/* Copyright (C) 2017 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/** \file
*
* \author Giuseppe Longo <giuseppe@glongo.it>
*
* \brief Decompress files transferred via HTTP, for inspection by the
* file_data keyword.
*
*/
#include "suricata-common.h"

#include <stdlib.h>
#include <string.h>

#include "suricata.h"
#include "detect-engine.h"
#include "app-layer-htp.h"
#include "util-file-decompression.h"
#include "util-file-swf-decompression.h"
#include "util-misc.h"
#include "util-print.h"
#define SWF_ZLIB_MIN_VERSION 0x06
#define SWF_LZMA_MIN_VERSION 0x0D
/**
 * \brief Classify a buffer by its SWF signature.
 *
 * \param buffer start of the file data
 * \param buffer_len number of bytes available in buffer
 *
 * \retval FILE_SWF_NO_COMPRESSION "FWS" signature (uncompressed)
 * \retval FILE_SWF_ZLIB_COMPRESSION "CWS" signature (zlib compressed)
 * \retval FILE_SWF_LZMA_COMPRESSION "ZWS" signature (LZMA compressed)
 * \retval FILE_IS_NOT_SWF anything else, including buffers shorter than 3 bytes
 */
int FileIsSwfFile(const uint8_t *buffer, uint32_t buffer_len)
{
    /* all three signatures share the "WS" suffix; only the first byte differs */
    if (buffer_len < 3 || buffer[1] != 'W' || buffer[2] != 'S') {
        return FILE_IS_NOT_SWF;
    }

    switch (buffer[0]) {
        case 'F':
            return FILE_SWF_NO_COMPRESSION;
        case 'C':
            return FILE_SWF_ZLIB_COMPRESSION;
        case 'Z':
            return FILE_SWF_LZMA_COMPRESSION;
        default:
            return FILE_IS_NOT_SWF;
    }
}
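/* Layout constants for the SWF headers handled below (byte offsets/lengths). */
enum {
    /* synthetic uncompressed header written in front of the decompressed
     * data: 'FWS' + version (4 bytes) followed by the file length (4 bytes) */
    SWF_FWS_HEADER_LEN = 8,
    /* CWS: 'CWS' + version (4 bytes), file length (4 bytes), then zlib data */
    SWF_ZLIB_DATA_OFFSET = 8,
    /* ZWS: 'ZWS' + version (4), file length (4), compressed length (4),
     * LZMA properties (5), then the LZMA data */
    SWF_LZMA_PROPS_OFFSET = 12,
    SWF_LZMA_PROPS_LEN = 5,
    SWF_LZMA_DATA_OFFSET = 17,
    /* header handed to the LZMA decoder: properties (5) + uncompressed
     * size field (8) */
    SWF_LZMA_HEADER_LEN = 13
};

/**
 * \brief Build the LZMA stream header in front of the ZWS payload and
 *        decompress it.
 *
 * The decoder expects "properties (5 bytes) | uncompressed size (8 bytes) |
 * data", while a ZWS file stores the properties at byte 12 and the data at
 * byte 17, so the two have to be re-assembled into a contiguous buffer.
 *
 * \param det_ctx detect engine thread context, used to set decoder events
 * \param buffer the ZWS file; the caller guarantees buffer_len > SWF_LZMA_DATA_OFFSET
 * \param offset where the compressed data starts in buffer
 * \param compressed_data_len how many bytes of compressed data to use
 * \param decompressed_data where the decompressed data is written
 * \param decompressed_data_len capacity of decompressed_data
 *
 * \retval 1 if decompression works
 * \retval 0 an error occurred, and event set
 */
static int FileSwfLzmaDecompressWithHeader(DetectEngineThreadCtx *det_ctx,
        const uint8_t *buffer, uint32_t offset, uint32_t compressed_data_len,
        uint8_t *decompressed_data, uint32_t decompressed_data_len)
{
    /* the length arithmetic below must not wrap */
    if (compressed_data_len > UINT32_MAX - SWF_LZMA_HEADER_LEN) {
        DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_INVALID_SWF_LENGTH);
        return 0;
    }
    const uint32_t total_len = compressed_data_len + SWF_LZMA_HEADER_LEN;

    /* heap rather than a VLA: total_len is derived from the size of the
     * (untrusted) file data and can exceed what the thread stack can hold */
    uint8_t *compressed_data = malloc(total_len);
    if (compressed_data == NULL) {
        DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_NO_MEM);
        return 0;
    }

    /* LZMA properties, copied from the ZWS header */
    memcpy(compressed_data, buffer + SWF_LZMA_PROPS_OFFSET, SWF_LZMA_PROPS_LEN);
    /* an all-0xFF uncompressed size tells the decoder the size is unknown
     * and the stream is terminated by an end marker */
    memset(compressed_data + SWF_LZMA_PROPS_LEN, 0xFF,
            SWF_LZMA_HEADER_LEN - SWF_LZMA_PROPS_LEN);
    /* compressed data */
    memcpy(compressed_data + SWF_LZMA_HEADER_LEN, buffer + offset, compressed_data_len);

    int r = FileSwfLzmaDecompression(det_ctx, compressed_data, total_len,
            decompressed_data, decompressed_data_len);
    free(compressed_data);
    return r;
}

/**
 * \brief Decompress a zlib ("CWS") or LZMA ("ZWS") compressed SWF file into
 *        an inspection buffer, as an uncompressed "FWS" file.
 *
 * \param buffer compressed buffer
 * \param buffer_len compressed buffer length
 * \param det_ctx detect engine thread context, used to set decoder events
 * \param out_buffer inspection buffer that receives the decompressed data;
 *        on success its inspect/inspect_len are switched to the new data
 * \param swf_type which algorithms decompression is enabled for
 *        (HTTP_SWF_COMPRESSION_ZLIB, HTTP_SWF_COMPRESSION_LZMA or
 *        HTTP_SWF_COMPRESSION_BOTH)
 * \param decompress_depth how much decompressed data we want to store;
 *        0 means use the file length from the SWF header
 * \param compress_depth how much compressed data we want to decompress;
 *        0 means all of it
 *
 * \retval 1 if decompression works
 * \retval 0 an error occurred, and event set. No event is set when the file
 *         is not compressed or its compression type is not enabled by swf_type.
 */
int FileSwfDecompression(const uint8_t *buffer, uint32_t buffer_len,
                         DetectEngineThreadCtx *det_ctx,
                         InspectionBuffer *out_buffer,
                         int swf_type,
                         uint32_t decompress_depth,
                         uint32_t compress_depth)
{
    const int compression_type = FileIsSwfFile(buffer, buffer_len);

    uint32_t offset;
    uint8_t min_version;
    int enabled;
    switch (compression_type) {
        case FILE_SWF_ZLIB_COMPRESSION:
            offset = SWF_ZLIB_DATA_OFFSET;
            min_version = SWF_ZLIB_MIN_VERSION;
            enabled = (swf_type == HTTP_SWF_COMPRESSION_ZLIB ||
                       swf_type == HTTP_SWF_COMPRESSION_BOTH);
            break;
        case FILE_SWF_LZMA_COMPRESSION:
            offset = SWF_LZMA_DATA_OFFSET;
            min_version = SWF_LZMA_MIN_VERSION;
            enabled = (swf_type == HTTP_SWF_COMPRESSION_LZMA ||
                       swf_type == HTTP_SWF_COMPRESSION_BOTH);
            break;
        default:
            /* uncompressed FWS, or not a SWF file at all: nothing to do */
            return 0;
    }

    /* there has to be at least one byte of compressed data after the header */
    if (buffer_len <= offset) {
        DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_INVALID_SWF_LENGTH);
        return 0;
    }

    /* compress_depth == 0 means "all of it"; never read past buffer_len */
    uint32_t compressed_data_len = buffer_len - offset;
    if (compress_depth > 0 && compress_depth < compressed_data_len) {
        compressed_data_len = compress_depth;
    }

    const uint8_t swf_version = FileGetSwfVersion(buffer, buffer_len);
    if (swf_version < min_version) {
        DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_INVALID_SWF_VERSION);
        return 0;
    }

    /* decompressed file length as claimed by the SWF header */
    uint32_t decompressed_swf_len = FileGetSwfDecompressedLen(buffer, buffer_len);
    if (decompressed_swf_len == 0) {
        decompressed_swf_len = MIN_SWF_LEN;
    }

    /* decompress_depth == 0 means "trust the length from the header" */
    uint32_t decompressed_data_len =
            (decompress_depth == 0) ? decompressed_swf_len : decompress_depth;
    /* the header length comes from the file, so reserving room for the FWS
     * header must not wrap: a wrapped value would make the memset below and
     * the decoder's output size underflow */
    if (decompressed_data_len > UINT32_MAX - SWF_FWS_HEADER_LEN) {
        DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_INVALID_SWF_LENGTH);
        return 0;
    }
    decompressed_data_len += SWF_FWS_HEADER_LEN;

    /* bail before touching out_buffer when this algorithm is not enabled */
    if (!enabled) {
        return 0;
    }

    /* make sure the inspection buffer has enough space */
    InspectionBufferCheckAndExpand(out_buffer, decompressed_data_len);
    if (out_buffer->size < decompressed_data_len) {
        DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_NO_MEM);
        return 0;
    }
    out_buffer->len = decompressed_data_len;

    /*
     * FWS format
     * | 4 bytes         | 4 bytes    | n bytes |
     * | 'FWS' + version | script len | data    |
     */
    uint8_t *out = out_buffer->buf;
    out[0] = 'F';
    out[1] = 'W';
    out[2] = 'S';
    out[3] = swf_version;
    /* NOTE(review): the length is written in host byte order, as it always
     * was; the SWF format stores it little-endian, so the two differ on a
     * big-endian host. Confirm whether any rule matches on these bytes
     * before changing it. */
    memcpy(out + 4, &decompressed_swf_len, sizeof(decompressed_swf_len));
    memset(out + SWF_FWS_HEADER_LEN, 0, decompressed_data_len - SWF_FWS_HEADER_LEN);

    /* decompressed data goes right after the synthetic FWS header */
    uint8_t *payload = out + SWF_FWS_HEADER_LEN;
    const uint32_t payload_len = decompressed_data_len - SWF_FWS_HEADER_LEN;

    int r;
    if (compression_type == FILE_SWF_ZLIB_COMPRESSION) {
        /* the zlib decompressor's input parameter is not const-qualified,
         * hence the cast */
        r = FileSwfZlibDecompression(det_ctx,
                (uint8_t *)buffer + offset, compressed_data_len,
                payload, payload_len);
    } else {
        r = FileSwfLzmaDecompressWithHeader(det_ctx,
                buffer, offset, compressed_data_len,
                payload, payload_len);
    }
    if (r == 0) {
        return 0;
    }

    /* all went well so switch the buffer's inspect pointer/size
     * to use the new data. */
    out_buffer->inspect = out_buffer->buf;
    out_buffer->inspect_len = out_buffer->len;
    return 1;
}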