Add module Redis Unauthenticated Code Execution #12107
Conversation
To do:
1. Check env of system and compiler.
2. Add a compiled so file to be compatible with windows and mac.
3. Add doc.
Rex.sleep(2) | ||
register_file_for_cleanup("./#{module_file}") | ||
#redis_command('CONFIG', 'SET', 'dbfilename', 'dump.rdb') | ||
#redis_command('MODULE', 'UNLOAD', "#{@module_init_name}") |
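Review bot: the two commented-out cleanup commands at the end of this hunk leave the target with dbfilename still changed and the Redis module still loaded, and nothing in the hunk says why they are disabled. Add a comment explaining that `CONFIG SET dbfilename` and `MODULE UNLOAD` cannot complete while the session is open, and either defer them to a step that runs after the session has finished or record the leftover state in the module documentation so operators know what to clean up by hand.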
Please take note of this cleanup: I commented out the last two Redis commands, because they always failed.
The reason is that once a new session has started, Redis gets blocked and gives no response to any request, which causes the cleanup commands to always fail.
To clean up successfully, we have to wait until the session ends. Actually, I did not know how to do that. :-(
Hey, @Green-m! Haven't seen you in the Framework PR queue in a while, welcome back :)
@ccondon-r7 Nice to see you again!
I'm currently working on this pull request. Thanks for the patience!
Another excellent module from @Green-m. Thanks for waiting.
Release Notes
The redis_unanth_rce module has been added to the framework. It exploits an unauthenticated code execution vulnerability in Redis 4.x and 5.x.
Description
This module exploits an unauthenticated code execution vulnerability in Redis 4.x and 5.x.
Vulnerable Application
Vulnerable Application Link
https://hub.docker.com/_/redis/
Vulnerable Application Installation Setup
Options
If CUSTOM is set to true, this exploit generates a source code file and compiles it into a Redis module file at run time, which is harder to detect. This only works on Linux systems.
In other scenarios, such as when gcc is missing or on other operating systems, the framework cannot compile the source, so the module uses the pre-compiled Redis module to accomplish the exploit.
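As an added example (not part of this PR or of the Metasploit module), a defender-side check for the command shapes this module's load and cleanup steps rely on: it parses Redis MONITOR-format lines and flags MODULE LOAD and CONFIG SET dir/dbfilename issued by non-loopback clients. The MONITOR lines below are constructed.

```ruby
# MONITOR output format: "<ts> [<db> <addr>] \"CMD\" \"arg\" ..."
MONITOR_LINE = /\A(?<ts>\d+\.\d+) \[(?<db>\d+) (?<addr>[^\]]+)\] (?<rest>.*)\z/

# Split the quoted argument vector; handles escaped characters inside quotes.
def parse_monitor_line(line)
  m = MONITOR_LINE.match(line) or return nil
  argv = m[:rest].scan(/"((?:\\.|[^"\\])*)"/).flatten
  { ts: m[:ts].to_f, db: m[:db].to_i, addr: m[:addr], argv: argv }
end

# Command shapes worth alerting on: loading a shared object as a module, and
# retargeting where the server writes its dump file (dir / dbfilename).
def classify(argv)
  cmd = argv[0].to_s.upcase
  sub = argv[1].to_s.upcase
  case cmd
  when 'MODULE'
    'module-load' if %w[LOAD LOADEX].include?(sub)
  when 'CONFIG'
    'config-set-path' if sub == 'SET' && %w[DIR DBFILENAME].include?(argv[2].to_s.upcase)
  end
end

# Local administration over loopback or a unix socket is treated as expected.
def loopback?(addr)
  addr.start_with?('127.', '[::1]', 'unix:')
end

# Returns one alert hash per suspicious command from a remote client.
def scan_monitor(lines)
  lines.each_with_object([]) do |line, alerts|
    ev = parse_monitor_line(line) or next
    kind = classify(ev[:argv]) or next
    next if loopback?(ev[:addr])
    alerts << { kind: kind, addr: ev[:addr], command: ev[:argv].join(' ') }
  end
end

SAMPLE_MONITOR = [ # constructed sample lines, not captured traffic
  '1570000000.100000 [0 127.0.0.1:50112] "PING"',
  '1570000000.200000 [0 10.0.0.9:41022] "CONFIG" "SET" "dbfilename" "module.so"',
  '1570000000.300000 [0 10.0.0.9:41022] "MODULE" "LOAD" "/tmp/module.so"',
  '1570000000.400000 [0 10.0.0.9:41022] "MODULE" "UNLOAD" "mod"',
  '1570000000.500000 [0 127.0.0.1:50112] "CONFIG" "SET" "dbfilename" "dump.rdb"',
].freeze

if $PROGRAM_NAME == __FILE__
  scan_monitor(SAMPLE_MONITOR).each { |a| puts "#{a[:kind]} from #{a[:addr]}: #{a[:command]}" }
end
```

The same MONITOR lines also show why the module's cleanup matters to a defender: a `CONFIG SET dbfilename dump.rdb` that never arrives means the changed filename persists in the running config.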
Verification Steps
set CUSTOM true (available only on Linux)
set CUSTOM false (available on all systems)