Exploit Research and Development Megaprimer
http://opensecurity.in/exploit-research-and-development-megaprimer/
http://www.youtube.com/playlist?list=PLX3EwmWe0cS_5oy86fnqFRfHpxJHjtuyf
2. @ajinabraham
WHAT IS MONA?
• Mona is a plugin for Immunity Debugger or WinDBG
developed by Peter of Corelan Team.
• Mona is a Python script that simplifies an exploit developer's work many times over.
• As far as I can tell, this tool was created to make exploit development N00bish.
• You don't have to spend days and hours on exploit development.
• Mona will do almost everything for you.
MONA INITIAL CONFIGURATION
Download Mona and copy it to the PyCommands directory of Immunity Debugger.
• !mona config -set workingfolder
Ex: !mona config -set workingfolder C:\Mona\%p
%p – based on process name
%i – based on process id
GLOBAL OPTIONS OR FILTERS
• -n : Skip modules that start with a null byte.
• -o : Skip OS modules.
• -p <nr> : Stop the search after <nr> pointers.
• -m : Limit the search to one or more modules.
Ex: !mona seh -m "ntdll","xyzdll"
• -cm : Limit by a module property.
Ex: !mona seh -cm aslr=false,os=true
Available options are: aslr,safeseh,os,rebase,nx
• -cp : Limit by pointer properties.
Ex: !mona seh -cp unicode
Available options are:
unicode,ascii,asciiprint,upper,lower,uppernum,lowernum,numeric,alphanum,nonull,startswithnull,unicoderev
• -cpb : Limit by bytes in pointers (can be used for bad character filtering).
Ex: !mona seh -cpb "\x00\x0a\x0d\x20"
COMMANDS
• !mona pc <size> : Generate a cyclic pattern, similar to pattern_create.rb.
• !mona po <4 byte pattern> : Locate the given 4 bytes in the cyclic pattern.
• !mona findmsp :
Find registers overwritten with the pattern.
Find registers that point into the pattern.
Find pointers on the stack that point into the pattern.
Show all locations of the cyclic pattern.
Show the pattern size.
• !mona mod : List all the loaded modules along with their properties.
• !mona bytearray : Generate the bytes from 0x00 to 0xFF.
• !mona bytearray -b "<list of bytes>" : Generate the bytes from 0x00 to 0xFF, excluding the listed bytes.
• This is very handy for checking bad characters during exploit development.
• !mona jmp -r <register> : Find pointers that jump to the given register.
Ex: !mona jmp -r esp -m "ntdll" -cm os=true -cp nonull
• !mona noaslr : Show modules that are not ASLR-enabled or rebased.
• !mona nosafeseh : Show modules that are not SafeSEH protected.
• !mona seh : List pointers to PPR (POP/POP/RET) or CALL DWORD sequences.
• !mona egg -t <tag> : Create egghunter code using the specified tag.
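Stand-alone Python equivalents of the pc/po pattern commands and of the bytearray bad-character check described above, added here as an example (not Mona's own code): the Metasploit-style pattern scheme, the offset lookup from the little-endian value a debugger shows in EIP/SEH, and the compare step that finds the first mangled byte. The hex value and memory dump used to exercise it are constructed.

```python
import string
from itertools import product

MAX_UNIQUE = 26 * 26 * 10 * 3  # 20280 bytes before the pattern repeats


def cyclic_pattern(size: int) -> bytes:
    """Metasploit-style pattern: every 3-byte chunk Upper+lower+digit is
    unique, so any 4 consecutive bytes map to exactly one offset."""
    if size > MAX_UNIQUE:
        raise ValueError("pattern longer than %d bytes is not unique" % MAX_UNIQUE)
    out = bytearray()
    for up, lo, dg in product(string.ascii_uppercase, string.ascii_lowercase, string.digits):
        out += (up + lo + dg).encode()
        if len(out) >= size:
            break
    return bytes(out[:size])


def pattern_offset(value, size: int = MAX_UNIQUE):
    """Offset of a 4-byte value into the pattern (like !mona po).
    Accepts raw bytes or the hex value seen in EIP/SEH (x86 little-endian)."""
    if isinstance(value, str):
        needle = int(value, 16).to_bytes(4, "little")
    else:
        needle = bytes(value)
    idx = cyclic_pattern(size).find(needle)
    return idx if idx >= 0 else None


def byte_array(exclude: bytes = b"") -> bytes:
    """All values 0x00..0xFF minus the listed bad characters (bytearray -b)."""
    return bytes(b for b in range(256) if b not in exclude)


def first_mismatch(sent: bytes, in_memory: bytes):
    """Compare what was sent with what landed in memory; return
    (offset, sent_byte, seen_byte) of the first corruption, or None if identical.
    A truncated copy reports the offset of the first missing byte with seen_byte None."""
    for i, (a, b) in enumerate(zip(sent, in_memory)):
        if a != b:
            return i, a, b
    if len(in_memory) < len(sent):
        return len(in_memory), sent[len(in_memory)], None
    return None


if __name__ == "__main__":
    # constructed crash value: EIP = 0x37634136 reads back as "6Ac7" in the pattern
    print("EIP offset:", pattern_offset("0x37634136"))
```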
• !mona rop : Generate ROP gadgets; this also runs ropfunc and stackpivot.
• !mona ropfunc : Find pointers to pointers (IAT entries) for interesting functions that can be used in your ROP chain (the APIs and closely related APIs).
• !mona stackpivot : Find stack pivots.
• !mona find : Find bytes in the process memory.
• !mona findwild : Find instructions in the process memory, with wildcard support.
• !mona header : Creates a Ruby exploit header from a POC file.
Ex: !mona header -f "<path>"
• !mona skeleton : Creates a Metasploit module skeleton.
• !mona suggest : Creates a Metasploit module once you control EIP or SEH with the cyclic pattern.
FIGURE OUT OTHER COMMANDS BY YOURSELF
• assemble
• dump
• stacks
• gflags
• breakpoint
• compare
• ... etc.