News

Mona v1.2 released

Added by Peter 4 months ago

Introduction

Six months after releasing v1.1, we're back with a new official release.
A few things have changed in v1.2.
First of all, I will no longer maintain two separate branches.
There will be the trunk (dev) version, and that's it.
The release folder hasn't disappeared yet (to allow older 'release' versions to update to the new 1.2), but the update routine has been changed to always target the trunk version.
This also means you can no longer switch between trunk and release using the -t parameter of the update command.

With this announcement, the version number will be changed to 1.3-dev.

If you have been using the dev/trunk version of mona (and keeping it up to date), you have already been able to enjoy the new changes to mona.py.
mona.py is actively being updated, so we advise everyone to run !mona update at least every other day.

What else is new in v1.2 ?

  • Bugfixes : a full list is linked from this announcement page
  • New features :
    • The output of findmsp is now properly stored into a text file
    • Made some changes to the Metasploit templates. They no longer include SVN propset attributes or unnecessary references to Corelan
    • The default behaviour for the 'seh' command has changed. By default, the routine no longer searches for instructions outside of the loaded modules. If you want to instruct mona to search all virtual memory, use the -all parameter
    • Added the 'heap' command, which allows you to query LookAsideList and FreeLists
    • Added the 'getiat' command, which allows you to show/filter IAT entries from selected modules
    • Added the 'findwild' command, which allows you to perform powerful wildcard searches
    • Added the 'breakfunc' command, which allows you to set mass breakpoints on certain functions
    • pattern_create can now output a cyclic pattern in javascript unescape format
    • ropfunc now displays the offset from IAT entries to interesting functions
    • The find command now has a '-unicode' switch, which allows you to search for the unicode version of an ASCII string
    • The entire ROP routine has been rewritten and will now produce ROP chains for VirtualProtect, VirtualAlloc, NtSetInformationProcess and SetProcessDEPPolicy
    • The stackpivots output is now sorted by size, which makes it easier to find the pivot you need.
    • The header command now detects unicode strings and uses Rex to reproduce them
    • All commands now have aliases (a short form of the full command name), which makes mona even easier to use
    • The filecompare command now has a -range option, allowing you to find matching pointers in a range (using the pointers in the first file as start address)

We hope you like this new release.
If you find bugs or want to submit patches, don't hesitate to create a user account on redmine, send me an email so I can enable the account, and create a ticket.

Mona v1.1 released

Added by Peter 10 months ago

What's new in mona.py v1.1?

If you have been using the trunk version of mona, you have already been able to enjoy the improvements and additions that were put in place over the last few weeks.
In case you were using the release version, this is what has changed :

  • various bug fixes
  • improved rop routine
  • pattern_create function can now take custom charsets, or an extended version of the regular charset
  • the suggest routine will now produce an entire metasploit file. It will also ask if you are building a fileformat exploit, or a tcp network client or udp network client module and will build an exploit module based on those selections. It will also ask for an exploit-db ID (or URL) and scrape the original author, name of the exploit, and CVE ID.
  • new option added to the config command : author (when set, it will use this config parameter to populate the metasploit module author section)
  • the find routine can now search for a configurable number of levels of pointers to pointers. You can even tell the find routine to subtract a certain offset from one of the pointers at one of the levels
  • the seh routine has a new option -rop, which will look for pop/pop/pop esp/ret combinations
  • the findmsp routine now searches the entire stack. You can optionally set an offset from esp to limit the search instead of scanning the entire stack
  • if you use -n and/or -cpb in the suggest or skeleton routine, the badchars will be used in the BadChars section of the metasploit module
  • the egghunter routine has support for DEP bypass
  • the update routine now uses https by default. You can still use http by passing the -http parameter
  • you can switch between trunk and release versions by setting a parameter to the update routine
  • new commands :
    • jop : finds jump oriented programming gadgets, still very basic and in beta
    • skeleton : builds a metasploit exploit module skeleton
    • stacks : shows all stacks (base, top, size) for each thread in the application
  • last but not least : we have released documentation for all current commands in mona. We will most likely move the documentation into the wiki on redmine later on, but for now, the manual at www.corelan.be is up to date. Thanks to fancy for producing the videos for the documentation!
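As an added example (not mona.py's own code, which is not reproduced here), the following Python shows the mechanics behind several items in the v1.1 and v1.2 lists above: a Metasploit-style cyclic pattern generator that accepts custom charsets (v1.1), the JavaScript unescape() output format of pattern_create and the UTF-16LE needle a -unicode search looks for (v1.2), and the offset lookup that findmsp performs on a crash value. The default charsets, the little-endian %uXXXX layout, the function names and the sample crash value are assumptions chosen for the illustration.

```python
import struct

# Assumed default charsets (upper, lower, digits), as used by Metasploit's
# pattern_create; mona v1.1 lets you pass custom or extended sets, so they
# are a parameter here.
DEFAULT_CHARSETS = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "abcdefghijklmnopqrstuvwxyz",
    "0123456789",
)


def pattern_create(length, charsets=DEFAULT_CHARSETS):
    """Build a cyclic pattern of `length` characters.

    Each 3-character block is unique while length stays within
    len(c1)*len(c2)*len(c3)*3 (20280 for the default sets). Beyond that the
    pattern repeats and offsets become ambiguous, so refuse instead of
    silently wrapping.
    """
    c1, c2, c3 = charsets
    max_len = len(c1) * len(c2) * len(c3) * 3
    if length > max_len:
        raise ValueError("pattern longer than %d chars would repeat" % max_len)
    blocks = []
    for a in c1:
        for b in c2:
            for c in c3:
                blocks.append(a + b + c)
                if len(blocks) * 3 >= length:
                    return "".join(blocks)[:length]
    return "".join(blocks)[:length]


def pattern_offset(pattern, value):
    """Return the offset of `value` inside `pattern`, or -1 if absent.

    `value` is either the 4 ASCII characters seen in a register ("Aa5A") or
    the 32-bit value the debugger shows in EIP (0x41356141); the integer is
    the same 4 bytes read little-endian. The reversed needle is tried as a
    fallback in case the bytes were copied out big-endian.
    """
    if isinstance(value, int):
        needle = struct.pack("<I", value).decode("latin-1")
    else:
        needle = value
    off = pattern.find(needle)
    if off == -1:
        off = pattern.find(needle[::-1])
    return off


def to_js_unescape(data):
    """Encode bytes as a JavaScript unescape() string: one %uXXXX token per
    16-bit little-endian word, the layout heap-spray scripts consume.
    (Assumed to match mona's javascript output; odd lengths get a NUL pad.)"""
    if len(data) % 2:
        data += b"\x00"
    words = struct.unpack("<%dH" % (len(data) // 2), data)
    return "".join("%%u%04x" % w for w in words)


def unicode_needle(ascii_text):
    """UTF-16LE form of an ASCII string: what a -unicode search looks for in
    memory after the input went through an ANSI-to-Unicode conversion."""
    return ascii_text.encode("utf-16-le")


def find_unicode(haystack, ascii_text):
    """All offsets in `haystack` (bytes) where the Unicode form of
    `ascii_text` appears."""
    needle = unicode_needle(ascii_text)
    hits, start = [], 0
    while True:
        i = haystack.find(needle, start)
        if i == -1:
            return hits
        hits.append(i)
        start = i + 1


if __name__ == "__main__":
    pat = pattern_create(5000)
    # Constructed crash value: EIP = 0x41356141, i.e. "Aa5A" little-endian.
    print("EIP 0x41356141 -> offset", pattern_offset(pat, 0x41356141))
    print("javascript:", to_js_unescape(pat[:8].encode("latin-1")))
    # Constructed buffer: 16 bytes of padding, then the pattern as UTF-16LE.
    buf = b"\x00" * 16 + pat[:32].encode("utf-16-le")
    print("unicode 'Aa3' found at", find_unicode(buf, "Aa3"))
```

With a pattern sent as the overflow payload, reading EIP in the debugger and feeding it to pattern_offset gives the distance to the saved return address; if the application converted the buffer to Unicode first, search for the UTF-16LE needle instead and halve the byte offset to recover the position in the original ASCII input.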
