I wonder why I couldn’t solve this problem at that time.
Exploitation part was a bit bothersome.(I used “pushad; pop ; pop ; pop ; ret” gadget. It was a miracle.)

exploit: https://gist.github.com/potetisensei/ce64a777fcb9c351acc8