SHARE
TWEET

MemCache Amp Scanner

wtfbbq Feb 27th, 2018 (edited) 2,711 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. //this might work or might not. just a simple memcache reflection scanner
  2. //
  3. //Memcached Reflection Scanner Proof of Concept
  4. //
  5. //compile: gcc scan.c -o scan -pthread
  6.  
  7. #include <pthread.h>
  8. #include <unistd.h>
  9. #include <stdio.h>
  10. #include <stdlib.h>
  11. #include <string.h>
  12. #include <sys/socket.h>
  13. #include <netinet/in.h>
  14. #include <signal.h>
  15. #include <sys/time.h>
  16. #include <sys/types.h>
  17. #include <math.h>
  18. #include <ctype.h>
  19. #include <errno.h>
  20. #include <arpa/inet.h>
  21. #include <netinet/ip.h>
  22. #include <netinet/udp.h>
  23.  
  24. volatile int running_threads = 0;
  25. volatile int found_srvs = 0;
  26. volatile unsigned long per_thread = 0;
  27. volatile unsigned long start = 0;
  28. volatile unsigned long scanned = 0;
  29. volatile int sleep_between = 0;
  30. volatile int bytes_sent = 0;
  31. volatile unsigned long hosts_done = 0;
  32. FILE *fd;
  33. char payload[] =
  34. "\x00\x01\x00\x00\x00\x01\x00\x00stats\r\n";
  35.  
  36. size = sizeof(payload);
  37.  
  38. void *flood(void *par1)
  39. {
  40.     running_threads++;
  41.     int thread_id = (int)par1;
  42.     unsigned long start_ip = htonl(ntohl(start)+(per_thread*thread_id));
  43.     unsigned long end = htonl(ntohl(start)+(per_thread*(thread_id+1)));
  44.     unsigned long w;
  45.     int y;
  46.     unsigned char buf[65536];
  47.     memset(buf, 0x01, 15);
  48.     int sizeofpayload = 15;
  49.     int sock;
  50.     if((sock=socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP))<0) {
  51.         perror("cant open socket");
  52.         exit(-1);
  53.     }
  54.     for(w=ntohl(start_ip);w<htonl(end);w++)
  55.     {
  56.         struct sockaddr_in servaddr;
  57.         bzero(&servaddr, sizeof(servaddr));
  58.         servaddr.sin_family = AF_INET;
  59.         servaddr.sin_addr.s_addr=htonl(w);
  60.         servaddr.sin_port=htons(11211);
  61.         sendto(sock,payload,size,0, (struct sockaddr *)&servaddr,sizeof(servaddr));
  62.         bytes_sent+=size;
  63.         scanned++;
  64.         hosts_done++;
  65.     }
  66.     close(sock);
  67.     running_threads--;
  68.     return;
  69. }
  70.  
  71. void sighandler(int sig)
  72. {
  73.     fclose(fd);
  74.     printf("\n");
  75.     exit(0);
  76. }
  77.  
  78. void *recievethread()
  79. {
  80.     printf("\n");
  81.     int saddr_size, data_size, sock_raw;
  82.     struct sockaddr_in saddr;
  83.     struct in_addr in;
  84.  
  85.     unsigned char *buffer = (unsigned char *)malloc(65536);
  86.     sock_raw = socket(AF_INET , SOCK_RAW , IPPROTO_UDP);
  87.     if(sock_raw < 0)
  88.     {
  89.         printf("Socket Error\n");
  90.         exit(1);
  91.     }
  92.     while(1)
  93.     {
  94.         saddr_size = sizeof saddr;
  95.         data_size = recvfrom(sock_raw , buffer , 65536 , 0 , (struct sockaddr *)&saddr , &saddr_size);
  96.         if(data_size <0 )
  97.         {
  98.             printf("Recvfrom error , failed to get packets\n");
  99.             exit(1);
  100.         }
  101.         struct iphdr *iph = (struct iphdr*)buffer;
  102.         if(iph->protocol == 17)
  103.         {
  104.             unsigned short iphdrlen = iph->ihl*4;
