Corelan Cybersecurity Research

FINALLY !

After spending almost 5 months of designing, developing and testing, and after ‘surviving’ 2 presentations (at AthCon and Hack In Paris), I am extremely excited and proud to present, on behalf of the entire Corelan Team, the general availability of mona.py.

Together with this announcement, we also declare pvefindaddr officially dead from this point forward.

This doesn’t mean pvefindaddr is now entirely worthless now, because not all functions have been ported into mona yet.

It simply means we won’t be releasing any updates to pvefindaddr anymore and the entire project page/download page will eventually disappear after all functionality has been ported into mona.

What is mona ?

For anyone who missed my talks (either at AthCon or Hack In Paris), mona is the long awaited successor to pvefindaddr.  Named after my daughter (I’m sure she’s too young to realize or even care at this point), this Immunity Debugger PyCommands introduces a lot of improvements and new features compared to pvefindaddr, including :

• Complete overhaul/rewrite of all search functionality. All searches are now a lot faster (up to 20 times in some cases)
• Better integration with the various functions and classes in the PyCommand. The suggest function will, for example, immediately search for a pointer that should bring you to your payload.
• Major improvements in terms of finetuning searches. You can now specify module critiria (basically including or excluding aslr, rebase, os and/or safeseh modules from searches), you can specifiy pointer criteria (ascii, asciiprint, unicode, nonull, upper, lower, numeric, etc), and you can even specify a list of badchars (to avoid pointers that contain one of more of those bad chars). This should allow you to treat pointers as data on the stack and apply the same rules as you would when encoding your payload with for instance metaploit msfencode.
• We also implemented a config file. This file allows you to set 2 parameters : "workingfolder", basically defining where you want the output files to be written to. If you include %p in the path, it will get replaced with the process name at runtime.  A second parameter is "excluded_modues", which can have a list of modules to exclude from every search operation. (Shell extensions, virtual machine guest addition tools, etc).
• The rop gadget generator was entirely rewritten.  It will still produce a rop.txt file, but it will also create a few more files : rop_suggestions (which will contain categorized gadgets, which based on our own experience, are very likely going to be the ones that  you need when writing a rop exploit), and rop_virtualprotect (which will contain a rop chain… that is, if the rop gadget generator could find a "pickup" pointer and a "pushad" pointer).  It will also allow you to look for stackpivots with a certain minimum and maximum offset value, and on top of that, it will try to locate static/reliable pointers to pointers to interesting functions in terms of bypassing DEP (VirtualProtect, VIrtualAlloc, etc etc)  In short, yes, mona will do rop automation. I’m sure this is a feature a lot of people in the security community have been wanting for a long time. It’s still not perfect in all cases, but it should buy you an awful lot of time already.

Those are just a handful of new features, but there are many more. We will be writing about all of the new features in the near future, and we’ll also continue to update our documentation pages to reflect those improvement in days and weeks to come.

We also have some good ideas on additional functionality and extended improvements for version 1.1, so stay tuned.  In the meantime, you can check out the presentation slidedeck (which I used at AthCon and Hack In Paris) at the link below. It should give you a quick overview of what we did and what the results look like.

Download slides here. During the presentation, I used 3 video’s. You can find the video’s here :

Demo 1 : pvefindaddr suggest : http://www.youtube.com/watch?v=JiKyOIS4yx0

Demo 2 : mona suggest : http://www.youtube.com/watch?v=klXFqtYR5Mg

Demo 3 : Rop automation : http://www.youtube.com/watch?v=0rRLcFd6_Jk 

Where to get it ?

You can find the project page for mona here : http://redmine.corelan.be/projects/mona

There are 2 versions of mona : a stable "release’" version and a development "trunk" version. If you want the bleeding edge changes (but take the risk that something is broken), the latter will be the one you would want to download.

Either way, you can use the !mona update function to download the latest version of the corresponding version you have installed on your system)

Corelan Team needs you !

We have been testing the PyCommand over the last few weeks, but that doesn’t mean it’s bug free.  If you discover issues or want to suggest new features or improvements, don’t hesitate to contact us (peter [dot] ve @ corelan [dot] be).

Thanks to

• Corelan Team – awesome job guys!
• My wife and daughter, for their everlasting love and support
• the AthCon and Hack In Paris organization, for giving me the opportunity to do a presentation and show mona to the world.
• All friends around the globe

© 2011 – 2015, Peter Van Eeckhoutte (corelanc0d3r). All rights reserved.

Similar/Related posts:

mona.py – the manual Hack Notes : ROP retn+offset and impact on stack setup Universal DEP/ASLR bypass with msvcr71.dll and mona.py Jingle BOFs, Jingle ROPs, Sploiting all the things… with Mona v2 !! Heap Layout Visualization with mona.py and WinDBG