Mona 1.0 released !

FINALLY !

After spending almost 5 months designing, developing and testing, and after ‘surviving’ 2 presentations (at AthCon and Hack In Paris), I am extremely excited and proud to present, on behalf of the entire Corelan Team, the general availability of mona.py.

Together with this announcement, we also declare pvefindaddr officially dead from this point forward.

This doesn’t mean pvefindaddr is entirely worthless now, because not all functions have been ported into mona yet.

It simply means we won’t be releasing any updates to pvefindaddr anymore and the entire project page/download page will eventually disappear after all functionality has been ported into mona.


What is mona ?

For anyone who missed my talks (either at AthCon or Hack In Paris), mona is the long awaited successor to pvefindaddr.  Named after my daughter (I’m sure she’s too young to realize or even care at this point), this Immunity Debugger PyCommand introduces a lot of improvements and new features compared to pvefindaddr, including :

  • Complete overhaul/rewrite of all search functionality. All searches are now a lot faster (up to 20 times in some cases)
  • Better integration with the various functions and classes in the PyCommand. The suggest function will, for example, immediately search for a pointer that should bring you to your payload.
  • Major improvements in terms of fine-tuning searches. You can now specify module criteria (basically including or excluding aslr, rebase, os and/or safeseh modules from searches), you can specify pointer criteria (ascii, asciiprint, unicode, nonull, upper, lower, numeric, etc), and you can even specify a list of badchars (to avoid pointers that contain one or more of those bad chars). This should allow you to treat pointers as data on the stack and apply the same rules as you would when encoding your payload with, for instance, Metasploit msfencode: the four little-endian bytes of the pointer end up in the same buffer as the payload, so they have to survive the same character filtering.
  • We also implemented a config file. This file allows you to set 2 parameters : "workingfolder", basically defining where you want the output files to be written to. If you include %p in the path, it will get replaced with the process name at runtime.  A second parameter is "excluded_modules", which can have a list of modules to exclude from every search operation (shell extensions, virtual machine guest addition tools, etc).
  • The rop gadget generator was entirely rewritten.  It will still produce a rop.txt file, but it will also create a few more files : rop_suggestions (which will contain categorized gadgets which, based on our own experience, are very likely going to be the ones that you need when writing a rop exploit), and rop_virtualprotect (which will contain a rop chain… that is, if the rop gadget generator could find a "pickup" pointer and a "pushad" pointer).  It will also allow you to look for stack pivots with a certain minimum and maximum offset value, and on top of that, it will try to locate static/reliable pointers to pointers to interesting functions in terms of bypassing DEP (VirtualProtect, VirtualAlloc, etc).  In short, yes, mona will do rop automation. I’m sure this is a feature a lot of people in the security community have been wanting for a long time. It’s still not perfect in all cases (the generated chain is only as reliable as the modules it was built from, so check the module criteria before trusting it), but it should buy you an awful lot of time already.
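The pointer criteria and bad-character filter from the list above are easiest to understand in code, because the point is exactly the one the post makes: a pointer that overwrites EIP or an SEH record is written into the buffer as four little-endian bytes, so it has to pass the same character restrictions as the payload. The Python below is an added example written for this page, not code from mona.py. The criterion names mirror the ones listed above, but their precise definitions here (for instance "upper" meaning all four bytes are in A-Z, and "unicode" meaning a 00xx00yy layout that survives an ANSI-to-UTF-16 conversion) are assumptions about mona's semantics, and the candidate addresses are constructed rather than taken from any real module.

```python
import struct
from typing import Iterable, List

# Pointer criteria named as in the post. The predicates are an illustration
# of what such filters check, not mona's implementation; the exact meaning
# of each criterion is an assumption.
CRITERIA = {
    "nonull":     lambda b: 0x00 not in b,
    "ascii":      lambda b: all(c < 0x80 for c in b),
    "asciiprint": lambda b: all(0x20 <= c <= 0x7E for c in b),
    "upper":      lambda b: all(0x41 <= c <= 0x5A for c in b),
    "lower":      lambda b: all(0x61 <= c <= 0x7A for c in b),
    "numeric":    lambda b: all(0x30 <= c <= 0x39 for c in b),
    # A pointer survives an ANSI->UTF-16LE conversion only if it already
    # looks like two UTF-16LE code units with zero high bytes: 00 xx 00 yy.
    "unicode":    lambda b: b[1] == 0x00 and b[3] == 0x00,
}


def pointer_bytes(addr: int) -> bytes:
    """The four bytes a 32-bit pointer occupies in memory (little-endian)."""
    return struct.pack("<I", addr)


def pointer_ok(addr: int, criteria: Iterable[str] = (), badchars: bytes = b"") -> bool:
    """True if every byte of the pointer avoids badchars and meets all criteria."""
    b = pointer_bytes(addr)
    # Bad chars apply to the pointer bytes just as they apply to the payload.
    if any(c in b for c in badchars):
        return False
    for name in criteria:
        try:
            check = CRITERIA[name]
        except KeyError:
            raise ValueError(f"unknown pointer criterion: {name}") from None
        if not check(b):
            return False
    return True


def filter_pointers(candidates: Iterable[int], criteria: Iterable[str] = (),
                    badchars: bytes = b"") -> List[int]:
    """Keep only the candidate addresses that are usable under the given rules."""
    criteria = tuple(criteria)
    return [a for a in candidates if pointer_ok(a, criteria, badchars)]


# Constructed candidate list (not addresses from any real module), standing in
# for the result of a pointer search such as one for a "JMP ESP" instruction.
CANDIDATES = [0x10022B54, 0x10020A4C, 0x1002004C, 0x00420057, 0x41424344]

if __name__ == "__main__":
    bad = b"\x00\x0a\x0d"  # typical bad chars for a text-based protocol
    for a in CANDIDATES:
        print(f"0x{a:08x} -> {pointer_bytes(a).hex(' ')}  "
              f"nonull+badchars={pointer_ok(a, ['nonull'], bad)}  "
              f"unicode={pointer_ok(a, ['unicode'])}")
    print([hex(a) for a in filter_pointers(CANDIDATES, ["nonull"], bad)])
```

Note that the byte order matters: 0x10020A4C looks harmless as a hex number, but its second byte in memory is 0x0A, which a line-oriented parser would cut the buffer at, so it is rejected as soon as 0x0A is in the bad-character list.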
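As an added illustration of the stack pivot search mentioned in the list above (not mona's own implementation), the Python below takes gadgets written in a constructed "address : INSN # INSN # RETN" text form (the separator convention is an assumption for this example, not taken from mona's output files), works out how far each gadget moves ESP before its final RETN consumes a return address, and keeps only the gadgets whose distance falls within a minimum/maximum range. Gadgets whose effect on ESP cannot be read off the text (XCHG EAX,ESP, MOV ESP,reg, LEAVE, POP ESP) are reported as unpredictable rather than guessed, which is the failure mode a practitioner hits when a pivot candidate looks fine in a listing but lands somewhere unknown. The gadget list itself is constructed.

```python
import re
from typing import Iterable, List, NamedTuple, Optional


class Pivot(NamedTuple):
    address: int
    gadget: str
    distance: int   # bytes from ESP at gadget entry to the slot the RETN returns through
    retn_imm: int   # extra bytes a "RETN n" pops after the return address


# Instructions whose effect on ESP is not a fixed, text-visible byte count.
_UNPREDICTABLE = re.compile(
    r"^(XCHG\s+\w+,ESP|XCHG\s+ESP,\w+|MOV\s+ESP,|LEAVE\b|CALL\b|JMP\b|POP\s+ESP\b)"
)
_ADD_SUB_ESP = re.compile(r"^(ADD|SUB)\s+ESP,(0X[0-9A-F]+|\d+)$")
_RETN = re.compile(r"^RETN(?:\s+(0X[0-9A-F]+|\d+))?$")


def pivot_distance(gadget: str) -> Optional[Pivot]:
    """Parse one gadget line; None if it does not end in RETN or moves ESP unpredictably."""
    addr_text, _, body = gadget.partition(":")
    address = int(addr_text.strip(), 16)
    insns = [i.strip().upper() for i in body.split("#") if i.strip()]
    if not insns or not insns[-1].startswith("RETN"):
        return None
    distance = 0
    for insn in insns[:-1]:
        if _UNPREDICTABLE.match(insn):
            return None
        m = _ADD_SUB_ESP.match(insn)
        if m:
            imm = int(m.group(2), 0)
            distance += imm if m.group(1) == "ADD" else -imm
        elif insn.startswith("POP "):
            distance += 4
        elif insn.startswith("PUSH "):
            distance -= 4
        # Any other instruction is assumed not to touch ESP.
    m = _RETN.match(insns[-1])
    retn_imm = int(m.group(1), 0) if m and m.group(1) else 0
    return Pivot(address, body.strip(), distance, retn_imm)


def find_stackpivots(gadgets: Iterable[str], min_distance: int, max_distance: int) -> List[Pivot]:
    """Gadgets that land the next return address min..max bytes above ESP, nearest first."""
    found = []
    for g in gadgets:
        p = pivot_distance(g)
        if p is not None and min_distance <= p.distance <= max_distance:
            found.append(p)
    return sorted(found, key=lambda p: p.distance)


# Constructed gadget lines (addresses and modules are made up for the example).
GADGETS = [
    "0x10011a2b : ADD ESP,0x1C # RETN",
    "0x10012345 : POP EBP # POP EBX # RETN 0x8",
    "0x10013333 : XCHG EAX,ESP # RETN",
    "0x10014444 : SUB ESP,0x10 # PUSH EAX # RETN",
    "0x10015555 : ADD ESP,0x400 # POP ESI # RETN",
]

if __name__ == "__main__":
    # Typical question: our data starts 8..256 bytes above ESP; which pivots reach it?
    for p in find_stackpivots(GADGETS, 8, 0x100):
        print(f"0x{p.address:08x}  distance={p.distance:#x}  retn_imm={p.retn_imm:#x}  {p.gadget}")
    print("unpredictable:", [g for g in GADGETS if pivot_distance(g) is None])
```

The 0x400 gadget is excluded not because it is useless but because it overshoots the requested window; widening the maximum distance is how you would pick it up when the controlled data sits further up the stack.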


Those are just a handful of the new features, but there are many more. We will be writing about all of the new features in the near future, and we’ll also continue to update our documentation pages to reflect those improvements in the days and weeks to come.

We also have some good ideas on additional functionality and extended improvements for version 1.1, so stay tuned.  In the meantime, you can check out the presentation slide deck (which I used at AthCon and Hack In Paris) at the link below. It should give you a quick overview of what we did and what the results look like.

Download slides here. During the presentation, I used 3 videos. You can find the videos here :

Demo 1 : pvefindaddr suggest : http://www.youtube.com/watch?v=JiKyOIS4yx0

Demo 2 : mona suggest : http://www.youtube.com/watch?v=klXFqtYR5Mg

Demo 3 : Rop automation : http://www.youtube.com/watch?v=0rRLcFd6_Jk


Where to get it ?

You can find the project page for mona here : http://redmine.corelan.be/projects/mona

There are 2 versions of mona : a stable "release" version and a development "trunk" version. If you want the bleeding edge changes (but take the risk that something is broken), the latter will be the one you would want to download.

Either way, you can use the !mona update function to download the latest build of whichever of the two versions (release or trunk) you have installed on your system.


Corelan Team needs you !

We have been testing the PyCommand over the last few weeks, but that doesn’t mean it’s bug free.  If you discover issues or want to suggest new features or improvements, don’t hesitate to contact us (peter [dot] ve @ corelan [dot] be).

Thanks to

  • Corelan Team – awesome job guys!
  • My wife and daughter, for their everlasting love and support
  • the AthCon and Hack In Paris organizers, for giving me the opportunity to do a presentation and show mona to the world.
  • All friends around the globe

© 2011 – 2015, Corelan Team (corelanc0d3r). All rights reserved.
