rex-ole 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 96d83d1e258c69844bac338287ba147f27e79092
+  data.tar.gz: 7b939852df46e093e63355d852b5860178bdefc9
+SHA512:
+  metadata.gz: 450d8312a1b4a2846999802543eab21bdae5894649195aa53d8f72a7e99fa8077df6a1b5414f2ff1adcfbcce3dfeb4c1e57c0419b4ccbf0c5ea81a87e8d97983
+  data.tar.gz: 9578bb85804856ee572f3d2f9f6c18b74363ac86694526de63f0bf34b2825be6759bf882a0d6150dde94463854e575e0a3841fb827b45744bcf9492fb337e7fe

data/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.travis.yml

@@ -0,0 +1,5 @@
+sudo: false
+language: ruby
+rvm:
+  - 2.3.1
+before_install: gem install bundler -v 1.12.5

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,52 @@
+# Contributor Code of Conduct
+
+As contributors and maintainers of this project, and in the interest of
+fostering an open and welcoming community, we pledge to respect all people who
+contribute through reporting issues, posting feature requests, updating
+documentation, submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project a harassment-free
+experience for everyone, regardless of level of experience, gender, gender
+identity and expression, sexual orientation, disability, personal appearance,
+body size, race, ethnicity, age, religion, or nationality.
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery
+* Personal attacks
+* Trolling or insulting/derogatory comments
+* Public or private harassment
+* Publishing other's private information, such as physical or electronic
+  addresses, without explicit permission
+* Other unethical or unprofessional conduct
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+By adopting this Code of Conduct, project maintainers commit themselves to
+fairly and consistently applying these principles to every aspect of managing
+this project. Project maintainers who do not follow or enforce the Code of
+Conduct may be permanently removed from the project team.
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project maintainers at msfdev@metasploit.com. If
+the incident involves a committer, you may report directly to
+egypt@metasploit.com or todb@metasploit.com.
+
+All complaints will be reviewed and investigated and will result in a
+response that is deemed necessary and appropriate to the circumstances.
+Maintainers are obligated to maintain confidentiality with regard to the
+reporter of an incident.
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 1.3.0, available at
+[http://contributor-covenant.org/version/1/3/0/][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/3/0/

data/Gemfile

@@ -0,0 +1,6 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in rex-ole.gemspec
+gemspec
+
+gem 'rex-text'

data/LICENSE

@@ -0,0 +1,27 @@
+Copyright (C) 2012-2013, Rapid7, Inc.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice,
+	  this list of conditions and the following disclaimer.
+
+    * Redistributions in binary form must reproduce the above copyright notice,
+	  this list of conditions and the following disclaimer in the documentation
+	  and/or other materials provided with the distribution.
+
+    * Neither the name of Rapid7 LLC nor the names of its contributors
+	  may be used to endorse or promote products derived from this software
+	  without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

data/README.md

@@ -0,0 +1,32 @@
+# Rex::OLE
+
+Ruby Exploitation(rex) Library for reading/writing Object-Linking-and-Embedding (OLE) files and streams. Ported over from Joshua Drake's original code inside Metasploit Framework.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'rex-ole'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install rex-ole
+
+
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/rapid7/rex-ole. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
+

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "rex/ole"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/rex/ole/clsid.rb

@@ -0,0 +1,44 @@
+# -*- coding: binary -*-
+
+##
+# Rex::OLE - an OLE implementation
+# written in 2010 by Joshua J. Drake <jduck [at] metasploit.com>
+##
+
+
+module Rex
+module OLE
+
+class CLSID
+
+  def initialize(buf=nil)
+    @buf = buf
+    @buf ||= "\x00" * 16
+  end
+
+  def pack
+    @buf
+  end
+
+  def to_s
+    ret = ""
+    ret << "%08x" % Util.get32(@buf, 0)
+    ret << "-"
+    ret << "%04x" % Util.get16(@buf, 4)
+    ret << "-"
+    ret << "%04x" % Util.get16(@buf, 6)
+    ret << "-"
+    idx = 0
+    last8 = @buf[8,8]
+    last8.unpack('C*').each { |byte|
+      ret << [byte].pack('C').unpack('H*')[0]
+      ret << "-" if (idx == 1)
+      idx += 1
+    }
+    ret
+  end
+
+end
+
+end
+end

