Related vulnerability
Title:
Redis resource management error vulnerability
(CVE-2025-49844)
Description: Redis is an open-source key-value store from Redis Inc. (US), written in ANSI C, network-capable, in-memory with optional persistence, log-structured, and offering APIs for many languages. Redis 8.2.1 and earlier contain a resource management error vulnerability: a specially crafted Lua script can manipulate the garbage collector and trigger a use-after-free, potentially leading to remote code execution.
Description
Minimal Redis honeypot detecting RediShell (CVE-2025-49844) exploits.
Introduction
# RediTrap Honeypot
RediTrap is a minimal Redis honeypot tailored to spot early attempts to exploit
CVE-2025-49844 ("RediShell"), the critical Remote Code Execution vulnerability
described by Wiz Research. The exploit abuses a 13-year-old use-after-free bug in
the embedded Lua engine: Redis would store the Lua chunk name without first
anchoring it on the stack, allowing a garbage collection cycle to reclaim the
string while C code still used the pointer. The Redis patch
[`d5728cb`](https://github.com/redis/redis/commit/d5728cb5795c966c5b5b1e0f0ac576a7e69af539)
fixes the issue by pushing the chunk name onto the Lua stack (via
`setsvalue2s`/`incr_top`) before parsing and popping it afterwards, preventing
the stale pointer and closing the RCE primitive.

Because the published exploit path relies on sending malicious Lua scripts via
`EVAL`, `EVALSHA`, or `SCRIPT LOAD`, the honeypot focuses on surfacing those
interactions while pretending to be an unpatched Redis node.
## What it does
- Listens on the Redis TCP port (`6379` by default) and speaks a small RESP
subset so basic probes succeed (`PING`, `INFO`, `AUTH`, etc.).
- Logs every command to a JSON-lines log file, with extra context for Lua script
activity (SHA-1 digest, length, token heuristics, preview).
- Flags script-oriented commands as suspicious and returns safe error replies so
untrusted payloads never execute.
- Mimics older Redis behaviour (for example, rejecting `HELLO`) to encourage
attackers to continue their workflow.
## Getting started
```bash
python3 reditrap.py --host 0.0.0.0 --port 6379 --log-file logs/redis-honeypot-events.ndjson
```
Use `--verbose` for additional stdout logging during development.
## Container usage
Build a compact image (Alpine base):
```bash
docker build -t reditrap .
# or: podman build -t reditrap .
```
Run it with the Redis port exposed and the log directory mounted on the host:
```bash
mkdir -p honeypot-logs
docker run -d --name reditrap \
  -p 6379:6379 \
  -v "$(pwd)/honeypot-logs:/data" \
  reditrap
```
The container defaults to `--host 0.0.0.0 --port 6379 --log-file
/data/redis-honeypot-events.ndjson`, so logs land on the host at
`honeypot-logs/redis-honeypot-events.ndjson`.
Podman works the same way (add the SELinux flag if applicable):
```bash
podman run -d --name reditrap \
  -p 6379:6379 \
  -v "$(pwd)/honeypot-logs:/data:Z" \
  reditrap
```
Override defaults by appending arguments after the image name, for example:
```bash
docker run --rm -p 6379:6379 reditrap --redis-version 7.0.15 --log-file /data/attempts.ndjson
```
## Inspecting events
Each incoming request becomes an NDJSON entry. Suspicious Lua activity includes
heuristics to make triage easier. For example:
```json
{
  "action": "lua_eval",
  "args": ["return debug.getregistry()", "0"],
  "command": "EVAL",
  "info": {
    "arg_count": 2,
    "heuristics": {
      "length": 26,
      "matched_tokens": ["debug."],
      "preview": "return debug.getregistry()"
    },
    "key_count": "0",
    "script_hash": "763200efa15885c9fa970d45cc2b11711c739c13"
  },
  "remote": {"host": "203.0.113.42", "port": 58231},
  "timestamp": "2025-10-07T15:04:12.123456+00:00"
}
```
Pair the logs with network telemetry to trace the attacking source and decide on
response actions.
## Safety notes
- The honeypot never executes received Lua scripts; it immediately returns an
error string after logging the attempt.
- Large bulk strings are capped at 8 MiB and arrays at 128 elements to reduce
memory pressure from malicious clients.
- Run the honeypot inside an isolated network segment and forward Redis port
traffic to it using firewall rules, port mirroring, or NAT as appropriate for
your environment.
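The RESP parsing and Lua-command flagging that the sections above describe, as an added example that is not part of `reditrap.py`: the 8 MiB bulk-string and 128-element array caps and the `debug.` token come from this README, while the extra tokens, the 80-character preview and the action names for non-`EVAL` script commands are assumptions made here.

```python
import hashlib
from datetime import datetime, timezone

MAX_BULK = 8 * 1024 * 1024  # bulk-string cap from the README's safety notes
MAX_ARRAY = 128             # array-element cap from the README's safety notes
SCRIPT_COMMANDS = {"EVAL", "EVALSHA", "SCRIPT"}
# "debug." is the token from the README sample; the other tokens are assumed additions.
SUSPICIOUS_TOKENS = ("debug.", "collectgarbage", "loadstring", "string.dump")

def parse_resp_array(data: bytes) -> list[str]:
    """Decode one client RESP frame (an array of bulk strings), enforcing size caps."""
    if not data.startswith(b"*"):
        raise ValueError("expected RESP array")
    head, rest = data.split(b"\r\n", 1)
    count = int(head[1:])
    if count > MAX_ARRAY:
        raise ValueError("array too large")
    args = []
    for _ in range(count):
        if not rest.startswith(b"$"):
            raise ValueError("expected bulk string")
        size_line, rest = rest.split(b"\r\n", 1)
        size = int(size_line[1:])
        if size > MAX_BULK or len(rest) < size + 2:
            raise ValueError("bulk string too large or truncated")
        args.append(rest[:size].decode("utf-8", "replace"))
        rest = rest[size + 2:]  # skip the payload and its trailing CRLF
    return args

def build_event(args: list[str], host: str, port: int) -> dict:
    """Build a RediTrap-style event dict; script commands get hash and heuristics."""
    command = args[0].upper()
    event = {"action": "command", "command": command, "args": args[1:],
             "remote": {"host": host, "port": port},
             "timestamp": datetime.now(timezone.utc).isoformat()}
    if command not in SCRIPT_COMMANDS:
        return event
    event["action"] = "lua_" + command.lower()  # "lua_eval" as in the README sample
    info, script = {"arg_count": len(args) - 1}, None
    if command == "EVAL" and len(args) >= 3:       # EVAL <script> <numkeys> [keys...]
        script, info["key_count"] = args[1], args[2]
    elif command == "SCRIPT" and len(args) >= 3 and args[1].upper() == "LOAD":
        script = args[2]                            # SCRIPT LOAD <script>
    if script is not None:                          # EVALSHA carries only a digest
        info["script_hash"] = hashlib.sha1(script.encode()).hexdigest()
        info["heuristics"] = {"length": len(script), "preview": script[:80],
                              "matched_tokens": [t for t in SUSPICIOUS_TOKENS if t in script]}
    event["info"] = info
    return event
```

Serialise each returned dict with `json.dumps` and append one line per command to get the NDJSON log format shown above; the honeypot still replies with an error and never runs the script.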
File snapshot
```
[4.0K] /data/pocs/925ca25088f37a402bc55439ed4ff2c317f0926e
├── [ 415] Dockerfile
├── [1.0K] LICENSE
├── [3.6K] README.md
└── [ 16K] reditrap.py
0 directories, 4 files
```