From 7e4274fc97ba1d4bcefac0359738c2301be81136 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Taneli=20Lepp=C3=A4?= Date: Mon, 4 Oct 2021 20:37:53 +0200 Subject: [PATCH 1/2] Added reMarkable 2.10 authentication support. --- README.md | 148 ++++++++++++++++++++----------------- client/client-conn.go | 5 +- client/client_auth.go | 47 ++++++++++++ go.mod | 2 + proxy/cmd/main.go | 37 ++++++++-- proxy/message-listeners.go | 25 ++++++- proxy/proxy.go | 60 ++++++++++++++- proxy/vnc-session.go | 19 +++-- server/client-messages.go | 9 ++- 9 files changed, 259 insertions(+), 93 deletions(-) diff --git a/README.md b/README.md index 855ab1d..c86f293 100644 --- a/README.md +++ b/README.md @@ -1,66 +1,82 @@ -# VncProxy [![CircleCI](https://circleci.com/gh/amitbet/vncproxy/tree/master.svg?style=shield)](https://circleci.com/gh/amitbet/vncproxy/tree/master) [![MIT Licensed](https://img.shields.io/badge/license-MIT-blue.svg)](https://raw.githubusercontent.com/CircleCI-Public/circleci-demo-go/master/LICENSE.md) - -An RFB proxy, written in go that can save and replay FBS files -* Supports all modern encodings & most useful pseudo-encodings -* Supports multiple VNC client connections & multi servers (chosen by sessionId) -* Supports being a "websockify" proxy (for web clients like NoVnc) -* Produces FBS files compatible with [tightvnc's rfb player](https://www.tightvnc.com/rfbplayer.php) (while using tight's default 3Byte color format) -* Can also be used as: - * A screen recorder vnc-client - * A replay server to show fbs recordings to connecting clients - -- Tested on tight encoding with: - - Tightvnc (client + java client + server) - - FBS player (tightVnc Java player) - - NoVnc(web client) => use -wsPort to open a websocket - - ChickenOfTheVnc(client) - - VineVnc(server) - - TigerVnc(client) - - Qemu vnc(server) - - -### Executables (see releases) -* proxy - the actual recording proxy, supports listening to tcp & ws ports and recording traffic to fbs files -* recorder - connects to a vnc server as a client and records the screen -* player - a toy player that will replay a given fbs file to all incoming connections - -## Usage: - recorder -recFile=./recording.rbs -targHost=192.168.0.100 -targPort=5903 -targPass=@@@@@ - player -fbsFile=./myrec.fbs -tcpPort=5905 - proxy -recDir=./recordings/ -targHost=192.168.0.100 -targPort=5903 -targPass=@@@@@ -tcpPort=5903 -wsPort=5905 -vncPass=@!@!@! - -### Code usage examples -* player/main.go (fbs recording vnc client) -    * Connects as client, records to FBS file -* proxy/proxy_test.go (vnc proxy with recording) - * Listens to both Tcp and WS ports - * Proxies connections to a hard-coded localhost vnc server - * Records session to an FBS file -* player/player_test.go (vnc replay server) - * Listens to Tcp & WS ports - * Replays a hard-coded FBS file in normal speed to all connecting vnc clients - -## **Architecture** - -![Image of Arch](https://github.com/amitbet/vncproxy/blob/master/architecture/proxy-arch.png?raw=true) - -Communication to vnc-server & vnc-client are done in the RFB binary protocol in the standard ways. -Internal communication inside the proxy is done by listeners (a pub-sub system) that provide a stream of bytes, parsed by delimiters which provide information about RFB message start & type / rectangle start / communication closed, etc. -This method allows for minimal delays in transfer, while retaining the ability to buffer and manipulate any part of the protocol. - -For the client messages which are smaller, we send fully parsed messages going trough the same listener system. -Currently client messages are used to determine the correct pixel format, since the client can change it by sending a SetPixelFormatMessage. - -Tracking the bytes that are read from the actual vnc-server is made simple by using the