Add files via upload

Author: patterniha

config.json

@@ -0,0 +1,24 @@
+{
+  "fake_sni": "random",
+  "full_fake_sni_length": "29-32",
+  "fake_sni_tld": ".com",
+
+  "listen_host": "0.0.0.0",
+  "listen_port": 12430,
+  "listen_trojan_password": "domain_fronting_pass",
+
+  "main_gateway_host": "127.0.0.1",
+  "main_gateway_port": 12431,
+  "main_gateway_trojan_password": "main_gateway_pass",
+
+  "bypass_gateway_host": "127.0.0.1",
+  "bypass_gateway_port": 12432,
+  "bypass_gateway_trojan_password": "bypass_gateway_pass",
+
+  "issuer_certificate_path": "certificate.crt",
+  "issuer_private_key_path": "private.key",
+  "issuer_private_key_pass": null,
+
+  "instant_certificate_temp_file_path": ".instant_certificate"
+
+}

controller.py

@@ -0,0 +1,110 @@
+import ssl
+import string
+import random
+import secrets
+from util.instant_cert_ctx import InstantCertServerSideCtx
+from util.proxy_protocols import struct_pure_tcp_trojan
+from util.tls_parser import parse_tls_client_hello
+from util.timer import Timer
+from transports.wrapped_transport import WrappedTransport
+from transports.tcp_stream_transport import TcpStreamTransport
+from tcp_relays.final_relays.bypass_relay import BypassRelay
+from tcp_relays.final_relays.one_repeater import OneRepeater
+from tcp_relays.final_relays.domain_fronter import DomainFronter
+from initialize import issuer_private_key_pass, issuer_private_key_path, issuer_cert_path, \
+    main_gateway_host, \
+    main_gateway_port, main_gateway_trojan_hashed_password, bypass_gateway_host, bypass_gateway_port, \
+    bypass_gateway_trojan_hashed_password, local_connect_timeout, \
+    loopback_connect_host, listen_port, upgrade_incoming_timeout, upgrade_incoming_handshake_timeout, \
+    upgrade_incoming_shutdown_timeout, others_connect_upgrade_timeout, others_connect_upgrade_handshake_timeout, \
+    others_connect_upgrade_shutdown_timeout, incoming_write_timeout, outgoing_write_timeout, \
+    private_domain_front_trojan_hashed_password, fake_sni, fake_sni_tld, pure_fake_sni_length_min, \
+    pure_fake_sni_length_max, incoming_wait_for_cancel_timeout, instant_certificate_temp_file_path
+
+
+class Controller:
+    icc = InstantCertServerSideCtx(issuer_cert_path, issuer_private_key_path, issuer_private_key_pass,
+                                   instant_certificate_temp_file_path)
+
+    @staticmethod
+    def get_fake_sni():
+        if fake_sni != "random":
+            return fake_sni
+        n = random.randint(pure_fake_sni_length_min, pure_fake_sni_length_max)
+        return (''.join(secrets.choice(string.ascii_lowercase + string.digits) for _ in range(n))) + fake_sni_tld
+
+    @classmethod
+    async def on_repeater_domain_front_request(cls, incoming_tp: WrappedTransport[TcpStreamTransport],
+                                               incoming_parsed_tj, incoming_payload: bytes):
+
+        try:
+            parsed_tls = parse_tls_client_hello(incoming_payload)
+        except Exception:
+            gateway_trojan = struct_pure_tcp_trojan(bypass_gateway_trojan_hashed_password,
+                                                    incoming_parsed_tj["remote_address_type"],
+                                                    incoming_parsed_tj["remote_address"],
+                                                    incoming_parsed_tj["remote_port"])
+            bypass_relay = BypassRelay(incoming_tp, None, bypass_gateway_host, bypass_gateway_port,
+                                       gateway_trojan, 3, incoming_payload,
+                                       None, None,
+                                       list(), bytearray(), bytearray(),
+                                       None, None, Timer(), local_connect_timeout, incoming_write_timeout,
+                                       outgoing_write_timeout)
+            print("Non-TLS Request Bypassed", incoming_parsed_tj["remote_address_type"], incoming_parsed_tj["remote_address"],
+                  incoming_parsed_tj["remote_port"], incoming_payload)
