Closed nicocha30 closed 3 years ago
@Nicocha30 Thanks for this issue, I have submitted a PR to fix this bug, see #13409
@Green-m, -z execstack is necessary for module.erb as the shellcode is loaded into the stack: https://github.com/rapid7/metasploit-framework/blob/ffa01f56fcf72c7aba069b2d60d1cc1d219d500a/data/exploits/redis/module.erb#L20
Yes, you are right. :)
Should I change the source code to load shellcode to memory instead of the stack maybe?
And another weird thing is, I compile without the execstack flag, the payload still works.
You could use mprotect to allow execution of memory pages. Does your redis server have executable stack enabled?
I am not sure; I just pulled a docker image from docker hub. Is it enabled by default? If it is, how do I disable it in order to test it?
Installed mine on Debian 10. It seems that NX is enabled on the Docker hub.
root@46201999603c:/data# checksec -f /usr/local/bin/redis-server
RELRO           STACK CANARY      NX           PIE           RPATH      RUNPATH      Symbols        FORTIFY   Fortified   Fortifiable   FILE
Partial RELRO   No canary found   NX enabled   PIE enabled   No RPATH   No RUNPATH   4717 Symbols   No        0           44            /usr/local/bin/redis-server
The issue might be related to some Kernel hardening on modern systems.
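The checksec line above reports the NX bit of the redis-server binary itself, but the error in the log comes from the module .so that redis dlopen()s: glibc reads that object's PT_GNU_STACK program header, and if it carries PF_X (what `-z execstack` produces) it tries to mprotect() the process stack RWX, which a hardened process (for example one whose seccomp filter denies writable+executable mappings, as systemd's MemoryDenyWriteExecute= does) refuses with EPERM. The following script, added here as an example and not part of this thread or of the Metasploit project, reads an ELF file and reports what its PT_GNU_STACK header asks for, which is the check a defender can run on any module before allowing it to be loaded. It uses only the standard library; the `build_minimal_elf64` helper constructs synthetic headers so the script runs offline without a real .so.

```python
"""Report whether an ELF shared object asks the loader for an executable stack.

PT_GNU_STACK with PF_X set is what `-z execstack` emits; glibc then calls
mprotect() on the stack, which hardened processes refuse with EPERM
("cannot enable executable stack as shared object requires: Operation not permitted").
An object with no PT_GNU_STACK header at all is treated by glibc as needing an
executable stack, so that case is reported separately.
"""
import struct
import sys

PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4


def gnu_stack_flags(data: bytes):
    """Return p_flags of the PT_GNU_STACK header, or None if the object has none.

    Handles ELF32 and ELF64 in either byte order; raises ValueError on non-ELF input.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"          # EI_DATA: 1 = little-endian, 2 = big-endian
    if ei_class == 2:                           # ELFCLASS64
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        flags_off = 4                           # Elf64_Phdr: p_type, p_flags, p_offset, ...
    elif ei_class == 1:                         # ELFCLASS32
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        flags_off = 24                          # Elf32_Phdr: p_flags follows five 4-byte fields
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type == PT_GNU_STACK:
            (p_flags,) = struct.unpack_from(end + "I", data, off + flags_off)
            return p_flags
    return None


def stack_policy(data: bytes) -> str:
    """Classify the object: 'executable', 'non-executable' or 'executable-by-default'."""
    flags = gnu_stack_flags(data)
    if flags is None:
        return "executable-by-default"          # no header: glibc assumes an executable stack
    return "executable" if flags & PF_X else "non-executable"


def build_minimal_elf64(stack_flags=None) -> bytes:
    """Constructed sample: a bare x86-64 ET_DYN header plus one PT_GNU_STACK entry (or none)."""
    phnum = 0 if stack_flags is None else 1
    ehdr = struct.pack(
        "<16sHHIQQQIHHHHHH",
        b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8),   # e_ident: ELFCLASS64, LE, EV_CURRENT, SYSV ABI
        3, 0x3E, 1, 0,                                 # ET_DYN, EM_X86_64, e_version, e_entry
        64 if phnum else 0, 0, 0,                      # e_phoff right after the header, no sections
        64, 56, phnum, 64, 0, 0,                       # e_ehsize, e_phentsize, e_phnum, e_shentsize, ...
    )
    if not phnum:
        return ehdr
    # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


if __name__ == "__main__":
    # Usage: python check_execstack.py /path/to/module.so ...
    # With no arguments, runs against the constructed samples instead.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(f"{path}: stack {stack_policy(fh.read())}")
    if len(sys.argv) == 1:
        samples = (("execstack", PF_R | PF_W | PF_X), ("noexecstack", PF_R | PF_W), ("no header", None))
        for name, flags in samples:
            print(f"{name}: stack {stack_policy(build_minimal_elf64(flags))}")
```

The result should agree with `readelf -l module.so | grep GNU_STACK` (flags `RWE` versus `RW`) and with `execstack -q module.so` where that tool is installed; a module reporting "executable" or "executable-by-default" is the one that will trip the "cannot enable executable stack" refusal under hardening like the one seen in this thread.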
I got it, so this is not a bug in this module, although there are some solutions to bypass it?
You're right! However, I'm not sure that the shell.exec method works correctly.
Thanks for your patient explanation. I would try to enhance this module to make it bypass NX if possible.
Hi!
This issue has been left open with no activity for a while now.
We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
Hi again!
It’s been 60 days since anything happened on this issue, so we are going to close it. Please keep in mind that I’m only a robot, so if I’ve closed this issue in error please feel free to reopen this issue or create a new one if you need anything else.
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
Steps to reproduce
How'd you do it?
use linux/redis/redis_unauth_exec
against a Debian 10 server with redis installed (tested with Redis server v=5.0.3 sha=00000000:0 malloc=jemalloc-5.1.0 bits=64 build=afa0decbb6de285f).
RHOST, LHOST, SRVHOST
exploit
Expected behavior
The Redis metasploit module should load on the Redis server.
Current behavior
The module loading fails because the redis exploit module (custom and meterpreter) requires an executable stack (-z execstack). On Debian 10, the redis server log contains the following error after trying to load the module:
478:S 26 Mar 2020 10:56:58.383 # Module ./ranyc.so failed to load: ./ranyc.so: cannot enable executable stack as shared object requires: Operation not permitted
If we remove -z execstack from the data/exploits/redis/exp/Makefile file (https://github.com/rapid7/metasploit-framework/blob/master/data/exploits/redis/exp/Makefile), the module will load without issue, and the shell.exec Redis command will work.
System stuff
Metasploit version
I installed Metasploit with:
OS
Fedora 31