Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-49844 PoC — Redis 资源管理错误漏洞

Source
https://github.com/angelusrivera/CVE-2025-49844
Associated Vulnerability
Title:Redis 资源管理错误漏洞 (CVE-2025-49844)
Description:Redis是美国Redis公司的一套开源的使用ANSI C编写、支持网络、可基于内存亦可持久化的日志型、键值(Key-Value)存储数据库,并提供多种语言的API。 Redis 8.2.1及之前版本存在资源管理错误漏洞,该漏洞源于特制Lua脚本可操纵垃圾收集器,触发释放后重用,可能导致远程代码执行。
Description
PoC of RediShell
Readme
# 🚨 CVE-2025-49844 (RediShell) - Complete Guide

## ⚠️ Just for Learning, Not Hacking ;) ⚠️

Hey! This is a simple tool I made to help people check if their Redis servers are vulnerable to the bug. It's not meant for actual attacks - just for learning and protecting your own stuff.

## What's This All About?

Alright my lovely people, here's one of the most interesting fuckups of 2025, `CVE-2025-49844`. Essentially, if someone can run Lua scripts on your Redis server, they can gain access to the memory.

### The Important Stuff
- **How Bad?**: Fucked up (9.9/10)
- **Who's Affected**: Anyone using Redis version 8.2.1 or older
- **What Happens**: Code Execution
- **How They Do It**: Through Lua scripting (which Redis uses for fancy database shit)

## Let's Get Started!

### Step 1: Build This Thing
```bash
# First, get the Go stuff ready
cd scanner
go mod tidy

# Then build the scanner
go build -o rscan redis-scanner.go
```

### Step 2: Check Your Servers
```bash
# Check one server
./rscan -host your-server.com -port 6379

# Check with a password (if you have one)
./rscan -host your-server.com -port 6379 -auth yourpassword

# Check a bunch at once
./rscan -host server1.com,server2.com,server3.com

# Or check from a file
./rscan -file hosts.txt
```

### Step 3: Fix What's Broken
```bash
# Turn off Lua scripting (this stops the attack)
redis-cli ACL SETUSER default -@scripting

# Or just update Redis to the newest version
```

## What Do the Results Mean?

- 🚨 **DANGER!** - Your Redis is vulnerable (old version + Lua scripts work)
- 🛡️ **Good!** - Your Redis is protected (Lua disabled or newer version)
- ✅ **Great!** - Your Redis is safe (version 8.2.2 or newer)
- ❌ **Oops!** - Can't connect or something went wrong

## How This Memory Bug Works

### The Problem
This is what is called a "use-after-free" bug. Essentially, Redis has a memory management system that sometimes gets confused about what memory it's already cleaned up.

**How It Should Work:**
1. 📝 Redis creates some data in memory
2. 🔍 Uses that data for something
3. 🗑️ Cleans up the memory when it's done
4. ✅ Everything is safe and sound

**How It Actually Works (The Bug):**
1. 📝 Redis creates some data in memory
2. 🔍 Uses that data for something
3. 🗑️ Cleans up the memory
4. 🔍 **Tries to use the data again** (but it's already gone!)
5. 💥 **Everything breaks** which is the exploited for funsies ;)

### How Hackers Use This
- **What They Target**: Redis's Lua scripting system
- **Commands They Use**: `EVAL` and `EVALSHA` (these run Lua scripts)
- **What They Want**: To overwrite memory and run arbitrary code
## How to Fix This

### Do This Right Now (First 24 Hours)
1. **Find all your Redis servers** (you might have more than you think)
2. **Check their versions** (anything 8.2.1 or older is fucked, you will need to update!)
3. **Turn off Lua scripts** (this stops the attack immediately)
4. **Plan your upgrade** (this is the real fix)

### Quick Fix (Stop the Attack Now!)
```bash
# Turn off Lua scripts (this stops the attack)
redis-cli ACL SETUSER default -@scripting

# Or edit your redis.conf file and add this line:
disable-commands eval evalsha

# Then restart Redis
sudo systemctl restart redis
```

### Lock Down Your Network
```bash
# Only allow specific IPs to connect to Redis
iptables -A INPUT -p tcp --dport 6379 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 6379 -j DROP

# Make Redis only listen on specific network interfaces
bind 127.0.0.1 10.0.0.100
```

### Set Up Proper Passwords
```bash
# Set a strong password
redis-cli CONFIG SET requirepass "fuckredis1234ilovehacking!"

# Create users with limited permissions
redis-cli ACL SETUSER appuser on >password +@read +@write -@scripting
redis-cli ACL SETUSER readonly on >password +@read -@scripting
```

### Update Redis (The Real Fix)
```bash
# Backup your data first (always do this!)
sudo cp -r /var/lib/redis /var/lib/redis.backup.$(date +%Y%m%d)

# Update Redis to the fixed version
# On Ubuntu/Debian:
sudo apt update && sudo apt install redis-server=8.2.2*

# On CentOS/RHEL:
sudo yum update redis

# Check that it worked
redis-server --version
```

## Test That Your Fix Actually Works

### Make Sure Scripts Are Blocked
```bash
# This should fail if your fix is working
redis-cli -a "YourPassword" EVAL "return 'test'" 0
# Should say: (error) ERR unknown command 'EVAL'
```

### Check Your Network Security
```bash
# See if Redis is accessible from the network
nmap -p 6379 your-redis-server

# Test if password is required
redis-cli -h your-redis-server -p 6379 ping
# Should ask for password
```

## How to Spot This Attack

### Signs in Your Network
- Increased patterns of Lua script usage
- Someone sending really big or complicated scripts
- Lots of scripts running really fast
- Scripts that are obviously suspicious

