Redis Lua Use-After-Free in Master-Replica Synchronization

DarkReplica is a standalone Python exploit for CVE-2026-23631, described as a Redis post-auth RCE. The repository is not a generic framework module; it is a purpose-built exploit package with a CLI entry point in `dark_replica/__main__.py`, core exploitation logic in `dark_replica/exploit.py`, a minimal fake Redis master implementation under `dark_replica/master_server/`, Lua staging resources under `dark_replica/resources/lua/`, and helper code for crafting Redis RDB payloads and modeling Lua internal structures. Operationally, the exploit connects to a target Redis server using redis-py, optionally authenticates, flushes existing functions/scripts, and then prepares a multi-stage attack. It starts an attacker-controlled TCP server that impersonates a Redis master. The target is forced to replicate from this fake master using `SLAVEOF`, and the fake master handles `PING`, `REPLCONF`, and `PSYNC/SYNC`, replying with `FULLRESYNC` and a crafted RDB payload. That RDB payload contains staged Lua/function content used later in the exploit chain. The Lua stages are central to the exploit. `slow_function.lua` registers a function (`scam` in library `hoax`) that creates coroutine activity, enters an infinite loop to block execution, and manipulates bytecode layout to support the use-after-free trigger. `stage1.lua` performs heap spraying and controlled allocations, builds fake Lua tables/stack objects, stores the operator command payload in memory, and returns useful addresses. `stage2.lua` sprays serialized fake `lua_State` and bytecode objects and registers a function to pin them against garbage collection. `stage3.lua` implements arbitrary read/write primitives using corrupted Lua table metadata, derives the Redis base from `os.clock`, resolves libc via `umask@got.plt`, computes `system`, forges a fake `global_State`, and corrupts a coroutine state so that resuming it reaches a path that invokes `system(command_payload)`. The exploit depends on target-specific symbol offsets supplied in JSON5 format. Example offsets are included for the official `redis:latest` Docker image and Redis 8.6.2. The helper script `extract_offsets.sh` extracts required offsets (`os_clock`, `umask@got.plt`, `umask`, `system`) from Redis and libc ELF files using `readelf`. This indicates the exploit is practical but environment-sensitive rather than fully universal. Repository structure is coherent and purposeful: Python code orchestrates the attack, Lua templates implement memory corruption stages, `rdb/writer.py` builds a valid Redis RDB with function records, and `master_server/client.py` emulates enough of the replication protocol to deliver the malicious payload. Overall, this is a real exploit repository implementing post-auth network-based RCE against vulnerable Redis instances, with an operator-provided command payload and a custom fake-master delivery mechanism.