Commit 9f01ec8fa841244b39607f98f8cb20892f6d003b
1 parent
2356048d
rtfobj: fixed issue #273, bytes constants instead of str
Showing
2 changed files
with
6 additions
and
5 deletions
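--- a/oletools/rtfobj.py
+++ b/oletools/rtfobj.py
@@ -84,8 +84,9 @@ http://www.decalage.info/python/oletools
 # 2018-04-27 PL: - extract and display the CLSID of OLE objects
 # 2018-04-30 PL: - handle "\'" obfuscation trick - issue #281
 # 2018-05-10 PL: - fixed issues #303 #307: several destination cwords were incorrect
+# 2018-05-17 PL: - fixed issue #273: bytes constants instead of str
 
-__version__ = '0.53dev9'
+__version__ = '0.53dev11'
 
 # ------------------------------------------------------------------------------
 # TODO:
@@ -701,7 +702,7 @@ class RtfObjParser(RtfParser):
 log.debug('*** Not an OLE 1.0 Object')
 
 def bin(self, bindata):
-if self.current_destination.cword == 'objdata':
+if self.current_destination.cword == b'objdata':
 # TODO: keep track of this, because it is unusual and indicates potential obfuscation
 # trick: hexlify binary data, add it to hex data
 self.current_destination.data += binascii.hexlify(bindata)
@@ -723,7 +724,7 @@ class RtfObjParser(RtfParser):
 # print(hexdigits)
 # move the index two bytes forward
 self.index += 2
-if self.current_destination.cword == 'objdata':
+if self.current_destination.cword == b'objdata':
 # Here's the tricky part: there is a bug in the MS Word RTF parser at least
 # until Word 2016, that removes the last hex digit before the \'hh control
 # symbol, ONLY IF the number of hex digits read so far is odd.
@@ -888,7 +889,7 @@ def process_file(container, filename, data, output_dir=None, save_object=False):
 ole_color = 'red'
 # Detect OLE2Link exploit
 # http://www.kb.cert.org/vuls/id/921560
-if rtfobj.class_name == 'OLE2Link':
+if rtfobj.class_name == b'OLE2Link':
 ole_color = 'red'
 ole_column += '\nPossibly an exploit for the OLE2Link vulnerability (VU#921560, CVE-2017-0199)'
 else: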
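Review bot: Nothing in this commit stops the same str/bytes mismatch from coming back at the `rtfobj.class_name == b'OLE2Link'` check in process_file, or at the two `cword == b'objdata'` checks in RtfObjParser. On Python 3 a str/bytes equality test evaluates to False without raising, so the old comparisons presumably never matched, and the OLE2Link (CVE-2017-0199) warning and the objdata handling were skipped silently. A regression test that runs a sample RTF containing an OLE2Link object through process_file and asserts the warning text would pin this down, and running the test suite under `python -bb` would turn any remaining bytes/str comparison into an error. A short comment at each comparison would also help, for example `# class_name is bytes as parsed from the OLE data; compare against bytes literals only`. All three enclosing functions start and end outside the hunks shown, so other str literals compared against parsed fields may remain elsewhere in them.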
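--- a/setup.py
+++ b/setup.py
@@ -43,7 +43,7 @@ import os, fnmatch
 #--- METADATA -----------------------------------------------------------------
 
 name = "oletools"
-version = '0.53dev10'
+version = '0.53dev11'
 desc = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR"
 long_desc = open('oletools/README.rst').read()
 author = "Philippe Lagadec"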