RfbReadHelper (implements io.Reader) which sends the bytes to the listeners, this negates the need for manually keeping track of each byte read in order to write it into the recorder. - -RFB Encoding-reader implementations do not decode pixel information, since this is not required for the proxy implementation. - - -This listener system was chosen over direct use of channels, since it allows the listening side to decide whether or not it wants to run in parallel, in contrast having channels inside the server/client objects which require you to create go routines (this creates problems when using go's native websocket implementation) - -The Recorder uses channels and runs in parallel to avoid hampering the communication through the proxy. - - -![Image of Arch](https://github.com/amitbet/vncproxy/blob/master/architecture/player-arch.png?raw=true) - -The code is based on several implementations of go-vnc including the original one by *Mitchell Hashimoto*, and the recentely active fork by *Vasiliy Tolstov*. +# VncProxy [![CircleCI](https://circleci.com/gh/amitbet/vncproxy/tree/master.svg?style=shield)](https://circleci.com/gh/amitbet/vncproxy/tree/master) [![MIT Licensed](https://img.shields.io/badge/license-MIT-blue.svg)](https://raw.githubusercontent.com/CircleCI-Public/circleci-demo-go/master/LICENSE.md) + +An RFB proxy, written in go that can save and replay FBS files +* Supports all modern encodings & most useful pseudo-encodings +* Supports multiple VNC client connections & multi servers (chosen by sessionId) +* Supports being a "websockify" proxy (for web clients like NoVnc) +* Produces FBS files compatible with [tightvnc's rfb player](https://www.tightvnc.com/rfbplayer.php) (while using tight's default 3Byte color format) +* Can also be used as: + * A screen recorder vnc-client + * A replay server to show fbs recordings to connecting clients + * Authentication proxy for reMarkable tablet (2.10+) + +- Tested on tight encoding with: + - Tightvnc (client + java client + server) + - FBS player (tightVnc Java player) + - NoVnc(web client) => use -wsPort to open a websocket + - ChickenOfTheVnc(client) + - VineVnc(server) + - TigerVnc(client) + - Qemu vnc(server) + + +### Executables (see releases) +* proxy - the actual recording proxy, supports listening to tcp & ws ports and recording traffic to fbs files +* recorder - connects to a vnc server as a client and records the screen +* player - a toy player that will replay a given fbs file to all incoming connections + +## Usage: + recorder -recFile=./recording.rbs -targHost=192.168.0.100 -targPort=5903 -targPass=@@@@@ + player -fbsFile=./myrec.fbs -tcpPort=5905 + proxy -recDir=./recordings/ -targHost=192.168.0.100 -targPort=5903 -targPass=@@@@@ -tcpPort=5903 -wsPort=5905 -vncPass=@!@!@! + +### Code usage examples +* player/main.go (fbs recording vnc client) +    * Connects as client, records to FBS file +* proxy/proxy_test.go (vnc proxy with recording) + * Listens to both Tcp and WS ports + * Proxies connections to a hard-coded localhost vnc server + * Records session to an FBS file +* player/player_test.go (vnc replay server) + * Listens to Tcp & WS ports + * Replays a hard-coded FBS file in normal speed to all connecting vnc clients + +### Examples of using with reMarkable +* Simply run the proxy with the `-reMarkable DEVICE_ID` flag +* To get the `DEVICE_ID`: + * Log into reMarkable via SSH + * Extract the `devicetoken` string (exclude the `@ByteArray` wrapper) the string from `/etc/remarkable.conf` + * Run the following Python snippet to decrypt the `devicetoken`: + ``` + pip3 install --user PyJWT + python3 -c 'import sys,jwt;t=jwt.decode(sys.argv[1],options={"verify_signature":False});print(t)' '(DEVICE TOKEN HERE)' + ``` + * In output, you should get a string starting with `auth0|`. The whole string is your