GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/memcached/memcached_amp.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Capture
  include Msf::Auxiliary::UDPScanner
  include Msf::Auxiliary::DRDoS

  # Module metadata. This is a UDP scanner: one "stats" request is sent to
  # each host and the DRDoS mixin judges whether the reply qualifies as
  # amplification (CVE-2018-1000115). The only module-specific option is the
  # target port; everything else is inherited from the mixins.
  def initialize
    super(
      'Name' => 'Memcached Stats Amplification Scanner',
      'Description' => %q(
        This module can be used to discover Memcached servers which expose the
        unrestricted UDP port 11211. A basic "stats" request is executed to check
        if an amplification attack is possible against a third party.
      ),
      'Author' => [
        'Marek Majkowski', # Cloudflare blog and base payload
        'xistence <xistence[at]0x90.nl>', # Metasploit scanner module
        'Jon Hart <[email protected]>', # Metasploit scanner module
      ],
      'License' => MSF_LICENSE,
      'DisclosureDate' => 'Feb 27 2018',
      'References' => [
        ['URL', 'https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/'],
        ['CVE', '2018-1000115']
      ]
    )

    register_options([
      Opt::RPORT(11211)
    ])
  end

  # Builds the single datagram sent to every host and caches it in
  # @memcached_probe, which scanner_postscan later uses as the key for the
  # amplification check. Frame layout follows the memcached UDP header in
  # https://github.com/memcached/memcached/blob/master/doc/protocol.txt:
  # four 16-bit big-endian fields followed by the ASCII command.
  #
  # @return [String] the packed probe bytes
  def build_probe
    return @memcached_probe if @memcached_probe

    request_id = rand(2**16) # random request ID
    # sequence number, number of datagrams in this sequence, reserved (must be 0)
    header = [request_id, 0, 1, 0]
    @memcached_probe = (header + ["stats\r\n"]).pack('nnnna*')
  end

  # Collects every reply that contains a "\r\nSTAT " line, i.e. looks like
  # memcached stats output. Replies without that marker are dropped, so the
  # host never enters @results and is not reported at all.
  #
  # @param data [String] raw UDP payload received from the host
  # @param shost [String] source address of the reply
  # @param sport [Integer] source port of the reply (unused)
  def scanner_process(data, shost, sport)
    return unless data.match?(/\x0d\x0aSTAT\x20/)

    (@results[shost] ||= []) << data
  end

  # Called after the scan block. Each host that answered is recorded as a
  # udp/memcached service; a vuln entry is added only when the DRDoS mixin's
  # prove_amplification accepts the collected replies.
  #
  # @param batch [Array<String>] hosts in this scan batch (unused)
  def scanner_postscan(batch)
    @results.each do |host, replies|
      report_service(host: host, proto: 'udp', port: rport, name: 'memcached')
      assess_amplification(host, replies)
    end
  end

  private

  # Runs the amplification check for one host and prints/reports the result.
  #
  # @param host [String] the responding host
  # @param replies [Array<String>] all STAT replies collected from it
  def assess_amplification(host, replies)
    finding = 'memcached stats amplification'
    peer = "#{host}:#{rport}"
    probe_to_replies = { @memcached_probe => replies }
    vulnerable, proof = prove_amplification(probe_to_replies)

    unless vulnerable
      vprint_status("#{peer} - Not vulnerable to #{finding}: #{proof}")
      return
    end

    print_good("#{peer} - Vulnerable to #{finding}: #{proof}")
    report_vuln(
      host: host,
      port: rport,
      proto: 'udp',
      name: finding,
      refs: references
    )
  end
end