GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/memcached/memcached_amp.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Exposure check for memcached servers that answer the "stats" command over
# UDP (CVE-2018-1000115, see the references below). One small probe is sent
# per host and the size of the reply is compared with the size of the request.
#
# A host reported as vulnerable is usually remediated by disabling the
# memcached UDP listener (`-U 0`) or by filtering 11211/udp from untrusted
# networks.
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Capture
  include Msf::Auxiliary::UDPScanner
  include Msf::Auxiliary::DRDoS

  # Registers the module metadata and sets the default RPORT to 11211.
  def initialize
    super(
      'Name' => 'Memcached Stats Amplification Scanner',
      'Description' => %q(
        This module can be used to discover Memcached servers which expose the
        unrestricted UDP port 11211. A basic "stats" request is executed to check
        if an amplification attack is possible against a third party.
      ),
      'Author' => [
        'Marek Majkowski', # Cloudflare blog and base payload
        'xistence <xistence[at]0x90.nl>', # Metasploit scanner module
        'Jon Hart <[email protected]>', # Metasploit scanner module
      ],
      'License' => MSF_LICENSE,
      'DisclosureDate' => 'Feb 27 2018',
      'References' => [
        ['URL', 'https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/'],
        ['CVE', '2018-1000115']
      ]
    )

    register_options([Opt::RPORT(11211)])
  end

  # Returns the UDP "stats" probe, building it on first use.
  #
  # Layout follows https://github.com/memcached/memcached/blob/master/doc/protocol.txt:
  # four 16-bit big-endian header fields followed by the ASCII command.
  # Because the result is memoised, the random request ID is chosen once and
  # the same datagram is reused for every later call.
  def build_probe
    return @memcached_probe if @memcached_probe

    fields = [
      rand(2**16), # random request ID
      0,           # sequence number
      1,           # number of datagrams in this sequence
      0,           # reserved; must be 0
      "stats\r\n"
    ]
    @memcached_probe = fields.pack("nnnna*")
  end

  # Stores a reply under its source address when it looks like "stats" output.
  #
  # data  - payload of the received datagram (untrusted network input)
  # shost - source address the datagram arrived from
  # sport - source port of the datagram; not used by this check
  def scanner_process(data, shost, sport)
    # The marker is CRLF followed by "STAT ", so it matches a STAT line that
    # comes after another line in the payload.
    # NOTE(review): only the payload content is checked here; the request ID in
    # the reply's frame header is not compared with the one sent by
    # build_probe, so a finding rests on the marker alone - confirm whether
    # that is acceptable for your reporting.
    return unless data =~ /\x0d\x0aSTAT\x20/

    (@results[shost] ||= []) << data
  end

  # Runs after the scan block: records the service for every responding host
  # and reports a vulnerability where amplification is demonstrated.
  #
  # batch - the batch that was scanned; not used here
  def scanner_postscan(batch)
    @results.keys.each do |host|
      report_service(host: host, proto: 'udp', port: rport, name: 'memcached')

      # prove_amplification is not defined on this page (presumably supplied by
      # the DRDoS mixin); it is given the probe mapped to the replies collected
      # for it and is used here as a [flag, description] pair.
      replies_by_probe = { @memcached_probe => @results[host] }
      amplifies, evidence = prove_amplification(replies_by_probe)

      endpoint = "#{host}:#{rport}"
      finding = 'memcached stats amplification'

      unless amplifies
        # Negative results are only shown in verbose mode.
        vprint_status("#{endpoint} - Not vulnerable to #{finding}: #{evidence}")
        next
      end

      print_good("#{endpoint} - Vulnerable to #{finding}: #{evidence}")
      report_vuln(host: host, port: rport, proto: 'udp', name: finding, refs: references)
    end
  end
end