Rating:
Leak the address of puts and search for the correct libc version. Then calculate the offsets and overflow the buffer with system and /bin/sh.
I don't remember