device ID which should + be passed to be `-reMarkable` flag. +* After you should be able to connect to the reMarkable via the proxy with a normal + VNC client (tested with TightVNC) + +## **Architecture** + +![Image of Arch](https://github.com/amitbet/vncproxy/blob/master/architecture/proxy-arch.png?raw=true) + +Communication to vnc-server & vnc-client are done in the RFB binary protocol in the standard ways. +Internal communication inside the proxy is done by listeners (a pub-sub system) that provide a stream of bytes, parsed by delimiters which provide information about RFB message start & type / rectangle start / communication closed, etc. +This method allows for minimal delays in transfer, while retaining the ability to buffer and manipulate any part of the protocol. + +For the client messages which are smaller, we send fully parsed messages going trough the same listener system. +Currently client messages are used to determine the correct pixel format, since the client can change it by sending a SetPixelFormatMessage. + +Tracking the bytes that are read from the actual vnc-server is made simple by using the RfbReadHelper (implements io.Reader) which sends the bytes to the listeners, this negates the need for manually keeping track of each byte read in order to write it into the recorder. + +RFB Encoding-reader implementations do not decode pixel information, since this is not required for the proxy implementation. + + +This listener system was chosen over direct use of channels, since it allows the listening side to decide whether or not it wants to run in parallel, in contrast having channels inside the server/client objects which require you to create go routines (this creates problems when using go's native websocket implementation) + +The Recorder uses channels and runs in parallel to avoid hampering the communication through the proxy. + + +![Image of Arch](https://github.com/amitbet/vncproxy/blob/master/architecture/player-arch.png?raw=true) + +The code is based on several implementations of go-vnc including the original one by *Mitchell Hashimoto*, and the recentely active fork by *Vasiliy Tolstov*. diff --git a/client/client-conn.go b/client/client-conn.go index 9fa2008..956a10a 100644 --- a/client/client-conn.go +++ b/client/client-conn.go @@ -4,11 +4,12 @@ import ( "bytes" "encoding/binary" "fmt" - "github.com/amitbet/vncproxy/common" - "github.com/amitbet/vncproxy/logger" "io" "net" "unicode" + + "github.com/amitbet/vncproxy/common" + "github.com/amitbet/vncproxy/logger" ) // A ServerMessage implements a message sent from the server to the client. diff --git a/client/client_auth.go b/client/client_auth.go index 7af6c06..f1d4d9d 100644 --- a/client/client_auth.go +++ b/client/client_auth.go @@ -1,9 +1,13 @@ package client import ( + "bytes" "crypto/des" + "crypto/sha256" "encoding/binary" "io" + + "github.com/amitbet/vncproxy/logger" ) // ClientAuthNone is the "none" authentication. See 7.2.1 @@ -110,3 +114,46 @@ func (p *PasswordAuth) encrypt(key string, bytes []byte) ([]byte, error) { return crypted, nil } + +// RemarkableAuth is the authentication method used by reMarkable tablet's +// Screen Sharing feature +type RemarkableAuth struct { + RemarkableTimestamp uint64 + RemarkableDeviceId string +} + +func (p *RemarkableAuth) SecurityType() uint8 { + return 100 +} + +func (p *RemarkableAuth) Handshake(c io.ReadWriteCloser) error { + userIdHash := sha256.Sum256([]byte(p.RemarkableDeviceId)) + + var tsBuf []byte + pb := bytes.NewBuffer(tsBuf) + err := binary.Write(pb, binary.BigEndian, p.RemarkableTimestamp) + if err != nil { + return err + } + logger.Debugf("Hash with timestamp: %x", pb.Bytes()) + userIdAndTs := append(pb.Bytes(), userIdHash[:]...) + logger.Debugf("Hash with timestamp and user ID hash: %x", userIdAndTs) + + challenge := sha256.Sum256(userIdAndTs) + var challengeLength uint32 = uint32(len(challenge)) + logger.Debugf("Writing challenge length: %v", challengeLength) + if err := binary.Write(c, binary.BigEndian, challengeLength); err != nil { + return err + } + logger.Debugf("Writing challenge: %x", challenge) + if err := binary.Write(c, binary.BigEndian, challenge); err != nil { + return err + } + + // Some reason there is another security result... we're just gonna ignore this. + var securityResult uint8 + if err = binary.Read(c, binary.BigEndian, &securityResult); err != nil { + return err + } + return nil +} diff --git a/go.mod b/go.mod index ebb757d..77f3a1a 100644 --- a/go.mod +++ b/go.mod @@ -1,3 +1,5 @@ module github.com/amitbet/vncproxy require golang.org/x/net v0.0.0-20181129055619-fae4c4e3ad76 + +go 1.13 diff --git a/proxy/cmd/main.go b/proxy/cmd/main.go index 4a5c839..4806849 100644 --- a/proxy/cmd/main.go +++ b/proxy/cmd/main.go @@ -4,6 +4,8 @@ import ( "flag" "os" "path/filepath" + "strconv" + "strings" "github.com/amitbet/vncproxy/logger" vncproxy "github.com/amitbet/vncproxy/proxy" @@ -20,7 +22,9 @@ func main() { var targetVncHost = flag.String("targHost", "", "target vnc server host (deprecated, use -target)") var targetVncPass = flag.String("targPass", "", "target vnc password") var logLevel = flag.String("logLevel", "info", "change logging level") - + var reMarkable = flag.String("reMarkable", "", "reMarkable device ID (enable reMarkable 2.10+ support)") + var overrideEncodings = flag.String("overrideEncodings", "", "force a specific set of encodings to be sent to the target vnc server (encoding types separated by comma)") + var tls = flag.Bool("tls", false, "use TLS connection (turned on automatically if reMarkable)") flag.Parse() logger.SetLogLevel(*logLevel) @@ -48,18 +52,31 @@ func main() { if *wsPort != "" { wsURL = "http://0.0.0.0:" + string(*wsPort) + "/" } + var overrideEncodingsList []uint32 + if *overrideEncodings != "" { + for _, enc := range strings.Split(*overrideEncodings, ",") { + encI, err := strconv.Atoi(enc) + if err != nil { + panic(err) + } + overrideEncodingsList = append(overrideEncodingsList, uint32(encI)) + } + } proxy := &vncproxy.VncProxy{ WsListeningURL: wsURL, // empty = not listening on ws TCPListeningURL: tcpURL, ProxyVncPassword: *vncPass, //empty = no auth SingleSession: &vncproxy.VncSession{ - Target: *targetVnc, - TargetHostname: *targetVncHost, - TargetPort: *targetVncPort, - TargetPassword: *targetVncPass, //"vncPass", - ID: "dummySession", - Status: vncproxy.SessionStatusInit, - Type: vncproxy.SessionTypeProxyPass, + Target: *targetVnc, + TargetHostname: *targetVncHost, + TargetPort: *targetVncPort, + TargetPassword: *targetVncPass, //"vncPass", + ID: "dummySession", + Status: vncproxy.SessionStatusInit, + Type: vncproxy.SessionTypeProxyPass, + RemarkableDeviceId: *reMarkable, + TLS: *reMarkable != "" || *tls, + OverrideEncodings: overrideEncodingsList, }, // to be used when not using sessions UsingSessions: false, //false = single session - defined in the var above } @@ -75,6 +92,10 @@ func main() { } else { logger.Info("FBS recording is turned off") } + if *reMarkable != "" { + logger.Info("reMarkable 2.10+ support turned on") + proxy.Remarkable = true + } proxy.StartListening() } diff --git a/proxy/message-listeners.go b/proxy/message-listeners.go index fa4591b..e9cb1fc 100644 --- a/proxy/message-listeners.go +++ b/proxy/message-listeners.go @@ -8,7 +8,9 @@ import ( ) type ClientUpdater struct { - conn *client.ClientConn + conn *client.ClientConn + suppressedMessageTypes []common.ClientMessageType + overrideEncodings []common.EncodingType } // Consume recieves vnc-server-bound messages (Client messages) and updates the server part of the proxy @@ -19,8 +21,15 @@ func (cc *ClientUpdater) Consume(seg *common.RfbSegment) error { case common.SegmentFullyParsedClientMessage: clientMsg := seg.Message.