rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

linux/redis/redis_unauth_exec should work without executable stack #13147

Closed nicocha30 closed 3 years ago

nicocha30 commented 4 years ago

Steps to reproduce

How'd you do it?

  1. use linux/redis/redis_unauth_exec against a Debian 10 server with redis installed. (tested with Redis server v=5.0.3 sha=00000000:0 malloc=jemalloc-5.1.0 bits=64 build=afa0decbb6de285f)
  2. set RHOST, LHOST, SRVHOST
  3. exploit

Expected behavior

The Redis metasploit module should load on the Redis server.

Current behavior

The module loading fails because the redis exploit module (custom and meterpreter) requires an executable stack (-z execstack).

On Debian 10, the redis server log contains the following error after trying to load the module:

478:S 26 Mar 2020 10:56:58.383 # Module ./ranyc.so failed to load: ./ranyc.so: cannot enable executable stack as shared object requires: Operation not permitted

If we remove -z execstack from the data/exploits/redis/exp/Makefile file (https://github.com/rapid7/metasploit-framework/blob/master/data/exploits/redis/exp/Makefile), the module will load without issue and the shell.exec Redis command will work.

System stuff

Metasploit version

Framework: 5.0.82-dev-
Console  : 5.0.82-dev-

I installed Metasploit with:

OS

Fedora 31

Green-m commented 4 years ago

@Nicocha30 Thanks for this issue. I have submitted a PR to fix this bug, see #13409

nicocha30 commented 4 years ago

@Green-m, -z execstack is necessary for module.erb as the shellcode is loaded into the stack: https://github.com/rapid7/metasploit-framework/blob/ffa01f56fcf72c7aba069b2d60d1cc1d219d500a/data/exploits/redis/module.erb#L20

Green-m commented 4 years ago

Yes, you are right. :)

Should I change the source code to load shellcode to memory instead of the stack maybe?

And another weird thing is, when I compile without the execstack flag, the payload still works.

nicocha30 commented 4 years ago

You could use mprotect to allow execution of memory pages. Does your redis server have executable stack enabled?

Green-m commented 4 years ago

I am not sure, I just pulled a docker image from Docker Hub. Is it enabled by default? If it is, how do I disable it in order to test it?

nicocha30 commented 4 years ago

Installed mine on Debian 10. It seems that NX is enabled on the Docker hub.

root@46201999603c:/data# checksec -f /usr/local/bin/redis-server
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY  Fortified  Fortifiable  FILE
Partial RELRO   No canary found   NX enabled    PIE enabled     No RPATH   No RUNPATH   4717 Symbols    No       0          44           /usr/local/bin/redis-server

The issue might be related to some Kernel hardening on modern systems.
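Added example, not part of this thread and not Metasploit project code: a small C checker for the ELF property that both the first post (the -z execstack build flag) and the checksec output above are about. ld's -z execstack sets PF_X on the shared object's PT_GNU_STACK program header; when such a .so is dlopen'd, the glibc loader has to mprotect() the thread stacks executable, and a refusal is what surfaces as the "cannot enable executable stack as shared object requires" line in the Debian 10 log. The checker reports that header flag the way readelf -lW or checksec would, and is bounds-checked so a truncated file cannot push it past the buffer. All function and enum names are this example's own, the ELF images it builds for its self-test are constructed and not loadable libraries, and it assumes glibc's <elf.h> on a little-endian host.

```c
/* Added example (not Metasploit code): classify an ELF64 shared object's
 * stack request by reading its PT_GNU_STACK program header. -z execstack
 * sets PF_X there; absent the header, glibc applies a per-arch default
 * that is RWX on x86, so a missing header is reported separately. */
#include <elf.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result codes for gnu_stack_check(); names are this example's own. */
enum {
    STACK_BAD_ELF = -1,    /* not a parseable ELF64 image */
    STACK_NOEXEC = 0,      /* PT_GNU_STACK present, PF_X clear */
    STACK_EXEC = 1,        /* PT_GNU_STACK present, PF_X set (-z execstack) */
    STACK_UNSPECIFIED = 2  /* no PT_GNU_STACK header at all */
};

/* Parse an ELF64 image held in memory, bounds-checking every read. */
int gnu_stack_check(const unsigned char *buf, size_t len)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh) return STACK_BAD_ELF;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_phentsize != sizeof(Elf64_Phdr))
        return STACK_BAD_ELF;
    /* program header table must lie entirely inside the buffer */
    if (eh.e_phoff > len ||
        (uint64_t)eh.e_phnum * sizeof(Elf64_Phdr) > len - eh.e_phoff)
        return STACK_BAD_ELF;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, buf + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_STACK)
            return (ph.p_flags & PF_X) ? STACK_EXEC : STACK_NOEXEC;
    }
    return STACK_UNSPECIFIED;
}

/* Same check on a file on disk, e.g. the .so a module build produced. */
int gnu_stack_check_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) return STACK_BAD_ELF;
    unsigned char *buf = NULL;
    size_t len = 0, cap = 0, got;
    do {
        if (len == cap) {
            cap = cap ? cap * 2 : 65536;
            unsigned char *nb = realloc(buf, cap);
            if (!nb) { free(buf); fclose(f); return STACK_BAD_ELF; }
            buf = nb;
        }
        got = fread(buf + len, 1, cap - len, f);
        len += got;
    } while (got > 0);
    fclose(f);
    int r = gnu_stack_check(buf, len);
    free(buf);
    return r;
}

/* Constructed sample image: ELF header plus PT_LOAD and PT_GNU_STACK
 * program headers. Not loadable; exec_stack mirrors -z execstack. */
size_t build_sample_so(int exec_stack, unsigned char *out, size_t cap)
{
    Elf64_Ehdr eh;
    Elf64_Phdr ph[2];
    size_t total = sizeof eh + sizeof ph;
    if (cap < total) return 0;
    memset(&eh, 0, sizeof eh);
    memset(ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_DYN;
    eh.e_machine = EM_X86_64;
    eh.e_version = EV_CURRENT;
    eh.e_phoff = sizeof eh;
    eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phnum = 2;
    ph[0].p_type = PT_LOAD;
    ph[0].p_flags = PF_R | PF_X;
    ph[0].p_align = 0x1000;
    ph[1].p_type = PT_GNU_STACK;
    ph[1].p_flags = PF_R | PF_W | (exec_stack ? PF_X : 0);
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, ph, sizeof ph);
    return total;
}

int main(int argc, char **argv)
{
    static const char *const desc[] = {
        "non-executable stack", "executable stack requested (-z execstack)",
        "no PT_GNU_STACK header (loader default applies)" };
    if (argc > 1) {  /* usage: ./gnustack path/to/module.so */
        int r = gnu_stack_check_file(argv[1]);
        printf("%s: %s\n", argv[1], r < 0 ? "not a readable ELF64 file" : desc[r]);
        return r < 0 ? 1 : 0;
    }
    unsigned char img[256];
    size_t n = build_sample_so(1, img, sizeof img);
    printf("sample built with -z execstack: %s\n", desc[gnu_stack_check(img, n)]);
    n = build_sample_so(0, img, sizeof img);
    printf("sample built without it:        %s\n", desc[gnu_stack_check(img, n)]);
    return 0;
}
```

Run with no arguments for the two constructed samples, or point it at the .so produced by the module's Makefile to see which of the two states that build actually produced; a hardened host that refuses the loader's mprotect() call will reject only the STACK_EXEC case.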

Green-m commented 4 years ago

I got it, so this is not a bug in this module, although there are some solutions to bypass it?

nicocha30 commented 4 years ago

You're right! However, I'm not sure that the shell.exec method works correctly.

Green-m commented 4 years ago

Thanks for your patient explanation, I would try to enhance this module to make it bypass NX if possible.

github-actions[bot] commented 4 years ago

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

github-actions[bot] commented 3 years ago

Hi again!

It’s been 60 days since anything happened on this issue, so we are going to close it. Please keep in mind that I’m only a robot, so if I’ve closed this issue in error please feel free to reopen this issue or create a new one if you need anything else.

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.