+            await bypass_relay.main_loop(incoming_tp)
+            incoming_tp.sync_close()
+            return
+        else:
+            gateway_trojan = struct_pure_tcp_trojan(private_domain_front_trojan_hashed_password,
+                                                    incoming_parsed_tj["remote_address_type"],
+                                                    incoming_parsed_tj["remote_address"],
+                                                    incoming_parsed_tj["remote_port"])
+            one_repeater_relay = OneRepeater(incoming_tp, None, loopback_connect_host, listen_port,
+                                             gateway_trojan, -1, incoming_payload,
+                                             None, None,
+                                             list(), bytearray(), bytearray(),
+                                             None, None, Timer(), local_connect_timeout, incoming_write_timeout,
+                                             outgoing_write_timeout)
+            await one_repeater_relay.main_loop(incoming_tp)
+            incoming_tp.sync_close()
+            return
+
+    @classmethod
+    async def on_private_domain_front_request(cls, incoming_tp: WrappedTransport[TcpStreamTransport],
+                                              incoming_parsed_tj, incoming_payload: bytes):
+
+        try:
+            parsed_tls = parse_tls_client_hello(incoming_payload)
+        except Exception:
+            print("!!!CRITICAL WARNING!!! non-tls in private.", incoming_parsed_tj, incoming_payload)
+            incoming_tp.sync_close()
+            return
+        gateway_trojan = struct_pure_tcp_trojan(main_gateway_trojan_hashed_password,
+                                                incoming_parsed_tj["remote_address_type"],
+                                                incoming_parsed_tj["remote_address"],
+                                                incoming_parsed_tj["remote_port"])
+        upgrade_incoming_magic = {"in_alpn": parsed_tls["alpn"], "in_sni": parsed_tls["sni"], "icc": cls.icc,
+                                  "chosen_alpn": -1, "wait_for_cancel_timeout": incoming_wait_for_cancel_timeout,
+                                  "remote_address_type": incoming_parsed_tj["remote_address_type"],
+                                  "remote_address": incoming_parsed_tj["remote_address"],
+                                  "repeat_command": incoming_payload, "timeout": upgrade_incoming_timeout,
+                                  "sslcontext": -1, "kwargs": {"server_hostname": None,
+                                                               "ssl_handshake_timeout": upgrade_incoming_handshake_timeout,
+                                                               "ssl_shutdown_timeout": upgrade_incoming_shutdown_timeout}}
+        upgrade_outgoing_magic = {"sslcontext": -1, "check_hostname": False, "verify_mode": ssl.CERT_NONE,
+                                  "cadata": None,
+                                  "out_alpn": parsed_tls["alpn"], "timeout": others_connect_upgrade_timeout,
+                                  "kwargs": {"server_hostname": cls.get_fake_sni(),
+                                             "ssl_handshake_timeout": others_connect_upgrade_handshake_timeout,
+                                             "ssl_shutdown_timeout": others_connect_upgrade_shutdown_timeout}}
+        domain_front_relay = DomainFronter(incoming_tp, None, main_gateway_host, main_gateway_port,
+                                           gateway_trojan, -1, None,
+                                           upgrade_incoming_magic, upgrade_outgoing_magic,
+                                           list(), bytearray(), bytearray(),
+                                           None, None, Timer(), local_connect_timeout, incoming_write_timeout,
+                                           outgoing_write_timeout)
+
+        await domain_front_relay.main_loop(incoming_tp)
+        incoming_tp.sync_close()
+        return

