Description: Slides:- https://www.corelan.be/public/presentations/athcon_hip2011.pdf
After spending almost 5 months of designing, developing and testing, and after ‘surviving’ 2 presentations (at AthCon and Hack In Paris), I am extremely excited and proud to present, on behalf of the entire Corelan Team, the general availability of mona.py.Together with this announcement, we also declare pvefindaddr officially dead from this point forward.This doesn’t mean pvefindaddr is now entirely worthless now, because not all functions have been ported into mona yet.It simply means we won’t be releasing any updates to pvefindaddr anymore and the entire project page/download page will eventually disappear after all functionality has been ported into mona.
What is mona ?
Complete overhaul/rewrite of all search functionality. All searches are now a lot faster (up to 20 times in some cases)
Better integration with the various functions and classes in the PyCommand. The suggest function will, for example, immediately search for a pointer that should bring you to your payload.
Major improvements in terms of finetuning searches. You can now specify module critiria (basically including or excluding aslr, rebase, os and/or safeseh modules from searches), you can specifiy pointer criteria (ascii, asciiprint, unicode, nonull, upper, lower, numeric, etc), and you can even specify a list of badchars (to avoid pointers that contain one of more of those bad chars). This should allow you to treat pointers as data on the stack and apply the same rules as you would when encoding your payload with for instance metaploit msfencode.
We also implemented a config file. This file allows you to set 2 parameters : "workingfolder", basically defining where you want the output files to be written to. If you include %p in the path, it will get replaced with the process name at runtime. A second parameter is "excluded_modues", which can have a list of modules to exclude from every search operation. (Shell extensions, virtual machine guest addition tools, etc).
The rop gadget generator was entirely rewritten. It will still produce a rop.txt file, but it will also create a few more files : rop_suggestions (which will contain categorized gadgets, which based on our own experience, are very likely going to be the ones that you need when writing a rop exploit), and rop_virtualprotect (which will contain a rop chain… that is, if the rop gadget generator could find a "pickup" pointer and a "pushad" pointer). It will also allow you to look for stackpivots with a certain minimum and maximum offset value, and on top of that, it will try to locate static/reliable pointers to pointers to interesting functions in terms of bypassing DEP (VirtualProtect, VIrtualAlloc, etc etc) In short, yes, mona will do rop automation. I’m sure this is a feature a lot of people in the security community have been wanting for a long time. It’s still not perfect in all cases, but it should buy you an awful lot of time already.
You can find the project page for mona here : http://redmine.corelan.be/projects/mona
Latest from the SecurityTube Blog:
Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying.