librex 0.0.1

data/lib/rex/ole/minifat.rb

@@ -0,0 +1,77 @@
+##
+# $Id: minifat.rb 8457 2010-02-11 18:36:38Z jduck $
+# Version: $Revision: 8457 $
+##
+
+##
+# Rex::OLE - an OLE implementation
+# written in 2010 by Joshua J. Drake <jduck [at] metasploit.com>
+##
+
+module Rex
+module OLE
+
+class MiniFAT < DIFAT
+
+	#
+	# low-level functions
+	#
+	def read
+		@entries = []
+
+		visited = []
+		sect = @stg.header._sectMiniFatStart
+		@stg.header._csectMiniFat.times { |idx|
+			break if sect == SECT_END
+
+			if (visited.include?(sect))
+				raise RuntimeError, 'Sector chain loop detected (0x%08x)' % sect
+			end
+			visited << sect
+
+			buf = @stg.read_sector(sect, @stg.header.sector_size)
+			@stg.header.idx_per_sect.times { |idx|
+				@entries << Util.get32(buf, (idx*4))
+			}
+			sect = @stg.next_sector(sect)
+		}
+	end
+
+	def allocate_sector
+		idx = @entries.index(SECT_FREE)
+
+		if (not idx)
+			# add a sector worth
+			idx = @entries.length
+			@stg.header.idx_per_sect.times {
+				@entries << SECT_FREE
+			}
+		end
+
+		# default mini-sectors to end of chain
+		@entries[idx] = SECT_END
+		idx
+	end
+
+	def write
+		return if (@entries.length < 1)
+
+		mf_start = nil
+		mfs_count = 0
+		prev_sect = nil
+		copy = @entries.dup
+		while (copy.length > 0)
+			part = copy.slice!(0, @stg.header.idx_per_sect)
+			sbuf = Util.pack32array(part)
+			idx = @stg.write_sector(sbuf, nil, prev_sect)
+			mfs_count += 1
+			mf_start ||= idx
+		end
+		@stg.header._sectMiniFatStart = mf_start
+		@stg.header._csectMiniFat = mfs_count
+	end
+
+end
+
+end
+end

data/lib/rex/ole/samples/create_ole.rb

@@ -0,0 +1,27 @@
+#!/usr/bin/env ruby
+
+msfbase = __FILE__
+while File.symlink?(msfbase)
+	msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
+end
+path = File.expand_path(File.dirname(msfbase))
+path += "/../../../"
+$:.unshift(path)
+
+
+require 'rex/ole'
+
+if (ARGV.length < 1)
+	$stderr.puts "usage: make_ole <file>"
+	exit(1)
+end
+
+document = ARGV.shift
+
+if (stg = Rex::OLE::Storage.new(document, Rex::OLE::STGM_WRITE))
+	if (stm = stg.create_stream("testing"))
+		stm << "A" * 1024
+		stm.close
+	end
+	stg.close
+end

data/lib/rex/ole/samples/dir.rb

@@ -0,0 +1,35 @@
+#!/usr/bin/env ruby
+
+msfbase = __FILE__
+while File.symlink?(msfbase)
+	msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
+end
+path = File.expand_path(File.dirname(msfbase))
+path += "/../../../"
+$:.unshift(path)
+
+
+require 'rex/ole'
+
+if (ARGV.length < 1)
+	$stderr.puts "usage: dir <file>"
+	exit(1)
+end
+
+document = ARGV.shift
+
+
+# recursive printer :)
+def show_entries(ent, spaces=0)
+	spstr = " " * spaces
+
+	puts "%s + #{ent.name}" % spstr
+	ent.each { |el|
+		show_entries(el, spaces+2)
+	}
+end
+
+if (stg = Rex::OLE::Storage.new(document))
+	show_entries(stg)
+	stg.close
+end

data/lib/rex/ole/samples/dump_stream.rb

@@ -0,0 +1,34 @@
+#!/usr/bin/env ruby
+
+msfbase = __FILE__
+while File.symlink?(msfbase)
+	msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
+end
+path = File.expand_path(File.dirname(msfbase))
+path += "/../../../"
+$:.unshift(path)
+
+require 'rex/ole'
+
+if (ARGV.length < 2)
+	$stderr.puts "usage: dump_stream <file> <stream>"
+	exit(1)
+end
+
+document = ARGV.shift
+stream = ARGV.shift
+
+if (stg = Rex::OLE::Storage.new(document))
+	if (stm = stg.open_stream(stream))
+		data = stm.read(stm.length)
+		data ||= ""
+		$stderr.puts "Successfully opened the \"%s\" stream (%u bytes)" % [stream, data.length]
+		$stdout.puts data
+		stm.close
+	else
+		$stderr.puts "Unable to open stream: #{stream}"
+	end
+	stg.close
+else
+	$stderr.puts "Unable to open storage: #{document}"
+end

data/lib/rex/ole/samples/ole_info.rb

@@ -0,0 +1,23 @@
+#!/usr/bin/env ruby
+
+msfbase = __FILE__
+while File.symlink?(msfbase)
+	msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
+end
+path = File.expand_path(File.dirname(msfbase))
+path += "/../../../"
+$:.unshift(path)
+
+require 'rex/ole'
+
+if (ARGV.length < 1)
+	$stderr.puts "usage: ole_info <file>"
+	exit(1)
+end
+
+document = ARGV.shift
+
+if (stg = Rex::OLE::Storage.new(document))
+	puts stg.inspect
+	stg.close
+end

data/lib/rex/ole/storage.rb

@@ -0,0 +1,395 @@
+##
+# $Id: storage.rb 8457 2010-02-11 18:36:38Z jduck $
+# Version: $Revision: 8457 $
+##
+
+##
+# Rex::OLE - an OLE implementation
+# written in 2010 by Joshua J. Drake <jduck [at] metasploit.com>
+##
+
+module Rex
+module OLE
+
+class Storage
+
+	attr_accessor :header
+
+	def initialize(filename=nil, mode=STGM_READ)
+		@mode = mode
+		@modified = nil
+
+		@fd = nil
+		@filename = nil
+		@header = Header.new
+		@difat = DIFAT.new self
+		@fat = FAT.new self
+		@minifat = MiniFAT.new self
+		@directory = Directory.new self
+		@ministream = Stream.new self
+
+		if (filename)
+			@filename = filename
+			open(filename, mode)
+			return
+		end
+	end
+
+
+	def each
+		@directory.each { |el|
+			yield el
+		}
+	end
+
+
+	def name
+		@filename
+	end
+
+
+	def open(filename, mode)
+		if (mode == STGM_READWRITE)
+			fmode = 'r+b'
+		elsif (mode == STGM_WRITE)
+			fmode = 'w+b'
+		else
+			fmode = 'rb'
+		end
+
+		@fd = File.new(filename, fmode)
+
+		# don't read for new files
+		if (mode == STGM_WRITE)
+			# ensure there is a root
+			write_to_disk
+			return
+		end
+
+		# parse the header
+		@header.read @fd
+		@difat.read
+		@fat.read @difat
+		@minifat.read
+		@directory.read
+		# NOTE: we can't use read_stream_data here (must read using regular FAT, regardless of size)
+		# read data using the root node's start/length
+		@ministream << read_data(@directory)
+	end
+
+	def close
+		if (@modified) and (@mode != STGM_READ)
+			write_to_disk
+		end
+		@fd.close
+	end
+
+	def inspect
+		ret = ""
+		ret << "header = %s\n" % @header.to_s
+
+		ret << "*** %u DIFAT sectors\n" % @difat.length
+		ret << @difat.to_s << "\n"
+
+		ret << "*** %u FAT sectors\n" % @fat.length
+		ret << @fat.to_s << "\n"
+
+		ret << "*** %u MiniFAT sectors:\n" % @minifat.length
+		if (@minifat.length > 0)
+			ret << @minifat.to_s << "\n"
+		end
+
+		ret << "*** ministream (%u bytes):\n" % @ministream.length
+		if (@ministream.length > 0)
+			ret << @ministream.to_s << "\n"
+		end
+
+		ret << "*** %u directory entries\n" % @directory.num_entries
+		ret << @directory.to_s << "\n"
+	end
+
+
+	#
+	# stream manipulation functions
+	#
+	def create_stream(name, mode=STGM_WRITE, parent_stg=nil)
+		if (stm = open_stream(name, mode, parent_stg))
+			stm.close
+			return nil
+		end
+
+		# eek, don't check the name for now
+		# if we do, we cant create alot of streams (summary info for example)
+=begin
+		if (not Util.name_is_valid(name))
+			return nil
+		end
+=end
+
+		stm = Stream.new self
+		stm.name = name
+		parent_stg ||= @directory
+		dlog("Adding stream #{name} to storage #{parent_stg.name}", 'rex', LEV_3)
+		@directory.link_item(parent_stg, stm)
+		@modified = true
+		stm
+	end
+
+	def open_stream(name, mode=STGM_READ, parent_stg=nil)
+		parent_stg ||= @directory
+		stm = parent_stg.find_stream_by_name_and_type(name, STGTY_STREAM)
+		if (stm)
+			# TODO: optimize out the need to read all of the data up-front
+			stm << read_stream_data(stm)
+		end
+		stm
+	end
+
+
+	#
+	# storage manipulation functions
+	#
+	def create_storage(name, mode=STGM_READ, parent_stg=nil)
+		stg = SubStorage.new self
+		stg.name = name
+		parent_stg ||= @directory
+		dlog("Adding storage #{name} to storage #{parent_stg.name}", 'rex', LEV_3)
+		@directory.link_item(parent_stg, stg)
+		stg
+	end
+
+	def open_storage(name, mode=STGM_READ, parent_stg=nil)
+		@directory.find_stream_by_name_and_type(name, STGTY_STORAGE)
+	end
+
+
+	#
+	# low-level functions
+	#
+	def write_to_disk
+		# reset  FAT/DIFAT
+		@difat = DIFAT.new self
+		@fat = FAT.new self
+
+		@header.write @fd
+		write_user_data
+
+		# NOTE: we call write_stream here since we MUST write this to 
+		# the regular stream (regardless of size)
+		ms_start = write_stream(@ministream)
+		@directory.set_ministream_params(ms_start, @ministream.length)
+
+		@minifat.write
+		@directory.write
+		@fat.write(@difat)
+		@difat.write
+
+		# write it again, now that its complete
+		@header.write @fd
+		@fd.flush
+	end
+
+	def write_sector(sbuf, type=nil, prev_sect=nil)
+		len = sbuf.length
+		if (len != @header.sector_size)
+			# pad it if less
+			if (len < @header.sector_size)
+				sbuf = sbuf.dup
+				sbuf << "\x00" * (@header.sector_size - len)
+			else
+				raise RuntimeError, 'not sector sized!'
+			end
+		end
+
+		# write the data
