garrettskj / ac_patcher Goto Github PK
View Code? Open in Web Editor NEWAnyConnect Patcher for Freedom
License: GNU General Public License v3.0
AnyConnect Patcher for Freedom
License: GNU General Public License v3.0
Does patch 4.10.03104, but the VPN doesn't start after patching.
Patching Completed Successfully,
But, It Failed to start process vpnagentd
radare2 5.1.1 0 @ darwin-x86-64 git.
commit: HEAD build: 2021-02-16__00:59:55
Found method @ 0x1000c0c66
Looks like it's called from: 0x1000605bd
Patching Completed Successfully
The VPN Service is not available. Exiting.
Mar 3 23:50:32 com.apple.xpc.launchd[1] (com.apple.ReportCrash.Root[1864]): Binary is improperly signed.
Mar 3 23:50:32 ReportCrash[1866]: objc[1866]: Class CrashReport is implemented in both /System/Library/PrivateFrameworks/CrashReporterSupport.framework/Versions/A/CrashReporterSupport and /System/Library/CoreServices/ReportCrash. One of the two will be used. Which one is undefined.
Hi all,
I just tried to run this script in hope it will fix all my pain. But wonder not happen :(
In the result a new file was built, but size of the file is bigger than I expect (about 4 GB. 😮 )
❯ ls -lah vpn*
.rwxr-xr-x rgainanov wheel 4.0G an hour ago vpnagentd
.rwxr-xr-x root wheel 2.7M 13 minutes ago vpnagentd.orig
❯ ./vpnagentd.orig --version
Cisco Systems VPN Agent (version 5.0.05040 )
Copyright (C) 1998-2010 All Rights Reserved.
There is a log of my attempt:
# ./anyconnect_patch.py
WARNING: bin_strings buffer is too big (0xfffffffffff04710). Use -zzz or set bin.maxstrbuf (RABIN2_MAXSTRBUF) in r2 (rabin2)
WARNING: bin_strings buffer is too big (0xfffffffffff023b2). Use -zzz or set bin.maxstrbuf (RABIN2_MAXSTRBUF) in r2 (rabin2)
WARNING: bin_strings buffer is too big (0xffffffffffee74a8). Use -zzz or set bin.maxstrbuf (RABIN2_MAXSTRBUF) in r2 (rabin2)
Opening and analyzing, 15 seconds...
Value from 0x00000000 to 0x002bc3c0
aav: 0x00000000-0x002bc3c0 in 0x0-0x2bc3c0
aav: 0x00000000-0x002bc3c0 in 0x100007f8c-0x1001093b8
aav: 0x00000000-0x002bc3c0 in 0x10010c000-0x10010e839
aav: 0x00000000-0x002bc3c0 in 0x10010e840-0x10010ed00
Value from 0x100007f8c to 0x1001093b8
aav: 0x100007f8c-0x1001093b8 in 0x0-0x2bc3c0
aav: 0x100007f8c-0x1001093b8 in 0x100007f8c-0x1001093b8
aav: 0x100007f8c-0x1001093b8 in 0x10010c000-0x10010e839
aav: 0x100007f8c-0x1001093b8 in 0x10010e840-0x10010ed00
Value from 0x10010c000 to 0x10010e839
aav: 0x10010c000-0x10010e839 in 0x0-0x2bc3c0
aav: 0x10010c000-0x10010e839 in 0x100007f8c-0x1001093b8
aav: 0x10010c000-0x10010e839 in 0x10010c000-0x10010e839
aav: 0x10010c000-0x10010e839 in 0x10010e840-0x10010ed00
Value from 0x10010e840 to 0x10010ed00
aav: 0x10010e840-0x10010ed00 in 0x0-0x2bc3c0
aav: 0x10010e840-0x10010ed00 in 0x100007f8c-0x1001093b8
aav: 0x10010e840-0x10010ed00 in 0x10010c000-0x10010e839
aav: 0x10010e840-0x10010ed00 in 0x10010e840-0x10010ed00
WARNING : block size exceeding max block size at 0x0016f5e4
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x00135d6c
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x00132dd0
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x0013acb0
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x0013c628
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x0028f938
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x0028dda4
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x00290144
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x0028fe18
[+] Try changing it with e anal.bb.maxsize
Found method StartInterface @ 0x1000d6610
WARNING: bin_strings buffer is too big (0xfffffffffff04710). Use -zzz or set bin.maxstrbuf (RABIN2_MAXSTRBUF) in r2 (rabin2)
WARNING: bin_strings buffer is too big (0xfffffffffff023b2). Use -zzz or set bin.maxstrbuf (RABIN2_MAXSTRBUF) in r2 (rabin2)
WARNING: bin_strings buffer is too big (0xffffffffffee74a8). Use -zzz or set bin.maxstrbuf (RABIN2_MAXSTRBUF) in r2 (rabin2)
