rex-ole 0.1.0

data/lib/rex/ole/direntry.rb

@@ -0,0 +1,237 @@
+# -*- coding: binary -*-
+
+##
+# Rex::OLE - an OLE implementation
+# written in 2010 by Joshua J. Drake <jduck [at] metasploit.com>
+##
+
+module Rex
+module OLE
+
+#
+# This class serves as the base class for SubStorage, Stream, and Directory head
+#
+class DirEntry
+
+  attr_accessor :sid
+  attr_accessor :_sidChild, :_sidLeftSib, :_sidRightSib
+
+  def initialize(stg)
+    @stg = stg
+
+    # default to a root entry :)
+    @sid = 0
+    @_ab = "Root Entry"
+    @_cb = nil              # NOTE: this is not used until pack
+    @_mse = STGTY_ROOT
+    @_bflags = 0
+    @_sidLeftSib = SECT_FREE
+    @_sidRightSib = SECT_FREE
+    @_sidChild = SECT_FREE
+    @_clsId = CLSID.new
+    @_dwUserFlags = 0
+    @_ctime = "\x00" * 8
+    @_mtime = "\x00" * 8
+    @_sectStart = SECT_END
+    @_ulSize = 0
+
+    # keep track of logical children (in a tree)
+    @children = []
+  end
+
+
+  def length
+    @_ulSize
+  end
+
+  def <<(expr)
+    @children << expr
+  end
+
+  def each
+    @children.each { |de|
+      yield de
+    }
+  end
+
+
+  def type
+    @_mse
+  end
+  def type=(arg)
+    @_mse = arg
+  end
+
+  def name
+    @_ab
+  end
+  def name=(arg)
+    # XXX: validate?
+    @_ab = arg
+  end
+
+  def start_sector
+    @_sectStart
+  end
+  def start_sector=(expr)
+    @_sectStart = expr
+  end
+
+
+  # NOTE: this will not look at children
+  def find_stream_by_name_and_type(name, type)
+    @children.each { |de|
+      next if (de.type != type)
+
+      if (de.name == name)
+        return de
+      end
+    }
+    nil
+  end
+
+
+  def find_by_sid(sid, de=self)
+    if (de.sid == sid)
+      return de
+    end
+    @children.each { |cde|
+      ret = find_by_sid(sid, cde)
+      if (ret)
+        return ret
+      end
+    }
+    nil
+  end
+
+
+  #
+  # low-level functions
+  #
+  def from_s(sid, buf)
+    @sid = sid
+    @_ab           = Util.getUnicodeString(buf[0x00,64])
+    @_cb           = Util.get16(buf, 0x40)
+
+    # too big?
+    if (@_cb > 0x40)
+      raise RuntimeError, 'Invalid directory entry name length %#x' % @_cb
+    end
+
+    # mismatch?
+    if (@_ab.length > 0)
+      declen = ((@_cb) / 2) - 1
+      if (declen != @_ab.length)
+        raise RuntimeError, 'Directory entry name and length mismatch (%d != %d)' % [declen, @_ab.length]
+      end
+    end
+
+    @_mse          = Util.get8(buf, 0x42)
+    @_bflags       = Util.get8(buf, 0x43)
+    @_sidLeftSib   = Util.get32(buf, 0x44)
+    @_sidRightSib  = Util.get32(buf, 0x48)
+    @_sidChild     = Util.get32(buf, 0x4c)
+
+    # only used for storages..
+    @_clsId = CLSID.new(buf[0x50,16])
+    @_dwUserFlags  = Util.get32(buf, 0x60)
+    @_ctime        = buf[0x64,8]
+    @_mtime        = buf[0x6c,8]
+
+    # only used for streams...
+    @_sectStart    = Util.get32(buf, 0x74)
+    if (@stg.header._uMajorVersion == 4)
+      @_ulSize       = Util.get64(buf, 0x78)
+    else
+      @_ulSize       = Util.get32(buf, 0x78)
+    end
+
+    # ignore _dptPropType and pad
+  end
+
+
+  def pack
+    @_sectStart ||= SECT_END
+    @_cb = (@_ab.length + 1) * 2
+
+    data = ""
+    data << Util.putUnicodeString(@_ab) # gets padded/truncated to 0x40 bytes
+    data << Util.pack16(@_cb)
+    data << Util.pack8(@_mse)
+    data << Util.pack8(@_bflags)
+    data << Util.pack32(@_sidLeftSib)
+    data << Util.pack32(@_sidRightSib)
+    data << Util.pack32(@_sidChild)
+    data << @_clsId.pack
+    data << Util.pack32(@_dwUserFlags)
+    data << @_ctime
+    data << @_mtime
+    data << Util.pack32(@_sectStart)
+    data << Util.pack64(@_ulSize)
+    data
+  end
+
+
+  def to_s(extra_spaces=0)
+    @_sectStart ||= SECT_END
+    @_cb = (@_ab.length + 1) * 2
+
+    spstr = " " * extra_spaces
+
+    ret = "%s{\n" % spstr
+    ret << "%s  sid => 0x%x" % [spstr, @sid]
+    ret << ",\n"
+    ret << "%s  _ab => \"%s\"" % [spstr, Util.Printable(@_ab)]
+    ret << ",\n"
+    ret << "%s  _cb => 0x%04x" % [spstr, @_cb]
+    ret << ",\n"
+    ret << "%s  _mse => 0x%02x" % [spstr, @_mse]
+    ret << ",\n"
+    ret << "%s  _bflags => 0x%02x" % [spstr, @_bflags]
+    ret << ",\n"
+    ret << "%s  _sidLeftSib => 0x%08x" % [spstr, @_sidLeftSib]
+    ret << ",\n"
+    ret << "%s  _sidRightSib => 0x%08x" % [spstr, @_sidRightSib]
+    ret << ",\n"
+    ret << "%s  _sidChild => 0x%08x" % [spstr, @_sidChild]
+    ret << ",\n"
+    ret << "%s  _clsId => %s" % [spstr, @_clsId.to_s]
+    ret << ",\n"
+    ret << "%s  _dwUserFlags => 0x%08x" % [spstr, @_dwUserFlags]
+    ret << ",\n"
+    ret << "%s  _ctime => %s" % [spstr, Rex::Text.to_hex_dump(@_ctime).strip]
+    ret << "\n"
+    ret << "%s  _mtime => %s" % [spstr, Rex::Text.to_hex_dump(@_mtime).strip]
+    ret << "\n"
+    ret << "%s  _sectStart => 0x%08x" % [spstr, @_sectStart]
+    ret << ",\n"
+    ret << "%s  _ulSize => 0x%016x" % [spstr, @_ulSize]
+    if (@_mse == STGTY_STREAM)
+      ret << ",\n"
+      ret << "%s  data =>\n" % spstr
+      if (@data)
+        #ret << Util.Printable(@data)
+        ret << Rex::Text.to_hex_dump(@data).strip
+      else
+        if (@_ulSize > 0)
+          ret << "--NOT OPENED YET--"
+        end
+      end
+    elsif (@_mse == STGTY_STORAGE) or (@_mse == STGTY_ROOT)
+      if (@children.length > 0)
+        ret << ",\n"
+        ret << "%s  *children* =>\n" % spstr
+        @children.each { |de|
+          ret << de.to_s(extra_spaces+2)
+          ret << "\n"
+        }
+      end
+    end
+    ret << "\n"
+    ret << "%s}" % spstr
+  end
+
+end
+
+end
+end

