Home Explore Help
Sign In
vimacs
/
openconnect
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: h3cssl
Branches Tags
openconnect
/
trojans
/
csd-wrapper.sh

csd-wrapper.sh 4.2 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149 
  1. #!/bin/bash
    2. 

  2. # Cisco Anyconnect CSD wrapper for OpenConnect
    3. 

  3. #
    4. 

  4. # [05 May 2015] Written by Nikolay Panin <nick_panin@mail.ru>:
    5. 

  5. #   - source: https://gist.github.com/l0ki000/56845c00fd2a0e76d688
    6. 

  6. # [27 Oct 2017] Updated by Daniel Lenski <dlenski@gmail.com>:
    7. 

  7. #   - use -url argument
    8. 

  8. #   - kill cstub after timeout
    9. 

  9. #   - fix small typos:
    10. 

  10. # [31 May 2018] Updated by Daniel Lenski <dlenski@gmail.com>:
    11. 

  11. #   - use curl with --pinnedpubkey to rely on sha256 hash of peer cert passed by openconnect
    12. 

  12. 

  13. TIMEOUT=30
    14. 

  14. URL="https://${CSD_HOSTNAME}/CACHE"
    15. 

  15. HOSTSCAN_DIR="$HOME/.cisco/hostscan"
    16. 

  16. LIB_DIR="$HOSTSCAN_DIR/lib"
    17. 

  17. BIN_DIR="$HOSTSCAN_DIR/bin"
    18. 

  18. 

  19. # cURL 7.39 (https://bugzilla.redhat.com/show_bug.cgi?id=1195771)
    20. 

  20. # is required to support pin-based certificate validation. Must set this
    21. 

  21. # to false if using an older version of cURL.
    22. 

  22. 

  23. INSECURE=false
    24. 

  24. if [[ "$INSECURE" == "true" ]]; then
    25. 

  25.     echo "*********************************************************************" >&2
    26. 

  26.     echo "WARNING: running insecurely; will not validate CSD server certificate" >&2
    27. 

  27.     echo "*********************************************************************" >&2
    28. 

  28.     PINNEDPUBKEY="-k"
    29. 

  29. else
    30. 

  30.     PINNEDPUBKEY="${CSD_SHA256:+"-k --pinnedpubkey sha256//$CSD_SHA256"}"
    31. 

  31. fi
    32. 

  32. 

  33. BINS=("cscan" "cstub" "cnotify")
    34. 

  34. 

  35. # parsing command line
    36. 

  36. shift
    37. 

  37. 

  38. URL=
    39. 

  39. TICKET=
    40. 

  40. STUB=
    41. 

  41. GROUP=
    42. 

  42. CERTHASH=
    43. 

  43. LANGSELEN=
    44. 

  44. 

  45. while [ "$1" ]; do
    46. 

  46.     if [ "$1" == "-ticket" ];   then shift; TICKET=$1; fi
    47. 

  47.     if [ "$1" == "-stub" ];     then shift; STUB=$1; fi
    48. 

  48.     if [ "$1" == "-group" ];    then shift; GROUP=$1; fi
    49. 

  49.     if [ "$1" == "-certhash" ]; then shift; CERTHASH=$1; fi
    50. 

  50.     if [ "$1" == "-url" ];      then shift; URL=$(echo $1|tr -d '"'); fi # strip quotes
    51. 

  51.     if [ "$1" == "-langselen" ];then shift; LANGSELEN=$1; fi
    52. 

  52.     shift
    53. 

  53. done
    54. 

  54. 

  55. ARCH=$(uname -m)
    56. 

  56. 

  57. if [[ "$ARCH" == "x86_64" ]]
    58. 

  58. then
    59. 

  59.     ARCH="linux_x64"
    60. 

  60. else
    61. 

  61.     ARCH="linux_i386"
    62. 

  62. fi
    63. 

  63. 

  64. # creating dirs
    65. 

  65. for dir in $HOSTSCAN_DIR $LIB_DIR $BIN_DIR ; do
    66. 

  66.     if [[ ! -f $dir ]]
    67. 

  67.     then
    68. 

  68.         mkdir -p $dir
    69. 

  69.     fi
    70. 

  70. done
    71. 

  71. 

  72. # getting manifest, and checking binaries
    73. 

  73. curl $PINNEDPUBKEY -s "${URL}/sdesktop/hostscan/$ARCH/manifest" -o "$HOSTSCAN_DIR/manifest"
    74. 

  74. 

  75. # generating md5.sum with full paths from manifest
    76. 

  76. export HOSTSCAN_DIR=$HOSTSCAN_DIR
    77. 

