
Exploit Research and Development Megaprimer: mona.py, Exploit Writer's Swiss Army Knife


Exploit Research and Development Megaprimer
http://opensecurity.in/exploit-research-and-development-megaprimer/

http://www.youtube.com/playlist?list=PLX3EwmWe0cS_5oy86fnqFRfHpxJHjtuyf


Slide 1: EXPLOIT RESEARCH: EXPLOIT DEVELOPMENT WITH MONA
Kerala Cyber Force, www.keralacyberforce.in
Ajin Abraham, @ajinabraham

Slide 2: WHAT IS MONA?
• Mona is a plugin for Immunity Debugger or WinDBG developed by Peter of Corelan Team.
• Mona is a Python script that simplifies the efforts of an exploit developer manyfold.
• As far as I can tell, this tool was created to make exploit development n00bish.
• You don't have to spend days and hours on exploit development.
• Mona will do almost everything for you.

Slide 3: SET OF COMMANDS SUPPORTED BY MONA

Slide 4: GLOBAL OPTIONS THAT YOU CAN APPLY AS FILTERS

Slide 5: MONA INITIAL CONFIGURATION
Download Mona and copy it to the PyCommands directory of Immunity Debugger.
• !mona config -set workingfolder <path>
  Ex: !mona config -set workingfolder C:\Mona\%p
  %p : based on process name
  %i : based on process id

Slide 6: GLOBAL OPTIONS OR FILTERS
• -n : Skip modules that start with a null byte.
• -o : Skip OS modules.
• -p <nr> : Stop the search after <nr> pointers.
• -m : Limit to one or more modules. Ex: !mona seh -m "ntdll","xyzdll"
• -cm : Limit by a module property. Ex: !mona seh -cm aslr=false,os=true
  Available options are: aslr, safeseh, os, rebase, nx
• -cp : Limit by pointer properties. Ex: !mona seh -cp unicode
  Available options are: unicode, ascii, asciiprint, upper, lower, uppernum, lowernum, numeric, alphanum, nonull, startswithnull, unicoderev
• -cpb : Limit by bytes in pointers (can be used for bad character filtering). Ex: !mona seh -cpb "\x00\x0a\x0d\x20"

Slide 7: COMMANDS
• !mona pc <size> : Generate a cyclic pattern similar to pattern_create.rb.
• !mona po <4 byte pattern> : Locate the given 4 bytes in the cyclic pattern.
• !mona findmsp : Find registers overwritten with the pattern, registers that point into the pattern, and pointers on the stack that point into the pattern. Shows all locations of the cyclic pattern and the pattern size.

Slide 8: COMMANDS
• !mona mod : List all loaded modules along with their properties.
• !mona bytearray : Generate the bytes from 0x00 to 0xFF.
• !mona bytearray -b "<list of bytes>" : Generate the bytes from 0x00 to 0xFF excluding the listed bytes. This is very handy for checking bad characters during exploit development.
• !mona jmp -r <register> : Find pointers that jump to the given register. Ex: !mona jmp -r esp -m "ntdll" -cm os=true -cp nonull
• !mona noaslr : Show modules that are not ASLR-enabled or rebased.
• !mona nosafeseh : Show modules that are not SafeSEH protected.
• !mona seh : List pointers to PPR (POP/POP/RET) or CALL DWORD.
• !mona egg -t <tag> : Create egghunter code including the specified tag.
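The cyclic-pattern and byte-array workflow from slides 7 and 8 (!mona pc, !mona po, !mona bytearray -b and the follow-up comparison), reimplemented in plain Python as an added example. This is not mona's own code and not part of the original deck; the function names are chosen here, and register values are assumed to be 32-bit little-endian (x86), which is what mona targets under Immunity Debugger. It shows why the pattern works for crash triage (every 4-byte window of the Metasploit-style pattern is unique, so a value read from a register maps back to exactly one offset in the input) and how the byte array sent to a target is diffed against the copy found in memory to isolate a mangled byte.

```python
import string
import struct

# Metasploit/mona-style cyclic pattern: triples of (uppercase, lowercase, digit),
# i.e. Aa0Aa1Aa2...; every 4-byte window is unique within the first 20280 bytes.
_UPPER = string.ascii_uppercase
_LOWER = string.ascii_lowercase
_DIGITS = string.digits
MAX_UNIQUE = len(_UPPER) * len(_LOWER) * len(_DIGITS) * 3  # 20280


def pattern_create(length):
    """Return the first `length` characters of the cyclic pattern (like !mona pc)."""
    if length > MAX_UNIQUE:
        raise ValueError("pattern longer than %d bytes would repeat" % MAX_UNIQUE)
    chunks = []
    for u in _UPPER:
        for l in _LOWER:
            for d in _DIGITS:
                chunks.append(u + l + d)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(value):
    """Locate a 4-byte value in the pattern (like !mona po).

    `value` is either the 4-character string seen in memory or the 32-bit
    integer a debugger shows in a register. Register values are assumed to be
    little-endian (x86), so 0x41316141 is the bytes 41 61 31 41 = "Aa1A".
    Returns the offset into the input, or -1 if the value is not in the pattern.
    """
    if isinstance(value, int):
        value = struct.pack("<I", value).decode("ascii", errors="replace")
    if len(value) != 4:
        raise ValueError("expected exactly 4 bytes")
    return pattern_create(MAX_UNIQUE).find(value)


def bytearray_excluding(bad=b""):
    """All bytes 0x00..0xFF except those in `bad` (like !mona bytearray -b)."""
    return bytes(b for b in range(256) if b not in bad)


def first_mismatch(expected, observed):
    """Compare the byte array that was sent with the copy found in memory.

    Returns (index, expected_byte) for the first position where the two differ
    (a byte the target mangled or truncated on), or None if `observed` carries
    the whole of `expected`. Bad characters are usually found one at a time:
    exclude the reported byte, regenerate the array and repeat.
    """
    for i, exp in enumerate(expected):
        if i >= len(observed) or observed[i] != exp:
            return (i, exp)
    return None


if __name__ == "__main__":
    # Constructed walk-through: a 20-byte pattern, a register value and a diff.
    print(pattern_create(20))                 # Aa0Aa1Aa2Aa3Aa4Aa5Aa
    print(pattern_offset(0x41316141))         # 3
    sent = bytearray_excluding(b"\x00")
    seen = sent.replace(b"\x0a", b"\x00")     # constructed: target mangled 0x0a
    print(first_mismatch(sent, seen))         # (9, 10)
```

The full pattern only has unique 4-byte windows up to 20280 bytes, which is why `pattern_create` refuses longer lengths instead of silently returning an ambiguous pattern; mona's `!mona pc` has the same limit.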
Slide 9: COMMANDS
• !mona rop : Generate gadgets, including a run of ropfunc and stackpivot.
• !mona ropfunc : Find pointers to pointers (IAT entries) to interesting functions that can be used in your ROP chain (the APIs and the close APIs).
• !mona stackpivot : Find stack pivots.
• !mona find : Find bytes in process memory.
• !mona findwild : Find instructions in process memory using wildcards.

Slide 10: COMMANDS
• !mona header : Create a Ruby exploit header from a PoC. Ex: !mona header -f "<path>"
• !mona skeleton : Create a Metasploit module skeleton.
• !mona suggest : Create a Metasploit module once you control EIP or SEH with a cyclic pattern.

Slide 11: FIGURE OUT OTHER COMMANDS BY YOURSELF
• assemble
• dump
• stacks
• gflags
• breakpoint
• compare
• ... etc.

Slide 12: THANKS
@ajinabraham
Good read: https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/
