Skip to content

Add unauthenticated RCE on Shenzhen Aitemi M300 MT02 (CVE-2025-34152) #20455

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Add unauthenticated RCE on Shenzhen Aitemi M300 MT02 (CVE-2025-34152) #20455

wants to merge 3 commits into from

Conversation

Chocapikk
Copy link
Contributor

Hello Metasploit Team,

This new module exploits CVE-2025-34152 in the Shenzhen Aitemi M300 MT02 by abusing the time_conf endpoint to run arbitrary commands as root without triggering a reboot or altering network settings. It delivers a reliable RCE vector while keeping the HTTP interface fully operational.

msutovsky-r7
msutovsky-r7 reviewed Aug 7, 2025
View reviewed changes
modules/exploits/linux/http/aitemi_m300_time_rce.rb Outdated
Comment on lines 126 to 127
'Origin' => "http://#{rhost}",
'Referer' => "http://#{rhost}/network.html",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this required by exploitation? Could it be randomized?

Copy link
Contributor Author

@Chocapikk Chocapikk Aug 7, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey thank you, I have removed the headers in this commit: ff4ede9 They are not useful.

@Chocapikk Chocapikk force-pushed the aitemi_m300_time_rce branch from a1d46f6 to 4afb02c Compare August 7, 2025 19:52
@Chocapikk Chocapikk force-pushed the aitemi_m300_time_rce branch from 4afb02c to ff4ede9 Compare August 7, 2025 19:53
msutovsky-r7
msutovsky-r7 reviewed Aug 8, 2025
View reviewed changes
modules/exploits/linux/http/aitemi_m300_time_rce.rb

if res_html.body.include?('langen.js') && res_html.body.include?('dw(TT_SetWifiExt)')
print_good("HTML fingerprint matched in #{page} – UI strings detected")
return CheckCode::Vulnerable('HTML language markers confirmed')
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would suggest Appears as Vulnerable is used when you trigger vulnerability to confirm exploitability

Suggested change
return CheckCode::Vulnerable('HTML language markers confirmed')
return CheckCode::Appears('HTML language markers confirmed')

Also, I assume this is unpatched, or is there a upper vulnerable version?

documentation/modules/exploit/linux/http/aitemi_m300_time_rce.md
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a way to get firmware from device to emulate it?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@msutovsky-r7 msutovsky-r7 msutovsky-r7 left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
docs module
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Chocapikk @msutovsky-r7