pycommand

Jingle BOFs, Jingle ROPs, Sploiting all the things… with Mona v2 !!

Published December 31, 2012 |

Ho Ho Ho friends, It has been a while since we posted something on the Corelan Team blog, I guess we all have been busy doing … stuff and things, here and there. Nevertheless, as the year is close to filling up 100%, it’s probably a good time to start thinking about finding some convincing […]

Posted in Development, Exploit Writing Tutorials, Exploits, My Free Tools, Scripts | Tagged debugger, exploit, extension, immunity, immunity debugger, jingle-bofs, mona, mona-albertini, mona-py-2-windbg, mona-windbg, mona.py, new year, plugin, present, pycommand, pykd, python, windbg, windbg-mona-py, www-corelan-be

mona.py – the manual

Published July 14, 2011 |

By Peter Van Eeckhoutte (corelanc0d3r)

This document describes the various commands, functionality and behaviour of mona.py.

Released on june 16, this pycommand for Immunity Debugger replaces pvefindaddr, solving performance issues and offering numerous new features. pvefindaddr will still be available for download until all of its functionality has been ported over to mona.
Continue reading →

Posted in 001_Security, Exploit Writing Tutorials | Tagged automation, corelan, corelanc0d3r, documentation, exploit, exploit development, immunity, immunity debugger, metasploit, mona, mona.py, pattern, plugin, pycommand, python, rapid7, rop, rop automation, rop gadget, suggest

Mona 1.0 released !

Published June 16, 2011 |

By Peter Van Eeckhoutte (corelanc0d3r)

FINALLY !
After spending almost 6 months of designing, developing and testing, and after ‘surviving’ 2 presentations (at AthCon and Hack In Paris), I am extremely excited and proud to present, on behalf of the entire Corelan Team, the general availability of mona.py.

With this announcement, we also declare pvefindaddr officially dead from this point forward. (This doesn’t mean pvefindaddr is now entirely worthless, because not all functions have been ported into mona yet, but we won’t be releasing any updates to pvefindaddr anymore and the entire project page/download page will eventually disappear)
Continue reading →

Posted in 001_Security, Exploit Writing Tutorials, Exploits, Uncategorized | Tagged eip, exploit, gadget, immunity, immunity debugger, immunitydbg-mona-example, immunitydbg-search-for-rop, mona, mona-corelan, mona-corelan-bad-characters, mona-download, mona-py-search-for-pointers, mona-py-youku, mona.py, monapy, pvefindaddr, pycommand, return oriented programming, rop, rop automation

Starting to write Immunity Debugger PyCommands : my cheatsheet

Published January 26, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

When I started Win32 exploit development many years ago, my preferred debugger at the time was WinDbg (and some Olly). While Windbg is a great and fast debugger, I quickly figured out that some additional/external tools were required to improve my exploit development experience. Despite the fact that the command line oriented approach in windbg […]

Posted in 001_Security, Development, Exploit Writing Tutorials, Scripts | Tagged api, assemble, cheatsheet, debugger, disassemble, hoe-to-use-mona-at-immunity-debugger, immlib, immunity, immunity debugger, immunity-cheatsheet, immunity-debugger-strcat, module, plugin, pycommand, python, readmemory, script, softice-debuger, tuto-immunity-debugger-python, tutorial-debugging-using-immunity

Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR

Published September 21, 2009 |

By Peter Van Eeckhoutte (corelanc0d3r)

Introduction In all previous tutorials in this Exploit writing tutorial series, we have looked at building exploits that would work on Windows XP / 2003 server. The success of all of these exploits (whether they are based on direct ret overwrite or exception handler structure overwrites) are based on the fact that a reliable return […]

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged !aslrdynamicbase, 2003, 4141414, 8, access violation, add esp, address space layout randomization, adjust ebp, adjust esi, alwaysoff, alwayson, aslr, before function returns, buffer, buffer overflow, bypass, call, compiler, cookie, data execution prevention, dep, dword ptr, exception handler, exploit, gs, hack, handler, immdbg, immunity, jmp, jump, Kifastsystemcallret, ldrpchecknxcompatibility, linker, loaded module, mov al, moveimages, next seh, non exec, nseh, ntsetinformationprocess, nx, ollydbg, optin, optout, partial overwrite, plugin, prevention, processexecute, protection, protectvirtualmemory, pvefindaddr, pycommand, python, ret2libc, safeseh, saved ebp, saved eip, se handler, se structure, sehop, stack, stack overflow, switch, virtual function call, vista, windbg, windows 7, xd, xp

Exploit writing tutorial part 5 : How debugger modules & plugins can speed up basic exploit development

Published September 5, 2009 |

By Peter Van Eeckhoutte (corelanc0d3r)

In the first parts of this exploit writing tutorial, I have mainly used Windbg as a tool to watch registers and stack contents while evaluating crashes and building exploits. Today, I will discuss some other debuggers and debugger plugins that will help you speed up this process. A typical exploit writing toolkit arsenal should at […]

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged !aslrdynamicbase, !findtrampoline, address call, address jmp, aslr, buffer, byakugan, call esp, eip, esp, esp found, findreturn, found valid, hunt, identbuf, immdbg, immunity, jmp, jmp esp, jutsu, listbuf, memdiff, metasploit, msec, pattern_create, pattern_offset, pop, pycommand, ret, return address, rmbuf, safeseh, searchopcode, shellcode, valid return, vista

Corelan Cybersecurity Research

:: Knowledge is not an object, it's a flow ::

Jingle BOFs, Jingle ROPs, Sploiting all the things… with Mona v2 !!

mona.py – the manual

Mona 1.0 released !

Starting to write Immunity Debugger PyCommands : my cheatsheet

Exploit writing tutorial part 5 : How debugger modules & plugins can speed up basic exploit development

Corelan Training

Donate

Corelan Team Merchandise

Corelan on Slack

Actions

Categories

Hi there!

We have good news for you!