data/lib/rex/ole/docs/dependencies.txt

@@ -0,0 +1,8 @@
+Object              Dependencies
+------------------  ---------------------
+User Data           None
+Header              Fat, DIFat, Directory, MiniStream
+DIFat               Fat
+Fat                 Directory, *Fat, User Data, MiniStream
+Directory           User Data, MiniStream
+MiniFat             MiniStreams

data/lib/rex/ole/docs/references.txt

@@ -0,0 +1 @@
+[MS-CFB].pdf

data/lib/rex/ole/fat.rb

@@ -0,0 +1,96 @@
+# -*- coding: binary -*-
+
+##
+# Rex::OLE - an OLE implementation
+# written in 2010 by Joshua J. Drake <jduck [at] metasploit.com>
+##
+
+module Rex
+module OLE
+
+class FAT < DIFAT
+
+  #
+  # low-level functions
+  #
+  def read(difat)
+    @entries = []
+    cnt = left = @stg.header._csectFat
+    difat.each { |fs|
+      break if (left == 0)
+
+      if (fs != SECT_FREE)
+        buf = @stg.read_sector(fs, @stg.header.sector_size)
+        arr = Util.get32array(buf)
+
+        # hax!
+        if (@entries[fs] == SECT_DIF)
+          # chop the next ptr
+          @entries += arr.slice!(0, arr.length - 1)
+        else
+          @entries += arr
+        end
+        left -= 1
+      end
+    }
+
+    if (left != 0)
+      raise RuntimeError, 'Only found %u of %u sectors' % [(cnt - left), cnt]
+    end
+  end
+
+  def allocate_sector(type=nil)
+    idx = @entries.index(SECT_FREE)
+    if (not idx)
+      # add a sector worth
+      idx = @entries.length
+      @stg.header.idx_per_sect.times {
+        @entries << SECT_FREE
+      }
+    end
+
+    # mark the sector as in use
+    if (type)
+      @entries[idx] = type
+    else
+      # default normal sectors to end of chain
+      @entries[idx] = SECT_END
+    end
+    idx
+  end
+
+  def write(difat)
+    # we build the difat as we write these..
+    difat.reset
+
+    # allocate the sectors
+    fat_sects = []
+    left = @entries.length
+    while (left > 0)
+      if (left > @stg.header.idx_per_sect)
+        left -= @stg.header.idx_per_sect
+      else
+        left = 0
+      end
+      fat_sects << allocate_sector(SECT_FAT)
+    end
+
+    # write the fat into the difat/allocated sectors
+    copy = @entries.dup
+    fat_sects.each { |fs|
+      part = copy.slice!(0, @stg.header.idx_per_sect)
+      sbuf = Util.pack32array(part)
+
+      if (sbuf.length != @stg.header.sector_size)
+        raise RuntimeError, 'Unsupported number of fat sectors (not multiple of idx per sect)'
+      end
+
+      @stg.write_sector_raw(fs, sbuf)
+      difat << fs
+    }
+  end
+
+end
+
+end
+end