initialize.py

@@ -0,0 +1,99 @@
+import json
+import sys
+import os
+import ipaddress
+import traceback
+
+from cryptography.hazmat.primitives import hashes
+
+
+# from util.hostname_validator import is_valid_no_ip_hostname
+
+def _get_loopback_connect_host(f_listen_host):
+    try:
+        if (f_listen_host == "") or (f_listen_host is None) or (f_listen_host == "0.0.0.0"):
+            return "127.0.0.1"
+        try:
+            if ipaddress.ip_address(f_listen_host) == ipaddress.ip_address("::"):
+                return "::1"
+        except ValueError:
+            pass
+        try:
+            if (ipaddress.ip_address(f_listen_host[1:-1]) == ipaddress.ip_address("::")) and (f_listen_host[0] == "[") and (
+                    f_listen_host[-1] == "]"):
+                return "::1"
+        except ValueError:
+            pass
+        return f_listen_host
+    except Exception as e:
+        traceback.print_exc()
+        sys.exit(repr(e))
+
+
+with open(os.path.join(os.path.dirname(sys.argv[0]), "config.json")) as f:
+    _config = json.loads(f.read())
+
+listen_host = _config["listen_host"]
+listen_port = _config["listen_port"]
+loopback_connect_host = _get_loopback_connect_host(listen_host)
+_df = hashes.Hash(hashes.SHA224())
+_df.update(_config["listen_trojan_password"].encode())
+repeater_domain_front_trojan_hashed_password = _df.finalize()
+
+main_gateway_host = _config["main_gateway_host"]
+main_gateway_port = _config["main_gateway_port"]
+_main_gateway_h = hashes.Hash(hashes.SHA224())
+_main_gateway_h.update(_config["main_gateway_trojan_password"].encode())
+main_gateway_trojan_hashed_password = _main_gateway_h.finalize()
+
+bypass_gateway_host = _config["bypass_gateway_host"]
+bypass_gateway_port = _config["bypass_gateway_port"]
+_bypass_gateway_h = hashes.Hash(hashes.SHA224())
+_bypass_gateway_h.update(_config["bypass_gateway_trojan_password"].encode())
+bypass_gateway_trojan_hashed_password = _bypass_gateway_h.finalize()
+
+issuer_cert_path = _config["issuer_certificate_path"]
+issuer_private_key_path = _config["issuer_private_key_path"]
+issuer_private_key_pass = _config["issuer_private_key_pass"]
+
+instant_certificate_temp_file_path = _config["instant_certificate_temp_file_path"]
+
+fake_sni = _config["fake_sni"]
+if fake_sni != "random":
+    # if not is_valid_no_ip_hostname(fake_sni, False, False):
+    #     sys.exit("wrong fake_sni")
+    fake_sni_tld = ""
+    pure_fake_sni_length_min = pure_fake_sni_length_max = -1
+
+else:
+    fake_sni_tld = _config["fake_sni_tld"]
+    # if not is_valid_no_ip_hostname("a" + fake_sni_tld, False, False):
+    #     sys.exit("wrong fake_sni_tld")
+    _fi_s = _config["full_fake_sni_length"].split("-")
+    pure_fake_sni_length_min = int(_fi_s[0]) - len(fake_sni_tld)
+    pure_fake_sni_length_max = int(_fi_s[1]) - len(fake_sni_tld)
+    if pure_fake_sni_length_max < pure_fake_sni_length_min:
+        sys.exit("wrong pure_fake_sni_length")
+    if pure_fake_sni_length_min < 1:
+        sys.exit("wrong pure_fake_sni_length")
+
+#####
+_df2 = hashes.Hash(hashes.SHA224())
+_df2.update("my_private_pass".encode())
+private_domain_front_trojan_hashed_password = _df2.finalize()
+wait_for_trojan_timeout = 2
+local_connect_timeout = 2
+upgrade_incoming_timeout = 2
+upgrade_incoming_handshake_timeout = 2
+upgrade_incoming_shutdown_timeout = 2
+others_connect_upgrade_timeout = 30
+others_connect_upgrade_handshake_timeout = 30
+others_connect_upgrade_shutdown_timeout = 30
+incoming_wait_for_cancel_timeout = 30
+incoming_write_timeout = None
+outgoing_write_timeout = None
+
+if len(frozenset((main_gateway_trojan_hashed_password, bypass_gateway_trojan_hashed_password,
+                  repeater_domain_front_trojan_hashed_password,
+                  private_domain_front_trojan_hashed_password))) != 4:
+    sys.exit("trojan passwords are not unique")

main.py

@@ -0,0 +1,67 @@
+# @patterniha
+import asyncio
+import sys
+import traceback
+from transports.abstract_transport_manager import WrappedTransport
+from transports.tcp_stream_transport import TcpStreamTransport, TransportType
+from util.proxy_protocols import parse_trojan_protocol
+from initialize import listen_host, listen_port, wait_for_trojan_timeout, \
+    repeater_domain_front_trojan_hashed_password, private_domain_front_trojan_hashed_password
+from controller import Controller
+
+
+async def trojan_handler(reader: asyncio.StreamReader, writer: asyncio.StreamWriter):
+    try:
+        incoming_tp = WrappedTransport[TcpStreamTransport](TcpStreamTransport(TransportType.incoming, reader, writer))
+        await asyncio.sleep(0.015625)
+        try:
+            trojan_data = await incoming_tp.read(wait_for_trojan_timeout)
+        except Exception as e:
+            # print("WARNING READ TROJAN FAILED:", repr(e))
+            incoming_tp.sync_close()
+            return
+        except asyncio.CancelledError:
+            print("WARNING READ TROJAN CANCELLED")
+            incoming_tp.sync_close()
+            return
+        try:
+            incoming_parsed_tj = parse_trojan_protocol(trojan_data)
+        except Exception as e:
+            print("WARNING No Trojan Request!, Connection Closed", repr(e), trojan_data)
+            incoming_tp.sync_close()
+            return
+
+        incoming_payload = trojan_data[incoming_parsed_tj["payload_index"]:]
+        if incoming_parsed_tj["transport_protocol"] != "tcp":
+            print("WARNING UDP Request Is Not Supported, Connection Closed", incoming_parsed_tj, incoming_payload)
+            incoming_tp.sync_close()
+            return
+        incoming_trojan_hashed_password = incoming_parsed_tj["trojan_hashed_password"]
+        if incoming_trojan_hashed_password == private_domain_front_trojan_hashed_password:
+            await Controller.on_private_domain_front_request(incoming_tp, incoming_parsed_tj, incoming_payload)
+            incoming_tp.sync_close()
+            return
+        elif incoming_trojan_hashed_password == repeater_domain_front_trojan_hashed_password:
+            await Controller.on_repeater_domain_front_request(incoming_tp, incoming_parsed_tj, incoming_payload)
+            incoming_tp.sync_close()
+            return
+        else:
+            print("WARNING Unauthenticated Request!, Connection Closed", incoming_parsed_tj, incoming_payload)
+            incoming_tp.sync_close()
+            return
+    except Exception as e:
+        traceback.print_exc()
+        sys.exit(repr(e))
+    except asyncio.CancelledError:
+        sys.exit("cancel not allowed!")
+
+
+async def main():
+    server = await asyncio.start_server(
+        trojan_handler, listen_host, listen_port, limit=32767)
+    async with server:
+        print("MMDF started. listening on ", str(listen_host) + ":" + str(listen_port))
+        await server.serve_forever()
+
+
+asyncio.run(main())

