Exploit Research and Development Megaprimer http://opensecurity.in/exploit-research-and-development-megaprimer/ http://www.youtube.com/playlist?list=PLX3EwmWe0cS_5oy86fnqFRfHpxJHjtuyf

1. EXPLOIT RESEARCH
EXPLOIT DEVELOPMENT WITH
MONA
Kerala Cyber Force
www.keralacyberforce.in
Ajin Abraham
@ajinabraham

2. @ajinabraham
WHAT IS ?
• Mona is a plugin for Immunity Debugger or WinDBG
developed by Peter of Corelan Team.
• Mona is a Python Script that will simplify the efforts of
an Exploit Developer into many folds.
• As far as I think this tool is created to make Exploit
Development N00bish.
• You don’t have to spend days and hours for exploit
development.
• Mona will do almost everything for you.

3. @ajinabraham
SET OF COMMANDS SUPPORTED BY MONA

4. @ajinabraham
GLOBAL OPTIONS THAT YOU CAN APPLY AS
FILTERS

5. @ajinabraham
MONA INITIAL CONFIGURATION
Download Mona, copy it to PyCommands directory
of Immunity Debugger.
• !mona config -set workingfolder
Ex: !mona config -set workingfolder C:Mona%p
%p – based on process
%i – based on process id

6. @ajinabraham
GLOBAL OPTIONS OR FILTERS
• -n : Skip modules that start with a null byte.
• -o : Skip OS modules.
• -p <nr> : Stop search after <nr> pointers.
• -m : Limit by 1 or more modules
EX: !mona seh –-m “ntdll”,”xyzdll”
• -cm : Limit by a module property
Ex: !mona seh –-cm aslr=false,os=true
Available options are : aslr,safeseh,os,rebase,nx
• -cp : Limit by the pointer properties
Ex: !mona seh –-cp unicode
Available options are :
unicode,ascii,asciiprint,upper,lower,uppernum,lowernum,numeric,alphanum,nonull,startswith
null,unicoderev
• -cpb : Limit by bytes in pointers (Can be used for bad character filtering)
Ex: !mona seh –cpb “x00x0ax0dx20”

7. @ajinabraham
COMMANDS
• !mona pc <size> : Generate cyclic pattern similar to
pattern_create.rb
• !mona po <4 byte pattern> : Locates the given 4byte in the
cyclic pattern
• !mona findmsp :
Find register overwritten with the pattern.
Find register that points into a pattern.
Find pointers on stack that points into a pattern.
Shows all the location of the Cyclic pattern.
Shows the pattern size.

8. @ajinabraham
COMMANDS
• !mona mod : List all the loaded modules along with there properties.
• !mona bytearray : Generate the Bytes from 0x00 to 0xFF.
• !mona bytearray –-b “<list of bytes>” : Generates Bytes from 0x00 to 0xFF excluding the list
of bytes.
• This will be so handy to check for bad characters during exploit development.
• !mona jmp –-r <register> : To find out the pointers that jump to a given register.
Ex:!mona jmp –-r esp –-m “ntdll” –cm os=true –cp nonull
• !mona noaslr : Show modules that are not aslr or rebased.
• !mona nosafeseh : Show modules that are not safeseh protected.
• !mona seh : List out the pointers to PPR or Call Dword.
• !mona egg –-t <tag> : To create the egghunter code including the specified tag.

9. @ajinabraham
COMMANDS
• !mona rop : To generate gadgets including a running ropfunc and
stackpivot.
• !mona ropfunc : To find pointers to pointers (IAT) to interesting functions
that can be used in your ROP chain (API’s and the Close API’s).
• !mona stackpivot : To find out the stack pivots.
• !mona find : To find bytes in the process memory.
• !mona findwild : To find instructions in the process memory applying
wildcard.

10. @ajinabraham
COMMANDS
• !mona header : Creates an Ruby exploit header from POC.
Ex: !mona header –-f “<path>”
• !mona skeleton : Creates a Metasploit module skeleton.
• !mona suggest : Creates a Metasploit module once you control the EIP or
SEH with cyclic pattern.

11. @ajinabraham
FIGURE OUT OTHER COMMANDS BY
YOURSELF
• assemble
• dump
• stacks
• gflags
• breakpoint
• compare
• ................................... etc.

12. @ajinabraham
THANKS
@AJINABRAHAM
Good Read : https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/