(common.ClientMessage) logger.Debugf("ClientUpdater.Consume:(vnc-server-bound) got ClientMessage type=%s", clientMsg.Type()) - switch clientMsg.Type() { + switch clientMsg.Type() { + case common.SetEncodingsMsgType: + if len(cc.overrideEncodings) > 0 { + logger.Debugf("ClientUpdater.Consume:(vnc-server-bound) overriding supported encodings with %v", cc.overrideEncodings) + encodingsMsg := clientMsg.(*server.MsgSetEncodings) + encodingsMsg.EncNum = uint16(len(cc.overrideEncodings)) + encodingsMsg.Encodings = cc.overrideEncodings + } case common.SetPixelFormatMsgType: // update pixel format logger.Debugf("ClientUpdater.Consume: updating pixel format") @@ -28,6 +37,18 @@ func (cc *ClientUpdater) Consume(seg *common.RfbSegment) error { cc.conn.PixelFormat = pixFmtMsg.PF } + suppressMessage := false + for _, suppressed := range cc.suppressedMessageTypes { + if suppressed == clientMsg.Type() { + suppressMessage = true + break + } + } + if suppressMessage { + logger.Infof("ClientUpdater.Consume:(vnc-server-bound) Suppressing client message type=%s", clientMsg.Type()) + return nil + } + err := clientMsg.Write(cc.conn) if err != nil { logger.Errorf("ClientUpdater.Consume (vnc-server-bound, SegmentFullyParsedClientMessage): problem writing to port: %s", err) diff --git a/proxy/proxy.go b/proxy/proxy.go index 7651197..48c6d9f 100644 --- a/proxy/proxy.go +++ b/proxy/proxy.go @@ -1,6 +1,9 @@ package proxy import ( + "bytes" + "crypto/tls" + "encoding/binary" "net" "path" "strconv" @@ -22,10 +25,11 @@ type VncProxy struct { ProxyVncPassword string //empty = no auth SingleSession *VncSession // to be used when not using sessions UsingSessions bool //false = single session - defined in the var above + Remarkable bool sessionManager *SessionManager } -func (vp *VncProxy) createClientConnection(target string, vncPass string) (*client.ClientConn, error) { +func (vp *VncProxy) createClientConnection(target string, vncPass string, tlsEnabled bool, reMarkableDeviceId string) (*client.ClientConn, error) { var ( nc net.Conn err error @@ -35,6 +39,19 @@ func (vp *VncProxy) createClientConnection(target string, vncPass string) (*clie nc, err = net.Dial("unix", target) } else { nc, err = net.Dial("tcp", target) + if tlsEnabled { + logger.Info("Upgrading to TLS connection...") + config := tls.Config{ + InsecureSkipVerify: true, + } + tc := tls.Client(nc, &config) + err = tc.Handshake() + if err != nil { + return nil, err + } + + nc = tc + } } if err != nil { @@ -44,6 +61,31 @@ func (vp *VncProxy) createClientConnection(target string, vncPass string) (*clie var noauth client.ClientAuthNone authArr := []client.ClientAuth{&client.PasswordAuth{Password: vncPass}, &noauth} + var rmTimestamp uint64 + if reMarkableDeviceId != "" { + logger.Info("Enabling reMarkable 2.10+ support") + + authC, err := net.ListenPacket("udp", ":5901") + if err != nil { + return nil, err + } + defer authC.Close() + + buffer := make([]byte, 128) // datagram size 51 bytes + n, addr, err := authC.ReadFrom(buffer) + logger.Debugf("Received datagram from reMarkable (%v, %v bytes)", addr, n) + + pb := bytes.NewBuffer(buffer) + err = binary.Read(pb, binary.BigEndian, &rmTimestamp) + if err != nil { + return nil, err + } + logger.Debugf("reMarkable timestamp is %v", rmTimestamp) + authArr = append(authArr, &client.RemarkableAuth{ + RemarkableTimestamp: rmTimestamp, + RemarkableDeviceId: reMarkableDeviceId, + }) + } clientConn, err := client.NewClientConn(nc, &client.ClientConfig{ @@ -100,7 +142,7 @@ func (vp *VncProxy) newServerConnHandler(cfg *server.ServerConfig, sconn *server target = session.TargetHostname + ":" + session.TargetPort } - cconn, err := vp.createClientConnection(target, session.TargetPassword) + cconn, err := vp.createClientConnection(target, session.TargetPassword, session.TLS, session.RemarkableDeviceId) if err != nil { session.Status = SessionStatusError logger.Errorf("Proxy.newServerConnHandler error creating connection: %s", err) @@ -119,7 +161,16 @@ func (vp *VncProxy) newServerConnHandler(cfg *server.ServerConfig, sconn *server // gets the messages from the server part (from vnc-client), // and write through the client to the actual vnc-server - clientUpdater := &ClientUpdater{cconn} + var clientUpdater *ClientUpdater + clientUpdater = &ClientUpdater{conn: cconn} + if session.RemarkableDeviceId != "" { + clientUpdater.suppressedMessageTypes = []common.ClientMessageType{common.SetPixelFormatMsgType} + } + if len(session.OverrideEncodings) > 0 { + for _, enc := range session.OverrideEncodings { + clientUpdater.overrideEncodings = append(clientUpdater.overrideEncodings, common.EncodingType(enc)) + } + } sconn.Listeners.AddListener(clientUpdater) err = cconn.Connect() @@ -185,6 +236,9 @@ func (vp *VncProxy) StartListening() { NewConnHandler: vp.newServerConnHandler, UseDummySession: !vp.UsingSessions, } + if vp.Remarkable { + cfg.DesktopName = []byte("reMarkable rfb") + } if vp.TCPListeningURL != "" && vp.WsListeningURL != "" { logger.Infof("running two listeners: tcp port: %s, ws url: %s", vp.TCPListeningURL, vp.WsListeningURL) diff --git a/proxy/vnc-session.go b/proxy/vnc-session.go index dd8ac64..6554e6a 100644 --- a/proxy/vnc-session.go +++ b/proxy/vnc-session.go @@ -16,12 +16,15 @@ const ( ) type VncSession struct { - Target string - TargetHostname string - TargetPort string - TargetPassword string - ID string - Status SessionStatus - Type SessionType - ReplayFilePath string + Target string + TargetHostname string + TargetPort string + TargetPassword string + ID string + Status SessionStatus + Type SessionType + ReplayFilePath string + RemarkableDeviceId string + TLS bool + OverrideEncodings []uint32 } diff --git a/server/client-messages.go b/server/client-messages.go index cb8ae08..bd788e6 100644 --- a/server/client-messages.go +++ b/server/client-messages.go @@ -3,6 +3,7 @@ package server import ( "encoding/binary" "io" + "github.com/amitbet/vncproxy/common" ) @@ -313,10 +314,10 @@ func (msg *MsgClientCutText) Write(c io.Writer) error { // MsgClientQemuExtendedKey holds the wire format message, for qemu keys type MsgClientQemuExtendedKey struct { - SubType uint8 // sub type - IsDown uint16 // button down indicator - KeySym uint32 // key symbol - KeyCode uint32 // key code + SubType uint8 // sub type + IsDown uint16 // button down indicator + KeySym uint32 // key symbol + KeyCode uint32 // key code } func (*MsgClientQemuExtendedKey) Type() common.ClientMessageType { From 2293f40fbf176c2d21ded2080b0bb12429954360 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Taneli=20Lepp=C3=A4?= Date: Mon, 4 Oct 2021 22:07:23 +0200 Subject: [PATCH 2/2] Added Dockerfile. --- Dockerfile | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 Dockerfile diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..9e35331 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,22 @@ +FROM golang:1.17 + +WORKDIR $GOPATH/src/github.com/amitbet/vncproxy + +RUN mkdir -p $GOPATH/src/github.com/amitbet/vncproxy +COPY . . + +RUN cd $GOPATH/src/github.com/amitbet/vncproxy/recorder/cmd && \ + CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" -o /recorder . +RUN cd $GOPATH/src/github.com/amitbet/vncproxy/proxy/cmd && \ + CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" -o /proxy . +RUN cd $GOPATH/src/github.com/amitbet/vncproxy/player/cmd && \ + CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" -o /player . + +FROM scratch +COPY --from=0 /recorder /recorder +COPY --from=0 /proxy /proxy +COPY --from=0 /player /player + +EXPOSE 5900 + +ENTRYPOINT ["/proxy"] \ No newline at end of file