From 74ec9f00e754bafbce95cfbe950ffa40435cf8bc Mon Sep 17 00:00:00 2001
From: Jon Hart <jon_hart@rapid7.com>
Date: Tue, 6 Mar 2018 17:54:00 -0800
Subject: [PATCH] Add WIP memcached UDP version scanner

---
 .../memcached/memcached_udp_version.rb        | 60 +++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 modules/auxiliary/scanner/memcached/memcached_udp_version.rb

diff --git a/modules/auxiliary/scanner/memcached/memcached_udp_version.rb b/modules/auxiliary/scanner/memcached/memcached_udp_version.rb
new file mode 100644
index 0000000000..e047b412b9
--- /dev/null
+++ b/modules/auxiliary/scanner/memcached/memcached_udp_version.rb
@@ -0,0 +1,60 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Auxiliary::Report
+  include Msf::Exploit::Capture
+  include Msf::Auxiliary::UDPScanner
+
+  def initialize
+    super(
+      'Name'        => 'Memcached UDP Version Scanner',
+      'Description' => %q(
+          This module can be used to discover Memcached servers which expose the
+          unrestricted UDP port 11211. A basic "version" request is executed to obtain
+          the version of memcached.
+      ),
+      'Author'      =>
+        [
+          'Jon Hart <jon_hart@rapid7.com>' # Metasploit scanner module
+        ],
+      'License'     => MSF_LICENSE,
+      'DisclosureDate' => 'Jul 23, 2003',
+      'References'  =>
+          [
+            ['URL', 'https://github.com/memcached/memcached/blob/master/doc/protocol.txt'],
+          ]
+    )
+
+    register_options([
+      Opt::RPORT(11211)
+    ])
+  end
+
+  def build_probe
+    # Memcached version probe, per https://github.com/memcached/memcached/blob/master/doc/protocol.txt
+    @memcached_probe ||= [
+      rand(2**16), # random request ID
+      0, # sequence number
+      1, # number of datagrams in this sequence
+      0, # reserved; must be 0
+      "version\r\n"
+    ].pack("nnnna*")
+  end
+
+  def scanner_process(data, shost, sport)
+    # Check the response data for a "STAT" repsonse
+    if /VERSION (?<version>[\d\.]+)\r\n/ =~ data
+      print_good("#{shost}:#{sport}/udp memcached version #{version}")
+      report_service(
+        host: shost,
+        proto: 'udp',
+        port: rport,
+        info: version,
+        name: 'memcached'
+      )
+    end
+  end
+end