Add unauthenticated RCE on Shenzhen Aitemi M300 MT02 (CVE-2025-34152) #20455
Conversation
Chocapikk
force-pushed
the
aitemi_m300_time_rce
branch
from
a1d46f6 to
4afb02c
Compare
Chocapikk
force-pushed
the
aitemi_m300_time_rce
branch
from
4afb02c to
ff4ede9
Compare
There was a problem hiding this comment.
Is there a way to get firmware from device to emulate it?
There was a problem hiding this comment.
@Chocapikk if you have a device with root perharps you could send us just a dummy rootfs? 👀, just bare minimum for us to chroot it?
There was a problem hiding this comment.
Hey, I need to see how to setup a lab for this, as I have the physical device I didn't need to create a lab. I'll try thanks
There was a problem hiding this comment.
@Chocapikk if you have a device with root perharps you could send us just a dummy rootfs? 👀, just bare minimum for us to chroot it?
There was a problem hiding this comment.
Nice! that would work great, just some side notes. the kernel appears to be an u-boot and generally is a PITA to get it running on qemu, most likely the best thing to do is to get a malta OpenWrt with kernel near to the one we have here (4.4) and just chroot the rootfs you shared.
I'll give it a shot
There was a problem hiding this comment.
Nice! that would work great, just some side notes. the kernel appears to be an u-boot and generally is a PITA to get it running on qemu, most likely the best thing to do is to get a
maltaOpenWrt with kernel near to the one we have here (4.4) and just chroot the rootfs you shared. I'll give it a shot
I was pretty close to getting it working. I used this kernel:
wget https://mirror-03.infra.openwrt.org/snapshots/targets/malta/be/openwrt-malta-be-vmlinux.elfThen I converted the vendor rootfs.bin into ext4 and booted it with:
qemu-system-mips -M malta -cpu 24Kf -m 256M \
-kernel openwrt-malta-be-vmlinux.elf \
-drive if=ide,file=rootfs.ext4,format=raw \
-append "console=ttyS0,115200 root=/dev/sda rootfstype=ext4 rootwait rw" \
-netdev user,id=net0,hostfwd=tcp::8080-:80 \
-device pcnet,netdev=net0 \
-nographicThe issue is that the network interface doesn't come up, probably because I overwrite the drivers when replacing the rootfs, and I just haven't been able to fix that.
There was a problem hiding this comment.
generally is better to have a proper openwrt rootfs and then chroot inside there, to avoid driver issues, also because I would expect is only the http needed to have an exploit running?
EDIT: Neither with standard rootfs the network come up... currently investigating
Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com>
Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>
Hello Metasploit Team,
This new module exploits CVE-2025-34152 in the Shenzhen Aitemi M300 MT02 by abusing the
time_confendpoint to run arbitrary commands as root without triggering a reboot or altering network settings. It delivers a reliable RCE vector while keeping the HTTP interface fully operational.