data/lib/rex/ole/header.rb

@@ -0,0 +1,201 @@
+# -*- coding: binary -*-
+
+##
+# Rex::OLE - an OLE implementation
+# written in 2010 by Joshua J. Drake <jduck [at] metasploit.com>
+##
+
+#
+# Should we support major == 4 && sectorshift == 0xc ?
+#
+
+module Rex
+module OLE
+
+require 'rex/ole/util'
+
+class Header
+
+  attr_accessor :_csectFat, :_sectFat
+  attr_accessor :_csectMiniFat, :_sectMiniFatStart
+  attr_accessor :_ulMiniSectorCutoff, :_uMiniSectorShift
+  attr_accessor :_csectDif, :_sectDifStart
+  attr_accessor :_sectDirStart
+  attr_accessor :_uMajorVersion
+
+  attr_accessor :sector_size, :idx_per_sect
+  attr_accessor :mini_sector_size
+
+  def initialize
+    set_defaults
+
+    # calculate some numbers (save a little math)
+    @sector_size = 1 << @_uSectorShift
+    @mini_sector_size = 1 << @_uMiniSectorShift
+    @idx_per_sect = @sector_size / 4
+  end
+
+  def set_defaults
+    @_abSig               = SIG
+    @_clid = CLSID.new
+    @_uByteOrder          = LITTLE_ENDIAN
+
+    @_uMinorVersion       = 0x3e
+    @_uMajorVersion       = 0x03
+
+    @_uSectorShift        = 9         # 512 byte sectors
+    @_uMiniSectorShift    = 6         # 64 byte mini-sectors
+
+    @_csectDir            = nil             # TBD (v4 only, 1 required)
+
+    @_csectFat            = nil             # TBD (one required)
+    @_sectDirStart        = nil             # TBD (one required)
+
+    @_signature           = 0               # no transactions support
+
+    @_ulMiniSectorCutoff  = 0x1000    # 4k
+    @_sectMiniFatStart    = SECT_END   # TBD
+    @_csectMiniFat        = 0               # TBD
+
+    @_sectDifStart        = SECT_END   # TBD (default to none)
+    @_csectDif            = 0               # TBD (default to none)
+
+    @_sectFat             = []              # TBD
+  end
+
+  def to_s
+    ret = "{\n"
+    ret << "  _abSig => \"%s\"" % Util.Printable(@_abSig)
+    ret << ",\n"
+    ret << "  _clid => %s" % @_clid.to_s
+    ret << ",\n"
+    ret << "  _uMinorVersion => 0x%04x" % @_uMinorVersion
+    ret << ",\n"
+    ret << "  _uMajorVersion => 0x%04x" % @_uMajorVersion
+    ret << ",\n"
+    ret << "  _uByteOrder => 0x%04x" % @_uByteOrder
+    ret << ",\n"
+    ret << "  _uSectorShift => 0x%04x" % @_uSectorShift
+    ret << ",\n"
+    ret << "  _uMiniSectorShift => 0x%04x" % @_uMiniSectorShift
+    ret << ",\n"
+
+    if (@_csectDir)
+      ret << "  _csectDir => 0x%08x" % @_csectDir
+    else
+      ret << "  _csectDir => UNALLOCATED" % @_csectDir
+    end
+    ret << ",\n"
+
+    if (@_csectFat)
+      ret << "  _csectFat => 0x%08x" % @_csectFat
+    else
+      ret << "  _csectFat => UNALLOCATED"
+    end
+    ret << ",\n"
+
+    if (@_sectDirStart)
+      ret << "  _sectDirStart => 0x%08x" % @_sectDirStart
+    else
