This module exploits CVE-2022-0543, a Lua-based Redis sandbox escape. The
vulnerability was introduced by Debian and Ubuntu Redis packages that
insufficiently sanitized the Lua environment. The maintainers failed to
disable the package interface, allowing attackers to load arbitrary libraries.
On a typical `redis` deployment (not docker), this module achieves execution
as the `redis` user. Debian/Ubuntu packages run Redis using systemd with the
"MemoryDenyWriteExecute" permission, which limits some of what an attacker can
do. For example, staged meterpreter will fail when attempting to use mprotect.
As such, stageless meterpreter is the preferred payload.
Redis can be configured with authentication or not. This module will work with
either configuration (provided you provide the correct authentication details).
This vulnerability could theoretically be exploited across a few architectures:
i386, arm, ppc, etc. However, the module only supports x86_64, which is likely
to be the most popular version.
- Reginaldo Silva
cmd, x86, x64