RediShell: Use-after-free RCE in Redis Lua scripting
CVE-2025-49844, also referred to as RediShell, is a critical use-after-free vulnerability in Redis's Lua scripting subsystem. The issue affects Redis up to and including 8.2.1, and the underlying bug is reported to exist in every Redis version that ships Lua scripting. The flaw is triggered by a specially crafted Lua script that manipulates the Lua garbage collector so that a freed object is reused, enabling an escape from the Lua sandbox and potentially native code execution on the Redis host. Exploitation requires the ability to submit Lua scripts (for example via EVAL), so an attacker needs either authenticated access or an instance exposed without authentication. The root cause is attributed to the Lua parser path, specifically luaY_parser(), where a TString created by luaS_new() is not anchored on the Lua stack and can therefore be reclaimed by a garbage-collection cycle that runs during parsing. The issue was fixed in Redis 8.2.2; the upstream Redis fix is referenced as commit d5728cb.
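To make the root cause concrete, here is a small Python model, written for this page and not taken from Lua, Redis, or any of the PoC repositories described below, of a mark-sweep collector whose only roots are an explicit stack. parse_chunk mirrors the shape of luaY_parser: the chunk name is interned first, the function prototype is opened (and anchored, as the real code does), lexing allocates further objects, and only then is the name stored into the prototype. If a collection runs during that window and the name string was never placed on the root stack, the prototype ends up pointing at freed memory. The names Heap, Obj, parse_chunk and the every-third-allocation trigger are illustrative assumptions; real Lua collects on accumulated GC debt rather than a fixed count.

```python
from dataclasses import dataclass


@dataclass(eq=False)
class Obj:
    kind: str
    payload: object = None
    freed: bool = False      # set by the sweeper; any later read is a use-after-free


class Heap:
    """Mark-sweep heap whose only roots are an explicit stack. A full
    collection runs inside every gc_every-th allocation, standing in for the
    GC debt that parsing builds up as it allocates strings and prototypes."""

    def __init__(self, gc_every=3):
        self.objects = []
        self.stack = []          # GC roots (the interpreter's value stack)
        self.gc_every = gc_every
        self.allocs = 0

    def new(self, kind, payload=None):
        self.allocs += 1
        if self.allocs % self.gc_every == 0:
            self.collect()       # the collection happens *inside* allocation
        obj = Obj(kind, payload)
        self.objects.append(obj)
        return obj

    def collect(self):
        marked = set()
        work = list(self.stack)
        while work:
            obj = work.pop()
            if id(obj) in marked:
                continue
            marked.add(id(obj))
            if isinstance(obj.payload, list):
                work.extend(o for o in obj.payload if isinstance(o, Obj))
        for obj in self.objects:
            if id(obj) not in marked:
                obj.freed = True
        self.objects = [o for o in self.objects if not o.freed]


def parse_chunk(heap, chunk_name, anchor_source):
    """Shape of luaY_parser: intern the chunk name, open the prototype (which
    the real code does anchor), allocate while lexing, then record the name."""
    source = heap.new("TString", chunk_name)
    if anchor_source:
        heap.stack.append(source)        # the fix: make it reachable first
    proto = heap.new("Proto")
    heap.stack.append(proto)             # open_func anchors the prototype
    for _ in range(4):                   # lexing allocates; GC can run here
        heap.new("TString", "token")
    proto.payload = [source]             # f->source = the (possibly freed) name
    if anchor_source:
        heap.stack.remove(source)        # safe now: proto keeps it reachable
    return proto


def source_is_dangling(anchor_source):
    """True when the prototype ends up pointing at a collected TString."""
    heap = Heap(gc_every=3)
    proto = parse_chunk(heap, "user_script", anchor_source)
    return proto.payload[0].freed


if __name__ == "__main__":
    print("unanchored:", source_is_dangling(False))   # True: the bug
    print("anchored:  ", source_is_dangling(True))    # False: the fix
```

The invariant the model illustrates is the general one for tracing collectors with conservative-free roots: any object created before a call that may allocate must already be reachable from a root, because the collector has no other way to know it is still needed. The fix in Redis is exactly that, pushing the TString on the Lua stack before parsing continues.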
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
9 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository is a small multi-file exploit lab centered on Redis vulnerabilities, primarily CVE-2025-49844 ('RediShell') and secondarily CVE-2025-62507. It is not part of a known exploit framework. The structure includes several Python exploit variants, one Node.js PoC, a standalone Lua repro script, a helper script for brute-forcing a PIE base address, and Docker artifacts for spinning up an intentionally insecure Redis test environment. The CVE-2025-49844 content focuses on Lua interpreter abuse via EVAL. Multiple files build nearly identical Lua heap-spray / re-entrant garbage-collection scripts using newproxy, loadstring, collectgarbage, and repeated allocations to try to trigger a use-after-free and restore restricted functions such as os.execute or print. The more advanced Python variants analyze a local redis-server ELF with pwntools, compute symbol offsets such as luaEngineInitEngine or luaopen_base, and then send raw RESP EVAL requests to a remote Redis instance. Some variants proceed to a second stage that attempts command execution with a hardcoded bash reverse shell to an attacker-supplied IP and port. The helper script find_base.py tries to brute-force the PIE base address by repeatedly sending EVAL payloads and checking for a successful RESP bulk-string response. The Node.js file POC.js is a more feature-rich Redis client/PoC wrapper. It implements RESP encoding/parsing manually over a TCP socket, supports authentication, and exposes modes such as check/basic/sandbox/advanced/custom/sh/all. Based on the visible code and README, it is intended to test connectivity, verify Lua availability, attempt simplified UAF/sandbox-escape behaviors, and optionally run a shell-oriented payload. This makes the repository operational rather than a pure readme or detector. The Dockerfile and docker-compose.yml create a lab Redis instance with protected-mode disabled, bind 0.0.0.0, and expose Redis externally; this is clearly a local-testing setup that makes the target reachable on host port 6380. A separate file, CVE-2025-62507_Crash_Working_PoC_BufferOverflow.py, is the clearest working exploit artifact in the repo. It connects to Redis on TCP/6379, creates a stream/consumer group with XGROUP CREATE mystream mygroup 0-0 MKSTREAM, then sends an XACKDEL command with an excessive number of crafted stream IDs to overflow a fixed-length vector and crash the server. This is a network-reachable crash PoC for Redis and appears more reliable than the RediShell RCE attempts. Overall, the repository's purpose is exploratory exploit development against Redis: testing whether CVE-2025-49844 can yield sandbox escape/RCE and documenting that the authors more reliably achieved crashes than code execution, while also including a separate working crash PoC for CVE-2025-62507.
This repository is a mixed Redis exploit lab focused mainly on CVE-2025-49844 ('RediShell') with an additional crash PoC for CVE-2025-62507. It is not tied to a major exploit framework. The structure includes multiple iterative Python exploit attempts, one JavaScript PoC, a Lua repro script, and Docker artifacts for standing up an intentionally insecure Redis test instance.

Repository layout and purpose:
- Dockerfile + docker-compose.yml: build a Redis 7.2.0 lab container, disable protected mode, bind on 0.0.0.0, and expose Redis on host port 6380.
- exploit_poc.py and POC.js: general-purpose PoC clients that connect to Redis, check version/Lua availability, and run staged tests such as basic UAF triggering, sandbox-boundary checks, and more advanced corruption attempts.
- exploit.py, exploit_poc_another_one.py, exploit_poc_another_attempt.py, exploit_poc_one_more_attempt.py: more aggressive/manual exploitation attempts for CVE-2025-49844. These scripts craft Lua heap-spray / GC re-entrancy payloads, compute target function addresses from a local redis-server ELF and a supplied base address, then try to restore blocked Lua functions (print, os.execute) or directly execute a reverse shell.
- find_base.py: helper script intended to brute-force the PIE base address by repeatedly sending EVAL payloads and checking for a success indicator.
- korean_puzzle_piece.lua: standalone Lua repro script for the GC-during-parsing condition.
- CVE-2025-62507_Crash_Working_PoC_BufferOverflow.py: separate PoC targeting Redis XACKDEL with an oversized IDS vector to trigger a stack overflow/crash.
- README.md: candid notes indicating the author could reproduce crashes but not reliable code execution for CVE-2025-49844, and that CVE-2025-62507 appeared more reliably crashable.

Main exploit capabilities:
1. Network interaction with Redis over TCP, usually on localhost:6379 or docker-mapped localhost:6380.
2. Raw RESP command construction and EVAL delivery of attacker-controlled Lua scripts.
3. Lua GC re-entrancy/UAF triggering via newproxy, __gc metamethods, collectgarbage('collect'), loadstring, and heap churn/spraying.
4. Symbol-based targeting of redis-server internals such as luaEngineInitEngine, luaopen_base, and luaopen_os using pwntools ELF parsing and user-supplied base addresses.
5. Post-corruption command execution attempts using os.execute and a bash reverse shell to /dev/tcp/<attacker-ip>/<attacker-port>.
6. Crash-oriented exploitation of XACKDEL by sending more IDs than the static vector length supports.

Assessment of exploit quality:
- The repository contains real exploit-oriented code, not just documentation.
- However, the README and code comments show the CVE-2025-49844 RCE path is experimental and unstable; much of it is best treated as PoC/operational research code rather than a reliable weaponized exploit.
- The CVE-2025-62507 script is more straightforward and appears intended primarily to demonstrate a crash/overflow condition rather than full RCE.

Overall, this repository is best characterized as an exploit research collection for Redis vulnerabilities, combining lab setup, vulnerability checks, crash reproducers, and several iterative attempts at turning a Redis Lua interpreter memory corruption bug into sandbox escape and remote code execution.
This repository is a small single-file proof-of-concept exploit for CVE-2025-49844 targeting Redis 8.2.1. The structure is minimal: one main Python exploit script (CVE-2025-49844.py), a short README, and a requirements file. The Python script is the clear entry point and contains the full exploit chain, target metadata structures, shellcode generation logic, CLI handling, and execution flow. The exploit is not a scanner or detector; it is an active RCE PoC. Its stated purpose is to exploit a Redis Lua use-after-free condition and deliver a reverse shell. The code imports the redis Python client to communicate with the target Redis server and uses iced-x86 to dynamically assemble native x86-64 shellcode. The shellcode builder includes a reverse-shell routine that prepares a sockaddr structure from an operator-supplied IPv4 address and port, creates a TCP socket, connects back to the listener, duplicates file descriptors, and executes /bin/sh. The code also references low-level runtime addresses such as luaAlloc, mprotect, and pthread_create, indicating the exploit performs memory corruption and control-flow pivoting rather than simple command injection. The command-line interface supports specifying the Redis target host and port (-H/-P) and the callback listener host and port (-l/-p). Defaults are 127.0.0.1:6379 for Redis and 127.0.0.1:4444 for the reverse shell. The README confirms the repository’s purpose as a reverse-shell PoC and points to an original upstream PoC. Overall, this is an operational exploit PoC for remote network-based exploitation of a vulnerable Redis instance. It contains a real payload, requires a vulnerable target and a reachable attacker listener, and is designed to achieve code execution with a reverse shell rather than merely demonstrating a crash or checking exposure.
This repository contains a proof-of-concept exploit for CVE-2025-49844 (RediShell), targeting specific vulnerable versions of Redis. The main file, exploit.py, is a Python script that connects to a Redis instance, checks if it is vulnerable based on its version, and then delivers a custom 64-bit shellcode payload via a Lua script. The payload is designed to open a reverse shell from the Redis server to an attacker-controlled machine, granting remote command execution. The exploit requires the attacker to specify their own IP and port to receive the shell. The README notes that this is an AI-generated, untested PoC, and the exploit is based on a conceptual approach. The repository structure is simple, with a single exploit script and a README. The exploit leverages the Redis Lua scripting engine and memory manipulation to hijack execution flow and run arbitrary shellcode.
This repository is a proof-of-concept exploit for CVE-2025-49844 (RediShell), targeting the x86-64 Linux build of Redis 8.2.1 as distributed in the official Docker image. The repository contains 10 files, with the main exploit logic implemented in 'main.py' (37kB) and a demonstration script in 'demonstration.py'. The exploit leverages a vulnerability in Redis's Lua scripting engine to inject and execute arbitrary x86-64 shellcode. It supports two main capabilities: executing arbitrary shell commands on the Redis server, or establishing a reverse shell to an attacker-specified IP and port. The exploit is delivered via the Redis protocol (TCP port 6379), and the default configuration targets a local Redis instance for testing. The repository includes Docker and Compose files to facilitate local testing with the correct Redis version. The exploit is a functional proof-of-concept, not weaponized, and is intended for research and demonstration purposes.
This repository contains a Python exploit (redis_exploit.py) targeting CVE-2025-49844, a use-after-free (UAF) vulnerability in Redis. The exploit connects to a specified Redis server (default localhost:6379), checks for vulnerable versions (7.2 < 7.2.11, 7.4 < 7.4.6, 8.0 < 8.0.4, 8.2 < 8.2.2), and requires Lua scripting to be enabled. It performs heap spraying, creates UAF objects via Lua scripts, triggers the UAF, leaks memory, locates ROP gadgets, builds and executes shellcode, and can establish a reverse shell to an attacker-specified host and port. The exploit is operational and provides remote code execution and persistence capabilities. The repository includes a README with usage instructions, a requirements.txt for dependencies, and a license file. No hardcoded external endpoints are present; the exploit targets user-specified Redis instances over the network.
This repository provides a proof-of-concept (PoC) exploit for CVE-2025-49844 (RediShell), a critical use-after-free vulnerability in the Redis Lua interpreter. The main exploit logic is implemented in 'exploit_poc.py', a Python script that connects to a target Redis server (default localhost:6379, configurable via command-line), checks for Lua scripting support, and executes crafted Lua scripts to trigger the vulnerability. The script supports multiple modes: basic UAF trigger, sandbox escape attempts, and advanced memory corruption demonstration. The payloads are Lua scripts executed via the Redis EVAL command. The repository includes a Dockerfile and docker-compose.yml to set up a vulnerable Redis 7.2.0 instance with insecure settings (protected mode off, open to the network) for testing. No hardcoded IPs or domains are present, but the exploit targets TCP endpoints (default Redis port). The repository is structured for educational and authorized testing purposes, with clear warnings against unauthorized use. The exploit is a PoC and does not provide a weaponized or fully automated attack chain.
This repository contains a Python-based exploit for CVE-2025-49844, a Use-After-Free (UAF) vulnerability in the Redis Lua interpreter. The main exploit logic resides in 'redis_exploit.py', which implements a multi-stage attack: it connects to a target Redis server, checks for vulnerability, detects architecture, performs heap spraying, creates UAF objects, leaks memory to bypass ASLR, constructs a ROP chain to bypass DEP/NX, and finally executes arbitrary shellcode. The exploit can establish a reverse shell to the attacker's machine and optionally create a persistent backdoor. The exploit is configurable via command-line arguments for target host, port, authentication, and reverse shell parameters. The README provides detailed usage instructions, supported Redis versions, and detection guidance. The repository is operational and suitable for real-world exploitation of vulnerable Redis instances.
This repository provides a practical lab and proof-of-concept (PoC) exploit for CVE-2025-49844 (RediShell), a critical use-after-free vulnerability in the Redis Lua interpreter that can lead to remote code execution. The repository includes a Dockerfile and docker-compose.yml to set up a vulnerable Redis 7.2.0 instance with intentionally insecure settings (protected-mode disabled, bound to 0.0.0.0, port 6379 exposed as 6380). The main exploit logic resides in 'exploit_poc.py', a Python script that connects to the Redis instance, checks for the vulnerability, and executes various Lua scripts to trigger the UAF, test sandbox boundaries, and demonstrate memory corruption. The exploit is interactive and supports multiple modes (check, basic, sandbox, advanced, all), with optional authentication. The README.md provides detailed setup, usage instructions, and security recommendations. The exploit is a proof-of-concept and does not include a weaponized payload, but demonstrates the core vulnerability and its potential impact. No hardcoded IPs or domains are present; the default target is localhost:6380 as configured in the lab. The repository is structured for educational and testing purposes, not for real-world attacks.
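Turning the material above to defensive use: the exploit summaries cite the first fixed release on each branch (7.2.11, 7.4.6, 8.0.4, 8.2.2) and describe PoCs that hand-build RESP frames to deliver EVAL. The following exposure check, added for this page and not taken from any of the repositories described here or from Redis, encodes INFO server as a RESP command, decodes the bulk-string reply, decides whether the reported build is affected, and for unpatched hosts emits the ACL rule that removes the Lua scripting attack surface. Assumptions, marked in the code as well: SAMPLE_INFO is a constructed reply; branches older than 7.2 are treated as affected (the page states the bug exists in every version with Lua scripting and lists no fix for them) and branches newer than 8.2 as released with the fix; the live check connects without authentication; and denying the @scripting category is acceptable only where the application does not use server-side Lua (EVAL and EVALSHA are the minimum to deny).

```python
import socket

# First fixed release on each branch, as cited on this page for CVE-2025-49844.
FIXED = {(7, 2): (7, 2, 11), (7, 4): (7, 4, 6), (8, 0): (8, 0, 4), (8, 2): (8, 2, 2)}

# Constructed sample of an `INFO server` reply; not captured from a real host.
SAMPLE_INFO = "# Server\r\nredis_version:8.2.1\r\nredis_mode:standalone\r\n"


def encode_command(*args):
    """RESP2 array of bulk strings: the wire form of every Redis command,
    including the EVAL requests the PoCs above send."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        data = arg.encode() if isinstance(arg, str) else arg
        parts.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(parts)


def decode_bulk(reply):
    """Parse one RESP bulk string ($<len>\\r\\n<bytes>\\r\\n). Returns None for
    the null bulk string ($-1); raises ValueError on a partial frame so the
    caller can keep reading from the socket."""
    if not reply.startswith(b"$"):
        raise ValueError("not a bulk string: %r" % reply[:16])
    head, sep, rest = reply.partition(b"\r\n")
    if not sep:
        raise ValueError("incomplete header")
    length = int(head[1:])
    if length < 0:
        return None
    if len(rest) < length + 2 or rest[length:length + 2] != b"\r\n":
        raise ValueError("incomplete bulk string")
    return rest[:length]


def parse_version(info_text):
    for line in info_text.splitlines():
        if line.startswith("redis_version:"):
            return tuple(int(x) for x in line.split(":", 1)[1].strip().split("."))
    raise ValueError("redis_version not found in INFO output")


def is_affected(version):
    branch = version[:2]
    if branch in FIXED:
        return version < FIXED[branch]
    if branch < min(FIXED):
        return True     # assumption: older branches affected, no fix listed here
    return False        # assumption: branches after 8.2 were released with the fix


def mitigation_rule(user="default"):
    """Compensating control while unpatched: deny the scripting command category
    (EVAL, EVALSHA and related) to users who do not need it. Assumes the
    application does not rely on server-side Lua."""
    return "ACL SETUSER %s -@scripting" % user


def triage(info_text, user="default"):
    version = parse_version(info_text)
    affected = is_affected(version)
    fixed = FIXED.get(version[:2])
    return {
        "version": ".".join(map(str, version)),
        "affected": affected,
        "fixed_in": ".".join(map(str, fixed)) if fixed else None,
        "mitigation": mitigation_rule(user) if affected else None,
    }


def fetch_info(host, port, timeout=3.0):
    """Live variant: send INFO server and decode the reply. Assumes an
    unauthenticated connection; a -NOAUTH error surfaces as RuntimeError."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(encode_command("INFO", "server"))
        buf = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                raise RuntimeError("connection closed before a full reply")
            buf += chunk
            if buf.startswith(b"-"):
                raise RuntimeError(buf.decode(errors="replace").strip())
            try:
                return (decode_bulk(buf) or b"").decode(errors="replace")
            except ValueError:
                continue        # partial frame, keep reading


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print(triage(fetch_info(sys.argv[1], int(sys.argv[2]))))
    else:
        print(triage(SAMPLE_INFO))
```

Run it as `python3 check.py <host> <port>` against an instance you are authorised to test, or with no arguments to see the decision for the constructed 8.2.1 sample. The ACL rule is a stopgap: it closes the EVAL path the exploits depend on but does nothing for users who keep scripting rights, so patching remains the remediation.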
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
228 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Redis vulnerability used to target 1,010 instances.
A critical Redis authenticated remote code execution vulnerability that bypasses the Lua sandbox by manipulating the garbage collector to achieve native code execution. Its use by P2Pinfect is assessed only with low confidence in this report.
A critical Redis Lua sandbox escape remote code execution vulnerability that allows an authenticated user to bypass the Lua sandbox via a malicious script manipulating the garbage collector to achieve native code execution.
A Redis use-after-free vulnerability in Lua interpreter script handling via the load command.