There is a UAF vulnerability when we assign a value to a variable using + statement. We can achieve an arbitrary code execution in the Print function by exploit the UAF vulnerability. At last, we just need to build our ROP chain and find a gadget that can trigger a stack pivot to execute execve("/bin/sh", 0, 0)