  105.             struct udphdr *udph = (struct udphdr*)(buffer + iphdrlen);
  106.             unsigned char* payload = buffer + iphdrlen + 15;
  107.             if(ntohs(udph->source) == 11211)
  108.             {
  109.                 int body_length = data_size - iphdrlen - 15;
  110.                 if (body_length > 40)
  111.                 {
  112.                 found_srvs++;
  113.                 fprintf(fd,"%s %d\n",inet_ntoa(saddr.sin_addr),body_length);
  114.                 fflush(fd);
  115.                 }
  116.             }
  117.         }
  118.     }
  119.     close(sock_raw);
  120. }
  121. int main(int argc, char *argv[ ])
  122. {
  123.     if(argc < 6){
  124.     fprintf(stderr, "Invalid parameters!\n");
  125.     fprintf(stdout, "Usage: %s <ip range start (1.0.0.0)> <ip range end (255.255.255.255)> <outfile> <threads> <scan delay in ms>\n", argv[0]);
  126.     exit(-1);
  127.     }
  128.     fd = fopen(argv[3], "a");
  129.     sleep_between = atoi(argv[5]);
  130.     signal(SIGINT, &sighandler);
  131.     int threads = atoi(argv[4]);
  132.     pthread_t thread;
  133.     pthread_t listenthread;
  134.     pthread_create( &listenthread, NULL, &recievethread, NULL);
  135.     char *str_start = malloc(18);
  136.     memset(str_start, 0, 18);
  137.     str_start = argv[1];
  138.     char *str_end = malloc(18);
  139.     memset(str_end, 0, 18);
  140.     str_end = argv[2];
  141.     start = inet_addr(str_start);
  142.     per_thread = (ntohl(inet_addr(str_end)) - ntohl(inet_addr(str_start))) / threads;
  143.     unsigned long toscan = (ntohl(inet_addr(str_end)) - ntohl(inet_addr(str_start)));
  144.     int i;
  145.     for(i = 0;i<threads;i++){
  146.         pthread_create( &thread, NULL, &flood, (void *) i);
  147.     }
  148.     sleep(1);
  149.     printf("Scan in Progress \n");
  150.     char *temp = (char *)malloc(17);
  151.     memset(temp, 0, 17);
  152.     sprintf(temp, "Found");
  153.     printf("%-16s", temp);
  154.     memset(temp, 0, 17);
  155.     sprintf(temp, "IP/s");
  156.     printf("%-16s", temp);
  157.     memset(temp, 0, 17);
  158.     sprintf(temp, "Bytes/s");
  159.     printf("%-16s", temp);
  160.     memset(temp, 0, 17);
  161.     sprintf(temp, "Threads");
  162.     printf("%-16s", temp);
  163.     memset(temp, 0, 17);
  164.     sprintf(temp, "Percent Done");
  165.     printf("%s", temp);
  166.     printf("\n");
  167.     char *new;
  168.     new = (char *)malloc(16*6);
  169.     while (running_threads > 0)
  170.     {
  171.         printf("\r");
  172.         memset(new, '\0', 16*6);
  173.         sprintf(new, "%s|%-15lu", new, found_srvs);
  174.         sprintf(new, "%s|%-15d", new, scanned);
  175.         sprintf(new, "%s|%-15d", new, bytes_sent);
  176.         sprintf(new, "%s|%-15d", new, running_threads);
  177.         memset(temp, 0, 17);
  178.         int percent_done=((double)(hosts_done)/(double)(toscan))*100;
  179.         sprintf(temp, "%d%%", percent_done);
  180.         sprintf(new, "%s|%s", new, temp);
  181.         printf("%s", new);
  182.         fflush(stdout);
  183.         bytes_sent=0;
  184.         scanned = 0;
  185.         sleep(1);
  186.     }
  187.     printf("\n");
  188.     fclose(fd);
  189.     return 0;
  190. }
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!
 
Top