Incomplete OLE stream + Incorrect OLE FAT, sector index out of range #27

Closed
decalage2 opened this Issue Oct 28, 2015 · 2 comments

decalage2 commented Oct 28, 2015

Originally reported by: Unknown Name (Bitbucket: ganado, GitHub: ganado)


Hello!

I've encountered a parsing error on a malware sample. (I could open this file with SSView.)

First, an incomplete OLE stream error while opening a Unicode-named VBA script.

_VBA_PROJECT_CUR/VBA/Лист1

Traceback (most recent call last):
  File "/Users/mmt_edu/bin/malware_analysis_homework2.py", line 459, in run
    ofp = ole.openstream(olepath)
  File "/usr/local/lib/python2.7/site-packages/olefile/olefile.py", line 1911, in openstream
    return self._open(entry.isectStart, entry.size)
  File "/usr/local/lib/python2.7/site-packages/olefile/olefile.py", line 1814, in _open
    filesize=self._filesize)
  File "/usr/local/lib/python2.7/site-packages/olefile/olefile.py", line 753, in __init__
    raise IOError('incomplete OLE stream')
IOError: incomplete OLE stream

and an out-of-range error while opening other VBA files ...

"_VBA_PROJECT_CUR/VBA/dir"

Traceback (most recent call last):
  File "/Users/mmt_edu/bin/malware_analysis_homework2.py", line 459, in run
    ofp = ole.openstream(olepath)
  File "/usr/local/lib/python2.7/site-packages/olefile/olefile.py", line 1911, in openstream
    return self._open(entry.isectStart, entry.size)
  File "/usr/local/lib/python2.7/site-packages/olefile/olefile.py", line 1814, in _open
    filesize=self._filesize)
  File "/usr/local/lib/python2.7/site-packages/olefile/olefile.py", line 763, in __init__
    raise IOError('incorrect OLE FAT, sector index out of range')
IOError: incorrect OLE FAT, sector index out of range

Attached is the xls file (malware sample) for reproducing the bug.

I am using Python 2.7.10, olefile 0.42.

Thanks for the wonderful project.


decalage2 commented Nov 1, 2015

Original comment by Philippe Lagadec (Bitbucket: decalage, GitHub: decalage2):


After a lot of troubleshooting, I found the issue: the sample file is slightly malformed. Its header sets the "mini sector cutoff size" to 0, whereas the only allowed value is 4096. If I fix this value in olefile, then all streams can be read without error.

I will publish a new version with that fix soon.

decalage2 commented Nov 5, 2015

Original comment by Philippe Lagadec (Bitbucket: decalage, GitHub: decalage2):


fixed issue #27 by correcting the MiniFAT sector cutoff size if invalid, slight changes in _OleDirectoryEntry
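
Added example, not part of the original thread and not olefile's own code: a sketch of the check the fix describes, reading the mini stream cutoff field from a CFB header and falling back to 4096 when it is invalid. The function names and the constructed sample header are hypothetical; the field offset (56) and the required value come from the MS-CFB header layout.

```python
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
CUTOFF_OFFSET = 56       # Mini Stream Cutoff Size: 4 bytes, little-endian
REQUIRED_CUTOFF = 4096   # the only value the format allows


def read_cutoff(header):
    """Return the raw Mini Stream Cutoff Size stored in a CFB header."""
    if len(header) < 76 or header[:8] != OLE_MAGIC:
        raise ValueError("not an OLE/CFB header")
    return struct.unpack_from("<I", header, CUTOFF_OFFSET)[0]


def effective_cutoff(header):
    """Return (cutoff_to_use, anomaly_note_or_None) for a possibly malformed header."""
    raw = read_cutoff(header)
    if raw != REQUIRED_CUTOFF:
        note = "mini stream cutoff is %d, expected %d" % (raw, REQUIRED_CUTOFF)
        return REQUIRED_CUTOFF, note
    return raw, None


def storage_for(stream_size, cutoff):
    """Streams smaller than the cutoff live in the mini stream (MiniFAT chain)."""
    return "MiniFAT" if stream_size < cutoff else "FAT"


def build_header(cutoff):
    """Constructed 512-byte sample header; not taken from the reported file."""
    hdr = bytearray(512)
    hdr[:8] = OLE_MAGIC
    # minor version, major version, byte order, sector shift, mini sector shift
    struct.pack_into("<HHHHH", hdr, 24, 0x003E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<I", hdr, CUTOFF_OFFSET, cutoff)
    return bytes(hdr)


if __name__ == "__main__":
    hdr = build_header(0)                # same defect as described in the issue
    raw = read_cutoff(hdr)
    fixed, note = effective_cutoff(hdr)
    print("anomaly:", note)
    print("600-byte stream, header value trusted:", storage_for(600, raw))
    print("600-byte stream, corrected cutoff:    ", storage_for(600, fixed))
```

With the header value of 0 trusted, no stream counts as small, so a mini-stream start index is followed through the regular FAT, which is consistent with the two errors in the report. The anomaly note is also worth logging during triage, since a conforming writer never emits a value other than 4096.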
