Commit 9f01ec8fa841244b39607f98f8cb20892f6d003b
1 parent
2356048d
rtfobj: fixed issue #273, bytes constants instead of str
Showing
2 changed files
with
6 additions
and
5 deletions
oletools/rtfobj.py
| @@ -84,8 +84,9 @@ http://www.decalage.info/python/oletools | @@ -84,8 +84,9 @@ http://www.decalage.info/python/oletools | ||
| 84 | # 2018-04-27 PL: - extract and display the CLSID of OLE objects | 84 | # 2018-04-27 PL: - extract and display the CLSID of OLE objects |
| 85 | # 2018-04-30 PL: - handle "\'" obfuscation trick - issue #281 | 85 | # 2018-04-30 PL: - handle "\'" obfuscation trick - issue #281 |
| 86 | # 2018-05-10 PL: - fixed issues #303 #307: several destination cwords were incorrect | 86 | # 2018-05-10 PL: - fixed issues #303 #307: several destination cwords were incorrect |
| 87 | +# 2018-05-17 PL: - fixed issue #273: bytes constants instead of str | ||
| 87 | 88 | ||
| 88 | -__version__ = '0.53dev9' | 89 | +__version__ = '0.53dev11' |
| 89 | 90 | ||
| 90 | # ------------------------------------------------------------------------------ | 91 | # ------------------------------------------------------------------------------ |
| 91 | # TODO: | 92 | # TODO: |
| @@ -701,7 +702,7 @@ class RtfObjParser(RtfParser): | @@ -701,7 +702,7 @@ class RtfObjParser(RtfParser): | ||
| 701 | log.debug('*** Not an OLE 1.0 Object') | 702 | log.debug('*** Not an OLE 1.0 Object') |
| 702 | 703 | ||
| 703 | def bin(self, bindata): | 704 | def bin(self, bindata): |
| 704 | - if self.current_destination.cword == 'objdata': | 705 | + if self.current_destination.cword == b'objdata': |
| 705 | # TODO: keep track of this, because it is unusual and indicates potential obfuscation | 706 | # TODO: keep track of this, because it is unusual and indicates potential obfuscation |
| 706 | # trick: hexlify binary data, add it to hex data | 707 | # trick: hexlify binary data, add it to hex data |
| 707 | self.current_destination.data += binascii.hexlify(bindata) | 708 | self.current_destination.data += binascii.hexlify(bindata) |
| @@ -723,7 +724,7 @@ class RtfObjParser(RtfParser): | @@ -723,7 +724,7 @@ class RtfObjParser(RtfParser): | ||
| 723 | # print(hexdigits) | 724 | # print(hexdigits) |
| 724 | # move the index two bytes forward | 725 | # move the index two bytes forward |
| 725 | self.index += 2 | 726 | self.index += 2 |
| 726 | - if self.current_destination.cword == 'objdata': | 727 | + if self.current_destination.cword == b'objdata': |
| 727 | # Here's the tricky part: there is a bug in the MS Word RTF parser at least | 728 | # Here's the tricky part: there is a bug in the MS Word RTF parser at least |
| 728 | # until Word 2016, that removes the last hex digit before the \'hh control | 729 | # until Word 2016, that removes the last hex digit before the \'hh control |
| 729 | # symbol, ONLY IF the number of hex digits read so far is odd. | 730 | # symbol, ONLY IF the number of hex digits read so far is odd. |
| @@ -888,7 +889,7 @@ def process_file(container, filename, data, output_dir=None, save_object=False): | @@ -888,7 +889,7 @@ def process_file(container, filename, data, output_dir=None, save_object=False): | ||
| 888 | ole_color = 'red' | 889 | ole_color = 'red' |
| 889 | # Detect OLE2Link exploit | 890 | # Detect OLE2Link exploit |
| 890 | # http://www.kb.cert.org/vuls/id/921560 | 891 | # http://www.kb.cert.org/vuls/id/921560 |
| 891 | - if rtfobj.class_name == 'OLE2Link': | 892 | + if rtfobj.class_name == b'OLE2Link': |
| 892 | ole_color = 'red' | 893 | ole_color = 'red' |
| 893 | ole_column += '\nPossibly an exploit for the OLE2Link vulnerability (VU#921560, CVE-2017-0199)' | 894 | ole_column += '\nPossibly an exploit for the OLE2Link vulnerability (VU#921560, CVE-2017-0199)' |
| 894 | else: | 895 | else: |
setup.py
| @@ -43,7 +43,7 @@ import os, fnmatch | @@ -43,7 +43,7 @@ import os, fnmatch | ||
| 43 | #--- METADATA ----------------------------------------------------------------- | 43 | #--- METADATA ----------------------------------------------------------------- |
| 44 | 44 | ||
| 45 | name = "oletools" | 45 | name = "oletools" |
| 46 | -version = '0.53dev10' | 46 | +version = '0.53dev11' |
| 47 | desc = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR" | 47 | desc = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR" |
| 48 | long_desc = open('oletools/README.rst').read() | 48 | long_desc = open('oletools/README.rst').read() |
| 49 | author = "Philippe Lagadec" | 49 | author = "Philippe Lagadec" |