Metasploit-framework: Exploit -ERR unknown command 'MODULE'
Steps to reproduce
- Setup server with redis 4.0.9
- Open Wireshark with IP of server
- Open metasploit
- use exploit/linux/redis/redis_unauth_exec
- Setup RHOST as remote host, SRVHOST as localhost and LHOST as localhost
- run
- Look at wireshark TCP Stream
- -ERR unknown command 'MODULE'
The server is from HackTheBox VM Postman.
Expected behavior
Exploit says 4.x / 5.x. My redis server says 4.0.9. Payload should go through. Reverse shell should be working.
Current behavior
In Metasploit :
Started reverse TCP handler on [LOCAL_IP]:4444
Exploit completed, but no session was created.
From redis itself (Wireshark) :
-ERR unknown command 'MODULE'.
System stuff
Metasploit version
Framework: 5.0.59-dev
Console : 5.0.59-dev
I installed Metasploit with:
- [X] Kali package via apt
- [ ] Omnibus installer (nightly)
- [ ] Commercial/Community installer (from http://www.rapid7.com/products/metasploit/download.jsp)
- [ ] Source install (please specify ruby version)
OS
Kali Linux
VBoucher
All 12 comments
You need to set the LHOST and SRVHOST to ip addresses that are reachable from your target.
space-r7
on 12 Nov 2019
I did. I set LHOST and SRVHOST to my ip address, which is reachable from my target. (Not "localhost"... sorry about that)
VBoucher
on 13 Nov 2019
This exploit does not work with the postman ctf. There is another way.
blindpanic
on 14 Nov 2019
Alright but shouldn't this exploit be renamed so that it excludes this version? The current name is 4.X / 5.X but 4.0.9 it part of 4.X. Should the version be more specific?
VBoucher
on 14 Nov 2019
@blindpanic is saying the exploit does not work with the CTF. Let's try to avoid any spoilers here, thanks.
wvu-r7
on 14 Nov 2019
Found another way. I don't think you understood my comment (which wasn't about giving any spoiler) but nevermind.
VBoucher
on 14 Nov 2019
@VBoucher: Yes, you are correct, the version should probably be more specific. The version range that's affected is likely in the advisory somewhere. It'd be a worthy update to the documentation.
wvu-r7
on 14 Nov 2019
The module should also be renamed from redis_unauth_exec, as it is not an unauthenticated exploit (#12143).
bcoles
on 14 Nov 2019
The "bug" mentioned in this issue has nothing to do with the versioning. The Postman machine on HTB had a specific configuration to prevent the attack as stated by 0xdf in his blogpost.
There is no need to update the documentation.
lyghtnox
on 14 Mar 2020
Thanks for confirming, @lyghtnox. My comment was more general than that.
While there may not be a need to update the documentation to exclude 4.0.9, which you've proven to be a false negative, we absolutely should be as specific as we can in listing affected versions. This goes for all modules.
"4.x and 5.x" may be accurate, but it's not precise, and it can lead to situations like this. The functionality this module abuses was added in a specific version or commit. @Green-m may know better.
wvu-r7
on 14 Mar 2020
The answer is precisely 4.0.0: https://redis.io/commands/module-load.
Available since 4.0.0.
Since Redis 6 is in beta, the documentation can perhaps be updated to say "since 4.0.0" if the functionality persists in version 6. If the functionality is removed, we should update for that, too.
wvu-r7
on 14 Mar 2020
@wvu-r7 Thank you for catching that! I did not see this until yesterday. I would update it for more precise.
Green-m
on 16 Mar 2020
Related issues
verapex
路
3Comments
XSecr3t
路
3Comments
wvu-r7
路
3Comments
jecoliho
路
3Comments
idetest41
路
3Comments
Most helpful comment
This exploit does not work with the postman ctf. There is another way.