From fe32beb75ea262c5af44264535e84f4743a4e7d2 Mon Sep 17 00:00:00 2001 From: Daniel Lenski Date: Fri, 31 May 2019 19:10:10 -0700 Subject: [PATCH] Add hipreport-android.sh The desktop version of the HIP report doesn't work on Android in part because the here-doc appears to exceed the size of the read buffer in Android's rather primitive /system/bin/sh. This is a rather confusing bug to identify and diagnose. Include an alternate script with minimal contents (hipreport-minimal.sh) which is suitable for use on Android. Signed-off-by: Daniel Lenski --- Makefile.am | 3 +- trojans/hipreport-android.sh | 58 ++++++++++++++++++++++++++++++++++++ trojans/hipreport.sh | 5 ++++ www/hip.xml | 7 +++-- 4 files changed, 70 insertions(+), 3 deletions(-) create mode 100755 trojans/hipreport-android.sh diff --git a/Makefile.am b/Makefile.am index f81eddb6..4fcefee0 100644 --- a/Makefile.am +++ b/Makefile.am @@ -137,7 +137,8 @@ EXTRA_DIST += $(shell cd "$(top_srcdir)" && \ DISTCLEANFILES = $(pkgconfig_DATA) -pkglibexec_SCRIPTS = trojans/csd-post.sh trojans/csd-wrapper.sh trojans/hipreport.sh trojans/tncc-wrapper.py +pkglibexec_SCRIPTS = trojans/csd-post.sh trojans/csd-wrapper.sh trojans/tncc-wrapper.py \ + trojans/hipreport.sh trojans/hipreport-android.sh # main.c includes version.c openconnect-main.$(OBJEXT): version.c diff --git a/trojans/hipreport-android.sh b/trojans/hipreport-android.sh new file mode 100755 index 00000000..2527c1c6 --- /dev/null +++ b/trojans/hipreport-android.sh @@ -0,0 +1,58 @@ +#!/system/bin/sh + +# These values may need to be extracted from the official HIP report, if made-up values are not accepted. +PLATFORM_VERSION="4.3" +PLATFORM_NAME="Android-x86" +HOSTID="deadbeef-dead-beef-dead-beefdeadbeef" + +# Read command line arguments into variables +COOKIE= +IP= +IPV6= +MD5= + +while [ "$1" ]; do + if [ "$1" = "--cookie" ]; then shift; COOKIE="$1"; fi + if [ "$1" = "--client-ip" ]; then shift; IP="$1"; fi + if [ "$1" = "--client-ipv6" ]; then shift; IPV6="$1"; fi + if [ "$1" = "--md5" ]; then shift; MD5="$1"; fi + shift +done + +if [ -z "$COOKIE" -o -z "$MD5" -o -z "$IP$IPV6" ]; then + echo "Parameters --cookie, --md5, and --client-ip and/or --client-ipv6 are required" >&2 + exit 1; +fi + +# Extract username and domain and computer from cookie +USER=$(echo "$COOKIE" | sed -rn 's/(.+&|^)user=([^&]+)(&.+|$)/\2/p') +DOMAIN=$(echo "$COOKIE" | sed -rn 's/(.+&|^)domain=([^&]+)(&.+|$)/\2/p') +COMPUTER=$(echo "$COOKIE" | sed -rn 's/(.+&|^)computer=([^&]+)(&.+|$)/\2/p') + +# Timestamp in the format expected by GlobalProtect server +NOW=$(date +'%m/%d/%Y %H:%M:%S') + +# WARNING: Replacing this with a here-doc (cat <' +echo " $MD5" +echo " $USER" +echo " $DOMAIN" +echo " $COMPUTER" +echo " $HOSTID" +echo " $IP" +echo " $IPV6" +echo " $NOW" +echo ' ' +echo ' ' +echo ' 4.0.2-19' +echo " $PLATFORM_NAME $PLATFORM_VERSION" +echo ' Google' +echo " $DOMAIN.internal" +echo " $COMPUTER" +echo " $HOSTID" +echo ' ' +echo ' ' +echo '' diff --git a/trojans/hipreport.sh b/trojans/hipreport.sh index 9ac04b56..4ff55d4d 100755 --- a/trojans/hipreport.sh +++ b/trojans/hipreport.sh @@ -16,6 +16,11 @@ # exactly what this is the md5 digest *of*, but all that # really matters is that the value in the HIP report # submission should match the value in the HIP report check. +# +# This hipreport.sh does not work as-is on Android. The large here-doc +# (cat <Generating/spoofing a HIP report -

An example hipreport.sh script is included in the -OpenConnect distribution, in the trojans/ subdirectory.

+

Two example scripts are included in the OpenConnect distribution, +in the trojans/ subdirectory: hipreport.sh (which +reproduces the behavior of a GlobalProtect Windows client) and +hipreport-android.sh (a report with minimal contents +suitable for use on an Android device).

Depending on how picky your GlobalProtect VPN is, it may be necessary to spoof or alter some of the parameters -- 2.49.0