data/lib/rex/ole/difat.rb

@@ -0,0 +1,138 @@
+# -*- coding: binary -*-
+
+##
+# Rex::OLE - an OLE implementation
+# written in 2010 by Joshua J. Drake <jduck [at] metasploit.com>
+##
+
+module Rex
+module OLE
+
+class DIFAT
+
+  def initialize stg
+    @stg = stg
+    @entries = []
+  end
+
+  #
+  # convenience access to entries
+  #
+  def []=(idx,expr)
+    @entries[idx] = expr
+  end
+
+  def [](idx)
+    @entries[idx]
+  end
+
+  def +(expr)
+    @entries += expr
+    self
+  end
+
+  def <<(expr)
+    @entries << expr
+  end
+
+  def length
+    @entries.length
+  end
+
+  def slice!(start,stop)
+    @entries.slice!(start,stop)
+  end
+
+  def reset
+    @entries = []
+  end
+
+  def each
+    @entries.each { |el|
+      yield el
+    }
+  end
+
+  #
+  # woop
+  #
+  def to_s
+    ret = "{ "
+    @entries.each { |el|
+      ret << ", " if (ret.length > 2)
+      case el
+      when SECT_END
+        ret << "END"
+      when SECT_DIF
+        ret << "DIF"
+      when SECT_FAT
+        ret << "FAT"
+      when SECT_FREE
+        ret << "FREE"
+      else
+        ret << "0x%x" % el
+      end
+    }
+    ret << " }"
+    ret
+  end
+
+  #
+  # low-level functions
+  #
+  def read
+    @entries = []
+
+    # start with the header part
+    @entries += @stg.header._sectFat
+
+    # double indirect fat
+    sect = @stg.header._sectDifStart
+    while (sect != SECT_END)
+      if (@entries.include?(sect))
+        raise RuntimeError, 'Sector chain loop detected (0x%08x)' % sect
+      end
+
+      @entries << sect
+      buf = @stg.read_sector(sect, @stg.header.sector_size)
+
+      # the last sect ptr in the block becomes the next entry
+      sect = Util.get32(buf, ((@stg.header.idx_per_sect)-1) * 4)
+    end
+
+    # don't need these free ones, but it doesn't hurt to keep them.
+    #@difat.delete(SECT_FREE)
+  end
+
+  def write
+    len = @entries.length
+    first109 = @entries.dup
+
+    rest = nil
+    if (len > 109)
+      rest = first109.slice!(109,len)
+    end
+
+    @stg.header._sectFat = []
+    @stg.header._sectFat += first109
+    if (len < 109)
+      need = 109 - len
+      need.times {
+        @stg.header._sectFat << SECT_FREE
+      }
+    end
+
+    if (rest and rest.length > 0)
+      raise RuntimeError, 'TODO: support writing DIF properly!'
+      # may require adding more fat sectors :-/
+      #@stg.header._csectDif = rest.length
+      #@stg.header._sectDifStart = idx
+    end
+
+    @stg.header._csectFat = len
+  end
+
+end
+
+end
+end

