Mona cheatsheet
29 Mar 2018Useful mona commands for binary exploitation.
Get help
Update Mona
Configure working folder
Global options
Useful Mona commands
Get help
!mona help assemble
manual : https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/
Update Mona
!mona update
Switch between stable and trunk release:
!mona update -t release
!mona update -t trunk
Configure working folder
!mona config -set workingfolder c:\mona%p
Global options
-o
This option will tell mona to ignore OS module from search operations.
-m
This option allows you to specify the modules to perform the search operation on (ex: -m "gtk*,*win*,shell32.dll")
If you want to search all modules, you can simply use -m *
-cm
This option allows you to set the criteria (c) a module (m) should comply with to get included in search operations.
The available criteria are :
- aslr
- rebase
- safeseh
- nx
- os
If you want to include aslr and rebase modules, but exclude safeseh modules, you can use :
-cm aslr=true,rebase=true,safeseh=false
-cp
The cp option allows you to specify what criteria (c) a pointer (p) should match.
The available criteria are :
- unicode (this will include unicode transforms as well)
- ascii
- asciiprint
- upper
- lower
- uppernum
- lowernum
- numeric
- alphanum
- nonull
- startswithnull
Example : only show pointers that contain ascii printable bytes
-cp asciiprint
Example : only show pointers that don’t contain null bytes
-cp nonull
-cpb
This option allows you to specify bad characters for pointers. This feature will basically skip pointers that contain any of the bad chars specified at the command line.
Suppose your exploit can’t contain \x00, \x0a or \x0d, then you can use the following global option to skip pointers that contain those bytes :
-cpb '\x00\x0a\x0d'
Useful Mona commands
Analyze crash :
!mona findmsp
Note: replace A's buffer by pattern_create one
Locate EIP - pattern_create / pattern_offset :
!mona pattern_create 5000
note: copy the text from the file in mona workingfolder
!mona pattern_offset EIP_VALUE
or give the ASCII if looking for a value on stack :
!mona pattern_offset 5Ai6
Find bad characters :
1 - generate array of all possible characters :
!mona bytearray -cpb "\x00"
2 - put the following in place of shellcode (keep overwriting EIP by BBBB) :
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
3 - run the program until EIP gets overwritten. Then enter the following (0012FD6C is the address of first byte of the badchars array) :
!mona compare -f C:\mona\SoriTong\bytearray.bin -a 0012FD6C
4 - mona gives 1 or multiple badchars. Remove these badchars from the array in the sploit.
And repeat steps 3 and 4 until no more badchars are added.
or continue by regenerating the array at each step, until mona compare shows "unmodified" :
!mona bytearray -cpb "\x00\x09"
!mona compare -f C:\mona\SoriTong\bytearray.bin -a 0012FD6C
!mona bytearray -cpb "\x00\x09\x0a"
!mona compare -f C:\mona\SoriTong\bytearray.bin -a 0012FD6C
!mona bytearray -cpb "\x00\x09\x0a\x0d"
!mona compare -f C:\mona\SoriTong\bytearray.bin -a 0012FD6C
[SEH] Find SEH offset (nseh / seh + jump code):
1 - Replace A's by unique pattern (pattern_create)
2 - !mona sehchain
[SEH] Find pop pop ret (for SEH Bypass):
!mona seh
Note: this will create seh.txt in working folder
[Egg Hunter] Find eggs occurrences in memory:
!mona find -s "W00TW00T"
[Egg Hunter] Generate egghunter:
mona can create an egghunter with checksum check :
-t : tag (ex: w00t). Default value is w00t
-c : enable checksum routine. Only works in conjunction with parameter -f
-f : file containing the shellcode
ex:
!mona egg -t W00T
!mona egg -t W00T -c -f shellcode.bin
Find jump or call or push/ret to a register:
!mona jmp -r edi
Note: this creates jmp.txt in working folder.
Find arbitrary instructions in dll:
/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
jmp esp ==> FF E4
!mona modules
!mona find -s "\xff\xe4" -m challenge.dll
Find shellcode occurrences in memory (and integrity check):
1 - Generate a shellcode bin file :
my $shellcode="\x89\xe2\xda\xc1\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49" .
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" .
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" .
...
...
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41;
open(FILE,">shellcode.bin");
print FILE $shellcode;
print "Wrote ".length($shellcode)." bytes to file shellcode.bin\n";
close(FILE);
2 - Ask mona to search for it :
!mona compare -f C:\Users\administrator\Desktop\WORK\tmp\shellcode.bin
Asm instructions to opcodes:
!mona assemble -s "xor eax,eax # pop EBX # ret"
Set breakpoint on addr when the program read or write it:
Mandatory arguments :
-a
-t : where is either “READ” or “WRITE”
Note : the address should exist when setting the breakpoint. If not, you’ll get an error.
Example : set a breakpoint when the application reads from 0012C431 :
!mona bp -a 0x0012C431 -t READ
Generate msfmodule based on crash:
1 - Replace A's by unique pattern (pattern_create)
2 - When crash occurs type :
!mona suggest