Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Incomplete OLE stream + Incorrect OLE FAT, sector index out of range #27

Closed
decalage2 opened this issue Oct 28, 2015 · 2 comments
Closed

Incomplete OLE stream + Incorrect OLE FAT, sector index out of range #27

decalage2 opened this issue Oct 28, 2015 · 2 comments
Labels
bug major

Comments

@decalage2
Copy link
Owner

Originally reported by: Unknown Name (Bitbucket: ganado, GitHub: ganado)

Hello!

I've encountered a parsing error on malware sample. (I could open this file with SSView)

First, incomplete OLE stream error while opening unicode named vba script.

_VBA_PROJECT_CUR/VBA/Лист1

Traceback (most recent call last):
  File "/Users/mmt_edu/bin/malware_analysis_homework2.py", line 459, in run
    ofp = ole.openstream(olepath)
  File "/usr/local/lib/python2.7/site-packages/olefile/olefile.py", line 1911, in openstream
    return self._open(entry.isectStart, entry.size)
  File "/usr/local/lib/python2.7/site-packages/olefile/olefile.py", line 1814, in _open
    filesize=self._filesize)
  File "/usr/local/lib/python2.7/site-packages/olefile/olefile.py", line 753, in __init__
    raise IOError('incomplete OLE stream')
IOError: incomplete OLE stream

and out of range error while opening other vba files ...

"_VBA_PROJECT_CUR/VBA/dir"

Traceback (most recent call last):
  File "/Users/mmt_edu/bin/malware_analysis_homework2.py", line 459, in run
    ofp = ole.openstream(olepath)
  File "/usr/local/lib/python2.7/site-packages/olefile/olefile.py", line 1911, in openstream
    return self._open(entry.isectStart, entry.size)
  File "/usr/local/lib/python2.7/site-packages/olefile/olefile.py", line 1814, in _open
    filesize=self._filesize)
  File "/usr/local/lib/python2.7/site-packages/olefile/olefile.py", line 763, in __init__
    raise IOError('incorrect OLE FAT, sector index out of range')
IOError: incorrect OLE FAT, sector index out of range

Attached is xls file(malware sample), for reproducing the bug.

I am using python 2.7.10, olefile 0.42

Thanks for wonderful project.
@decalage2
Copy link
Owner Author

Original comment by Philippe Lagadec (Bitbucket: decalage, GitHub: decalage2):

After a lot of troubleshooting, I found the issue: the sample file is slightly malformed. Its header sets the "mini sector cutoff size" to 0, whereas the only allowed value is 4096. If I fix this value in olefile, then all streams can be read without error.

I will publish a new version with that fix soon.

@decalage2
Copy link
Owner Author

Original comment by Philippe Lagadec (Bitbucket: decalage, GitHub: decalage2):

fixed issue #27 by correcting the MiniFAT sector cutoff size if invalid, slight changes in _OleDirectoryEntry

@decalage2 decalage2 mentioned this issue May 12, 2016
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug major
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@decalage2