data/lib/rex/ole/directory.rb

@@ -0,0 +1,228 @@
+# -*- coding: binary -*-
+
+##
+# Rex::OLE - an OLE implementation
+# written in 2010 by Joshua J. Drake <jduck [at] metasploit.com>
+##
+
+module Rex
+module OLE
+
+require 'rex/ole/direntry'
+
+#
+# This class serves as the root directory entry in addition to
+# an abstraction around the concept of a directory as a whole.
+#
+class Directory < DirEntry
+
+  # XXX: num_entries is not maintained once a stream/storage is added!
+  attr_accessor :num_entries
+
+  def initialize(stg)
+    super
+
+    @num_entries = 1
+  end
+
+
+  # woop, recursive each
+  def yield_entries(de, &block)
+    block.call(de)
+    de.each { |el|
+      yield_entries(el, &block)
+    }
+  end
+  def each_entry(&block)
+    yield_entries(self, &block)
+  end
+
+
+  def set_ministream_params(start, size)
+    @_sectStart = start
+    @_ulSize = size
+  end
+
+  def link_item(parent, child)
+    # set sid, advance count
+    child.sid = @num_entries
+    @num_entries += 1
+
+    # link item to siblings and/or parent
+    if (parent._sidChild == DIR_NOSTREAM)
+      parent._sidChild = child.sid
+      dlog("Linking #{child.name} as THE child of #{parent.name} as sid #{child.sid}", 'rex', LEV_3)
+    else
+      sib = nil
+      parent.each { |el|
+        if (el._sidLeftSib == DIR_NOSTREAM)
+          sib = el
+          el._sidLeftSib = child.sid
+          dlog("Linking #{child.name} as the LEFT sibling of #{sib.name} as sid #{child.sid}", 'rex', LEV_3)
+          break
+        end
+        if (el._sidRightSib == DIR_NOSTREAM)
+          sib = el
+          el._sidRightSib = child.sid
+          dlog("Linking #{child.name} as the RIGHT sibling of #{sib.name} as sid #{child.sid}", 'rex', LEV_3)
+          break
+        end
+      }
+      if (not sib)
+        raise RuntimeError, 'Unable to find a sibling to link to in the directory'
+      end
+    end
+    parent << child
+  end
+
+
+  #
+  # low-level functions
+  #
+  def from_s(sid, buf)
+    super
+
+    if (@_sidRightSib != DIR_NOSTREAM)
+      raise RuntimeError, 'Root Entry is invalid! (has right sibling)'
+    end
+    if (@_sidLeftSib != DIR_NOSTREAM)
+      raise RuntimeError, 'Root Entry is invalid! (has left sibling)'
+    end
+  end
+
+  def read
+    @children = []
+    visited = []
+    entries = []
+    root_node = nil
+    sect = @stg.header._sectDirStart
+    while (sect != SECT_END)
+
+      if (visited.include?(sect))
+        raise RuntimeError, 'Sector chain loop detected (0x%08x)' % sect
+      end
+      visited << sect
+
+      sbuf = @stg.read_sector(sect, @stg.header.sector_size)
+      while (sbuf.length >= DIRENTRY_SZ)
+        debuf = sbuf.slice!(0, DIRENTRY_SZ)
+
+        type = Util.get8(debuf, 0x42)
+        case type
+        when STGTY_ROOT
+          if (entries.length != 0)
+            raise RuntimeError, 'Root Entry found, but not first encountered!'
+          end
+          if (root_node)
+            raise RuntimeError, 'Multiple root directory sectors detected (0x%08x)' % sect
+          end
+          de = self
+          root_node = de
+
+        when STGTY_STORAGE
+          de = SubStorage.new @stg
+
+        when STGTY_STREAM
+          de = Stream.new @stg
+
+        when STGTY_INVALID
+          # skip invalid entries
+          next
+
+        else
+          raise RuntimeError, 'Unsupported directory entry type (0x%02x)' % type
+        end
+
+        # read content
+        de.from_s(entries.length, debuf)
+        entries << de
+      end
+      sect = @stg.next_sector(sect)
+    end
+
+    @num_entries = entries.length
+
+    # sort out the tree structure, starting with the root
+    if (@_sidChild != DIR_NOSTREAM)
+      populate_children(entries, root_node, @_sidChild)
+    end
+  end
+
+
+  # recursively add entries to their proper parents :)
+  def populate_children(entries, parent, sid)
+    node = entries[sid]
+    dlog("populate_children(entries, \"#{parent.name}\", #{sid}) - node: #{node.name}", 'rex', LEV_3)
+    parent << node
+    if (node.type == STGTY_STORAGE) and (node._sidChild != DIR_NOSTREAM)
+      populate_children(entries, node, node._sidChild)
+    end
+    if (node._sidLeftSib != DIR_NOSTREAM)
+      populate_children(entries, parent, node._sidLeftSib)
+    end
+    if (node._sidRightSib != DIR_NOSTREAM)
+      populate_children(entries, parent, node._sidRightSib)
+    end
+  end
+
+  # NOTE: this may not be necessary if we were to use each_entry
+  def flatten_tree(entries, parent)
+    entries << parent
+    parent.each { |el|
+      flatten_tree(entries, el)
+    }
+  end
+
+
+  def write
+    # flatten the directory again
+    entries = []
+    flatten_tree(entries, self)
+    dlog("flattened tree has #{entries.length} entries...", 'rex', LEV_3)
+
+    # count directory sectors
+    ds_count = entries.length / 4
+    if ((entries.length % 4) > 0)
+      # one more sector to hold the rest
+      ds_count += 1
+    end
+
+    # put the root entry first
+    sbuf = self.pack
+
+    # add the rest
+    prev_sect = nil
+    dir_start = nil
+    entries.each { |de|
+      # we already got the root entry, no more!
+      next if (de.type == STGTY_ROOT)
+
+      dir = de.pack
+      dlog("writing dir entry #{de.name}", 'rex', LEV_3)
+      sbuf << dir
+
+      if (sbuf.length == @stg.header.sector_size)
+        # we have a full sector, add it!
+        sect = @stg.write_sector(sbuf, nil, prev_sect)
+        prev_sect = sect
+        dir_start ||= sect
+        # reset..
+        sbuf = ""
+      end
+    }
+
+    # still a partial sector left?
+    if (sbuf.length > 0)
+      # add it! (NOTE: it will get padded with nul bytes if its not sector sized)
+      sect = @stg.write_sector(sbuf, nil, prev_sect)
+      prev_sect = sect
+      dir_start ||= sect
+    end
+
+    @stg.header._sectDirStart = dir_start
+  end
+
+end
+
+end
+end