tcp_relays/final_relays/bypass_relay.py

@@ -0,0 +1,13 @@
+from tcp_relays.swiss_knife_relay import SwissKnifeRelay
+
+
+class BypassRelay(SwissKnifeRelay):
+
+    def _init(self):
+        pass
+
+    async def incoming_main_loop_read_data_event(self, data: bytes) -> None:
+        await self.outgoing_write(data)
+
+    async def outgoing_main_loop_read_data_event(self, data: bytes) -> None:
+        await self.incoming_write(data)

tcp_relays/final_relays/domain_fronter.py

@@ -0,0 +1,61 @@
+import asyncio
+import ssl
+from util.proxy_protocols import parse_trojan_protocol
+
+from tcp_relays.final_relays.bypass_relay import BypassRelay
+
+
+class DomainFronter(BypassRelay):
+
+    async def incoming_upgrade(self, timeout,
+                               sslcontext, *,
+                               server_hostname, ssl_handshake_timeout, ssl_shutdown_timeout):
+        self.relay_correct_usage_check()
+        try:
+            to_return = await self.incoming_tp.upgrade(timeout,
+                                                       sslcontext, server_hostname=server_hostname,
+                                                       ssl_handshake_timeout=ssl_handshake_timeout,
+                                                       ssl_shutdown_timeout=ssl_shutdown_timeout)
+
+        except ssl.SSLError as e:
+            p_tj = parse_trojan_protocol(self.gateway_trojan)
+            print("INBOUND SSL ERROR: ", repr(e), "sni: ", self.upgrade_incoming_magic["in_sni"], "fake_sni: ",
+                  self.upgrade_outgoing_magic["kwargs"]["server_hostname"], "alpn: ",
+                  self.upgrade_incoming_magic["in_alpn"], "selected_alpn: ", self.upgrade_incoming_magic["chosen_alpn"],
+                  "address_type: ", p_tj["remote_address_type"],
+                  "address: ", p_tj["remote_address"], "port: ", p_tj["remote_port"], "client_hello: ",
+                  self.upgrade_incoming_magic["repeat_command"])
+            self.relay_close()
+        except Exception as e:
+            self.relay_close()
+        except asyncio.CancelledError:
+            self.relay_close()
+        else:
+            self.relay_correct_usage_check()
+            return to_return
+
+    async def outgoing_upgrade(self, timeout,
+                               sslcontext, *,
+                               server_hostname, ssl_handshake_timeout, ssl_shutdown_timeout):
+        self.relay_correct_usage_check()
+        try:
+            to_return = await self.outgoing_tp.upgrade(timeout,
+                                                       sslcontext, server_hostname=server_hostname,
+                                                       ssl_handshake_timeout=ssl_handshake_timeout,
+                                                       ssl_shutdown_timeout=ssl_shutdown_timeout)
+
+        except ssl.SSLError as e:
+            p_tj = parse_trojan_protocol(self.gateway_trojan)
+            print("OUTBOUND SSL ERROR: ", repr(e), "sni: ", self.upgrade_incoming_magic["in_sni"], "fake_sni: ",
+                  self.upgrade_outgoing_magic["kwargs"]["server_hostname"], "alpn: ",
+                  self.upgrade_incoming_magic["in_alpn"],
+                  "address_type: ", p_tj["remote_address_type"],
+                  "address: ", p_tj["remote_address"], "port: ", p_tj["remote_port"])
+            self.relay_close()
+        except Exception as e:
+            self.relay_close()
+        except asyncio.CancelledError:
+            self.relay_close()
+        else:
+            self.relay_correct_usage_check()
+            return to_return