+      ret << "  _sectDirStart => UNALLOCATED"
+    end
+    ret << ",\n"
+
+    ret << "  _signature => 0x%08x" % @_signature
+    ret << ",\n"
+    ret << "  _uMiniSectorCutoff => 0x%08x" % @_ulMiniSectorCutoff
+    ret << ",\n"
+    ret << "  _sectMiniFatStart => 0x%08x" % @_sectMiniFatStart
+    ret << ",\n"
+    ret << "  _csectMiniFat => 0x%08x" % @_csectMiniFat
+    ret << ",\n"
+    ret << "  _sectDifStart => 0x%08x" % @_sectDifStart
+    ret << ",\n"
+    ret << "  _csectDif => 0x%08x" % @_csectDif
+    #ret << ",\n"
+    #ret << "  _sectFat => "
+    #ret << Rex::Text.to_hex_dump32array(@_sectFat)
+    ret << "\n}"
+    ret
+  end
+
+  #
+  # low-level functions
+  #
+  def read(fd)
+    buf = fd.read(HDR_SZ)
+
+    @_abSig        = buf[0x00,8]
+    if (@_abSig != SIG) and (@_abSig != SIG_BETA)
+      raise RuntimeError, 'Invalid signature for OLE file'
+    end
+    @_clid = CLSID.new(buf[0x08,16])
+
+    @_uByteOrder   = Util.get16(buf, 0x1c)
+    Util.set_endian(@_uByteOrder)
+
+    @_uMinorVersion       = Util.get16(buf, 0x18)
+    @_uMajorVersion       = Util.get16(buf, 0x1a)
+
+    @_uSectorShift        = Util.get16(buf, 0x1e)
+    @_uMiniSectorShift    = Util.get16(buf, 0x20)
+
+    # ignore reserved bytes
+
+    @_csectDir            = Util.get32(buf, 0x28) # NOTE: only for v4 files
+
+    @_csectFat            = Util.get32(buf, 0x2c)
+    @_sectDirStart        = Util.get32(buf, 0x30)
+
+    @_signature           = Util.get32(buf, 0x34)
+
+    @_ulMiniSectorCutoff  = Util.get32(buf, 0x38)
+    @_sectMiniFatStart    = Util.get32(buf, 0x3c)
+    @_csectMiniFat        = Util.get32(buf, 0x40)
+
+    @_sectDifStart        = Util.get32(buf, 0x44)
+    @_csectDif            = Util.get32(buf, 0x48)
+
+    @_sectFat = Util.get32array(buf[0x4c, (109 * 4)])
+  end
+
+  def write(fd)
+    hdr = ""
+    hdr << @_abSig
+    hdr << @_clid.pack
+    hdr << Util.pack16(@_uMinorVersion)
+    hdr << Util.pack16(@_uMajorVersion)
+    hdr << Util.pack16(@_uByteOrder)
+    hdr << Util.pack16(@_uSectorShift)
+    hdr << Util.pack16(@_uMiniSectorShift)
+    if (@_uMajorVersion == 0x04)
+      hdr << "\x00" * 6 # reserved bytes
+      hdr << Util.pack32(@_csectDir)
+    else
+      hdr << "\x00" * 10 # reserved bytes
+    end
+
+    fs_count = @_csectFat
+    fs_count ||= 0
+    hdr << Util.pack32(fs_count)
+
+    dir_start = @_sectDirStart
+    dir_start ||= SECT_END
+    hdr << Util.pack32(dir_start)
+
+    hdr << Util.pack32(@_signature)
+    hdr << Util.pack32(@_ulMiniSectorCutoff)
+    hdr << Util.pack32(@_sectMiniFatStart)
+    hdr << Util.pack32(@_csectMiniFat)
+    hdr << Util.pack32(@_sectDifStart)
+    hdr << Util.pack32(@_csectDif)
+    hdr << Util.pack32array(@_sectFat)
+
+    fd.seek(0, ::IO::SEEK_SET)
+    fd.write(hdr)
+  end
+
+end
+
+end
+end

