Essential Immunity Commands for OSCP and CTFs
I don’t often use Immunity, it’s nice but if you take OSCP you will have to get familiar with it. I have assembled my favourite commands I use with mona to get through basic exploit dev fast.
Configure Mona Log/Export Directory
When mona completes a command, it usually writes a log entry to a file, this can be a cyclical pattern for finding offset, it could be a list of memory addresses that match a gadget you search for or it could contain a number of other useful information such as register state when a program crashes.
In order to keep a consistent and easy to access location from lab to lab I like to create a mona directory in C:\, you can do that as follows in Immunity console…
!mona config -set workingfolder c:\mona\%p
Creating Cyclical Pattern
We all know about the awesome Metasploit binaries, msf-pattern_create
and msf-pattern_offset to figure out correct offset, but how do we do this in Immunity?
!mona pc 3333
It will generate the following output in the mona directory…
Now use your cyclical pattern in your exploit…
payload = "Aa0Aa1..."
When the program crashes, execute the following command in Immunity console…
EIP contains normal pattern : 0xcafedude (offset 128)
Finding Bad Characters
First, we need to generate an array of all the possible range of characters, from 0x00 to 0xff, however, in many cases, it’s a string based exploit so we can exclude the null byte as it’s a string line terminator and would kill our exploit.
!mona bytearray -cpb \x00
This will generate some files in C:\mona, bytearray.txt and bytearray.bin, open bytearray.txt and use that in your payload…
payload = "\x01\x02\x03..."
Again, when the program crashes, execute the following command in Immunity console…
!mona compare -a esp -f c:\mona\bytearray.bin
If no bad chars are found you will see this…
!!! Hooray, normal shellcode unmodified !!!
Otherwise, you will see the character causing the issue…
Possibly bad chars: 01
Bad Character Argument to Functions (Bonus)
-cpb allows you to specify bad characters for other functions, as you will see below it is used to search for gadgets that do not contain our null byte string terminator that we need to avoid. Figure out bad characters first, then call functions using -cpb to ensure your exploit dev and testing is on the right track.
Let’s say we want to find a gadget like ‘jmp esp’ that does not contain our badchars, easy…
!mona jmp -r esp -cpb "\x00\x01"
List Loaded Modules for Gadget Searching
With DEP you need to do a return2 exploit, in this case, you normally want to get an address for in instruction in a loaded module code to jump somewhere else to execute your code.
With the above commands, you have all the pieces you need for CTF challenges and OSCP, there are other ways to do the same things in Immunity but I have found the commands above to be the best.