### Signs on Your Server
- Redis keeps crashing or restarting
- Memory usage jumping up and/or down
- Redis making strange network connections
- Files being accessed that shouldn't be

### Check Your Logs
```bash
# Look for weird Lua script activity
grep -i "eval\|evalsha" /var/log/redis/redis.log

# Check for failed login attempts
grep -i "auth" /var/log/redis/redis.log

# Look for script errors
grep -i "script" /var/log/redis/redis.log
```

## How Hard Is This to Exploit?

### It's Pretty Complicated (if you don't know what's going on)
- You need to understand how Redis works inside
- **Memory Tricks**: You have to mess with how Redis manages memory
- **Lua Skills**: You need to be good at writing Lua scripts
- **Perfect Timing**: You have to trigger the bug at exactly the right moment

### What Real Exploits Look Like
1. **Create Weird Memory Patterns**: Write Lua scripts that make Redis arrange memory in specific ways
2. **Trick the Cleanup Process**: Make Redis clean up memory at the wrong time
3. **Break the Memory**: Cause Redis to use memory that's already been deleted
4. **Run Your Code**: Use the broken memory to execute whatever you want

## How Bad Is This Really?

### What Happens If You Get Hacked
- **Complete Takeover**: Hackers can run anything they want on your server
- **All Your Data**: They can see everything in your Redis database
- **Spread to Other Servers**: They might use your server to attack other things
- **Stay Hidden**: They can keep access even after you think you fixed it

### What This Means for Your Business
- **Data Leaked**: All your sensitive information could be stolen
- **Everything Breaks**: Your Redis service might stop working
- **Legal Trouble**: You might get fined for not protecting data
- **Nobody Trusts You**: Customers might leave if they find out

## Lets get technical

### What Parts of Redis Are Broken
- Lua scripting engine (`eval` and `evalsha` commands)
- How Redis manages memory
- The garbage collection system (cleans up unused memory)

### How the Memory Gets Broken
The bug happens when:
- You create specific patterns of objects in Lua
- You mess with how Redis counts references to memory
- You force Redis to clean up memory at the wrong time
- You exploit the timing of when Redis manages memory

### Which Versions Are Affected
- Redis version 8.2.1 and older
- Any version that has Lua scripting turned on
- This bug has been around for about 13 years (yikes!)

## What Exploits Look Like (For Learning)

### Basic Structure (This Won't Actually Work)
```lua
-- This is just to show you what the structure looks like
local function create_memory_pattern()
    -- Create objects that mess with Redis's memory cleanup
    local objects = {}
    for i = 1, 1000 do
        objects[i] = {data = "pattern_" .. i}
    end
    return objects
end

local function trigger_gc()
    -- Force Redis to clean up memory at the wrong time
    collectgarbage("collect")
    -- This is where the memory bug happens
end

-- Main attack structure
local objects = create_memory_pattern()
-- Mess with memory references
-- Force garbage collection
-- Use the broken memory to run code
```

## How to Protect Yourself

### Lock Down Your Network
- Set up firewall rules
- Don't let Redis talk to the whole internet
- Watch your network traffic
- Turn on logging

### Control Who Can Access
- Use strong passwords
- Set up user permissions (ACLs)
- Only give people the access they need
- Check who has access regularly

### Watch for Problems
- Look at your logs
- Monitor how Redis is performing
- Watch for weird behavior
- Have a plan for when things go wrong

## Want to Test This Safely?

If you want to see how this works without breaking anything real, you can use Docker:

```bash
# Start a test Redis (this one is vulnerable)
docker run -d --name redis-test -p 6379:6379 redis:6.0

# Test it
cd scanner
./rscan -host localhost -port 6379

# Stop the vulnerable one and start a fixed one
docker stop redis-test
docker run -d --name redis-fixed -p 6379:6379 redis:6.0 redis-server --rename-command EVAL "" --rename-command EVALSHA ""
./rscan -host localhost -port 6379

# Clean up when you're done
docker stop redis-fixed && docker rm redis-fixed
```

## Fancy Stuff (If You Want It)

### All the Options
```bash
cd scanner
./rscan --help
```

### Scanning Multiple Servers
Create a `hosts.txt` file like this:
```
# Put your servers here
server1.com
server2.com:6380
192.168.1.100
redis.example.com:6379
```

### Make It Faster
```bash
# Use more workers to scan faster (if you have lots of servers)
./rscan -host server1.com,server2.com -workers 20
```

## What You Need

- **Go 1.21+** (to build the scanner)
- **redis-cli** (to connect to Redis)
- **Docker** (optional, for safe testing)

### If Your Upgrade Breaks Everything
```bash
# Rollback to your backup
sudo systemctl stop redis
sudo rm -rf /var/lib/redis
sudo cp -r /var/lib/redis.backup.$(date +%Y%m%d) /var/lib/redis
sudo systemctl start redis
```

## Legal Stuff

This is just for learning and protecting your own stuff. Don't use it to hack other people's servers - that's illegal. Don't be dumb.

## Sources !!

- [Official CVE Page](https://nvd.nist.gov/vuln/detail/CVE-2025-49844)
- [Wiz Research Blog](https://www.wiz.io/blog/wiz-research-redis-rce-cve-2025-49844)
- [Redis Security Docs](https://redis.io/security)
- [CVE Details](https://www.cvedetails.com/cve/CVE-2025-49844/)
File Snapshot

 [4.0K]  /data/pocs/8f1c3b7728b39ef5a9469365729b9de5390ee0d1
├── [ 10K]  README.md
└── [4.0K]  scanner
    ├── [ 228]  go.mod
    ├── [2.1K]  go.sum
    ├── [ 452]  hosts.txt
    ├── [ 645]  README.md
    ├── [6.4M]  rscan
    └── [ 10K]  rscan.go

2 directories, 7 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.