Exploit Research and Development Megaprimer: Exploit Writer's Swiss Army Knife



Published in: Education, Technology


  1. EXPLOIT RESEARCH & EXPLOIT DEVELOPMENT WITH MONA
     Kerala Cyber Force
     Ajin Abraham (@ajinabraham)
  2. WHAT IS MONA?
     • Mona (mona.py) is a plugin for Immunity Debugger and WinDBG, written by Peter Van Eeckhoutte (corelanc0d3r) of the Corelan Team.
     • It is a Python script that automates the repetitive parts of exploit development and cuts the effort manyfold.
     • The author's take: the tool was built to make exploit development "n00bish", that is, approachable even for beginners.
     • You no longer spend days and hours on pattern offsets, bad-character hunts or gadget searches.
     • Mona does almost everything for you; what remains is understanding what it found and why.
  5. MONA INITIAL CONFIGURATION
     • Download mona.py and copy it into the PyCommands directory of Immunity Debugger.
     • Set the folder where Mona writes its output files:
       !mona config -set workingfolder <path>
       Ex: !mona config -set workingfolder C:\Mona\%p
       %p is replaced by the process name and %i by the process id, so every debugged target gets its own output folder.
  6. GLOBAL OPTIONS OR FILTERS (usable with most search commands)
     • -n : Skip modules whose base address starts with a null byte.
     • -o : Skip OS modules.
     • -p <nr> : Stop the search after <nr> pointers.
     • -m : Limit the search to one or more modules.
       Ex: !mona seh -m "ntdll","xyzdll"
     • -cm : Limit by module property. Available options: aslr, safeseh, os, rebase, nx.
       Ex: !mona seh -cm aslr=false,os=true
     • -cp : Limit by pointer property. Available options: unicode, ascii, asciiprint, upper, lower, uppernum, lowernum, numeric, alphanum, nonull, startswithnull, unicoderev.
       Ex: !mona seh -cp unicode
     • -cpb : Limit by bytes that must not appear in the pointer (bad-character filtering).
       Ex: !mona seh -cpb "\x00\x0a\x0d\x20"
  7. COMMANDS
     • !mona pc <size> : Generate a cyclic pattern of <size> bytes, equivalent to Metasploit's pattern_create.rb.
     • !mona po <4 bytes> : Locate the given 4 bytes (for example the value sitting in EIP after the crash) in the cyclic pattern and report the offset, like pattern_offset.rb.
     • !mona findmsp : Search registers and memory for the pattern: which register was overwritten with it, which registers point into it, which pointers on the stack point into it, every location where (part of) the pattern is found, and the pattern size.
  8. COMMANDS
     • !mona mod : List all loaded modules along with their properties (base, size, ASLR, SafeSEH, rebase, NX, OS module).
     • !mona bytearray : Generate a byte array containing every value from 0x00 to 0xFF.
     • !mona bytearray -b "<list of bytes>" : Generate the same array excluding the listed bytes.
       Ex: !mona bytearray -b "\x00\x0a\x0d"
     • This is very handy for finding bad characters: send the array in the payload, compare what lands in memory with what was sent, and the first byte that is missing or altered is a bad character. Exclude it and repeat until the two arrays match.
     • !mona jmp -r <register> : Find pointers that jump to the given register.
       Ex: !mona jmp -r esp -m "ntdll" -cm os=true -cp nonull
     • !mona noaslr : Show modules that are neither ASLR-enabled nor rebased.
     • !mona nosafeseh : Show modules that are not protected by SafeSEH.
     • !mona seh : List pointers to POP/POP/RET sequences (and CALL DWORD [reg+offset] equivalents) usable for SEH overwrites.
     • !mona egg -t <tag> : Generate an egghunter that searches memory for the given tag.
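The pattern and bad-character steps on the two slides above (!mona pc, !mona po, !mona bytearray -b and the compare step) are easier to trust once you have seen them done by hand. The block below is an added example, not code from the slides or from mona.py: a stand-alone Python re-implementation of those four operations. The EIP value 0x41336141 and the target that "strips line feeds" are constructed inputs for the walk-through.

```python
"""Added example (not mona.py's code, not from the slides): the pattern and
bad-character workflow that !mona pc / po / bytearray -b / compare automate,
re-implemented so it can be run and checked outside the debugger."""
import string
import struct

MAX_PATTERN = 26 * 26 * 10 * 3  # 20280 bytes before the pattern repeats


def cyclic_pattern(size):
    """!mona pc <size>: Metasploit-style pattern Aa0Aa1Aa2...Ab0...
    Every 4-byte window is unique for the first MAX_PATTERN bytes."""
    if size > MAX_PATTERN:
        raise ValueError("size exceeds maximum unique pattern length")
    out = bytearray()
    for up in string.ascii_uppercase:
        for lo in string.ascii_lowercase:
            for dg in string.digits:
                out += (up + lo + dg).encode()
                if len(out) >= size:
                    return bytes(out[:size])
    return bytes(out)


def pattern_offset(value, size=MAX_PATTERN):
    """!mona po: offset of a 4-byte chunk in the pattern. Accepts the raw
    bytes (b"Aa3A") or the dword as the debugger shows it in EIP
    (0x41336141), which is the little-endian reading of those bytes."""
    needle = struct.pack("<I", value) if isinstance(value, int) else bytes(value)
    if len(needle) != 4:
        raise ValueError("need exactly 4 bytes")
    off = cyclic_pattern(size).find(needle)
    if off < 0:
        raise ValueError("value not found in pattern")
    return off


def bytearray_excluding(bad=b""):
    """!mona bytearray -b "<bytes>": all 256 values minus the known bad ones."""
    return bytes(b for b in range(256) if b not in bad)


def first_bad_char(sent, observed):
    """The compare step reduced to its core: the array that was sent versus
    the copy dumped from memory after the crash. Returns (index, byte) of
    the first byte that was altered or truncated, or None when they match.
    One mangled byte usually shifts or truncates everything after it, so
    the hunt is iterative: exclude the byte, send again, compare again."""
    for i, (s, o) in enumerate(zip(sent, observed)):
        if s != o:
            return i, s
    if len(observed) < len(sent):
        return len(observed), sent[len(observed)]
    return None


def as_c_string(data):
    """Render bytes as the \\xNN literal you paste into a PoC."""
    return "".join("\\x%02x" % b for b in data)


if __name__ == "__main__":
    # Constructed crash: a 2000-byte pattern was sent and EIP reads 0x41336141.
    pattern = cyclic_pattern(2000)
    print("offset to EIP:", pattern_offset(0x41336141))   # 9, i.e. bytes "Aa3A"
    # Constructed target behaviour: the parser strips line feeds (0x0a).
    arr = bytearray_excluding(b"\x00")
    landed = arr.replace(b"\x0a", b"")
    print("first bad char:", first_bad_char(arr, landed))  # (9, 10)
    arr = bytearray_excluding(b"\x00\x0a")
    print("after excluding it:", first_bad_char(arr, arr))  # None
    print(as_c_string(arr[:8]))
```

Note that pattern_offset takes the EIP value as an integer because that is how the debugger presents it; the little-endian packing is what turns 0x41336141 back into the bytes "Aa3A" at offset 9, which is the same conversion !mona po performs for you.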
  9. COMMANDS
     • !mona rop : Find ROP gadgets and build suggested ROP chains; it also runs ropfunc and stackpivot as part of the job.
     • !mona ropfunc : Find pointers to pointers (IAT entries) for functions that are useful in a ROP chain, such as VirtualProtect, VirtualAlloc and related APIs.
     • !mona stackpivot : Find stack pivot gadgets (instructions that move ESP into attacker-controlled data).
     • !mona find : Find a byte sequence, string or instruction in process memory.
     • !mona findwild : Find instruction sequences in process memory using wildcards.
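Pointer searches like !mona seh and !mona jmp -r esp are opcode scans over module memory followed by the -cp / -cpb filters from the global options slide. The block below is an added example, not the slides' or mona.py's code: a small scanner over a constructed 64-byte "module image" (real use would read the bytes of a loaded module out of the debugger) that finds POP/POP/RET and JMP ESP gadgets and then drops pointers that contain a null or a listed bad byte. Only the ESP encodings are included; the opcode table, the image and the base addresses are assumptions for the demo.

```python
"""Added example (not mona.py's code, not from the slides): a scanner for the
gadgets !mona seh and !mona jmp -r esp look for, with the -cp nonull and
-cpb pointer filters applied to the results."""
import struct

POP_R32 = range(0x58, 0x60)   # 58..5F = pop eax .. pop edi
RET = (0xC3, 0xC2)            # ret, ret imm16
JMP_ESP = {                   # only the ESP encodings are covered here (assumption)
    b"\xff\xe4": "jmp esp",
    b"\xff\xd4": "call esp",
    b"\x54\xc3": "push esp ; ret",
}


def find_ppr(image, base):
    """!mona seh: pop r32 / pop r32 / ret sequences in `image` loaded at
    `base`. After the two pops ESP points at the next-SEH field, which the
    attacker controls, so the ret lands in attacker-supplied bytes."""
    hits = []
    for i in range(len(image) - 2):
        a, b, c = image[i], image[i + 1], image[i + 2]
        if a in POP_R32 and b in POP_R32 and c in RET:
            hits.append((base + i, "pop/pop/ret" + (" imm16" if c == 0xC2 else "")))
    return hits


def find_jmp_reg(image, base, register="esp"):
    """!mona jmp -r esp: jmp/call esp and push esp ; ret."""
    if register != "esp":
        raise ValueError("this example only knows the ESP encodings")
    hits = []
    for i in range(len(image) - 1):
        name = JMP_ESP.get(bytes(image[i:i + 2]))
        if name:
            hits.append((base + i, name))
    return hits


def pointer_ok(addr, nonull=True, bad=b""):
    """-cp nonull and -cpb "<bytes>": reject a pointer whose little-endian
    encoding contains a null or any listed bad byte, since the same copy
    that overflowed the buffer would mangle it."""
    raw = struct.pack("<I", addr)
    if nonull and 0 in raw:
        return False
    return not any(b in raw for b in bad)


def usable(hits, bad=b""):
    return [(addr, desc) for addr, desc in hits if pointer_ok(addr, bad=bad)]


# Constructed module image: NOP filler with a pop/pop/ret at +0x10,
# a pop/pop/ret imm16 at +0x20 and a jmp esp at +0x30.
_img = bytearray(b"\x90" * 0x40)
_img[0x10:0x13] = b"\x5e\x5d\xc3"          # pop esi ; pop ebp ; ret
_img[0x20:0x25] = b"\x58\x5b\xc2\x04\x00"  # pop eax ; pop ebx ; ret 4
_img[0x30:0x32] = b"\xff\xe4"              # jmp esp
IMAGE = bytes(_img)


def demo(base, bad=b"\x0a\x0d"):
    """Scan IMAGE as if loaded at `base`; keep pointers that pass nonull
    and the bad-byte list (constructed: \\x0a\\x0d, as for a text protocol)."""
    return usable(find_ppr(IMAGE, base) + find_jmp_reg(IMAGE, base), bad=bad)


if __name__ == "__main__":
    # 0x10011000: all three survive. 0x00400000: every pointer has a null byte.
    # 0x0d0a1000: every pointer contains \x0d\x0a, so the bad-byte filter drops them.
    for base in (0x10011000, 0x00400000, 0x0d0a1000):
        print(hex(base), [(hex(a), d) for a, d in demo(base)])
```

The last two base addresses are the point of the example: the same module gives three perfectly good gadgets at 0x10011000 and none at all at 0x00400000 or 0x0d0a1000, which is exactly why !mona prints the module's base and why the -n, -cp nonull and -cpb filters are worth applying before you pick an address.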
  10. COMMANDS
     • !mona header : Create a Ruby (Metasploit) exploit header from a PoC file.
       Ex: !mona header -f "<path>"
     • !mona skeleton : Create a Metasploit module skeleton.
     • !mona suggest : Generate a Metasploit module once EIP or SEH is controlled by the cyclic pattern.
  11. FIGURE OUT OTHER COMMANDS BY YOURSELF
     • assemble
     • dump
     • stacks
     • gflags
     • breakpoint
     • compare
     • ... etc.
  12. THANKS
     @ajinabraham
     Good read: