Exploit classic dangling pointer to UAF. In the first time, allocate a list_child object, which I used to get info disc and leak my chunk in the heap, and from that getting libc base addr. Then, allocate a string child, corrupt it's vtable and jump to pivot, which call system().