Comments (6)

devttys0 commented on July 18, 2024

Generally, you can't have multiple string-len keywords which take strings from the file without opening yourself up to keyword injection from a maliciously crafted file. This goes for any keyword that takes a string argument.

I think a solution that would work for you (at least in this use case) is to create a signature like this:

 >>4 lelong x {file-size:%d-{string-len}}
 >>20 string x {offset-adjust:21+{string-len:%s}}

Binwalk could then safely process the {string-len:%s} keyword but also replace all {string-len} keywords with the string length. I can implement this easily if it is acceptable.

from binwalk.

m0sia commented on July 18, 2024

Ok, it makes sense and it will be great if it works the same way as {raw-replace}. Now I am facing a problem with a zero-length string. The _parse_string_len function doesn't strip the following: {string-len:}

Traceback (most recent call last):
  File "/usr/local/bin/binwalk", line 483, in <module>
    main()
  File "/usr/local/bin/binwalk", line 413, in main
    plugins_blacklist=plugin_blacklist)
  File "/usr/local/lib/python2.7/dist-packages/binwalk/__init__.py", line 364, in scan
    callback=callback)
  File "/usr/local/lib/python2.7/dist-packages/binwalk/__init__.py", line 575, in single_scan
    smart = self.smart.parse(magic_result)
  File "/usr/local/lib/python2.7/dist-packages/binwalk/smartsignature.py", line 83, in parse
    results['adjust'] = self._get_math_arg(data, 'adjust')
  File "/usr/local/lib/python2.7/dist-packages/binwalk/smartsignature.py", line 192, in _get_math_arg
    value = MathExpression(arg).value
  File "/usr/local/lib/python2.7/dist-packages/binwalk/common.py", line 126, in __init__
    self.value = self.evaluate(self.expression)
  File "/usr/local/lib/python2.7/dist-packages/binwalk/common.py", line 131, in evaluate
    return self._eval(ast.parse(expr).body[0].value)
  File "/usr/lib/python2.7/ast.py", line 37, in parse
    return compile(source, filename, mode, PyCF_ONLY_AST)
  File "<unknown>", line 1
    21+{string-len:

from binwalk.

devttys0 commented on July 18, 2024

This should be fixed now, as well as another bug I found in _parse_string_len.

Also added support for {string-len}, which works the same as {raw-replace}.

from binwalk.

m0sia commented on July 18, 2024

It seems something is still broken.

I have the following magic:

16 lelong 0

20 string x Filename: %s
20 string x {file-name:%s}
4 lelong x {file-size:%d-{string-len}}
20 string x {offset-adjust:21+{string-len:%s}}

When it comes to _parse_string_len, I have the following data passed to the function:
"Filename: index.html {file-name:index.html} {offset-adjust:21+{string-len:index.html}}"

After _parse_string_len execution I have the following "data":
"Filename: index.html {file-name:index.html} {offset-adjust:21+"

Hopefully it makes sense to you.

from binwalk.

devttys0 commented on July 18, 2024

string-len now works the same as raw-replace, which means that {string-len:%s} and everything after it is removed and not replaced with the actual length of the string.

Instead, all instances of {string-len} are replaced with the length of the string. Changing your signature to something like the following should give you the correct offset-adjust value:

 >16 lelong 0
 >>20 string x Filename: %s
 >>20 string x {file-name:%s}
 >>4 lelong x {file-size:%d-{string-len}}{offset-adjust:21+{string-len}}
 >>20 string x {string-len:%s}

This works for me, let me know if you still have issues.

from binwalk.
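The keyword-injection concern from the first comment and the {string-len} behaviour described in the comment above, as an added example that is not part of the thread and is not binwalk's code. `parse_keywords`, `expand_safe`, `expand_naive`, the template and both sample names are constructed here for illustration; the toy parser's "last duplicate wins" rule is an assumption.

```python
import re

ARG_TAG = "{string-len:"   # keyword that carries the file-supplied string
REF_TAG = "{string-len}"   # placeholder replaced by that string's length
KEYWORD = re.compile(r"\{([a-z-]+):([^{}]*)\}")

# Constructed inputs: a template in the shape recommended in the thread
# (string-taking keyword last), one benign name and one name that embeds
# keyword text of its own.
TEMPLATE = "{offset-adjust:21+{string-len}}{string-len:%s}"
BENIGN = "index.html"
HOSTILE = "x}{offset-adjust:4096"


def parse_keywords(text):
    """Toy keyword parser: collect {name:value}; a later duplicate wins."""
    return {name: value for name, value in KEYWORD.findall(text)}


def expand_safe(description):
    """Cut at {string-len:...} first, then substitute only in what precedes it."""
    start = description.find(ARG_TAG)
    if start == -1:
        return description
    raw = description[start + len(ARG_TAG):]
    if raw.endswith("}"):
        raw = raw[:-1]  # closing brace of the keyword itself
    # Everything from the keyword onward is dropped, so braces inside the
    # file-supplied string never reach the keyword parser.
    return description[:start].replace(REF_TAG, str(len(raw)))


def expand_naive(description):
    """Unsafe contrast: end the string at the first '}' and keep the rest."""
    match = re.search(r"\{string-len:([^}]*)\}", description)
    if match is None:
        return description
    rest = description[:match.start()] + description[match.end():]
    return rest.replace(REF_TAG, str(len(match.group(1))))


def offset_adjust(expand, name):
    """Format the template with a file-supplied name and read back the keyword."""
    return parse_keywords(expand(TEMPLATE.replace("%s", name))).get("offset-adjust")


if __name__ == "__main__":
    for label, name in (("benign", BENIGN), ("hostile", HOSTILE), ("empty", "")):
        print(label, offset_adjust(expand_safe, name), offset_adjust(expand_naive, name))
```

With the benign name both functions agree; with the constructed hostile name only the cut-first version keeps the signature author's expression, and the empty name expands cleanly to a length of 0.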

m0sia commented on July 18, 2024

Ok, got it. Now it works like a charm.

from binwalk.
