{"id":59326,"date":"2024-09-01T03:00:08","date_gmt":"2024-09-01T00:00:08","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/180943\/memcached_amp.rb.txt"},"modified":"2024-09-01T03:00:08","modified_gmt":"2024-09-01T00:00:08","slug":"memcached-stats-amplification-scanner","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/memcached-stats-amplification-scanner\/","title":{"rendered":"Memcached Stats Amplification Scanner"},"content":{"rendered":"<p>##<br \/># This module requires Metasploit: https:\/\/metasploit.com\/download<br \/># Current source: https:\/\/github.com\/rapid7\/metasploit-framework<br \/>##<\/p>\n<p>class MetasploitModule &lt; Msf::Auxiliary<br \/>include Msf::Auxiliary::Report<br \/>include Msf::Exploit::Capture<br \/>include Msf::Auxiliary::UDPScanner<br \/>include Msf::Auxiliary::DRDoS<\/p>\n<p>def initialize<br \/>super(<br \/>&#8216;Name&#8217; =&gt; &#8216;Memcached Stats Amplification Scanner&#8217;,<br \/>&#8216;Description&#8217; =&gt; %q(<br \/>This module can be used to discover Memcached servers which expose the<br \/>unrestricted UDP port 11211. A basic &#8220;stats&#8221; request is executed to check<br \/>if an amplification attack is possible against a third party.<br \/>),<br \/>&#8216;Author&#8217; =&gt;<br \/>[<br \/>&#8216;Marek Majkowski&#8217;, # Cloudflare blog and base payload<br \/>&#8216;xistence &lt;xistence[at]0x90.nl&gt;&#8217;, # Metasploit scanner module<br \/>&#8216;Jon Hart &lt;jon_hart@rapid7.com&gt;&#8217;, # Metasploit scanner module<br \/>],<br \/>&#8216;License&#8217; =&gt; MSF_LICENSE,<br \/>&#8216;DisclosureDate&#8217; =&gt; &#8216;Feb 27 2018&#8217;,<br \/>&#8216;References&#8217; =&gt;<br \/>[<br \/>[&#8216;URL&#8217;, &#8216;https:\/\/blog.cloudflare.com\/memcrashed-major-amplification-attacks-from-port-11211\/&#8217;],<br \/>[&#8216;CVE&#8217;, &#8216;2018-1000115&#8217;]])<\/p>\n<p>register_options([<br \/>Opt::RPORT(11211)<br \/>])<br \/>end<\/p>\n<p>def build_probe<br \/># Memcached stats probe, per https:\/\/github.com\/memcached\/memcached\/blob\/master\/doc\/protocol.txt<br \/>@memcached_probe ||= [<br \/>rand(2**16), # random request ID<br \/>0, # sequence number<br \/>1, # number of datagrams in this sequence<br \/>0, # reserved; must be 0<br \/>&#8220;stats\\r\\n&#8221;<br \/>].pack(&#8220;nnnna*&#8221;)<br \/>end<\/p>\n<p>def scanner_process(data, shost, sport)<br \/># Check the response data for a &#8220;STAT&#8221; response<br \/>if data =~ \/\\x0d\\x0aSTAT\\x20\/<br \/>@results[shost] ||= []@results[shost] &lt;&lt; data<br \/>end<br \/>end<\/p>\n<p># Called after the scan block<br \/>def scanner_postscan(batch)<br \/>@results.keys.each do |host|<br \/>response_map = { @memcached_probe =&gt; @results[host] }<br \/>report_service(<br \/>host: host,<br \/>proto: &#8216;udp&#8217;,<br \/>port: rport,<br \/>name: &#8216;memcached&#8217;<br \/>)<\/p>\n<p>peer = &#8220;#{host}:#{rport}&#8221;<br \/>vulnerable, proof = prove_amplification(response_map)<br \/>what = &#8216;memcached stats amplification&#8217;<br \/>if vulnerable<br \/>print_good(&#8220;#{peer} &#8211; Vulnerable to #{what}: #{proof}&#8221;)<br \/>report_vuln(<br \/>host: host,<br \/>port: rport,<br \/>proto: &#8216;udp&#8217;,<br \/>name: what,<br \/>refs: references<br \/>)<br \/>else<br \/>vprint_status(&#8220;#{peer} &#8211; Not vulnerable to #{what}: #{proof}&#8221;)<br \/>end<br \/>end<br \/>end<br \/>end<\/p>\n","protected":false},"excerpt":{"rendered":"<p>### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule &lt; Msf::Auxiliaryinclude Msf::Auxiliary::Reportinclude Msf::Exploit::Captureinclude Msf::Auxiliary::UDPScannerinclude Msf::Auxiliary::DRDoS def initializesuper(&#8216;Name&#8217; =&gt; &#8216;Memcached Stats Amplification Scanner&#8217;,&#8216;Description&#8217; =&gt; %q(This module can be used to discover Memcached servers which expose theunrestricted UDP port 11211. A basic &#8220;stats&#8221; request is executed to checkif an amplification attack is possible against a &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59326","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59326","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59326"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59326\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59326"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59326"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59326"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}