Severity: High · Public exploit

Redis XACKDEL Stack Buffer Overflow RCE

Identifiers: CVE-2025-62507 · CWE-121 Stack-based Buffer Overflow

CVE-2025-62507 is a stack-based buffer overflow in Redis affecting versions 8.2.0 and later prior to the fixed release. The flaw is in the XACKDEL command implementation, specifically xackdelCommand() in src/t_stream.c, which parses a user-supplied list of Redis Stream IDs. The vulnerable code stores a variable number of parsed stream IDs into a fixed-size stack array (static_ids) without verifying that the number of IDs fits in that buffer. When an attacker supplies more IDs than the static vector can hold, Redis writes past the end of the stack buffer, corrupting adjacent stack data including saved registers and potentially the return address. Research cited in the supporting content indicates that, in vulnerable builds, a single crafted XACKDEL request with enough IDs can crash the server and provide instruction-pointer control, making remote code execution possible. The fix adds logic to allocate the IDs array on the heap when the number of supplied IDs exceeds the static stack vector length.
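The defect and its fix, as the advisory describes them, reduced to an added illustration in plain C. This is not Redis's code: the `stream_id` struct, the `STATIC_IDS` capacity and the function names are assumptions made for the example. The unchecked parser copies a request-supplied number of IDs into a fixed stack array; the checked one keeps the stack array for small requests and switches to a heap buffer sized to the request when the count exceeds the static capacity, which is the shape of the fix the text describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed shape of a stream ID: millisecond timestamp plus sequence number.
 * This struct, the function names and STATIC_IDS are illustration-only
 * assumptions, not Redis's definitions. */
typedef struct { uint64_t ms; uint64_t seq; } stream_id;

#define STATIC_IDS 8   /* capacity of the fixed-size stack array (assumed) */

/* Vulnerable pattern: `count` comes straight from the request, but the
 * destination is a fixed stack array. Every element past STATIC_IDS is
 * written beyond the buffer, over whatever the stack holds next to it.
 * Kept here only to show the defect; the demo never calls it with
 * count > STATIC_IDS. */
int parse_ids_unchecked(const stream_id *in, int count) {
    stream_id static_ids[STATIC_IDS];
    for (int i = 0; i < count; i++)      /* no comparison against STATIC_IDS */
        static_ids[i] = in[i];
    int acked = 0;                       /* stand-in for the real per-ID work */
    for (int i = 0; i < count; i++)
        if (static_ids[i].ms != 0) acked++;
    return acked;
}

/* Hardened pattern, matching the fix the advisory describes: the stack
 * array is used only while the count fits; larger requests get a heap
 * buffer sized to the request, released before returning.
 * Returns the number of IDs processed, or -1 on a bad count or allocation
 * failure. *used_heap reports which storage was chosen. */
int parse_ids_checked(const stream_id *in, int count, int *used_heap) {
    stream_id static_ids[STATIC_IDS];
    stream_id *ids = static_ids;
    *used_heap = 0;
    if (count < 0) return -1;
    if (count > STATIC_IDS) {
        ids = malloc((size_t)count * sizeof *ids);
        if (ids == NULL) return -1;
        *used_heap = 1;
    }
    for (int i = 0; i < count; i++)
        ids[i] = in[i];
    int acked = 0;
    for (int i = 0; i < count; i++)
        if (ids[i].ms != 0) acked++;
    if (ids != static_ids) free(ids);
    return acked;
}

#define SAMPLE_MAX 64

/* Constructed request of n IDs (ms = 1..n, seq = 0) fed to the hardened
 * parser; the two wrappers below expose its results for the demo and tests. */
static int run_checked(int n, int *used_heap) {
    stream_id in[SAMPLE_MAX];
    if (n > SAMPLE_MAX) n = SAMPLE_MAX;
    for (int i = 0; i < n; i++) { in[i].ms = (uint64_t)i + 1; in[i].seq = 0; }
    return parse_ids_checked(in, n, used_heap);
}
int sample_acked(int n)     { int h; return run_checked(n, &h); }
int sample_used_heap(int n) { int h; run_checked(n, &h); return h; }

int main(void) {
    int sizes[] = {3, STATIC_IDS, STATIC_IDS + 1, 40};
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("%2d IDs -> acked %2d, heap fallback %s\n", sizes[i],
               sample_acked(sizes[i]), sample_used_heap(sizes[i]) ? "yes" : "no");
    return 0;
}
```

The point to take from the checked version is that the bound on the stack array is enforced by the allocation decision itself, not by a separate length check that a later refactor could drop: any count above `STATIC_IDS` never touches the stack buffer at all.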


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can cause a denial of service via redis-server crash and, under favorable conditions, remote code execution in the context of the Redis server process. Because the overflow is stack-based and attacker-controlled stream ID values are written beyond the fixed buffer, an attacker may overwrite control-flow data such as the saved return address. The Redis advisory states this may lead to full compromise of confidentiality, integrity, and availability of the affected server. Supporting research further indicates that default Redis deployments without authentication materially increase real-world exposure, although reliable weaponization on hardened systems may require bypasses for ASLR and, where enabled, stack canaries.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, prevent untrusted users from invoking XACKDEL. The vendor advisory states this can be done with Redis ACLs to restrict the XACKDEL command. Additionally, reduce exposure by requiring authentication, limiting network access to trusted clients only, and avoiding direct internet exposure of Redis instances until patched.

Remediation

Patch, then assume compromise.

Upgrade redis-server to a fixed version. The provided advisory states the issue is fixed in Redis 8.2.3 or later. Apply the vendor patch/release that changes XACKDEL handling so that large ID lists are stored in heap-allocated memory rather than the fixed-size stack buffer. After upgrading, validate that all Redis instances, including container images and embedded deployments, are running the patched build.
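A fleet check for the remediation and mitigation steps above, added here as an example rather than anything from the advisory: it parses the `redis_version:` line from the output of Redis's `INFO server` command and reports whether an instance sits in the affected range (8.2.0 up to, but not including, the fixed release 8.2.3). The INFO excerpts are constructed, and the function names are assumptions; collecting the real INFO output from each instance (for example with `redis-cli INFO server`) is left to the operator.

```c
#include <stdio.h>
#include <string.h>

typedef struct { int major, minor, patch; } redis_version;

/* Pull major.minor.patch out of the "redis_version:" line of INFO output.
 * Returns 0 on success, -1 when the line is missing or malformed. */
int parse_redis_version(const char *info, redis_version *out) {
    const char *p = strstr(info, "redis_version:");
    if (p == NULL) return -1;
    p += strlen("redis_version:");
    if (sscanf(p, "%d.%d.%d", &out->major, &out->minor, &out->patch) != 3)
        return -1;
    return 0;
}

/* Component-wise comparison: negative, zero or positive, like strcmp. */
static int version_cmp(redis_version a, redis_version b) {
    if (a.major != b.major) return a.major - b.major;
    if (a.minor != b.minor) return a.minor - b.minor;
    return a.patch - b.patch;
}

/* 1 if the instance is in the affected range (8.2.0 up to, not including,
 * the fixed release 8.2.3), 0 if outside it, -1 if INFO could not be parsed. */
int redis_affected_by_cve_2025_62507(const char *info) {
    redis_version v;
    const redis_version first_affected = {8, 2, 0};
    const redis_version fixed = {8, 2, 3};
    if (parse_redis_version(info, &v) != 0) return -1;
    return version_cmp(v, first_affected) >= 0 && version_cmp(v, fixed) < 0;
}

/* Constructed INFO server excerpts standing in for real instance output. */
const char INFO_VULNERABLE[] =
    "# Server\r\nredis_version:8.2.1\r\nredis_mode:standalone\r\n";
const char INFO_PATCHED[] = "# Server\r\nredis_version:8.2.3\r\n";
const char INFO_OLDER[]   = "# Server\r\nredis_version:7.2.4\r\n";
const char INFO_BROKEN[]  = "# Server\r\nredis_mode:standalone\r\n";

int main(void) {
    const char *names[] = {"vulnerable", "patched", "older", "broken"};
    const char *infos[] = {INFO_VULNERABLE, INFO_PATCHED, INFO_OLDER, INFO_BROKEN};
    for (int i = 0; i < 4; i++) {
        int r = redis_affected_by_cve_2025_62507(infos[i]);
        printf("%-10s -> %s\n", names[i],
               r < 0 ? "could not parse redis_version"
               : r   ? "AFFECTED: upgrade, or deny XACKDEL via ACL until patched"
                     : "not in affected range");
    }
    return 0;
}
```

An unparsable INFO response is reported separately rather than treated as "not affected", so an instance that refuses INFO or returns something unexpected shows up for manual follow-up instead of silently passing. For instances flagged as affected that cannot be upgraded immediately, the advisory's ACL workaround applies; a rule of the form `ACL SETUSER <user> -xackdel` removes the command from that user, with the exact users and rule set being an operator decision.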
PUBLIC EXPLOITS

Exploits

4 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.

Valid: 4 / 4 total
redis-cve-2025-62507 · Maturity: PoC · Verified exploit

Repository is a standalone exploit research project for CVE-2025-62507, a claimed stack buffer overflow in Redis 8.2.x/8.2.0 reachable through the XACKDEL command. The repo contains two primary exploit implementations in scripts/: exploit_x86.py and exploit_arm64.py. Both speak Redis directly over raw TCP using RESP, prepare a test stream/group, then send an oversized XACKDEL request with many crafted stream IDs to overflow the stack and hijack control flow. The x86 exploit is the clearest operational payload. It computes absolute gadget addresses from operator-supplied redis/libc/stack bases, uses gadgets pop rdi; ret, pop rsi; ret, pop rdx; ret, and call rsp, calls libc mprotect to mark stack memory executable, and places shellcode on the stack. That shellcode calls libc system() with a hardcoded reverse-shell command to 172.17.0.1:4444. The ARM64 exploit is more elaborate, using a documented gadget chain (G5, G_SET_X2_7, LDR_X0_CLEAN, LDR_X1_CLEAN, MOV_X3_X19, BLR_X3) to set up mprotect(stack_page, 0x20000, 7) and then jump into shellcode. Supporting repository structure includes: binaries/ helper scripts for gadget and symbol extraction (pwntools/capstone/ROPgadget-based), docker-compose-vulnerable.yml for a host-networked Redis 8.2.0 lab container with ptrace enabled, scripts/gdb_with_symbols.sh for live debugging, and extensive docs/ writeups describing stack layout, gadget offsets, reproduction steps, and ROP-chain rationale. The empty gadget text files appear to be placeholders or outputs for prior analysis. Overall, this is not merely a detector or crash PoC; it is an operational exploit lab with hardcoded RCE payload behavior, but it depends on externally obtained memory addresses rather than containing its own leak primitive.

GartonChan · Disclosed Jun 2, 2026 · python, bash, network, web
CVE-2025-49844 · Maturity: PoC · Verified exploit

This repository is a small multi-file exploit lab centered on Redis vulnerabilities, primarily CVE-2025-49844 ('RediShell') and secondarily CVE-2025-62507. It is not part of a known exploit framework. The structure includes several Python exploit variants, one Node.js PoC, a standalone Lua repro script, a helper script for brute-forcing a PIE base address, and Docker artifacts for spinning up an intentionally insecure Redis test environment.

The CVE-2025-49844 content focuses on Lua interpreter abuse via EVAL. Multiple files build nearly identical Lua heap-spray / re-entrant garbage-collection scripts using newproxy, loadstring, collectgarbage, and repeated allocations to try to trigger a use-after-free and restore restricted functions such as os.execute or print. The more advanced Python variants analyze a local redis-server ELF with pwntools, compute symbol offsets such as luaEngineInitEngine or luaopen_base, and then send raw RESP EVAL requests to a remote Redis instance. Some variants proceed to a second stage that attempts command execution with a hardcoded bash reverse shell to an attacker-supplied IP and port. The helper script find_base.py tries to brute-force the PIE base address by repeatedly sending EVAL payloads and checking for a successful RESP bulk-string response.

The Node.js file POC.js is a more feature-rich Redis client/PoC wrapper. It implements RESP encoding/parsing manually over a TCP socket, supports authentication, and exposes modes such as check/basic/sandbox/advanced/custom/sh/all. Based on the visible code and README, it is intended to test connectivity, verify Lua availability, attempt simplified UAF/sandbox-escape behaviors, and optionally run a shell-oriented payload. This makes the repository operational rather than a pure readme or detector.

The Dockerfile and docker-compose.yml create a lab Redis instance with protected-mode disabled, bind 0.0.0.0, and expose Redis externally. This is clearly for local testing and makes the target reachable on host port 6380.

A separate file, CVE-2025-62507_Crash_Working_PoC_BufferOverflow.py, is the clearest working exploit artifact in the repo. It connects to Redis on TCP/6379, creates a stream/consumer group with XGROUP CREATE mystream mygroup 0-0 MKSTREAM, then sends an XACKDEL command with an excessive number of crafted stream IDs to overflow a fixed-length vector and crash the server. This is a network-reachable crash PoC for Redis and appears more reliable than the RediShell RCE attempts.

Overall, the repository's purpose is exploratory exploit development against Redis: testing whether CVE-2025-49844 can yield sandbox escape/RCE and documenting that the authors more reliably achieved crashes than code execution, while also including a separate working crash PoC for CVE-2025-62507.

open-flaw · Disclosed Apr 6, 2026 · python, javascript, network, web
CVE-2025-49844 · Maturity: PoC · Verified exploit

This repository is a mixed Redis exploit lab focused mainly on CVE-2025-49844 ('RediShell') with an additional crash PoC for CVE-2025-62507. It is not tied to a major exploit framework. The structure includes multiple iterative Python exploit attempts, one JavaScript PoC, a Lua repro script, and Docker artifacts for standing up an intentionally insecure Redis test instance.

Repository layout and purpose:
- Dockerfile + docker-compose.yml: build a Redis 7.2.0 lab container, disable protected mode, bind on 0.0.0.0, and expose Redis on host port 6380.
- exploit_poc.py and POC.js: general-purpose PoC clients that connect to Redis, check version/Lua availability, and run staged tests such as basic UAF triggering, sandbox-boundary checks, and more advanced corruption attempts.
- exploit.py, exploit_poc_another_one.py, exploit_poc_another_attempt.py, exploit_poc_one_more_attempt.py: more aggressive/manual exploitation attempts for CVE-2025-49844. These scripts craft Lua heap-spray / GC re-entrancy payloads, compute target function addresses from a local redis-server ELF and a supplied base address, then try to restore blocked Lua functions (print, os.execute) or directly execute a reverse shell.
- find_base.py: helper script intended to brute-force the PIE base address by repeatedly sending EVAL payloads and checking for a success indicator.
- korean_puzzle_piece.lua: standalone Lua repro script for the GC-during-parsing condition.
- CVE-2025-62507_Crash_Working_PoC_BufferOverflow.py: separate PoC targeting Redis XACKDEL with an oversized IDS vector to trigger a stack overflow/crash.
- README.md: candid notes indicating the author could reproduce crashes but not reliable code execution for CVE-2025-49844, and that CVE-2025-62507 appeared more reliably crashable.

Main exploit capabilities:
1. Network interaction with Redis over TCP, usually on localhost:6379 or docker-mapped localhost:6380.
2. Raw RESP command construction and EVAL delivery of attacker-controlled Lua scripts.
3. Lua GC re-entrancy/UAF triggering via newproxy, __gc metamethods, collectgarbage('collect'), loadstring, and heap churn/spraying.
4. Symbol-based targeting of redis-server internals such as luaEngineInitEngine, luaopen_base, and luaopen_os using pwntools ELF parsing and user-supplied base addresses.
5. Post-corruption command execution attempts using os.execute and a bash reverse shell to /dev/tcp/<attacker-ip>/<attacker-port>.
6. Crash-oriented exploitation of XACKDEL by sending more IDs than the static vector length supports.

Assessment of exploit quality:
- The repository contains real exploit-oriented code, not just documentation.
- However, the README and code comments show the CVE-2025-49844 RCE path is experimental and unstable; much of it is best treated as PoC/operational research code rather than a reliable weaponized exploit.
- The CVE-2025-62507 script is more straightforward and appears intended primarily to demonstrate a crash/overflow condition rather than full RCE.

Overall, this repository is best characterized as an exploit research collection for Redis vulnerabilities, combining lab setup, vulnerability checks, crash reproducers, and several iterative attempts at turning a Redis Lua interpreter memory corruption bug into sandbox escape and remote code execution.

dajneem23 · Disclosed Apr 6, 2026 · python, javascript, network, web
CVE-2025-62507-Buffer-Overflow_PoC · Maturity: PoC · Verified exploit

This repository provides two Python proof-of-concept (PoC) exploits for CVE-2025-62507, a buffer overflow vulnerability in Redis (likely version 8.2.x). The main exploit file (CVE-2025-62507-BO-Crash-PoC.py) attempts to achieve remote code execution by sending a carefully crafted payload via the XACKDEL command to a Redis server. The payload is constructed as a series of stream IDs, with the intent to overflow a stack buffer and execute a ROP chain that could spawn a shell. The exploit requires knowledge of specific memory addresses (gadgets) for a successful ROP chain, which are placeholders in the provided code. The secondary script (CVE-2025-62507_Crash_GDB.py) demonstrates a simpler crash scenario, primarily useful for debugging and confirming the overflow condition, especially under GDB. Both scripts use the pwntools library to interact with the target Redis server over the network (default: 127.0.0.1:6379). The README provides context, stack traces, and analysis of the crash, confirming the exploitability of the vulnerability. No hardcoded external endpoints are present; the scripts target a configurable Redis instance. The repository is a functional PoC for DoS and a partial PoC for RCE, requiring further development for a fully weaponized exploit.

Network-Sec · Disclosed Nov 15, 2025 · python, markdown, network
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor   Product        Type
Redis    Redis          application
Redis    Redis-Server   application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