+		idx = @fat.allocate_sector(type)
+		# point previous sector to here
+		if (prev_sect)
+			@fat[prev_sect] = idx
+		end
+		write_sector_raw(idx, sbuf)
+		return idx
+	end
+
+	def write_sector_raw(sect, sbuf)
+		dlog("Writing sector 0x%02x" % sect, 'rex', LEV_3)
+		@fd.seek((sect + 1) * @header.sector_size, ::IO::SEEK_SET)
+		@fd.write(sbuf)
+	end
+
+
+	def write_mini_sector(sbuf, prev_sect=nil)
+		len = sbuf.length
+		if (len != @header.mini_sector_size)
+			if (len < @header.mini_sector_size)
+				sbuf = sbuf.dup
+				sbuf << "\x00" * (@header.mini_sector_size - len)
+			else
+				raise RuntimeError, 'not mini sector sized!'
+			end
+		end
+
+		idx = @minifat.allocate_sector
+		# point the previous mini sector to here
+		if (prev_sect)
+			@minifat[prev_sect] = idx
+		end
+		write_mini_sector_raw(idx, sbuf)
+		idx
+	end
+
+	def write_mini_sector_raw(sect, sbuf)
+		dlog("Writing mini sector 0x%02x" % sect, 'rex', LEV_3)
+		@ministream << sbuf
+	end
+
+
+
+	def write_user_data
+		@directory.each_entry { |stm|
+			# only regular streams this pass
+			next if (stm.type != STGTY_STREAM)
+			
+			if (stm.length >= @header._ulMiniSectorCutoff)
+				stm.start_sector = write_stream(stm)
+			else
+				# NOTE: stm_start is a minifat value
+				stm.start_sector = write_mini_stream(stm)
+			end
+		}
+	end
+
+	def write_stream(stm)
+		dlog("Writing \"%s\" to regular stream" % stm.name, 'rex', LEV_3)
+		stm_start = nil
+		prev_sect = nil
+		stm.seek(0)
+		while (sbuf = stm.read(@header.sector_size))
+			sect = write_sector(sbuf, nil, prev_sect)
+			stm_start ||= sect
+			prev_sect = sect
+		end
+		stm_start
+	end
+
+	def write_mini_stream(stm)
+		dlog("Writing \"%s\" to mini stream" % stm.name, 'rex', LEV_3)
+		prev_sect = nil
+		stm.seek(0)
+		while (sbuf = stm.read(@header.mini_sector_size))
+			sect = write_mini_sector(sbuf, prev_sect)
+			stm_start ||= sect
+			prev_sect = sect
+		end
+		stm_start
+	end
+
+
+	def read_stream_data(direntry)
+		if (direntry.length < @header._ulMiniSectorCutoff)
+			return read_data_mini(direntry)
+		end
+
+		read_data(direntry)
+	end
+
+	def read_data(direntry)
+		ret = ""
+		visited = []
+		left = direntry.length
+		sect = direntry.start_sector
+		while (sect != SECT_END)
+			if (visited.include?(sect))
+				raise RuntimeError, 'Sector chain loop detected (0x%08x)' % sect
+			end
+			visited << sect
+
+			# how much to read?
+			block = @header.sector_size
+			block = left if (block > left)
+
+			# read it.
+			dlog("read_data - reading 0x%x bytes" % block, 'rex', LEV_3)
+			buf = read_sector(sect, block)
+			ret << buf
+			left -= buf.length
+
+			# done?
+			break if (left == 0)
+
+			sect = next_sector(sect)
+		end
+		ret
+	end
+
+	def read_data_mini(direntry)
+		ret = ""
+		visited = []
+		left = direntry.length
+		sect = direntry.start_sector
+		while (sect != SECT_END)
+			if (visited.include?(sect))
+				raise RuntimeError, 'Sector chain loop detected (0x%08x mini)' % sect
+			end
+			visited << sect
+
+			# how much to read?
+			block = @header.mini_sector_size
+			block = left if (block > left)
+
+			# read it.
+			dlog("read_data_mini - reading 0x%x bytes" % block, 'rex', LEV_3)
+			buf = read_mini_sector(sect, block)
+			ret << buf
+			left -= buf.length
+
+			# done?
+			break if (left == 0)
+
+			sect = next_mini_sector(sect)
+		end
+		ret
+	end
+
+
+	def read_sector(sect, len)
+		off = ((sect + 1) * @header.sector_size)
+		@fd.seek(off, ::IO::SEEK_SET)
+		buf = @fd.read(len)
+		if (not buf)
+			if (@fd.eof?)
+				raise RuntimeError, 'EOF while reading sector data (0x%08x)' % sect
+			else
+				raise RuntimeError, 'Unknown error while reading sector data (0x%08x)' % sect
+			end
+		end
+		if (buf.length != len)
+			raise RuntimeError, 'Insufficient data for sector (0x%08x): got %u of %u' % [sect, buf.length, len]
+		end
+		buf
+	end
+
+	def next_sector(sect)
+		return SECT_END if (sect >= @fat.length)
+		@fat[sect]
+	end
+
+
+	def read_mini_sector(sect, len)
+		dlog("Reading mini sector 0x%x" % sect, 'rex', LEV_3)
+		off = (@header.mini_sector_size * sect)
+		dlog("Reading from offset 0x%x of ministream" % off, 'rex', LEV_3)
+		@ministream.seek(off)
+		data = @ministream.read(len)
+		data
+	end
+
+	def next_mini_sector(sect)
+		return SECT_END if (sect >= @minifat.length)
+		@minifat[sect]
+	end
+
+end
+
+end
+end