POC details: 5fb047e313aaff657b5abee49e2470456a508dbf

Source
Related vulnerability
Title: Redis resource management error vulnerability (CVE-2025-49844)
Description: Redis is an open-source, networked, in-memory (optionally persistent) log-structured key-value store written in ANSI C by Redis (US), with APIs for many languages. Redis 8.2.1 and earlier contain a resource management error vulnerability: a specially crafted Lua script can manipulate the garbage collector and trigger a use-after-free, which may lead to remote code execution.
Introduction
# CVE-2025-49844 (RediShell) - Lab Environment

A practical lab environment for testing and understanding the critical **CVE-2025-49844 (RediShell)** vulnerability in Redis.

## ⚠️ WARNING

**This is for educational purposes only!**
- Only use on systems you own or have explicit permission to test
- Never expose to the internet
- Never use in production environments

## About the Vulnerability

- **CVE ID**: CVE-2025-49844
- **Name**: RediShell
- **CVSS Score**: 10.0 (Critical)
- **Type**: Use-After-Free (UAF) in Lua Interpreter
- **Impact**: Remote Code Execution (RCE)
- **Discovered by**: Wiz Research Team

### Vulnerable Versions

All Redis versions before:
- Redis 8.2.2
- Redis 8.0.4
- Redis 7.4.6
- Redis 7.2.11

This lab uses **Redis 7.2.0** (vulnerable version).

## Quick Start

### Prerequisites

```bash
# Install Docker and Docker Compose
sudo apt-get update
sudo apt-get install docker.io docker-compose

# Install Python dependencies
pip install redis colorama
```

### Setup and Run

```bash
# 1. Start vulnerable Redis instance
docker-compose up -d

# 2. Wait a few seconds for Redis to start
sleep 5

# 3. Verify Redis is running
docker-compose ps

# 4. Run the exploit
python3 exploit_poc.py -H localhost -p 6380 -m all
```

## Usage

### Basic Commands

```bash
# Check vulnerability only
python3 exploit_poc.py -H localhost -p 6380 -m check

# Run basic UAF test
python3 exploit_poc.py -H localhost -p 6380 -m basic

# Test sandbox escape
python3 exploit_poc.py -H localhost -p 6380 -m sandbox

# Test advanced memory corruption
python3 exploit_poc.py -H localhost -p 6380 -m advanced

# Run all tests
python3 exploit_poc.py -H localhost -p 6380 -m all

# With authentication
python3 exploit_poc.py -H localhost -p 6380 -a "password" -m all
```

### Docker Management

```bash
# View logs
docker-compose logs -f

# Connect to Redis CLI
docker-compose exec redis-vulnerable redis-cli

# Stop the lab
docker-compose down

# Remove everything (including volumes)
docker-compose down -v
```

## Expected Output

### Successful Test (Vulnerable Version)

```
╔═══════════════════════════════════════════════════════════╗
║          CVE-2025-49844 (RediShell) PoC                  ║
║          Use-After-Free in Redis Lua Interpreter         ║
║          CVSS Score: 10.0 (CRITICAL)                     ║
╚═══════════════════════════════════════════════════════════╝

[*] Testing connection to localhost:6380...
[+] Connected successfully!
[i] Redis Version: 7.2.0
[*] Checking if Lua scripting is enabled...
[+] Lua scripting is enabled!

[*] Checking vulnerability status...
[i] Detected Redis version: 7.2.0
[!] VULNERABLE: This version is affected by CVE-2025-49844
[!] Update to the latest patched version immediately!

[*] Attempting basic UAF trigger...
[+] Lua script executed: UAF pattern executed
[!] UAF pattern triggered (simplified demo)

[*] Testing Lua sandbox boundaries...
[*] Testing os.execute...
[+] Protected: os.execute blocked
[*] Testing io.popen...
[+] Protected: io.popen blocked
[*] Testing loadfile...
[+] Protected: loadfile blocked
[*] Testing package.loadlib...
[+] Protected: package.loadlib blocked

[*] Attempting memory corruption pattern...
[+] Memory corruption pattern executed: Memory corruption pattern completed
[!] In vulnerable versions, this could lead to RCE!

============================================================
[*] PoC execution completed
============================================================
```

## How the Vulnerability Works

### Attack Flow

1. **Connect to Redis** (authenticated or unauthenticated)
2. **Send malicious Lua script** via EVAL command
3. **Trigger Use-After-Free** through garbage collection
4. **Escape Lua sandbox** to access restricted functions
5. **Execute arbitrary native code** outside the sandbox
6. **Gain full host access** for data exfiltration, malware installation, etc.

### Technical Details

The exploit abuses a 13-year-old use-after-free bug in the Lua interpreter embedded in Redis:

- **Memory Corruption**: Improper memory management during garbage collection
- **Sandbox Escape**: Bypass Lua sandbox restrictions
- **Code Execution**: Execute arbitrary system commands
- **Full Compromise**: Complete access to the host system

## Security Recommendations

### 1. Update Immediately

```bash
# Pull latest patched version
docker pull redis:8.2.2
# or
docker pull redis:7.4.6
```

### 2. Secure Configuration

```conf
# /etc/redis/redis.conf

# Enable authentication
requirepass your_strong_password_here

# Restrict network access
bind 127.0.0.1 ::1
protected-mode yes

# Disable dangerous commands
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command CONFIG ""
rename-command EVAL ""
rename-command EVALSHA ""

# Enable logging
loglevel notice
logfile /var/log/redis/redis-server.log
```

### 3. Use Redis ACL

```bash
# Disable Lua scripting for specific users
redis-cli ACL SETUSER myuser -@scripting

# Create limited user
redis-cli ACL SETUSER limited on >password ~* +@read +@write -@scripting
```
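A defender-side triage helper, added here as an example (it is not the lab's `exploit_poc.py`): it classifies a server's `INFO` version against the fixed releases listed under Vulnerable Versions above, and walks `ACL LIST` rules to see which users can still run Lua after the ACL changes in this section. The `INFO` and `ACL LIST` samples are constructed, and the set of Lua-running command names and the three-way result are assumptions of this example.

```python
import re

# Fixed releases as listed in the README's "Vulnerable Versions" section.
FIXED = {(8, 2): (8, 2, 2), (8, 0): (8, 0, 4), (7, 4): (7, 4, 6), (7, 2): (7, 2, 11)}

# Commands that run Lua in Redis; FUNCTION/FCALL use the same interpreter as EVAL.
SCRIPT_CMDS = {"eval", "evalsha", "eval_ro", "evalsha_ro", "function", "fcall", "fcall_ro"}

def parse_info_version(info_text):
    """Extract redis_version from INFO server output as a (major, minor, patch) tuple."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.M)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(x) for x in m.groups())

def classify_version(version):
    """'vulnerable', 'patched', or 'unknown' for a release line the README does not list."""
    fixed = FIXED.get(version[:2])
    if fixed is not None:
        return "vulnerable" if version < fixed else "patched"
    if version < min(FIXED.values()):
        return "vulnerable"  # older than every fixed line: affected per the README
    return "unknown"  # a line the README does not list; consult the advisory

def acl_allows_scripting(acl_line):
    """Walk one ACL LIST rule left to right and report whether Lua execution survives.
    Assumption: only category tokens and the Lua command names above are considered."""
    allowed = False
    for tok in acl_line.split()[2:]:  # skip the leading "user <name>"
        if tok in ("+@all", "allcommands", "+@scripting"):
            allowed = True
        elif tok in ("-@all", "nocommands", "-@scripting"):
            allowed = False
        elif tok.startswith("+") and tok[1:].split("|")[0] in SCRIPT_CMDS:
            allowed = True
    return allowed

# Constructed samples standing in for live INFO and ACL LIST responses.
SAMPLE_INFO = "# Server\r\nredis_version:7.2.0\r\nredis_mode:standalone\r\n"
SAMPLE_ACL = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user limited on sanitize-payload ~* &* -@all +@read +@write -@scripting",
]

def triage(info_text=SAMPLE_INFO, acl_lines=SAMPLE_ACL):
    version = parse_info_version(info_text)
    scripters = [line.split()[1] for line in acl_lines if acl_allows_scripting(line)]
    return {"version": version, "status": classify_version(version),
            "users_with_scripting": scripters}
```

Feed `triage()` the real responses from `redis-cli INFO server` and `redis-cli ACL LIST` to get a report for a live instance.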

### 4. Network Security

```bash
# Use firewall rules
sudo ufw allow from 192.168.1.0/24 to any port 6379
sudo ufw deny 6379

# Or use iptables
sudo iptables -A INPUT -p tcp --dport 6379 -s 192.168.1.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 6379 -j DROP
```

## Troubleshooting

### Port Already in Use

```bash
# Check what's using the port
sudo lsof -i :6380

# Or change port in docker-compose.yml
# ports:
#   - "6381:6379"
```

### Python Module Not Found

```bash
# Install required packages
pip install redis colorama

# Or use virtual environment
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
```

### Docker Permission Denied

```bash
# Add user to docker group
sudo usermod -aG docker $USER

# Then logout and login again
```

### Redis Not Starting

```bash
# Check logs
docker-compose logs

# Restart container
docker-compose restart

# Rebuild image
docker-compose up -d --build
```

## Project Structure

```
redis_exploit/
├── Dockerfile              # Redis 7.2.0 vulnerable instance
├── docker-compose.yml      # Docker Compose configuration
├── exploit_poc.py          # Main exploit script
├── requirements.txt        # Python dependencies
├── .gitignore             # Git ignore file
└── README.md              # This file
```

## References

- [Wiz Research Blog - RediShell](https://www.wiz.io/blog/wiz-research-redis-rce-cve-2025-49844)
- [BleepingComputer Article](https://www.bleepingcomputer.com/news/security/redis-warns-of-max-severity-flaw-impacting-thousands-of-instances/)
- [Redis Security Advisory](https://redis.io/blog/security-advisory-cve-2025-49844/)


## Disclaimer

This PoC is simplified and for educational purposes only. The actual CVE-2025-49844 exploit involves complex memory manipulation. Always patch your Redis instances to the latest version!

File snapshot

```
[4.0K] /data/pocs/5fb047e313aaff657b5abee49e2470456a508dbf
├── [ 286] docker-compose.yml
├── [ 728] Dockerfile
├── [ 14K] exploit_poc.py
├── [7.0K] README.md
└── [ 29] requirements.txt

0 directories, 5 files
```