Security
Headlines
HeadlinesLatestCVEs

Headline

Memcached Stats Amplification Scanner

This Metasploit module can be used to discover Memcached servers which expose the unrestricted UDP port 11211. A basic “stats” request is executed to check if an amplification attack is possible against a third party.

Packet Storm
#memcached#git#auth
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Report  include Msf::Exploit::Capture  include Msf::Auxiliary::UDPScanner  include Msf::Auxiliary::DRDoS  def initialize    super(      'Name'        => 'Memcached Stats Amplification Scanner',      'Description' => %q(          This module can be used to discover Memcached servers which expose the          unrestricted UDP port 11211. A basic "stats" request is executed to check          if an amplification attack is possible against a third party.      ),      'Author'      =>        [          'Marek Majkowski', # Cloudflare blog and base payload          'xistence <xistence[at]0x90.nl>', # Metasploit scanner module          'Jon Hart <[email protected]>', # Metasploit scanner module        ],      'License'     => MSF_LICENSE,      'DisclosureDate' => 'Feb 27 2018',      'References'  =>          [            ['URL', 'https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/'],            ['CVE', '2018-1000115']          ]    )    register_options([      Opt::RPORT(11211)    ])  end  def build_probe    # Memcached stats probe, per https://github.com/memcached/memcached/blob/master/doc/protocol.txt    @memcached_probe ||= [      rand(2**16), # random request ID      0, # sequence number      1, # number of datagrams in this sequence      0, # reserved; must be 0      "stats\r\n"    ].pack("nnnna*")  end  def scanner_process(data, shost, sport)    # Check the response data for a "STAT" response    if data =~ /\x0d\x0aSTAT\x20/      @results[shost] ||= []      @results[shost] << data    end  end  # Called after the scan block  def scanner_postscan(batch)    @results.keys.each do |host|      response_map = { @memcached_probe => @results[host] }      report_service(        host: host,        proto: 'udp',        port: rport,        name: 'memcached'      )      peer = "#{host}:#{rport}"      vulnerable, proof = prove_amplification(response_map)      what = 'memcached stats amplification'      if vulnerable        print_good("#{peer} - Vulnerable to #{what}: #{proof}")        report_vuln(          host: host,          port: rport,          proto: 'udp',          name: what,          refs: references        )      else        vprint_status("#{peer} - Not vulnerable to #{what}: #{proof}")      end    end  endend

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution