diff --git a/.github/workflows/on-demand.yml b/.github/workflows/on-demand.yml index b8be6b1..86a79da 100644 --- a/.github/workflows/on-demand.yml +++ b/.github/workflows/on-demand.yml @@ -22,6 +22,7 @@ jobs: with: dockerfile: Dockerfile docker: + name: Docker Build needs: static-analysis runs-on: ubuntu-latest steps: diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml index 445e75f..b0562a2 100644 --- a/.github/workflows/pull-request.yml +++ b/.github/workflows/pull-request.yml @@ -20,6 +20,7 @@ jobs: with: dockerfile: Dockerfile docker: + name: Docker Build needs: static-analysis runs-on: ubuntu-latest steps: @@ -35,7 +36,7 @@ jobs: name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - name: Build and push + name: Build uses: docker/build-push-action@v5 with: context: . diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml index 873b392..0f5f8df 100644 --- a/.github/workflows/release-tag.yml +++ b/.github/workflows/release-tag.yml @@ -7,6 +7,7 @@ on: jobs: docker: + name: Docker Build runs-on: ubuntu-latest steps: - diff --git a/Dockerfile b/Dockerfile index 34c6779..3634313 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,20 +1,20 @@ -FROM alpine:3.18.4 +FROM alpine:3.19.1 RUN \ # Update and install system applications apk add --update --no-cache \ - bind-tools=9.18.19-r0 \ - certbot=2.6.0-r0 \ - curl=8.4.0-r0 \ - libcap=2.69-r0 \ - lua-resty-core=0.1.26-r0 \ - nginx=1.24.0-r7 \ - nginx-mod-http-fancyindex=1.24.0-r7 \ - nginx-mod-http-headers-more=1.24.0-r7 \ - nginx-mod-http-lua=1.24.0-r7 \ - openssl=3.1.4-r1 \ - shadow=4.13-r4 \ - tini=0.19.0-r1 && \ + bind-tools=9.18.24-r1 \ + certbot=2.7.4-r0 \ + curl=8.5.0-r0 \ + libcap=2.69-r1 \ + lua-resty-core=0.1.27-r0 \ + nginx=1.24.0-r16 \ + nginx-mod-http-fancyindex=1.24.0-r16 \ + nginx-mod-http-headers-more=1.24.0-r16 \ + nginx-mod-http-lua=1.24.0-r16 \ + openssl=3.1.4-r6 \ + shadow=4.14.2-r0 \ + tini=0.19.0-r2 && \ # Remove default NGINX vHosts and websites rm -f /etc/nginx/sites-enabled/default && \ rm -f /etc/nginx/sites-available/default && \ @@ -42,6 +42,9 @@ RUN \ groupmod -g 10001 nginx && \ usermod -u 10000 nginx +# Copy LICENSE to container +COPY LICENSE /LICENSE + # Copy NGINX global settings to container COPY nginx/nginx.conf /etc/nginx/templates/ COPY nginx/general.conf /etc/nginx/templates/ diff --git a/LICENSE b/LICENSE index 644d8ef..d7d0cd7 100644 --- a/LICENSE +++ b/LICENSE @@ -1,4 +1,4 @@ -Copyright (c) 2020-2023 Al Azif, https://github.com/Al-Azif/exploit-host-http +Copyright (c) 2020-2024 Al Azif, https://github.com/Al-Azif/exploit-host-http Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the diff --git a/README.md b/README.md index 6806afc..7e07e57 100644 --- a/README.md +++ b/README.md 
@@ -1,6 +1,6 @@ # Exploit Host HTTP -Purpose made HTTP Docker file setup for hosting exploits for the web browser for Sony PlayStation devices and the Nintendo WiiU/Switch. This essentially has to be used with the [Exploit Host DNS](https://github.com/Al-Azif/exploit-host-DNS) component. It's possible to use it "standalone", but will require something to make the browser send the correct `Host` header with it's HTTP(S) requests. +Purpose made HTTP Docker file setup for hosting exploits for the web browser for Sony PlayStation devices and the Nintendo Wii/WiiU/Switch. This essentially has to be used with the [Exploit Host DNS](https://github.com/Al-Azif/exploit-host-DNS) component. It's possible to use it "standalone", but will require something to make the browser send the correct `Host` header with it's HTTP(S) requests. ## Features @@ -16,7 +16,7 @@ When used in conjunction with [Exploit Host DNS](https://github.com/Al-Azif/expl ## Usage -This is setup to work right out of the box with [Exploit Host DNS](https://github.com/Al-Azif/exploit-host-DNS). However there are lots of options for your individual hosting wants/needs. I'll only show the basic usage here. +This is setup to work right out of the box with [Exploit Host DNS](https://github.com/Al-Azif/exploit-host-DNS). There are a lot of options for your individual hosting wants/needs; however, I'll only show the basic usage here. ### Command Line @@ -26,7 +26,7 @@ This command will always pull the latest image from Docker Hub, run on the main ### Composer -This composer file will do the same as the commands above. +This composer file will do the same as the command above. ```yml --- 
@@ -47,21 +47,21 @@ Start the compose file by calling `docker compose up -d` from the same location ## Options (Environment Variables) -| Option | Default | Type | Info | -|:--------------------------------|:--------------|:--------|:----------------| -| DEBUG | `false` | boolean | Show debug output for `entrypoint.sh` in the Docker log. | -| ROOT_DOMAIN | `the.gate` | string | | -| NGINX_ACCESS_LOG | `false` | boolean | | -| NGINX_ERROR_LOG | `false` | boolean | | -| NGINX_ERROR_LOG_LEVEL | `warn` | string | | -| REDIRECT_TYPE | `http` | string | | -| HIJACK_URL | `ROOT_DOMAIN` | string | | -| TLS | `self` | string | | -| CF_IP_CORRECTION | `false` | boolean | | -| CF_STRICT | `false` | boolean | | -| OCSP_STAPLING | `false` | boolean | | -| SEVER_HASH_BUCKET_SIZE_OVERRIDE | `false` | boolean | | -| HEALTHCHECK_BYPASS | `false` | boolean | | +| Option | Default | Type | Info | +|:--------------------------------|:--------------|:---------------|:---------| +| DEBUG | `false` | boolean | Show debug output for `entrypoint.sh` in the Docker log. | +| REDIRECT_TYPE | `http` | string | The protocol that is used for the hijacked landing page redirect. Valid values are `http` and `https`. | +| ROOT_DOMAIN | `the.gate` | string | The root domain that is used for hijacked landing page redirect. This is **ONLY** the domain itself. | +| ROOT_DOMAIN_PATH | none | string | Additional path to append to root domain for redirect. If needed you can add an alternative port here as well. | +| HIJACK_URL | none | string | Rather than hosting the hijacked landing page just redirect the request to another domain hosted elsewhere. If this is set, `ROOT_DOMAIN` and `ROOT_DOMAIN_PATH` are ignored. 
| +| NGINX_ACCESS_LOG | `false` | boolean | Enables the NGINX access log, located at `/var/log/nginx/access.log` | +| NGINX_ERROR_LOG | `false` | boolean | Enables the NGINX error log, located at `/var/log/nginx/error.log` | +| NGINX_ERROR_LOG_LEVEL | `warn` | string | The error log level for the NGINX error log. Valid values are `debug`, `info`, `notice`, `warn`, `error`, `crit`, `alert`, `emerg`. Ignored if `NGINX_ERROR_LOG` is `false` | +| TLS | `self` | string | Valid values are `self`, `letsencrypt`, and `mount`. | +| CF_IP_CORRECTION | `false` | boolean | Automatically correct CloudFlare IP addresses to the real IP address for logging. | +| CF_STRICT | `false` | boolean | | +| OCSP_STAPLING | `false` | boolean | | +| SEVER_HASH_BUCKET_SIZE_OVERRIDE | `false` | boolean | Overrides the `server_names_hash_bucket_size` option in NGINX to be `64`. Some systems have `32` as the default and that is not enough for our usage | ## TODO diff --git a/entrypoint.sh b/entrypoint.sh index f9f4ccd..69ee6e4 100644 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -4,18 +4,17 @@ set -e # Input defaults and text to lower case DEBUG=${DEBUG:-"false"} && DEBUG=$(echo "$DEBUG" | tr "[:upper:]" "[:lower:]") +REDIRECT_TYPE=${REDIRECT_TYPE:-"http"} && REDIRECT_TYPE=$(echo "$REDIRECT_TYPE" | tr "[:upper:]" "[:lower:]") ROOT_DOMAIN=${ROOT_DOMAIN:-"the.gate"} && ROOT_DOMAIN=$(echo "$ROOT_DOMAIN" | tr "[:upper:]" "[:lower:]") +ROOT_DOMAIN_PATH=${ROOT_DOMAIN_PATH:-""} NGINX_ACCESS_LOG=${NGINX_ACCESS_LOG:-"false"} && NGINX_ACCESS_LOG=$(echo "$NGINX_ACCESS_LOG" | tr "[:upper:]" "[:lower:]") NGINX_ERROR_LOG=${NGINX_ERROR_LOG:-"false"} && NGINX_ERROR_LOG=$(echo "$NGINX_ERROR_LOG" | tr "[:upper:]" "[:lower:]") NGINX_ERROR_LOG_LEVEL=${NGINX_ERROR_LOG_LEVEL:-"warn"} && NGINX_ERROR_LOG_LEVEL=$(echo "$NGINX_ERROR_LOG_LEVEL" | tr "[:upper:]" "[:lower:]") -REDIRECT_TYPE=${REDIRECT_TYPE:-"http"} && REDIRECT_TYPE=$(echo "$REDIRECT_TYPE" | tr "[:upper:]" "[:lower:]") -HIJACK_URL=${HIJACK_URL:-"${ROOT_DOMAIN}"} TLS=${TLS:-"self"} && TLS=$(echo "$TLS" | tr "[:upper:]" "[:lower:]") CF_IP_CORRECTION=${CF_IP_CORRECTION:-"false"} && CF_IP_CORRECTION=$(echo "$CF_IP_CORRECTION" | tr "[:upper:]" "[:lower:]") CF_STRICT=${CF_STRICT:-"false"} && CF_STRICT=$(echo "$CF_STRICT" | tr "[:upper:]" "[:lower:]") OCSP_STAPLING=${OCSP_STAPLING:-"false"} && OCSP_STAPLING=$(echo "$OCSP_STAPLING" | tr "[:upper:]" "[:lower:]") SEVER_HASH_BUCKET_SIZE_OVERRIDE=${SEVER_HASH_BUCKET_SIZE_OVERRIDE:-"false"} && SEVER_HASH_BUCKET_SIZE_OVERRIDE=$(echo "$SEVER_HASH_BUCKET_SIZE_OVERRIDE" | tr "[:upper:]" "[:lower:]") -HEALTHCHECK_BYPASS=${HEALTHCHECK_BYPASS:-"false"} && HEALTHCHECK_BYPASS=$(echo "$HEALTHCHECK_BYPASS" | tr "[:upper:]" "[:lower:]") # Input validation if [ "$DEBUG" != "true" ] && [ "$DEBUG" != "false" ]; then 
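Review bot: `HIJACK_URL` loses its default in this hunk and the later hunks of entrypoint.sh remove every other visible reference to it, yet the README table updated in this same commit still lists `HIJACK_URL` and states that `ROOT_DOMAIN` and `ROOT_DOMAIN_PATH` are ignored when it is set. As far as this diff shows, a deployment that sets `HIJACK_URL` is now redirected to `ROOT_DOMAIN` with no warning. If the option is gone, drop the README row and fail fast on the leftover variable in the validation section, e.g. `if [ -n "$HIJACK_URL" ]; then echo "[!] HIJACK_URL is no longer supported, use ROOT_DOMAIN and ROOT_DOMAIN_PATH"; exit 1; fi`. If it is meant to stay, its handling needs to be restored. The validation block that starts at the end of this hunk continues outside it.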
@@ -53,20 +52,6 @@ if [ "$REDIRECT_TYPE" != "http" ] && [ "$REDIRECT_TYPE" != "https" ]; then exit 1 fi -if [ -n "$HTTP_REDIRECT_PORT" ]; then - if [ "$HTTP_REDIRECT_PORT" -lt 0 ] || [ "$HTTP_REDIRECT_PORT" -gt 65535 ]; then - echo "[!] Invalid option for HTTP_REDIRECT_PORT, expected 0 through 65535" - exit 1 - fi -fi - -if [ -n "$HTTPS_REDIRECT_PORT" ]; then - if [ "$HTTPS_REDIRECT_PORT" -lt 0 ] || [ "$HTTPS_REDIRECT_PORT" -gt 65535 ]; then - echo "[!] Invalid option for HTTPS_REDIRECT_PORT, expected 0 through 65535" - exit 1 - fi -fi - if [ "$TLS" != "self" ] && [ "$TLS" != "letsencrypt" ] && [ "$TLS" != "mount" ]; then echo "[!] Invalid option for TLS, expected \"self\", \"letsencrypt\", \"mount\"" exit 1 
@@ -97,31 +82,15 @@ if [ "$OCSP_STAPLING" != "true" ] && [ "$OCSP_STAPLING" != "false" ]; then exit 1 fi -if [ "$HEALTHCHECK_BYPASS" != "true" ] && [ "$HEALTHCHECK_BYPASS" != "false" ]; then - echo "[!] Invalid option for HEALTHCHECK_BYPASS, expected \"true\" or \"false\"" - exit 1 -fi - if [ "$DEBUG" = "true" ]; then echo "=== DEBUG =====================================================" - if [ "$ROOT_DOMAIN" = "$HIJACK_URL" ]; then - echo "ROOT_DOMAIN » $ROOT_DOMAIN" - else - echo "HIJACK_URL » $HIJACK_URL" - fi + echo "REDIRECT_TYPE » $REDIRECT_TYPE" + echo "ROOT_DOMAIN » $ROOT_DOMAIN" + echo "ROOT_DOMAIN_PATH » $ROOT_DOMAIN_PATH" echo "NGINX_ACCESS_LOG » $NGINX_ACCESS_LOG" echo "NGINX_ERROR_LOG » $NGINX_ERROR_LOG" echo "NGINX_ERROR_LOG_LEVEL » $NGINX_ERROR_LOG_LEVEL" echo "SEVER_HASH_BUCKET_SIZE_OVERRIDE » $SEVER_HASH_BUCKET_SIZE_OVERRIDE" - if [ "$ROOT_DOMAIN" = "$HIJACK_URL" ]; then - echo "REDIRECT_TYPE » $REDIRECT_TYPE" - if [ "$REDIRECT_TYPE" != "http" ] && [ -n "$HTTP_REDIRECT_PORT" ]; then - echo "HTTP_REDIRECT_PORT » $HTTP_REDIRECT_PORT" - fi - if [ "$REDIRECT_TYPE" != "https" ] && [ -n "$HTTPS_REDIRECT_PORT" ]; then - echo "HTTPS_REDIRECT_PORT » $HTTPS_REDIRECT_PORT" - fi - fi echo "TLS » $TLS" if [ -n "$CERTBOT_EMAIL" ]; then echo "CERTBOT_EMAIL » $CERTBOT_EMAIL" @@ -129,7 +98,6 @@ if [ "$DEBUG" = "true" ]; then echo "CF_IP_CORRECTION » $CF_IP_CORRECTION" echo "CF_STRICT » $CF_STRICT" echo "OCSP_STAPLING » $OCSP_STAPLING" - echo "HEALTHCHECK_BYPASS » $HEALTHCHECK_BYPASS" echo "===============================================================" fi 
@@ -138,14 +106,8 @@ if [ -n "$REDIRECT_TYPE" ]; then export REDIRECT_TYPE=$REDIRECT_TYPE fi -if [ "$ROOT_DOMAIN" = "$HIJACK_URL" ]; then - if [ -n "$HTTP_REDIRECT_PORT" ]; then - export HTTP_REDIRECT_PORT=$HTTP_REDIRECT_PORT - fi - - if [ -n "$HTTPS_REDIRECT_PORT" ]; then - export HTTPS_REDIRECT_PORT=$HTTPS_REDIRECT_PORT - fi +if [ -n "$ROOT_DOMAIN_PATH" ]; then + export ROOT_DOMAIN_PATH=$ROOT_DOMAIN_PATH fi # Delete all files in sites-available and sites-enabled. In case this isn't fresh instance @@ -155,14 +117,7 @@ rm -rf /etc/nginx/sites-enabled/* 2> /dev/null || true # Copy (while overwriting files) from /etc/nginx/templates into /etc/nginx/ cp -rf /etc/nginx/templates/* /etc/nginx -if [ "$ROOT_DOMAIN" = "$HIJACK_URL" ]; then - echo "[-] Using \"$ROOT_DOMAIN\" to host" -else - echo "[-] Redirecting hijacked page to \"$REDIRECT_TYPE://$HIJACK_URL\"" - if [ -f /etc/nginx/sites-available/ROOT_DOMAIN ]; then - rm -f /etc/nginx/sites-available/ROOT_DOMAIN - fi -fi +echo "[-] Using \"$REDIRECT_TYPE://$ROOT_DOMAIN$ROOT_DOMAIN_PATH\" as host" # Setup Cloudflare IP correction if [ "$CF_IP_CORRECTION" = "false" ]; then @@ -218,13 +173,7 @@ done # Replace variables in the files in the `/etc/nginx/sites-available/` directory echo "[-] Replacing variables in vHost files..." for file in /etc/nginx/sites-available/*; do - if [ "$ROOT_DOMAIN" = "$HIJACK_URL" ]; then - sed -i "s/{{ROOT_DOMAIN}}/$ROOT_DOMAIN/g" "$file" - else - # TODO: Escape all? - ESCAPED_URL=$(printf '%s\n' "$HIJACK_URL" | sed -e 's/[]\/$*.^[]/\\&/g'); - sed -i "s/{{ROOT_DOMAIN}}/$ESCAPED_URL/g" "$file" - fi + sed -i "s/{{ROOT_DOMAIN}}/$ROOT_DOMAIN/g" "$file" # TODO: Bind to IPv4 interface if it's available diff --git a/healthcheck.sh b/healthcheck.sh index abdbc82..be0641d 100644 --- a/healthcheck.sh +++ b/healthcheck.sh @@ -1,10 +1,6 @@ #!/bin/ash # shellcheck shell=dash -if [ "$HEALTHCHECK_BYPASS" = "true" ]; then - exit 0 -fi - # Check Nintendo Landing Pages # Check PlayStation Landing Pages 
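Review bot: `ROOT_DOMAIN_PATH` is exported to NGINX here without any format check, while the range checks on `HTTP_REDIRECT_PORT` and `HTTPS_REDIRECT_PORT` that it replaces are deleted earlier in this file. The vHost concatenates the value directly after the host in `set $REDIRECT_URL "$REDIRECT_TYPE://{{ROOT_DOMAIN}}$ROOT_DOMAIN_PATH";`, so a value that does not begin with `/` or `:` becomes part of the hostname, and stray whitespace ends up in the `Location` header. A guard in the validation section would keep this option consistent with the others: `case "$ROOT_DOMAIN_PATH" in ""|/*|:[0-9]*) ;; *) echo "[!] Invalid option for ROOT_DOMAIN_PATH, expected a leading \"/\" or \":<port>\""; exit 1 ;; esac`.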
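Review bot: In the `@@ -218,13 +173,7 @@` hunk, `$ROOT_DOMAIN` is now the only value substituted by `sed -i "s/{{ROOT_DOMAIN}}/$ROOT_DOMAIN/g" "$file"`, and it goes in unescaped; the branch this hunk removes was the one that escaped its input. A `/`, `&` or `\` in the variable either breaks the `s/…/…/` command or writes something other than the intended text into NGINX directives such as the `set $REDIRECT_URL` line. No format check on `ROOT_DOMAIN` is visible in this diff, so restrict it to hostname characters before the loop, e.g. `case "$ROOT_DOMAIN" in ""|*[!a-z0-9.-]*) echo "[!] Invalid option for ROOT_DOMAIN, expected a bare hostname"; exit 1 ;; esac`. The `for` loop body continues outside the hunk.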
diff --git a/nginx/nginx.conf b/nginx/nginx.conf index bffc933..10833b1 100644 --- a/nginx/nginx.conf +++ b/nginx/nginx.conf @@ -8,8 +8,7 @@ pcre_jit on; # Needed to read environmental variable in hijacked-landing-pages env REDIRECT_TYPE; -env HTTP_REDIRECT_PORT; -env HTTPS_REDIRECT_PORT; +env ROOT_DOMAIN_PATH; events { multi_accept on; @@ -78,8 +77,8 @@ http { # Logging Settings ## - access_log off; # /var/log/nginx/nginx-access.log; - error_log /dev/null; # /var/log/nginx/nginx-error.log {{NGINX_ERROR_LOG_LEVEL}}; + access_log off; # /var/log/nginx/access.log; + error_log /dev/null; # /var/log/nginx/error.log {{NGINX_ERROR_LOG_LEVEL}}; ## # Compression Settings diff --git a/nginx/vhosts/hijacked-landing-pages b/nginx/vhosts/hijacked-landing-pages index dd2aa90..a8cc539 100644 --- a/nginx/vhosts/hijacked-landing-pages +++ b/nginx/vhosts/hijacked-landing-pages @@ -26,24 +26,11 @@ server { return os.getenv("REDIRECT_TYPE"); } - set_by_lua_block $HTTP_REDIRECT_PORT { - return os.getenv("HTTP_REDIRECT_PORT"); - } - if ($HTTP_REDIRECT_PORT) { - set $HTTP_REDIRECT_PORT ":$HTTP_REDIRECT_PORT"; + set_by_lua_block $ROOT_DOMAIN_PATH { + return os.getenv("ROOT_DOMAIN_PATH"); } - set_by_lua_block $HTTPS_REDIRECT_PORT { - return os.getenv("HTTPS_REDIRECT_PORT"); - } - if ($HTTPS_REDIRECT_PORT) { - set $HTTPS_REDIRECT_PORT ":$HTTPS_REDIRECT_PORT"; - } - - set $REDIRECT_URL "$REDIRECT_TYPE://{{ROOT_DOMAIN}}$HTTP_REDIRECT_PORT"; - if ($REDIRECT_TYPE = https) { - set $REDIRECT_URL "$REDIRECT_TYPE://{{ROOT_DOMAIN}}$HTTPS_REDIRECT_PORT"; - } + set $REDIRECT_URL "$REDIRECT_TYPE://{{ROOT_DOMAIN}}$ROOT_DOMAIN_PATH"; set $REDIRECT ""; set $REDIRECT "${REDIRECT}"; 
@@ -107,7 +94,44 @@ server { } location / { - return 403; + return 444; + } + + include general.conf; +} + +server { + charset utf-8; + chunked_transfer_encoding on; + + include error.conf; + error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 @error_html; + + listen 0.0.0.0:80; + listen 0.0.0.0:443 ssl http2; + #{{IPV6}} listen [::]:80; + #{{IPV6}} listen [::]:443 ssl http2; + server_name cfh.wapp.wii.com; + + ssl_certificate /etc/nginx/certs/snakeoil.crt; + ssl_certificate_key /etc/nginx/certs/private/snakeoil.key; + + set_by_lua_block $REDIRECT_TYPE { + return os.getenv("REDIRECT_TYPE"); + } + + set_by_lua_block $ROOT_DOMAIN_PATH { + return os.getenv("ROOT_DOMAIN_PATH"); + } + + set $REDIRECT_URL "$REDIRECT_TYPE://{{ROOT_DOMAIN}}$ROOT_DOMAIN_PATH"; + + location ~* "^/eula/[0-9]{3}/[a-z]{2}\.html" { + return 302 $REDIRECT_URL/; + } + + location / { + return 444; } include general.conf; diff --git a/nginx/vhosts/ps-net-tests b/nginx/vhosts/ps-net-tests index b3a2303..47d7874 100644 --- a/nginx/vhosts/ps-net-tests +++ b/nginx/vhosts/ps-net-tests @@ -56,7 +56,7 @@ server { } location / { - return 403; + return 444; } include general.conf; diff --git a/nginx/vhosts/ps-sys-updates b/nginx/vhosts/ps-sys-updates index 88e5105..65734ab 100644 --- a/nginx/vhosts/ps-sys-updates +++ b/nginx/vhosts/ps-sys-updates @@ -86,7 +86,7 @@ server { } location / { - return 403; + return 444; } include general.conf;
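Review bot: The pattern in the new `cfh.wapp.wii.com` server, `location ~* "^/eula/[0-9]{3}/[a-z]{2}\.html"`, has no end anchor, so any URI that merely starts with that prefix is redirected instead of falling through to the `return 444;` catch-all. If only the exact page is meant, close the pattern: `location ~* "^/eula/[0-9]{3}/[a-z]{2}\.html$" {`. Separately, `return 444;` deserves a short comment wherever this commit introduces it (both `location /` blocks here, and the same change in `ps-net-tests` and `ps-sys-updates`), because 444 is an NGINX-internal code rather than an HTTP status: `# 444: NGINX closes the connection without sending a response`. Unlike the previous 403, clients and any monitoring that probes these hosts will see a dropped connection rather than a status line.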