Problem ROP 2

Hello everyone.

Let's solve the ROP Chal2. Check the mitigations how many in the problem,the same as the last time. This time I wanna use "peda" to solve problems. I describe simply the tool,it is use with "gdb", and display more intelligibly.for example, it is able to use 'checksec' in peda.

gdb-peda$ checksec
CANARY    : disabled
FORTIFY   : disabled
NX        : ENABLED
PIE       : disabled
RELRO     : Partial

These explanation will tell us, we are to bypass the NS bit(DEP) only.
And, check the disassembly main function.

gdb-peda$ pdisas main
Dump of assembler code for function main:
   0x080484e8 <+12>:	mov    DWORD PTR [esp+0x9c],0x0
   0x080484f3 <+23>:	mov    DWORD PTR [esp+0x8],0x1
   0x080484fb <+31>:	mov    DWORD PTR [esp+0x4],0x804a060
   0x08048503 <+39>:	mov    DWORD PTR [esp],0x0
   0x0804850a <+46>:	call   0x8048370 <read@plt>
   0x0804850f <+51>:	cmp    eax,0x1
   0x08048512 <+54>:	je     0x804851e <main+66>
   0x08048528 <+76>:	mov    DWORD PTR [esp+0x8],eax
   0x0804852c <+80>:	mov    DWORD PTR [esp+0x4],0x804a061
   0x08048534 <+88>:	mov    DWORD PTR [esp],0x0
   0x0804853b <+95>:	call   0x8048370 <read@plt>
   0x08048540 <+100>:	movsx  eax,al
   0x08048543 <+103>:	mov    DWORD PTR [esp+0x9c],eax
   0x0804854a <+110>:	mov    eax,DWORD PTR [esp+0x9c]
   0x08048551 <+117>:	add    eax,0x1
   0x08048554 <+120>:	test   eax,eax
   0x0804857e <+162>:	call   0x8048380 <memcpy@plt>
   0x08048583 <+167>:	call   0x80483d0 <fork@plt>
   0x08048588 <+172>:	test   eax,eax
   0x0804858a <+174>:	jne    0x80485cc <main+240>
   0x0804858c <+176>:	mov    DWORD PTR [esp+0x10],0x8048680
   0x08048594 <+184>:	lea    eax,[esp+0x1c]
   0x08048598 <+188>:	mov    DWORD PTR [esp+0x14],eax
   0x0804859c <+192>:	mov    DWORD PTR [esp+0x18],0x0
   0x080485a4 <+200>:	mov    DWORD PTR [esp],0x1
   0x080485ab <+207>:	call   0x8048390 <sleep@plt>
   0x080485b0 <+212>:	mov    DWORD PTR [esp+0x8],0x0
   0x080485b8 <+220>:	lea    eax,[esp+0x10]
   0x080485bc <+224>:	mov    DWORD PTR [esp+0x4],eax
   0x080485c0 <+228>:	mov    DWORD PTR [esp],0x8048680
   0x080485c7 <+235>:	call   0x80483c0 <execve@plt>