decalage2 / olefile

olefile is a Python package to parse, read and write Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office 97-2003 documents, vbaProject.bin in MS Office 2007+ files, Image Composer and FlashPix files, Outlook messages, StickyNotes, several Microscopy file formats, McAfee antivirus quarantine files, etc.

Home Page: http://www.decalage.info/olefile


Incomplete OLE stream + Incorrect OLE FAT, sector index out of range

decalage2 opened this issue · comments

Originally reported by: Unknown Name (Bitbucket: ganado, GitHub: ganado)


Hello!

I've encountered a parsing error on a malware sample. (I could open this file with SSView.)

First, an incomplete OLE stream error while opening a Unicode-named VBA script.

_VBA_PROJECT_CUR/VBA/Лист1

Traceback (most recent call last):
  File "/Users/mmt_edu/bin/malware_analysis_homework2.py", line 459, in run
    ofp = ole.openstream(olepath)
  File "/usr/local/lib/python2.7/site-packages/olefile/olefile.py", line 1911, in openstream
    return self._open(entry.isectStart, entry.size)
  File "/usr/local/lib/python2.7/site-packages/olefile/olefile.py", line 1814, in _open
    filesize=self._filesize)
  File "/usr/local/lib/python2.7/site-packages/olefile/olefile.py", line 753, in __init__
    raise IOError('incomplete OLE stream')
IOError: incomplete OLE stream

and an out of range error while opening other VBA files ...

"_VBA_PROJECT_CUR/VBA/dir"

Traceback (most recent call last):
  File "/Users/mmt_edu/bin/malware_analysis_homework2.py", line 459, in run
    ofp = ole.openstream(olepath)
  File "/usr/local/lib/python2.7/site-packages/olefile/olefile.py", line 1911, in openstream
    return self._open(entry.isectStart, entry.size)
  File "/usr/local/lib/python2.7/site-packages/olefile/olefile.py", line 1814, in _open
    filesize=self._filesize)
  File "/usr/local/lib/python2.7/site-packages/olefile/olefile.py", line 763, in __init__
    raise IOError('incorrect OLE FAT, sector index out of range')
IOError: incorrect OLE FAT, sector index out of range

Attached is the xls file (malware sample), for reproducing the bug.

I am using Python 2.7.10, olefile 0.42.

Thanks for the wonderful project.


Original comment by Philippe Lagadec (Bitbucket: decalage, GitHub: decalage2):


After a lot of troubleshooting, I found the issue: the sample file is slightly malformed. Its header sets the "mini sector cutoff size" to 0, whereas the only allowed value is 4096. If I fix this value in olefile, then all streams can be read without error.

I will publish a new version with that fix soon.

Original comment by Philippe Lagadec (Bitbucket: decalage, GitHub: decalage2):


fixed issue #27 by correcting the MiniFAT sector cutoff size if invalid, slight changes in _OleDirectoryEntry
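
The header check described in the comments above, as an added example that is not olefile's own code: it reads the mini stream cutoff field from a constructed 512-byte header and shows how a cutoff of 0 sends a small stream to the regular FAT instead of the MiniFAT. The field offset 0x38 comes from the MS-CFB header layout; the function names and the 1200-byte stream size are assumptions made for illustration.

```python
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
EXPECTED_CUTOFF = 4096   # the only allowed value, per the maintainer's comment
CUTOFF_OFFSET = 0x38     # "Mini Stream Cutoff Size" field in the MS-CFB header


def read_cutoff(header):
    """Return (raw_cutoff, effective_cutoff, warning) for an OLE2 header."""
    if len(header) < 512 or header[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2 file")
    (raw,) = struct.unpack_from("<I", header, CUTOFF_OFFSET)
    if raw == EXPECTED_CUTOFF:
        return raw, raw, None
    # Malformed header: report it and fall back to the allowed value.
    warning = "mini stream cutoff is %d, expected %d" % (raw, EXPECTED_CUTOFF)
    return raw, EXPECTED_CUTOFF, warning


def stream_storage(size, cutoff):
    """Streams smaller than the cutoff are chained through the MiniFAT;
    all others are chained through the regular FAT."""
    return "MiniFAT" if size < cutoff else "FAT"


def build_header(cutoff):
    """Constructed sample header (version 3, 512-byte sectors), not a real file."""
    h = bytearray(512)
    h[0:8] = OLE_MAGIC
    # minor version, major version, byte order, sector shift, mini sector shift
    struct.pack_into("<HHHHH", h, 24, 0x3E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<I", h, CUTOFF_OFFSET, cutoff)
    return bytes(h)


if __name__ == "__main__":
    raw, effective, warning = read_cutoff(build_header(0))
    if warning:
        print("WARNING:", warning)
    size = 1200  # constructed size of a small VBA stream
    # With the raw value the start sector is looked up in the wrong table.
    print("raw cutoff      ->", stream_storage(size, raw))
    print("corrected cutoff->", stream_storage(size, effective))
```

A triage script can run the same check on the first 512 bytes of a sample before handing it to a parser, and log the warning as a sign of a malformed or hand-edited container.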