Path: blob/master/modules/auxiliary/scanner/memcached/memcached_amp.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary scanner that sends a single memcached "stats" request over UDP and
# records which hosts answer with STAT lines. The amplification verdict itself
# is delegated to prove_amplification, which this class does not define
# (presumably supplied by the DRDoS mixin -- confirm).
#
# Reading a positive result as a defender: the host answered an unauthenticated
# UDP request on the scanned port. The usual remediation is to turn off
# memcached's UDP listener (`-U 0`) or to restrict 11211/udp to trusted
# networks.
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Capture
  include Msf::Auxiliary::UDPScanner
  include Msf::Auxiliary::DRDoS

  # Registers the module metadata and defaults RPORT to memcached's port 11211.
  def initialize
    super(
      'Name' => 'Memcached Stats Amplification Scanner',
      'Description' => %q(
        This module can be used to discover Memcached servers which expose the
        unrestricted UDP port 11211. A basic "stats" request is executed to check
        if an amplification attack is possible against a third party.
      ),
      'Author' => [
        'Marek Majkowski', # Cloudflare blog and base payload
        'xistence <xistence[at]0x90.nl>', # Metasploit scanner module
        'Jon Hart <[email protected]>', # Metasploit scanner module (address is obfuscated in this copy of the file)
      ],
      'License' => MSF_LICENSE,
      'DisclosureDate' => 'Feb 27 2018',
      'References' => [
        ['URL', 'https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/'],
        ['CVE', '2018-1000115']
      ]
    )

    register_options([Opt::RPORT(11211)])
  end

  # Builds the probe datagram once and reuses it for every later call.
  #
  # Layout, per https://github.com/memcached/memcached/blob/master/doc/protocol.txt:
  # four big-endian 16-bit fields (request ID, sequence number, datagram count,
  # reserved) followed by the ASCII command.
  #
  # @return [String] the packed probe
  def build_probe
    return @memcached_probe if @memcached_probe

    request_id = rand(2**16) # random per run; the same ID is then reused for every host
    sequence_number = 0
    datagram_count = 1
    reserved = 0 # must be 0

    @memcached_probe = [
      request_id,
      sequence_number,
      datagram_count,
      reserved,
      "stats\r\n"
    ].pack('n4a*')
  end

  # Keeps a reply only when it contains CRLF followed by "STAT ".
  #
  # NOTE(review): the match looks at the payload only. The request ID in the
  # first two bytes of the reply is not compared with the one sent, and sport
  # is not checked, so any datagram attributed to shost that contains this byte
  # sequence is counted as a response.
  #
  # @param data [String] raw datagram payload
  # @param shost [String] source address of the datagram
  # @param sport [Integer] source port of the datagram (unused here)
  def scanner_process(data, shost, sport)
    return unless data =~ /\x0d\x0aSTAT\x20/

    (@results[shost] ||= []) << data
  end

  # Called after the scan block. Every host with at least one stored reply is
  # reported as a memcached service; hosts for which prove_amplification
  # returns a truthy first value are also reported as vulnerable.
  #
  # @results is not initialised in this class and @memcached_probe is only set
  # by build_probe; both are presumably prepared by the scanner mixin before
  # this hook runs -- confirm.
  #
  # @param batch [Object] the batch that was just scanned (unused here)
  def scanner_postscan(batch)
    label = 'memcached stats amplification'
    hosts = @results.keys

    hosts.each do |host|
      report_service(host: host, proto: 'udp', port: rport, name: 'memcached')

      endpoint = "#{host}:#{rport}"
      # Map of probe => replies; the keyed-by-request shape is what
      # prove_amplification is given here.
      vulnerable, proof = prove_amplification({ @memcached_probe => @results[host] })

      unless vulnerable
        vprint_status("#{endpoint} - Not vulnerable to #{label}: #{proof}")
        next
      end

      print_good("#{endpoint} - Vulnerable to #{label}: #{proof}")
      report_vuln(host: host, port: rport, proto: 'udp', name: label, refs: references)
    end
  end
end