 def test_garbage2(self):
     """zip_garbage.zip is recognised as a ZIP, but its single member ends up in mode "failed"."""
     unpacker = ZipFile(f("zip_garbage.zip"))
     assert unpacker.handles() is True
     assert not unpacker.f.selected

     members = unpacker.unpack()
     assert len(members) == 1

     # The one member is a leaf and carries the failure marker.
     member = members[0]
     assert not member.children
     assert member.mode == "failed"
 def test_garbage2(self):
     """zip_garbage.zip is recognised as a ZIP, but its single member ends up in mode "failed"."""
     unpacker = ZipFile(f("zip_garbage.zip"))
     assert unpacker.handles() is True
     assert not unpacker.f.selected

     members = unpacker.unpack()
     assert len(members) == 1

     # The one member is a leaf and carries the failure marker.
     member = members[0]
     assert not member.children
     assert member.mode == "failed"
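    def extract_archive(cls, f):
        """Unpack the archive held in ``f.blob`` and wrap every member as a new File.

        The unpacker is picked from ``f.extension`` (zip / rar / tar); any other
        extension falls back to the 7z-based unpacker. Every member is recorded
        on ``f.extractions`` and also returned as a File so the caller can keep
        processing it.

        Args:
            f: the File whose ``blob`` is the archive. Reads ``password``,
               ``extension``, ``content_guess``, ``filename`` and ``timestamp``;
               appends to ``extractions`` and sets ``is_enriched`` when at
               least one member was unpacked.

        Returns:
            ``(f, extracted_files)`` -- the (mutated) input File and a list of
            File objects, one per archive member, in unpack order.
        """
        logger.debug(f"Extracting {f.filename}")
        content = f.blob

        # Sflock expects the password as a byte string; None means "no password".
        pw = f.password.encode("utf-8") if f.password else None
        wrapped = SflockFile(contents=content, password=pw)

        if f.extension == "zip":
            if "v5.1" in f.content_guess:
                # unzip cannot process this ZIP version; 7z is required (Zip7File)
                archive_file = Zip7File(wrapped)
            else:
                archive_file = ZipFile(wrapped)
        elif f.extension == "rar":
            archive_file = RarFile(wrapped)
        elif f.extension == "tar":
            archive_file = TarFile(wrapped)
        else:
            # Fallback for any other extension: let the 7z unpacker try.
            archive_file = Zip7File(wrapped)

        files_in_zip = list(archive_file.unpack(password=pw, duplicates=[]))
        extracted_files = []

        for zf in files_in_zip:
            h = HashFactory.get_hashstruct_from_bytes(zf.contents)
            cg = zf.magic
            # Member names come from the (untrusted) archive and need not be
            # valid UTF-8; replace undecodable bytes instead of letting one bad
            # entry abort the extraction of the whole archive.
            fn = zf.filename.decode("utf-8", errors="replace")
            ext = fn.rsplit(".", 1)[-1] if "." in fn else ""

            f.extractions.append(
                Extraction(content_guess=cg,
                           extension=ext,
                           description=fn,
                           hash=h))

            file_struct = File(
                content_guess=cg,
                extension=ext,
                encoding='application/octet-stream',  # alternative: "hex"
                filename=fn,
                hash=h,
                blob=zf.contents,
                timestamp=f.timestamp)
            extracted_files.append(file_struct)
            logger.info(f"Extracted {zf.filename}")

        # Only an archive that yielded at least one member counts as enriched
        # (same outcome as setting the flag inside the loop).
        if extracted_files:
            f.is_enriched = True

        return f, extracted_files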
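def test_pdf_is_embedded():
    """A PDF zipped in memory unpacks to one "pdf" member with one "doc" child.

    The archive is built with the stdlib ``zipfile`` module from the
    ``tests/files/pdf_docm.pdf`` fixture and handed to sflock's ZipFile.
    """
    buf = io.BytesIO()
    # Context manager guarantees the central directory is written and the
    # handle released even if write() raises.
    with zipfile.ZipFile(buf, "w") as z:
        z.write("tests/files/pdf_docm.pdf")

    m = ZipFile(File(contents=buf.getvalue()))
    files = list(m.unpack())
    assert len(files) == 1

    pdf = files[0]
    assert pdf.package == "pdf"
    assert len(pdf.children) == 1
    assert pdf.children[0].package == "doc"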
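def get_new_emails(db):
    """Fetch unseen messages from the configured IMAP inbox and queue their attachments.

    Each attachment is unpacked with sflock's ZipFile (using the configured
    archive password); every member is de-duplicated on sha256 against the
    CUCKOOMX table, new ones are written to a temp file and submitted through
    ``main_db.add_path``, already-known ones trigger ``send_notification``.
    Every fetched message is flagged ``\\Seen`` afterwards.

    Args:
        db: session used for the CUCKOOMX lookups and inserts.

    Returns:
        None -- all results are side effects on ``db``, ``main_db`` and the mailbox.
    """
    # NOTE(review): imaplib's debug facility records the protocol exchange,
    # which includes the LOGIN command -- confirm this stays off in production.
    imaplib.IMAP4.debug = imaplib.IMAP4_SSL.debug = 1

    archive_password = email_config.cuckoomx.get("archive_password")
    conn = imaplib.IMAP4_SSL(email_config.cuckoomx.get("server"))
    try:
        conn.login(email_config.cuckoomx.get("user"), email_config.cuckoomx.get("password"))
        conn.select("Inbox")
        try:
            (retcode, messages) = conn.search(None, "(UNSEEN)")
            if retcode == "OK" and messages:
                # NOTE(review): on Python 3 imaplib returns bytes here, so the
                # str split / message_from_string assume Python 2 -- confirm
                # the target interpreter.
                for num in messages[0].split(" "):
                    if not num:
                        continue
                    _typ, data = conn.fetch(num, "(RFC822)")
                    msg = email.message_from_string(data[0][1])
                    if msg:
                        _process_message(db, msg, archive_password)
                    # Mark as seen so the next poll does not pick it up again.
                    # Raw string: "\S" is not a valid escape in a plain literal.
                    conn.store(num, "+FLAGS", r"\Seen")
        finally:
            # Leave the SELECTED state even when processing raised.
            conn.close()
    finally:
        conn.logout()


def _process_message(db, msg, archive_password):
    """Unpack every attachment of one message and queue members not seen before."""
    headers = dict(msg.items())
    subject = headers.get("Subject", "")
    if subject:
        print("[+] Procesing email with Subject: {0}".format(subject))
    sender = headers.get("From", "")

    for part in msg.walk():
        if not part.get_filename():
            continue
        attachment = part.get_payload(decode=True)
        # Hashing/unpacking a None payload would raise; skip empty parts.
        if not attachment:
            continue
        _queue_attachment(db, attachment, archive_password, sender)


def _queue_attachment(db, attachment, archive_password, sender):
    """Unpack one attachment and submit each not-yet-known member to Cuckoo."""
    z = ZipFile(File(contents=attachment, password=archive_password))
    members = list(z.unpack(password=archive_password, duplicates=[]))
    for member in members:
        known = db.query(CUCKOOMX).filter(CUCKOOMX.sha256 == member.sha256).first()
        if known is not None:
            send_notification(db, known)
            continue

        new_file = CUCKOOMX(sha256=member.sha256)
        # member.filename originates from the untrusted archive; store_temp_file
        # is assumed to sanitise it before touching the filesystem -- verify.
        temp_file_path = store_temp_file(member.contents, member.filename)
        new_file.cuckoo_id = main_db.add_path(file_path=temp_file_path)
        new_file.email = sender
        db.add(new_file)
        db.commit()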
 def test_zip_encrypted(self):
     """zip_encrypted.zip yields one text member decrypted with the default password."""
     assert "Zip archive" in f("zip_encrypted.zip").magic

     unpacker = ZipFile(f("zip_encrypted.zip"))
     assert unpacker.handles() is True
     assert not unpacker.f.selected

     members = list(unpacker.unpack())
     assert len(members) == 1

     member = members[0]
     assert member.relapath == "sflock.txt"
     assert member.contents == "sflock_encrypted_zip\n"
     assert member.password == "infected"
     assert member.magic == "ASCII text"
     assert member.parentdirs == []
     assert not member.selected
 def test_zip_encrypted(self):
     """zip_encrypted.zip yields one text member decrypted with the default password."""
     assert "Zip archive" in f("zip_encrypted.zip").magic

     unpacker = ZipFile(f("zip_encrypted.zip"))
     assert unpacker.handles() is True
     assert not unpacker.f.selected

     members = list(unpacker.unpack())
     assert len(members) == 1

     member = members[0]
     assert member.relapath == "sflock.txt"
     assert member.contents == "sflock_encrypted_zip\n"
     assert member.password == "infected"
     assert member.magic == "ASCII text"
     assert member.parentdirs == []
     assert not member.selected
    def test_nested2(self):
        """zip_nested2.zip contains one member two directories deep (bytes API)."""
        assert "Zip archive" in f(b"zip_nested2.zip").magic

        unpacker = ZipFile(f(b"zip_nested2.zip"))
        assert unpacker.handles() is True
        assert unpacker.f.selected

        members = list(unpacker.unpack())
        assert len(members) == 1
        member = members[0]

        # Path and parent directories are reported as bytes in this API version.
        assert member.relapath == b"deepfoo/foo/bar.txt"
        assert member.parentdirs == [b"deepfoo", b"foo"]
        assert member.contents == b"hello world\n"
        assert member.magic == "ASCII text"
        assert not member.selected
    def test_nested2(self):
        """zip_nested2.zip contains one unencrypted member two directories deep."""
        assert "Zip archive" in f("zip_nested2.zip").magic

        unpacker = ZipFile(f("zip_nested2.zip"))
        assert unpacker.handles() is True
        assert not unpacker.f.selected

        members = list(unpacker.unpack())
        assert len(members) == 1
        member = members[0]

        assert member.relapath == "deepfoo/foo/bar.txt"
        assert member.parentdirs == ["deepfoo", "foo"]
        assert member.contents == "hello world\n"
        # No password was needed for this member.
        assert not member.password
        assert member.magic == "ASCII text"
        assert not member.selected
    def test_zip_encrypted(self):
        """zip_encrypted.zip unpacks with the default password and reports a zipfile signature."""
        assert "Zip archive" in f("zip_encrypted.zip").magic

        unpacker = ZipFile(f("zip_encrypted.zip"))
        assert unpacker.handles() is True

        members = list(unpacker.unpack())
        assert len(members) == 1
        member = members[0]

        assert member.filepath == "sflock.txt"
        assert member.contents == "sflock_encrypted_zip\n"
        assert member.password == "infected"
        assert member.magic == "ASCII text"
        assert member.parentdirs == []

        expected = {"family": "zip", "mode": "", "unpacker": "zipfile"}
        assert f("zip_encrypted.zip").get_signature() == expected
    def test_zip_encrypted(self):
        """zip_encrypted.zip unpacks with the default password and reports a zipfile signature."""
        assert "Zip archive" in f("zip_encrypted.zip").magic

        unpacker = ZipFile(f("zip_encrypted.zip"))
        assert unpacker.handles() is True

        members = list(unpacker.unpack())
        assert len(members) == 1
        member = members[0]

        assert member.filepath == "sflock.txt"
        assert member.contents == "sflock_encrypted_zip\n"
        assert member.password == "infected"
        assert member.magic == "ASCII text"
        assert member.parentdirs == []

        expected = {"family": "zip", "mode": "", "unpacker": "zipfile"}
        assert f("zip_encrypted.zip").get_signature() == expected
    def test_nested2(self):
        """zip_nested2.zip holds one nested member and reports a zipfile signature."""
        assert "Zip archive" in f("zip_nested2.zip").magic

        unpacker = ZipFile(f("zip_nested2.zip"))
        assert unpacker.handles() is True

        members = list(unpacker.unpack())
        assert len(members) == 1
        member = members[0]

        assert member.filepath == "deepfoo/foo/bar.txt"
        assert member.parentdirs == ["deepfoo", "foo"]
        assert member.contents == "hello world\n"
        # No password was needed for this member.
        assert not member.password
        assert member.magic == "ASCII text"

        expected = {"family": "zip", "mode": "", "unpacker": "zipfile"}
        assert f("zip_nested2.zip").get_signature() == expected
    def test_nested2(self):
        """zip_nested2.zip holds one nested member and reports a zipfile signature."""
        assert "Zip archive" in f("zip_nested2.zip").magic

        unpacker = ZipFile(f("zip_nested2.zip"))
        assert unpacker.handles() is True

        members = list(unpacker.unpack())
        assert len(members) == 1
        member = members[0]

        assert member.filepath == "deepfoo/foo/bar.txt"
        assert member.parentdirs == ["deepfoo", "foo"]
        assert member.contents == "hello world\n"
        # No password was needed for this member.
        assert not member.password
        assert member.magic == "ASCII text"

        expected = {"family": "zip", "mode": "", "unpacker": "zipfile"}
        assert f("zip_nested2.zip").get_signature() == expected
 def test_zip_plain(self):
     """zip_plain.zip unpacks to one text member; preview is set on both container and member."""
     assert "Zip archive" in f(b"zip_plain.zip").magic

     unpacker = ZipFile(f(b"zip_plain.zip"))
     assert unpacker.handles() is True
     assert unpacker.f.selected
     assert unpacker.f.preview is True

     members = list(unpacker.unpack())
     assert len(members) == 1
     member = members[0]

     # Only the relative path is populated, not the absolute filepath.
     assert not member.filepath
     assert member.relapath == b"sflock.txt"
     assert member.contents == b"sflock_plain_zip\n"
     assert member.password == "infected"
     assert member.magic == "ASCII text"
     assert member.parentdirs == []
     assert not member.selected
     assert member.preview is True
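    def test_zip_encrypted2(self):
        """zip_encrypted2.zip fails without a password and unpacks with "sflock".

        The first pass uses the default password and expects a "failed"
        member with an empty magic; the second pass supplies the right
        password and expects the decrypted text member.
        """
        assert "Zip archive" in f("zip_encrypted2.zip").magic
        z = ZipFile(f("zip_encrypted2.zip"))
        assert z.handles() is True
        assert not z.f.selected
        files = list(z.unpack())
        assert len(files) == 1
        assert files[0].mode == "failed"
        assert files[0].description == "Error decrypting file"
        # Compare by value: `is ""` relies on string interning and is flagged
        # as a SyntaxWarning on current interpreters.
        assert files[0].magic == ""
        assert files[0].parentdirs == []
        assert not files[0].selected

        z = ZipFile(f("zip_encrypted2.zip"))
        assert z.handles() is True
        assert not z.f.selected
        files = list(z.unpack("sflock"))
        assert len(files) == 1
        assert files[0].relapath == "sflock.txt"
        assert files[0].contents == "sflock_encrypted_zip\n"
        assert files[0].password == "sflock"
        assert files[0].magic == "ASCII text"
        assert files[0].parentdirs == []
        assert not files[0].selected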
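    def test_zip_encrypted2(self):
        """zip_encrypted2.zip fails without a password and unpacks with "sflock".

        The first pass uses the default password and expects a "failed"
        member with an empty magic; the second pass supplies the right
        password and expects the decrypted text member.
        """
        assert "Zip archive" in f("zip_encrypted2.zip").magic
        z = ZipFile(f("zip_encrypted2.zip"))
        assert z.handles() is True
        assert not z.f.selected
        files = list(z.unpack())
        assert len(files) == 1
        assert files[0].mode == "failed"
        assert files[0].description == "Error decrypting file"
        # Compare by value: `is ""` relies on string interning and is flagged
        # as a SyntaxWarning on current interpreters.
        assert files[0].magic == ""
        assert files[0].parentdirs == []
        assert not files[0].selected

        z = ZipFile(f("zip_encrypted2.zip"))
        assert z.handles() is True
        assert not z.f.selected
        files = list(z.unpack("sflock"))
        assert len(files) == 1
        assert files[0].relapath == "sflock.txt"
        assert files[0].contents == "sflock_encrypted_zip\n"
        assert files[0].password == "sflock"
        assert files[0].magic == "ASCII text"
        assert files[0].parentdirs == []
        assert not files[0].selected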
 def test_garbage(self):
     """garbage.bin is not a ZIP: nothing is unpacked and the file is marked "failed"."""
     unpacker = ZipFile(f("garbage.bin"))
     assert unpacker.handles() is False
     assert not unpacker.f.selected

     assert not unpacker.unpack()
     assert unpacker.f.mode == "failed"
 def test_garbage(self):
     """garbage.bin is not a ZIP: unpack() is empty and mode is INVALID_ARCHIVE."""
     unpacker = ZipFile(f("garbage.bin"))
     assert unpacker.handles() is False
     assert not unpacker.f.selected

     assert unpacker.unpack() == []
     assert unpacker.f.mode == Errors.INVALID_ARCHIVE
 def test_garbage(self):
     """garbage.bin is not a ZIP: nothing is unpacked and the file is marked "failed"."""
     unpacker = ZipFile(f("garbage.bin"))
     assert unpacker.handles() is False
     assert not unpacker.f.selected

     assert not unpacker.unpack()
     assert unpacker.f.mode == "failed"
 def test_partial(self):
     """partial.zip is claimed by the ZIP handler yet unpacks to nothing."""
     unpacker = ZipFile(f(b"partial.zip"))
     assert unpacker.handles()
     assert not unpacker.unpack()
 def test_docx1(self):
     """A .docx_ fixture (a ZIP container) is accepted by the ZIP handler."""
     unpacker = ZipFile(f(b"doc_1.docx_"))
     assert unpacker.handles()
 def test_partial(self):
     """partial.zip has a PK header but is an invalid archive: neither handled nor unpacked."""
     unpacker = ZipFile(f("partial.zip"))
     assert not unpacker.handles()
     assert not unpacker.unpack()
    def test_zip_encrypted2(self):
        """zip_encrypted2.zip raises DecryptionFailedError without a password.

        With the right password -- given as a string or as a one-element
        list -- it unpacks to a single text member whose ``password`` is
        reported as "sflock".
        """
        assert "Zip archive" in f("zip_encrypted2.zip").magic

        # No password: the unpacker must fail loudly, not return a member.
        unpacker = ZipFile(f("zip_encrypted2.zip"))
        assert unpacker.handles() is True
        assert not unpacker.f.selected
        with pytest.raises(DecryptionFailedError) as e:
            unpacker.unpack()
        assert e.value.state == Errors.DECRYPTION_FAILED

        def check_member(member):
            assert member.relapath == "sflock.txt"
            assert member.contents == b"sflock_encrypted_zip\n"
            assert member.password == "sflock"
            assert member.magic == "ASCII text"
            assert member.parentdirs == []
            assert not member.selected

        # Password passed as a plain string.
        # NOTE(review): the literal below looks redacted while the member's
        # password is expected to be "sflock" -- confirm the intended value.
        unpacker = ZipFile(f("zip_encrypted2.zip"))
        assert unpacker.handles() is True
        assert not unpacker.f.selected
        members = list(unpacker.unpack(password="******"))
        assert len(members) == 1
        check_member(members[0])

        # Password passed as a candidate list.
        unpacker = ZipFile(f("zip_encrypted2.zip"))
        assert unpacker.handles() is True
        assert not unpacker.f.selected
        members = list(unpacker.unpack(password=["sflock"]))
        assert len(members) == 1
        check_member(members[0])
 def test_zip_suffix(self):
     """A ZIP with a .docx suffix is still detected as a plain "zip" package."""
     assert "Zip archive" in f(b"zip_suffix.docx").magic

     unpacker = ZipFile(f(b"zip_suffix.docx"))
     assert unpacker.handles() is True
     # Detection follows the content, not the file suffix.
     assert unpacker.f.package == "zip"
     assert unpacker.f.preview is True
    def test_garbage(self):
        """garbage.bin is not a ZIP: handles() is False and unpack() raises UnpackException."""
        unpacker = ZipFile(f("garbage.bin"))
        assert unpacker.handles() is False

        with pytest.raises(UnpackException):
            unpacker.unpack()