Conversation

@Chocapikk
Contributor

@Chocapikk Chocapikk commented Nov 24, 2025

Hello Metasploit Team,

This PR adds a new exploit module for CVE-2025-54236 (SessionReaper), a critical vulnerability in Magento/Adobe Commerce that allows unauthenticated remote code execution.

The vulnerability stems from improper handling of nested deserialization in the payment method context, combined with an unauthenticated file upload endpoint. The exploit chain consists of:

  1. Uploading a malicious PHP session file containing a Guzzle/FW1 deserialization payload via the unauthenticated /customer/address_file/upload endpoint
  2. Triggering deserialization by sending a crafted JSON payload to the REST API endpoint /rest/default/V1/guest-carts/{cart_id}/order that modifies the session savePath to point to the uploaded file
  3. Executing the uploaded PHP code to gain remote code execution

This module supports multiple targets:

  • PHP In-Memory (php/meterpreter/reverse_tcp)
  • Unix/Linux Command Shell (cmd/linux/http/x64/meterpreter/reverse_tcp)
  • Windows Command Shell (cmd/windows/http/x64/meterpreter/reverse_tcp)

The module includes:

  • Automatic vulnerability detection via the check() method
  • Support for both PHP and command payloads
  • Complete documentation with real-world examples
  • Automatic file cleanup using FileDropper mixin

The module has been tested against Magento 2.4.4 and passes all code quality checks (msftidy, rubocop, msftidy_docs).

Thanks
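A defender-side correlation suggested by the request sequence above, added here as an example and not part of this PR or the Metasploit module: it scans web-server access-log lines for a client that POSTs to the customer address-file upload endpoint and shortly afterwards calls a guest-cart order endpoint. The common/combined log layout, the optional store-code path segment and the ten-minute window are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoints named in the PR description. The store-code segment ("default")
# varies per deployment, so it is matched as an optional element (assumption).
UPLOAD_PATH = "/customer/address_file/upload"
ORDER_RE = re.compile(r"^/rest/(?:[^/]+/)?V1/guest-carts/[^/]+/order$")
# Common/combined access-log layout (assumed; adjust for your web server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return ip/ts/method/path/status for one line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # drop any query string
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": path, "status": int(m.group("status"))}

def find_sequences(lines, window=timedelta(minutes=10)):
    """Return (ip, upload_ts, order_ts) for each client that POSTed to the
    address-file upload endpoint and then called a guest-cart order endpoint
    within `window`. Either request alone is ordinary store traffic; the
    pairing from one client in a short span is what merits review."""
    uploads = defaultdict(list)
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST":
            continue
        if ev["path"] == UPLOAD_PATH:
            uploads[ev["ip"]].append(ev["ts"])
        elif ORDER_RE.match(ev["path"]):
            recent = [t for t in uploads[ev["ip"]] if timedelta(0) <= ev["ts"] - t <= window]
            if recent:
                hits.append((ev["ip"], max(recent), ev["ts"]))
    return hits

# Constructed sample lines (RFC 5737 documentation addresses), not real logs.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Nov/2025:20:05:11 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 512',
    '192.0.2.10 - - [24/Nov/2025:20:05:13 +0000] "POST /rest/default/V1/guest-carts/abc123/order HTTP/1.1" 500 231',
    '198.51.100.7 - - [24/Nov/2025:20:06:00 +0000] "POST /rest/default/V1/guest-carts/def456/order HTTP/1.1" 200 118',
    '203.0.113.5 - - [24/Nov/2025:20:07:00 +0000] "GET /customer/address_file/upload HTTP/1.1" 404 0',
]
```

Run against SAMPLE_LOG it reports only 192.0.2.10, whose upload and order call are two seconds apart; the lone order call from 198.51.100.7 and the GET from 203.0.113.5 are not flagged.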

@Chocapikk Chocapikk closed this Nov 24, 2025
@Chocapikk Chocapikk deleted the magento branch November 24, 2025 20:06
@Chocapikk Chocapikk restored the magento branch November 24, 2025 20:07
@Chocapikk Chocapikk reopened this Nov 24, 2025
@dledda-r7
Contributor

@Chocapikk Welcome back 🔥
