\x44\x65\x66\x65\x61\x74\x69\x6e\x67\x20\x56\x41\x20\x69\x6e\x20\x32\x2e\x36\x2e\x39\x20\x41\x6e\x64\x20\x41\x62\x6f\x76\x65

First method first, because its easy to understand.
HOORAY FOR ret2eax
- Theroy:
- - All functions return values via %eax
  - There is a statically mapped call *%eax somewhere in the vsyscalls
  - If the function is returning %eax logically by program flow, it will not be zeroed out before return.
  - If you fill your return address with a call *%eax, you can execute anything in eax.

First method first, because its easy to understand.