Value from 0x00000000 to 0x002bc3c0
aav: 0x00000000-0x002bc3c0 in 0x0-0x2bc3c0
aav: 0x00000000-0x002bc3c0 in 0x100007f8c-0x1001093b8
aav: 0x00000000-0x002bc3c0 in 0x10010c000-0x10010e839
aav: 0x00000000-0x002bc3c0 in 0x10010e840-0x10010ed00
Value from 0x100007f8c to 0x1001093b8
aav: 0x100007f8c-0x1001093b8 in 0x0-0x2bc3c0
aav: 0x100007f8c-0x1001093b8 in 0x100007f8c-0x1001093b8
aav: 0x100007f8c-0x1001093b8 in 0x10010c000-0x10010e839
aav: 0x100007f8c-0x1001093b8 in 0x10010e840-0x10010ed00
Value from 0x10010c000 to 0x10010e839
aav: 0x10010c000-0x10010e839 in 0x0-0x2bc3c0
aav: 0x10010c000-0x10010e839 in 0x100007f8c-0x1001093b8
aav: 0x10010c000-0x10010e839 in 0x10010c000-0x10010e839
aav: 0x10010c000-0x10010e839 in 0x10010e840-0x10010ed00
Value from 0x10010e840 to 0x10010ed00
aav: 0x10010e840-0x10010ed00 in 0x0-0x2bc3c0
aav: 0x10010e840-0x10010ed00 in 0x100007f8c-0x1001093b8
aav: 0x10010e840-0x10010ed00 in 0x10010c000-0x10010e839
aav: 0x10010e840-0x10010ed00 in 0x10010e840-0x10010ed00
WARNING : block size exceeding max block size at 0x0016f5e4
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x00135d6c
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x00132dd0
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x0013acb0
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x0013c628
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x0028f938
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x0028dda4
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x00290144
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x0028fe18
[+] Try changing it with e anal.bb.maxsize
Opening and finding the method now, 15 seconds...
Looks like it's called from: ['0x100070f54']
WARNING: bin_strings buffer is too big (0xfffffffffff04710). Use -zzz or set bin.maxstrbuf (RABIN2_MAXSTRBUF) in r2 (rabin2)
WARNING: bin_strings buffer is too big (0xfffffffffff023b2). Use -zzz or set bin.maxstrbuf (RABIN2_MAXSTRBUF) in r2 (rabin2)
WARNING: bin_strings buffer is too big (0xffffffffffee74a8). Use -zzz or set bin.maxstrbuf (RABIN2_MAXSTRBUF) in r2 (rabin2)
Value from 0x00000000 to 0x002bc3c0
aav: 0x00000000-0x002bc3c0 in 0x0-0x2bc3c0
aav: 0x00000000-0x002bc3c0 in 0x100007f8c-0x1001093b8
aav: 0x00000000-0x002bc3c0 in 0x10010c000-0x10010e839
aav: 0x00000000-0x002bc3c0 in 0x10010e840-0x10010ed00
Value from 0x100007f8c to 0x1001093b8
aav: 0x100007f8c-0x1001093b8 in 0x0-0x2bc3c0
aav: 0x100007f8c-0x1001093b8 in 0x100007f8c-0x1001093b8
aav: 0x100007f8c-0x1001093b8 in 0x10010c000-0x10010e839
aav: 0x100007f8c-0x1001093b8 in 0x10010e840-0x10010ed00
Value from 0x10010c000 to 0x10010e839
aav: 0x10010c000-0x10010e839 in 0x0-0x2bc3c0
aav: 0x10010c000-0x10010e839 in 0x100007f8c-0x1001093b8
aav: 0x10010c000-0x10010e839 in 0x10010c000-0x10010e839
aav: 0x10010c000-0x10010e839 in 0x10010e840-0x10010ed00
Value from 0x10010e840 to 0x10010ed00
aav: 0x10010e840-0x10010ed00 in 0x0-0x2bc3c0
aav: 0x10010e840-0x10010ed00 in 0x100007f8c-0x1001093b8
aav: 0x10010e840-0x10010ed00 in 0x10010c000-0x10010e839
aav: 0x10010e840-0x10010ed00 in 0x10010e840-0x10010ed00
WARNING : block size exceeding max block size at 0x0016f5e4
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x00135d6c
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x00132dd0
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x0013acb0
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x0013c628
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x0028f938
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x0028dda4
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x00290144
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x0028fe18
[+] Try changing it with e anal.bb.maxsize
Patching Completed Successfully
Now patching FileSignature verification
Opening and analyzing, 15 seconds...
