents are wiped; the pointer slots in the
 * array itself are left untouched.
 */
void clearmem(char **target)
{
    char **entry = target;

    while (*entry != 0) {
        /* Measure first, then wipe exactly that many bytes (the terminator is already 0). */
        size_t span = strlen(*entry);

        memset(*entry, 0, span);
        entry++;
    }
}
/*
 * Copy src into a 56-byte stack buffer and return.
 *
 * Review note: this is the classic unbounded stack copy (CWE-121). The
 * function itself performs no length validation; the only guard is the
 * caller's, and main() tests a separately computed buf_len rather than the
 * length of the string it actually passes. Production code would bound the
 * copy by the destination size (for example snprintf(buffer, sizeof buffer,
 * "%s", src)) or reject any src with strlen(src) >= sizeof buffer, and
 * would be built with stack protection enabled.
 */
void func(char *src)
{
char buffer[56];
/* No bound: any src of 56 or more characters writes past the end of buffer. */
strcpy(buffer, src);
}
/*
 * Build "<message><argv[1]>" in a 100-byte stack buffer, optionally copy
 * argv[2] into a 20-byte heap block, print the string with a computed
 * length, wipe argv/envp, and hand the string to func() if the computed
 * length is below 56.
 *
 * Review summary (defects a hardening pass would have to address):
 *   - malloc() result is used without a NULL check.
 *   - a pointer is stored as a long inside a 20-byte allocation at offset 16,
 *     which only fits where sizeof(long) == 4.
 *   - both strncat() calls are bounded by the source length, not by the
 *     space left in buffer, so they give no overflow protection.
 *   - the length that gates func() is recomputed after the heap block may
 *     have been modified, instead of being taken from buffer itself.
 *   - required headers (<stdio.h>, <stdlib.h>, <string.h>, <strings.h>) are
 *     not visible in this listing, so every libc call is implicitly declared.
 */
int main(int argc, char *argv[], char *envp[])
{
char buffer[100];
char *data, *loc;
long *location;
int buf_len;
/* Nothing to do without at least one argument. */
if(argc == 1) exit(0);
/* NOTE(review): return value is never checked for NULL. */
data = (char *) malloc(20);
/*
 * The last bytes of the heap block (offset 16 onward) hold the address of
 * the message literal, stored as a long. On a platform where long is wider
 * than 4 bytes this store already runs past the 20-byte allocation.
 */
loc = data + 16;
*((long *)loc) = (long)message;
location = (long *) loc;
/* loc is reused from here on: it becomes argv[2] if present, else NULL. */
if(argc > 2)
loc = argv[2];
else
loc = 0;
/*
 * For argv[1] longer than 38 characters, the bytes at index 33 and 34 must
 * be 0xff and 0xbf or the program exits. This constrains content only; it
 * places no upper limit on the length of argv[1].
 */
if(strlen(argv[1]) > 38)
if(((unsigned char) argv[1][33] != 0xff) ||
((unsigned char) argv[1][34] != 0xbf)) exit(1);
bzero(buffer, 100);
/* Expected length: the string reached through *location plus argv[1]. */
buf_len = strlen((char *)*location) + strlen(argv[1]);
/*
 * NOTE(review): strncat's size argument is the source length here, so these
 * calls behave like strcat. Nothing limits the combined length to
 * sizeof buffer - 1; the bound should be the space remaining in buffer.
 */
strncat(buffer, (char *)*location, strlen((char *)*location));
strncat(buffer, argv[1], strlen(argv[1]));
/* NOTE(review): buf_len is not range-checked against sizeof buffer before indexing. */
buffer[buf_len] = 0;
if(loc)
{
/* argv[2] longer than 15 characters is rejected; lengths 14 and 15 copy nothing. */
if(strlen(loc) > 15) exit(1);
if(strlen(loc) < 14)
{
/*
 * NOTE(review): loc is shorter than 14 characters here, so loc[14] lies
 * beyond its terminator (out-of-bounds read of the argument string).
 * The memcpy branch copies a fixed 17 bytes regardless of the source
 * length: it reads past the end of loc and writes offsets 0..16 of data,
 * which overlaps the cell at data + 16 that location points to. A safe
 * version would copy at most 16 bytes and keep the pointer outside the
 * user-writable block.
 */
if(loc[14] == 0)
memcpy(data, loc, 17);
else
strcpy(data, loc);
}
}
/*
 * NOTE(review): the length is recomputed through *location after the copy
 * above may have altered that cell, so buf_len can differ from the length
 * of what is actually stored in buffer. The check below should use
 * strlen(buffer) (or the value computed before the copy) instead.
 */
buf_len = strlen((char *)*location) + strlen(argv[1]);
printf("%s (%d)\n", buffer, buf_len);
/* Wipe the contents of the environment and argument strings. */
clearmem(envp);
clearmem(argv);
/*
 * Zeroes 250 bytes at a hard-coded address passed as a bare integer.
 * NOTE(review): presumably the top of the stack on a 32-bit Linux layout
 * without address randomisation; confirm. On any other layout this is a
 * write to an arbitrary address.
 */
bzero(0xbfffff00, 250);
/*
 * func() copies into a 56-byte buffer, so this guard is only meaningful if
 * buf_len equals strlen(buffer); see the note on the recomputation above.
 */
if(buf_len < 56)
func(buffer);
}
Get the file as source: matrix_challenge.c
If you are able to solve it, e-mail me. matrix@phiral.com