data/lib/rex/ole/minifat.rb

@@ -0,0 +1,74 @@
+# -*- coding: binary -*-
+
+##
+# Rex::OLE - an OLE implementation
+# written in 2010 by Joshua J. Drake <jduck [at] metasploit.com>
+##
+
+module Rex
+module OLE
+
+class MiniFAT < DIFAT
+
+  #
+  # low-level functions
+  #
+  def read
+    @entries = []
+
+    visited = []
+    sect = @stg.header._sectMiniFatStart
+    @stg.header._csectMiniFat.times { |idx|
+      break if sect == SECT_END
+
+      if (visited.include?(sect))
+        raise RuntimeError, 'Sector chain loop detected (0x%08x)' % sect
+      end
+      visited << sect
+
+      buf = @stg.read_sector(sect, @stg.header.sector_size)
+      @stg.header.idx_per_sect.times { |idx|
+        @entries << Util.get32(buf, (idx*4))
+      }
+      sect = @stg.next_sector(sect)
+    }
+  end
+
+  def allocate_sector
+    idx = @entries.index(SECT_FREE)
+
+    if (not idx)
+      # add a sector worth
+      idx = @entries.length
+      @stg.header.idx_per_sect.times {
+        @entries << SECT_FREE
+      }
+    end
+
+    # default mini-sectors to end of chain
+    @entries[idx] = SECT_END
+    idx
+  end
+
+  def write
+    return if (@entries.length < 1)
+
+    mf_start = nil
+    mfs_count = 0
+    prev_sect = nil
+    copy = @entries.dup
+    while (copy.length > 0)
+      part = copy.slice!(0, @stg.header.idx_per_sect)
+      sbuf = Util.pack32array(part)
+      idx = @stg.write_sector(sbuf, nil, prev_sect)
+      mfs_count += 1
+      mf_start ||= idx
+    end
+    @stg.header._sectMiniFatStart = mf_start
+    @stg.header._csectMiniFat = mfs_count
+  end
+
+end
+
+end
+end