Published on June 17th, 2011 | by NJ Ouchn
EXCLUSIVE !! – Mona 1.0 released (pvefindaddr is dead, long live Mona)
Yesterday, I was attending HackInParis and I tweeted live on @toolswatch the announcement by Peter about the smart move the Corelan team made from pvefindaddr to Mona. Peter and I talked a bit. A very cool guy. The keynote was really great, with a live demo and an impressive “how-to-build-an-exploit” in 5 minutes with Mona !!
Trivia: The photo was taken by his wife, with whom I exchanged some words. The little daughter was also there and was proud of daddy 🙂
What is mona?
For anyone who missed my talks (either at AthCon or Hack In Paris), mona is the long awaited successor to pvefindaddr. Named after my daughter (I’m sure she’s too young to realize or even care at this point), this Immunity Debugger PyCommand introduces a lot of improvements and new features compared to pvefindaddr, including:
- Complete overhaul/rewrite of all search functionality. All searches are now a lot faster (up to 20 times in some cases)
- Better integration with the various functions and classes in the PyCommand. The suggest function will, for example, immediately search for a pointer that should bring you to your payload.
- Major improvements in terms of fine-tuning searches. You can now specify module criteria (basically including or excluding aslr, rebase, os and/or safeseh modules from searches), you can specify pointer criteria (ascii, asciiprint, unicode, nonull, upper, lower, numeric, etc), and you can even specify a list of badchars (to avoid pointers that contain one or more of those bad chars). This should allow you to treat pointers as data on the stack and apply the same rules as you would when encoding your payload with, for instance, Metasploit msfencode.
- We also implemented a config file. This file allows you to set 2 parameters: “workingfolder”, basically defining where you want the output files to be written to. If you include %p in the path, it will get replaced with the process name at runtime. A second parameter is “excluded_modules”, which can have a list of modules to exclude from every search operation (shell extensions, virtual machine guest addition tools, etc).
- The rop gadget generator was entirely rewritten. It will still produce a rop.txt file, but it will also create a few more files: rop_suggestions (which will contain categorized gadgets which, based on our own experience, are very likely going to be the ones that you need when writing a rop exploit), and rop_virtualprotect (which will contain a rop chain… that is, if the rop gadget generator could find a “pickup” pointer and a “pushad” pointer). It will also allow you to look for stackpivots with a certain minimum and maximum offset value, and on top of that, it will try to locate static/reliable pointers to pointers to interesting functions in terms of bypassing DEP (VirtualProtect, VirtualAlloc, etc.). In short, yes, mona will do rop automation. I’m sure this is a feature a lot of people in the security community have been wanting for a long time. It’s still not perfect in all cases, but it should buy you an awful lot of time already.
Those are just a handful of new features, but there are many more. We will be writing about all of the new features in the near future, and we’ll also continue to update our documentation pages to reflect those improvements in the days and weeks to come.
We also have some good ideas on additional functionality and extended improvements for version 1.1, so stay tuned. In the meantime, you can check out the presentation slide deck (which I used at AthCon and Hack In Paris) at the link below. It should give you a quick overview of what we did and what the results look like.
Download slides here
Where to get it?
You can find the project page for mona here: http://redmine.corelan.be/projects/mona
There are 2 versions of mona: a stable “release” version and a development “trunk” version. If you want the bleeding edge changes (but take the risk that something is broken), the latter will be the one you would want to download.
Either way, you can use the !mona update function to download the latest build of whichever version you have installed on your system.
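As an added illustration (not part of the original post and not mona's own code) of what the pointer criteria and badchars filter in the feature list above mean for a 32-bit address: each criterion is a rule on the four little-endian bytes of the pointer, exactly as those bytes would sit on the stack. The criteria interpretations and the sample addresses are assumptions for this example; mona's actual matching rules may differ.

```python
import struct

# Constructed sample "pointers": made-up 32-bit addresses, not taken from any real binary.
SAMPLE_POINTERS = [0x41424344, 0x00410042, 0x7C801D7B, 0x0A0D2030, 0x31323334]


def pointer_bytes(addr: int) -> bytes:
    """Little-endian byte layout of a 32-bit address, as it sits on the stack."""
    return struct.pack("<I", addr)


# Assumed interpretations of the criteria names from the announcement (not mona's code).
CRITERIA = {
    "nonull":     lambda b: 0x00 not in b,
    "ascii":      lambda b: all(x < 0x80 for x in b),
    "asciiprint": lambda b: all(0x20 <= x <= 0x7E for x in b),
    "upper":      lambda b: all(0x41 <= x <= 0x5A for x in b),   # 'A'..'Z'
    "lower":      lambda b: all(0x61 <= x <= 0x7A for x in b),   # 'a'..'z'
    "numeric":    lambda b: all(0x30 <= x <= 0x39 for x in b),   # '0'..'9'
    # Address of the form 0x00XX00YY: each character pair survives ANSI->UTF-16 expansion.
    "unicode":    lambda b: b[1] == 0x00 and b[3] == 0x00,
}


def matches(addr: int, criteria, badchars: bytes = b"") -> bool:
    """True if the address meets every named criterion and contains no badchar byte."""
    b = pointer_bytes(addr)
    if any(x in badchars for x in b):
        return False
    return all(CRITERIA[c](b) for c in criteria)


def filter_pointers(addrs, criteria, badchars: bytes = b""):
    """Apply the same rules to a list of candidates; returns the survivors in input order."""
    return [a for a in addrs if matches(a, criteria, badchars)]


if __name__ == "__main__":
    # Show which constructed sample addresses survive each single criterion
    # once the common badchars 0x00, 0x0a and 0x0d are excluded.
    for name in CRITERIA:
        hits = filter_pointers(SAMPLE_POINTERS, [name], badchars=b"\x00\x0a\x0d")
        print(f"{name:11s} -> {[hex(a) for a in hits]}")
```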