Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Auxiliary::Report
8
  include Msf::Exploit::Capture
9
  include Msf::Auxiliary::UDPScanner
10
  include Msf::Auxiliary::DRDoS
11

12
  def initialize
13
    super(
14
      'Name'        => 'Memcached Stats Amplification Scanner',
15
      'Description' => %q(
16
          This module can be used to discover Memcached servers which expose the
17
          unrestricted UDP port 11211. A basic "stats" request is executed to check
18
          if an amplification attack is possible against a third party.
19
      ),
20
      'Author'      =>
21
        [
22
          'Marek Majkowski', # Cloudflare blog and base payload
23
          'xistence <xistence[at]0x90.nl>', # Metasploit scanner module
24
          'Jon Hart <[email protected]>', # Metasploit scanner module
25
        ],
26
      'License'     => MSF_LICENSE,
27
      'DisclosureDate' => 'Feb 27 2018',
28
      'References'  =>
29
          [
30
            ['URL', 'https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/'],
31
            ['CVE', '2018-1000115']
32
          ]
33
    )
34

35
    register_options([
36
      Opt::RPORT(11211)
37
    ])
38
  end
39

40
  def build_probe
41
    # Memcached stats probe, per https://github.com/memcached/memcached/blob/master/doc/protocol.txt
42
    @memcached_probe ||= [
43
      rand(2**16), # random request ID
44
      0, # sequence number
45
      1, # number of datagrams in this sequence
46
      0, # reserved; must be 0
47
      "stats\r\n"
48
    ].pack("nnnna*")
49
  end
50

51
  def scanner_process(data, shost, sport)
52
    # Check the response data for a "STAT" response
53
    if data =~ /\x0d\x0aSTAT\x20/
54
      @results[shost] ||= []
55
      @results[shost] << data
56
    end
57
  end
58

59
  # Called after the scan block
60
  def scanner_postscan(batch)
61
    @results.keys.each do |host|
62
      response_map = { @memcached_probe => @results[host] }
63
      report_service(
64
        host: host,
65
        proto: 'udp',
66
        port: rport,
67
        name: 'memcached'
68
      )
69

70
      peer = "#{host}:#{rport}"
71
      vulnerable, proof = prove_amplification(response_map)
72
      what = 'memcached stats amplification'
73
      if vulnerable
74
        print_good("#{peer} - Vulnerable to #{what}: #{proof}")
75
        report_vuln(
76
          host: host,
77
          port: rport,
78
          proto: 'udp',
79
          name: what,
80
          refs: references
81
        )
82
      else
83
        vprint_status("#{peer} - Not vulnerable to #{what}: #{proof}")
84
      end
85
    end
86
  end
87
end
88

89