  77. while read HASHTYPE FILE EQU HASHVAL; do
    78. 

  78.     FILE="${FILE%*)}"
    79. 

  79.     FILE="${FILE#(}"
    80. 

  80.     if grep --extended-regexp --quiet --invert-match ".so|tables.dat" <<< "$FILE"; then
    81. 

  81. 	PATHNAME="${BIN_DIR}/$FILE"
    82. 

  82. 	IS_BIN=yes
    83. 

  83.     else
    84. 

  84. 	PATHNAME="${LIB_DIR}/$FILE"
    85. 

  85. 	IS_BIN=no
    86. 

  86.     fi
    87. 

  87.     DOWNLOAD=yes
    88. 

  88.     case $HASHTYPE in
    89. 

  89. 	MD5)
    90. 

  90. 	    if [ -r "$PATHNAME" ] && md5sum --status -c <<< "$HASHVAL $PATHNAME"; then
    91. 

  91. 		DOWNLOAD=no
    92. 

  92. 	    fi
    93. 

  93. 	    ;;
    94. 

  94. 	SHA1)
    95. 

  95. 	    if [ -r "$PATHNAME" ] && sha1sum --status -c <<< "$HASHVAL $PATHNAME"; then
    96. 

  96. 		DOWNLOAD=no
    97. 

  97. 	    fi
    98. 

  98. 	    ;;
    99. 

  99. 	SHA256)
    100. 

  100. 	    if [ -r "$PATHNAME" ] && sha256sum --status -c <<< "$HASHVAL $PATHNAME"; then
    101. 

  101. 		DOWNLOAD=no
    102. 

  102. 	    fi
    103. 

  103. 	    ;;
    104. 

  104. 	*)
    105. 

  105. 	    echo "Unsupported hash type $HASHTYPE"
    106. 

  106. 	    ;;
    107. 

  107.     esac
    108. 

  108.     if [ "$DOWNLOAD" = "yes" ]; then
    109. 

  109. 	echo "Downloading: $FILE"
    110. 

  110. 	TMPFILE="${PATHNAME}.tmp"
    111. 

  111. 

  112.         curl $PINNEDPUBKEY -s "${URL}/sdesktop/hostscan/$ARCH/$FILE" -o "${TMPFILE}"
    113. 

  113. 

  114.         # some files are in gz (don't understand logic here)
    115. 

  115.         if [[ ! -f "${TMPFILE}" || ! -s "${TMPFILE}" ]]
    116. 

  116.         then
    117. 

  117.             # remove 0 size files
    118. 

  118.             if [[ ! -s ${TMPFILE} ]]; then
    119. 

  119.                 rm ${TMPFILE}
    120. 

  120.             fi
    121. 

  121. 

  122.             echo "Failure on $FILE, trying gz"
    123. 

  123.             FILE_GZ="${FILE}.gz"
    124. 

  124.             curl $PINNEDPUBKEY -s "${URL}/sdesktop/hostscan/$ARCH/$FILE_GZ" -o "${TMPFILE}.gz" &&
    125. 

  125. 		gunzip --verbose --decompress "${TMPFILE}.gz"
    126. 

  126.         fi
    127. 

  127. 

  128. 	if [ -r "${TMPFILE}" ]; then
    129. 

  129. 	    if [ "$IS_BIN" = "yes" ]; then
    130. 

  130. 		chmod +x "${TMPFILE}"
    131. 

  131. 	    fi
    132. 

  132. 	    mv "${TMPFILE}" "${PATHNAME}"
    133. 

  133. 	fi
    134. 

  134.     fi
    135. 

  135. done < $HOSTSCAN_DIR/manifest
    136. 

  136. 

  137. # cstub doesn't care about logging options, sic!
    138. 

  138. #ARGS="-log debug -ticket $TICKET -stub $STUB -group $GROUP -host "$URL" -certhash $CERTHASH"
    139. 

  139. ARGS="-log error -ticket $TICKET -stub $STUB -group $GROUP -host \"$URL\" -certhash $CERTHASH"
    140. 

  140. 

  141. echo "Launching: $BIN_DIR/cstub $ARGS"
    142. 

  142. $BIN_DIR/cstub $ARGS & CSTUB_PID=$!
    143. 

  143. 

  144. sleep $TIMEOUT
    145. 

  145. if kill -0 $CSTUB_PID 2> /dev/null; then
    146. 

  146.     echo "Killing cstub process after $TIMEOUT seconds"
    147. 

  147.     kill $CSTUB_PID 2> /dev/null || kill -9 $CSTUB_PID 2> /dev/null
    148. 

  148. fi
    149. 

  149.