Create sitecore_xp_cve_2025_27218.rb

[machang-r7]

Module exploits CVE-2025-27217, a .NET deserialization vulnerability for Sitecore.

Couldn't figure out any checks.

All it does is generate a serialized .NET object with the payload in it, then sends it in a HTTP header.

The exploit works when browsing to Sitecore pages, so any HTTP status code other than 200 in the response most likely means the request failed.

[sjanusz-r7]

For a def check method, we could have:

• A sleep command, then checking if the response from the server comes back after the sleep time. This would only work if the server execution is synchronous.
• If we can make sure the website is Sitecore and perform a version check from the response/page body, we could have a returns CheckCode::Detected as a check result.

[sjanusz-r7]

The indentation here is a little off.
Seeing how the linting workflow is also currently failing, we can run rubocop on the module in the metasploit-framework directory (might need to prefix the rubocop command with bundle exec):

1 file inspected, 41 offenses detected, 40 offenses autocorrectable
modules/exploits/windows/http/sitecore_xp_cve_2025_27218.rb - [ERROR] Rubocop failed. Please run rubocop -a modules/exploits/windows/http/sitecore_xp_cve_2025_27218.rb and verify all issues are resolved

[sjanusz-r7]

Suggested change

'Space' => 3000,

[sjanusz-r7]

Would a Windows Fetch payload work here, with the default curl option?

[sjanusz-r7]

We use ARCH_CMD as a Windows Command target, so we can add it here:

Suggested change

	'Arch' => [ARCH_X86, ARCH_X64],
	'Arch' => [ARCH_X86, ARCH_X64, ARCH_CMD],

[sjanusz-r7]

Suggested change

'RPORT' => 443,

[github-actions]

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

• Writing Module Documentation
• Template
• Examples