Value from 0x00000000 to 0x100070f59
Skipping huge range
Skipping huge range
Found method VerifyFileSignatureCollective::IsValid @
Value from 0x00000000 to 0x100070f59
Skipping huge range
Skipping huge range
Opening and finding the method now, 15 seconds...
Looks like it's called from: ['']
Patching Failed, maybe already done?
I run it in Docker with this compose-file:
version: "2.4"
services:
anyhack:
build:
context: .
dockerfile: Dockerfile
command: sleep 6000
volumes:
- ${PWD}:/srv
The patching completed successfully, but VPN doesn't starting.
hello @garrettskj
I propose to improve for dependency installation for ac_patcher
I spent a lot of time for installation dependencies to my workstation and this was very difficult.
I think, we can use container to install dependencies
PR #11
Thank you for the code made public. Is there any option to make this MacOS compatible?
Hi Garrett,
nice patch and good job, would be nice to work cause with confinement it's hard to use my docker containers.
My company uses 3.1 version anyconnect and i tried your patch
Unfortunately it's not working
First i tried with old version of radare2 (2.3) on ubuntu
Second i update radare2 to 4.6
In both cases the vpnagentd has errors
Run File: ../../vpn/Agent/MainThread.cpp Line: 341 Invoked Function: CHostConfigMgr::StartInterfaceMonitoring Return Code: 130974320
What version of radare2 do u used ?
Eric
Outputs
with 2.3
sudo python3 anyconnect_patch.sh
WARNING : block size exceeding max block size at 0x000187ac
[+] Try changing it with e anal.bb.maxsize
Found method @ 0x000212d0
WARNING : block size exceeding max block size at 0x000187ac
[+] Try changing it with e anal.bb.maxsize
Looks like it's called from: 0x76465
WARNING : block size exceeding max block size at 0x000187ac
[+] Try changing it with e anal.bb.maxsize
Patching Completed Successfully
with 4.6
sudo python3 anyconnect_patch.sh
Warning: run r2 with -e io.cache=true to fix relocations in disassembly
Invalid address from 0x000272fb
Invalid address from 0x00048e23
Invalid address from 0x00048715
Invalid address from 0x000554b7
Invalid address from 0x000800fe
Invalid address from 0x00088a49
Found method @ 0x000212d0
Warning: run r2 with -e io.cache=true to fix relocations in disassembly
Invalid address from 0x000272fb
Invalid address from 0x00048e23
Invalid address from 0x00048715
Invalid address from 0x000554b7
Invalid address from 0x000800fe
Invalid address from 0x00088a49
Looks like it's called from: 0x76465
Warning: run r2 with -e io.cache=true to fix relocations in disassembly
Invalid address from 0x000272fb
Invalid address from 0x00048e23
Invalid address from 0x00048715
Invalid address from 0x000554b7
Invalid address from 0x000800fe
Invalid address from 0x00088a49
Patching Completed Successfully
Job for vpnagentd.service failed because the control process exited with error code.
See "systemctl status vpnagentd.service" and "journalctl -xe" for details.
The patching completed successfully, but AnyConnect UI Completely freezes
First of all, thank you for this genius solution. I've found that it only intermittently connects. Sometimes when I try, it works, and other times, I get the error that it failed to establish a connection, after clicking the "Accept" on the banner notification. I believe the auth is working, but it dies after that very last step. I've also had intermittent issues when it successfully connects, where vpnagentd keeps overwriting /etc/resolv.conf even when I: chattr +i /etc/resolv.conf.
It's entirely possible this is something on the VPN server side, but I wanted to see if you had any ideas.
Using version 4.9.01095
EDIT: Added debug output.
vpn.txt
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.