decalage2 / oletools

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
http://www.decalage.info/python/oletools

Password protected XLM crashes olevba #574

Open Maijin opened 4 years ago

Maijin commented 4 years ago

Affected tool: olevba

Describe the bug: Password protected XLM crashes olevba

File/Malware sample to reproduce the bug: Please attach the file in a password protected zip archive, or provide a link where it can be downloaded (e.g. Hybrid Analysis, preferably not VirusTotal which requires paid access). If not possible, please provide a hash.

3fbc4f03bd9e52de5042b656f87c11d44128246e657eb65cb2944c490df86948.zip

Password is "CaseExport"

How To Reproduce the bug: olevba hash

Expected behavior

Console output / Screenshots

olevba 0.56dev5 on Python 2.7.17 - http://decalage.info/python/oletools
INFO     Opening OLE file 3fbc4f03bd9e52de5042b656f87c11d44128246e657eb65cb2944c490df86948
INFO     Check whether OLE file is PPT
DEBUG    using open OleFileIO
DEBUG    File appears not to be a ppt file (In stream "root" for field "listdir" found value "[u'\x05documentsummaryinformation', u'\x05summaryinformation', u'workbook']" but expected Current User!)
===============================================================================
FILE: 3fbc4f03bd9e52de5042b656f87c11d44128246e657eb65cb2944c490df86948
Type: OLE
DEBUG    VBA_Parser.find_vba_projects
DEBUG    Checking DirEntry #0
DEBUG    Checking DirEntry #1
DEBUG    Reading data from stream u'Workbook' - size: 715637 bytes
DEBUG    Read 715637 bytes
DEBUG    '\t\x08\x10\x00\x00\x06\x05\x00T8\xcd\x07\xc9\x00\x02\x00\x06\x08\x00\x00/\x00\xc8\x00\x01\x00\x04\x00\x02\x00\x0c\x00\x00\x00~\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x01h\x00\x00\x04\x80\x00\x00\x80\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00M\x00i\x00c\x00r\x00o\x00s\x00o\x00f\x00t\x00 \x00E\x00n\x00h\x00a\x00n\x00'...[much more data]...'\x8f\xfc1\x98\xc8\x01x\xc4DW\xf4\x17\xb5\x99\x00\x02\x00\x0c?g\x08\x17\x00\x9e@\x8a\xf1\xa0\t\xb0\x14\xf9>\x9d\xc2 4\xb6S0[\xfd(\xc6\x18\xf2\n\x00\x00\x00'
DEBUG    Checking DirEntry #2
DEBUG    Reading data from stream u'\x05SummaryInformation' - size: 4096 bytes
DEBUG    Read 4096 bytes
DEBUG    "\xfe\xff\x00\x00\x06\x03\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\xe0\x85\x9f\xf2\xf9Oh\x10\xab\x91\x08\x00+'\xb3\xd90\x00\x00\x00\x98\x00\x00\x00\x07\x00\x00\x00\x01\x00\x00\x00@\x00\x00\x00\x04\x00\x00\x00H\x00\x00\x00\x08\x00\x00\x00T\x00\x00\x00\x12\x00\x00\x00`\x00\x00\x00\x0c\x00\x00\x00x\x00\x00\x00\r\x00\x00\x00"...[much more data]...'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
DEBUG    Checking DirEntry #3
DEBUG    Reading data from stream u'\x05DocumentSummaryInformation' - size: 4096 bytes
DEBUG    Read 4096 bytes
DEBUG    '\xfe\xff\x00\x00\x06\x03\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x02\xd5\xcd\xd5\x9c.\x1b\x10\x93\x97\x08\x00+,\xf9\xae0\x00\x00\x00\xec\x01\x00\x00\t\x00\x00\x00\x01\x00\x00\x00P\x00\x00\x00\x0f\x00\x00\x00X\x00\x00\x00\x17\x00\x00\x00d\x00\x00\x00\x0b\x00\x00\x00l\x00\x00\x00\x10\x00\x00\x00t\x00\x00\x00\x13\x00\x00\x00'...[much more data]...'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
DEBUG    Found Excel stream 'Workbook'
DEBUG    Running BIFF plugin from oledump
'\x82\x15\x98!'
ERROR    Error when running oledump.plugin_biff, please report to https://github.com/decalage2/oletools/issues
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/oletools-0.56.dev5-py2.7.egg/oletools/olevba.py", line 3258, in detect_xlm_macros
    self.xlm_macros = biff_plugin.Analyze()
  File "/usr/local/lib/python2.7/site-packages/oletools-0.56.dev5-py2.7.egg/oletools/thirdparty/oledump/plugin_biff.py", line 1737, in Analyze
    value = DecodeRKValue(data2[formatsize:])
  File "/usr/local/lib/python2.7/site-packages/oletools-0.56.dev5-py2.7.egg/oletools/thirdparty/oledump/plugin_biff.py", line 1305, in DecodeRKValue
    raise Exception('DecodeRKValue')
Exception: DecodeRKValue
No VBA macros found.

DEBUG    Checking for encryption (normal)
DEBUG    is_encrypted
DEBUG    Checking for encryption using msoffcrypto
DEBUG    Checking encryption passwords []
DEBUG    Trying to decrypt with password 'VelvetSweatshop'
DEBUG    Version: 4 2
DEBUG    126
DEBUG    {'cspName': u'Microsoft Enhanced Cryptographic Provider v1.0\x00', 'flags': 12, 'keySize': 128, 'sizeExtra': 0, 'algIdHash': 32772, 'algId': 26625, 'providerType': 1, 'reserved1': 0, 'reserved2': 0}
DEBUG    {'encryptedVerifier': 'l\xc3\xca\xdd,\xda\x1eA\x88\x1d\x81/\x11q\xcd\xbf', 'verifierHashSize': 20, 'saltSize': 16, 'salt': '\x19\x95\xbb\r\x1a\xc4L\x99\x14\x8dW9\xdck\n\x1d', 'encryptedVerifierHash': '\xaf\x06G\xb4;\x00\x9d\x8c\xc5\xdd4g?[\xfd\x92{\xf3\x95!'}
[1]    17557 abort      olevba --loglevel=debug
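The traceback above dies inside the BIFF RK-value decoder while the Workbook stream is still encrypted (olevba only discovers the encryption afterwards). The following is an added example, not code from oledump's plugin_biff or from olevba: it implements the RK decoding rule from MS-XLS (bit 0 = fX100, bit 1 = fInt, upper 30 bits = integer or the high bits of a double) so that malformed input yields None instead of an exception, and it walks BIFF records checking for the FILEPASS record (0x002F) before interpreting any cell payload, so an encrypted sheet is reported as "needs decryption" rather than crashing the scan. Record headers (type and length) are never encrypted in BIFF, only payloads are, which is why the walker can still count records after FILEPASS. The two record streams at the bottom are constructed for this example, not taken from the reported file.

```python
import struct
from typing import Iterator, List, Optional, Tuple

# BIFF8 record numbers (standard values from the MS-XLS record list)
BOF = 0x0809
EOF = 0x000A
FILEPASS = 0x002F   # present when the Workbook stream is encrypted
RK = 0x027E         # one numeric cell in the compact 30-bit "RK" encoding


def decode_rk(data: bytes) -> Optional[float]:
    """Decode a 4-byte RK value; return None on malformed input instead of raising.

    RK layout: bit 0 = fX100 (stored value is 100 x the real one), bit 1 = fInt
    (1: the upper 30 bits are a signed integer; 0: they are the top 30 bits of
    an IEEE-754 double whose low 34 bits are zero).
    """
    if len(data) != 4:
        return None
    (rk,) = struct.unpack("<i", data)       # signed, so >> is an arithmetic shift
    if rk & 0x02:
        value = float(rk >> 2)
    else:
        bits = (rk & 0xFFFFFFFC) << 32      # positive mask -> unsigned high word of the double
        (value,) = struct.unpack("<d", struct.pack("<Q", bits))
    return value / 100.0 if rk & 0x01 else value


def iter_records(stream: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, payload) for each BIFF record; stop quietly at a truncated one."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, length = struct.unpack_from("<HH", stream, pos)
        pos += 4
        if pos + length > len(stream):
            return
        yield rtype, stream[pos:pos + length]
        pos += length


def scan_rk_cells(stream: bytes) -> dict:
    """Collect RK cell values, but stop interpreting payloads once FILEPASS is seen."""
    encrypted = False
    cells: List[Tuple[int, int, float]] = []
    bad = 0        # RK records whose payload could not be decoded
    skipped = 0    # records after FILEPASS: ciphertext, deliberately not decoded
    for rtype, body in iter_records(stream):
        if rtype == FILEPASS:
            encrypted = True
            continue
        if encrypted:
            skipped += 1
            continue
        if rtype != RK:
            continue
        if len(body) != 10:             # rw(2) col(2) ixfe(2) RK(4)
            bad += 1
            continue
        row, col = struct.unpack_from("<HH", body, 0)
        value = decode_rk(body[6:10])
        if value is None:
            bad += 1
        else:
            cells.append((row, col, value))
    return {"encrypted": encrypted, "cells": cells,
            "bad_records": bad, "skipped_encrypted": skipped}


def _rec(rtype: int, body: bytes) -> bytes:
    return struct.pack("<HH", rtype, len(body)) + body


def _rk_cell(row: int, col: int, rk: int) -> bytes:
    return _rec(RK, struct.pack("<HHHi", row, col, 0, rk))


# Constructed sample streams for this example (not from the reported file).
SAMPLE_PLAIN = (
    _rec(BOF, bytes(16))
    + _rk_cell(0, 0, 0x3FF00000)    # high word of the double 1.0
    + _rk_cell(1, 0, 495)           # (123 << 2) | fInt | fX100  -> 1.23
    + _rk_cell(2, 0, -18)           # (-5 << 2) | fInt           -> -5
    + _rec(EOF, b"")
)
SAMPLE_ENCRYPTED = (
    _rec(BOF, bytes(16))
    + _rec(FILEPASS, b"\x01\x00" + bytes(12))   # constructed FILEPASS body
    + _rec(RK, bytes(range(10)))                # constructed stand-in for ciphertext
    + _rec(EOF, b"")
)

if __name__ == "__main__":
    print(scan_rk_cells(SAMPLE_PLAIN))
    print(scan_rk_cells(SAMPLE_ENCRYPTED))
```

The design choice is to make "encrypted" a first-class result of the scan rather than something discovered by catching an exception deep in a cell decoder: a caller that sees `encrypted: True` with no cells knows to retry with a password, while `bad_records` separately flags corrupt or hostile input in an unencrypted sheet.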

c-rosenberg commented 4 years ago

I also see crashes with other Office formats:

# python3 /opt/oletools/oletools/olevba.py -a -j docx-encrypted.docx
[
    {
        "script_name": "olevba",
        "version": "0.56dev5",
        "url": "http://decalage.info/python/oletools",
        "type": "MetaInformation"
    },
    {
        "container": null,
        "file": "docx-encrypted.docx",
        "json_conversion_successful": true,
        "analysis": null,
        "code_deobfuscated": null,
        "do_deobfuscate": false,
        "type": "OLE",
        "macros": []
    },
ERROR    Decrypt failed, run with debug output to get details
ERROR    Problems with encryption in main: Given passwords could not decrypt office file docx-encrypted.docx, use option -p to specify the password
Traceback (most recent call last):
  File "/opt/oletools/oletools/olevba.py", line 4366, in main
    curr_return_code = process_file(filename, data, container, options)
  File "/opt/oletools/oletools/olevba.py", line 4260, in process_file
    raise crypto.WrongEncryptionPassword(filename)
oletools.common.errors.WrongEncryptionPassword: Given passwords could not decrypt office file docx-encrypted.docx, use option -p to specify the password

# echo $?
9

While the return code is correct and useful, the JSON is missing the last closing bracket and leads to errors while parsing.
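The truncated array above is the general hazard of streaming JSON records to stdout and then raising: whatever closes the array never runs. The following is an added example, not olevba's code, showing both sides of the fix. The producer writes the closing bracket in a `finally` block and appends the failure as a final error record, so the output stays parseable and the return code still signals the error; the consumer salvages every complete record from output that was cut off, using `json.JSONDecoder.raw_decode` to stop at the first non-JSON trailer (log lines, a traceback). The `analyze` function, the `WrongPassword` exception and the `SAMPLE_TRUNCATED` text are constructed for this example; `EXIT_ERROR = 9` reuses the return code shown in the report.

```python
import io
import json
from typing import Any, Callable, Iterable, List, Tuple

EXIT_OK = 0
EXIT_ERROR = 9      # return code from the report above, reused for this example


class WrongPassword(Exception):
    """Stand-in for a decryption failure raised while processing one file."""


def analyze(path: str) -> dict:
    """Constructed per-file analysis: fails on any file whose name says 'encrypted'."""
    if "encrypted" in path:
        raise WrongPassword(f"Given passwords could not decrypt office file {path}")
    return {"file": path, "type": "OLE", "macros": []}


def write_json_array(items: Iterable[Any], process: Callable[[Any], dict], out) -> int:
    """Stream one JSON record per item into an array that is always closed."""
    out.write("[\n")
    first = True
    rc = EXIT_OK
    try:
        for item in items:
            record = process(item)
            out.write(("" if first else ",\n") + json.dumps(record, indent=4))
            first = False
    except Exception as exc:
        # Put the failure into the array itself so consumers can see why the
        # scan stopped, then report it through the return code.
        err = {"type": "error", "error": type(exc).__name__, "message": str(exc)}
        out.write(("" if first else ",\n") + json.dumps(err, indent=4))
        rc = EXIT_ERROR
    finally:
        out.write("\n]\n")              # runs on success and on failure alike
    return rc


def run_scan(files: List[str]) -> Tuple[str, int]:
    """Run the constructed analysis over a list of paths; return (json_text, return_code)."""
    buf = io.StringIO()
    rc = write_json_array(files, analyze, buf)
    return buf.getvalue(), rc


def is_well_formed(text: str) -> bool:
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


def salvage_json_array(text: str) -> List[Any]:
    """Recover the complete top-level elements of a JSON array that lost its
    closing bracket (as in the report above); a partial element or a non-JSON
    trailer such as log lines ends the recovery."""
    decoder = json.JSONDecoder()
    i = text.find("[")
    if i < 0:
        return []
    i += 1
    records: List[Any] = []
    while True:
        while i < len(text) and text[i] in " \t\r\n,":   # separators between elements
            i += 1
        if i >= len(text) or text[i] == "]":
            break
        try:
            obj, i = decoder.raw_decode(text, i)
        except json.JSONDecodeError:
            break
        records.append(obj)
    return records


# Constructed sample modelled on the truncated output in the report above.
SAMPLE_TRUNCATED = """[
    {
        "script_name": "olevba",
        "version": "0.56dev5",
        "type": "MetaInformation"
    },
    {
        "file": "docx-encrypted.docx",
        "type": "OLE",
        "macros": []
    },
ERROR    Decrypt failed, run with debug output to get details
Traceback (most recent call last):
"""

if __name__ == "__main__":
    print(salvage_json_array(SAMPLE_TRUNCATED))
    text, rc = run_scan(["clean.doc", "docx-encrypted.docx", "unreached.doc"])
    print(text, "return code:", rc)
```

A consumer should treat a salvaged array as incomplete: the records it returns are trustworthy, but the absence of a record for a file means "not scanned", not "clean".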