Unauthenticated arbitrary file upload RCE in SmarterTools SmarterMail
CVE-2025-52691 is a critical unrestricted file upload vulnerability in SmarterTools SmarterMail. The issue affects SmarterMail Build 9406 and earlier and allows an unauthenticated remote attacker to submit a crafted HTTP/HTTPS upload request that writes arbitrary files to attacker-chosen locations on the mail server filesystem. The available reporting indicates the root cause is improper validation of uploaded files, destination paths, and content, enabling dangerous file types to be placed anywhere on the server. Because files can be written to executable or web-accessible locations, exploitation can lead directly to remote code execution with the privileges of the SmarterMail service. Public reporting also notes observed abuse to deploy low-sophistication web shells and suspected malware loaders.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
7 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (7 hidden).
Repository is a Python proof-of-concept exploit set for CVE-2025-52691 affecting SmarterMail, described as an unauthenticated arbitrary file upload via path traversal leading to RCE. It contains 4 files: (1) README.md documenting usage and vulnerable endpoints; (2) check.py, a scanner that probes a fixed list of upload endpoints by POSTing multipart data and flags endpoints as potentially vulnerable based on HTTP status codes and response content; (3) exploit.py, a reusable exploitation library plus a multi-host runner that reads targets from hosts.txt by default, attempts three upload techniques (multipart form fields with path/folder/directory set to ../wwwroot/, raw POST with X-Filename/X-Path headers, and JSON with base64 content and path ../wwwroot/), then verifies the webshell by requesting common locations and executing whoami; and (4) pwn.py, a CLI exploit tool that similarly uploads an ASPX webshell and supports single-command execution (-c) or an interactive shell (-i). The payload is an ASPX (C#) webshell that runs cmd.exe /c <cmd> and returns stdout in <pre> tags. Primary network targets are SmarterMail upload endpoints: /api/upload, /api/v1/upload, /Interface/Frmx/UploadFile.aspx, /MRS/Upload.ashx, and /Services/Upload.ashx; the exploit attempts to write into ../wwwroot/ and then access the uploaded shell at /<shell>.aspx and a few alternate paths.
Repository purpose: an end-to-end exploit toolchain targeting SmarterTools SmarterMail by chaining an authentication bypass (WT-2026-0001) with an RCE primitive associated with CVE-2025-52691/Volume Mounts functionality to obtain a SYSTEM-level reverse shell.
Core capabilities (exploit chain):
- Phase 1 (Auth bypass): Sends a POST to /api/v1/auth/force-reset-password with IsSysAdmin=true and a dummy OldPassword to reset the admin password without prior authentication.
- Phase 2 (Admin login): Logs in via /api/v1/auth/login using the newly set credentials to obtain an authenticated session/token (implementation details are partially truncated in the provided content, but README/config indicate this flow).
- Phase 3 (RCE): Uses the authenticated context to create a command-type Volume Mount via POST /api/v1/settings/volume-mounts, embedding a Windows cmd.exe/PowerShell reverse shell one-liner that connects back to the attacker.
Payload: A PowerShell TCP reverse shell template (cmd.exe /c powershell -nop -c ...) parameterized by attacker IP/port, intended to provide interactive command execution on the target.
Repository structure:
- exploit.py: Main Python exploit (requests-based). Handles target URL construction, disables TLS verification, performs the multi-phase attack, and supports CLI args for target host/port, attacker IP/port, admin username, and new password. Includes virtualenv python discovery.
- run_exploit.sh: Operator-friendly runner that validates dependencies (python3, nc, curl), checks target reachability, starts a netcat listener, and launches exploit.py with provided/auto parameters; includes cleanup logic.
- config/default_config.json and config/user_config.json: Store defaults for ports, credentials, user-agent, retry behavior, endpoint paths, reverse-shell template, and known SmarterMail installation paths for version/build targeting.
- setup_venv.sh, activate_exploit.sh, deactivate_exploit.sh: Convenience scripts to create/activate/deactivate a Python virtual environment and install requirements.
- requirements.txt: Python dependencies (requests, urllib3, colorama).
Notable operational details:
- Network-centric exploit; no local privilege escalation components.
- TLS certificate verification is disabled (session.verify=False), easing exploitation of HTTPS deployments with self-signed certs.
- Default assumptions: SmarterMail reachable on port 9998; reverse shell listener commonly on 4444.
Sanity: This is not merely a detector; it is designed to change credentials and execute a reverse-shell payload. No obvious signs of being a fake exploit were observed in the provided files.
This repository provides a working exploit for CVE-2025-52691, a critical unauthenticated arbitrary file upload vulnerability in SmarterMail (build 9406 and earlier). The exploit is implemented in Python (exploit.py) and automates the process of uploading an ASPX webshell to the server's webroot directory using several known unauthenticated upload endpoints. The script supports multiple upload techniques (multipart, raw, JSON) and attempts to place the shell in a location accessible via HTTP. Once uploaded, the shell allows the attacker to execute arbitrary system commands on the target server. The repository includes a README.md with technical details, usage instructions, and remediation advice, as well as a requirements.txt listing Python dependencies. The main attack vector is network-based, targeting exposed HTTP endpoints on vulnerable SmarterMail servers. The exploit is operational and provides a real, functional payload (ASPX webshell) for remote code execution.
This repository provides a full proof-of-concept (POC) exploit for CVE-2025-52691, a critical unauthenticated arbitrary file upload vulnerability in SmarterMail. The vulnerability allows an attacker to upload an ASPX webshell to the web root of the target server via several exposed upload endpoints, leading to remote code execution (RCE) with no authentication required. The repository contains four files:
- README.md: Detailed documentation, usage instructions, and technical background.
- check.py: A scanner that checks if a target is vulnerable by probing known upload endpoints and attempting file uploads.
- exploit.py: A reusable Python library and script that automates the exploitation process, uploads the webshell, and allows command execution.
- pwn.py: A user-friendly exploit tool that uploads the webshell and provides both single-command and interactive shell access.
The exploit targets the following endpoints: /api/upload, /api/v1/upload, /Interface/Frmx/UploadFile.aspx, /MRS/Upload.ashx, and /Services/Upload.ashx. The attack is performed over the network and does not require authentication. The payload is a minimal ASPX webshell that executes arbitrary system commands via the 'cmd' query parameter. The exploit scripts support multiple upload techniques (multipart form, raw POST, JSON with base64) to maximize the chance of success. Overall, the repository is well-structured, operational, and provides both detection and exploitation capabilities for CVE-2025-52691 against SmarterMail servers.
This repository contains a single Python exploit script (exploit-poc.py) and a detailed README.md for CVE-2025-52691, a critical unauthenticated arbitrary file upload vulnerability in SmarterTools SmarterMail. The exploit targets multiple known upload endpoints on the SmarterMail web interface, attempting to upload an obfuscated, password-protected ASPX web shell. Once uploaded, the shell allows remote code execution via PowerShell commands, supports file exfiltration, persistence (via scheduled tasks), interactive shell sessions, and cleanup of the shell to reduce forensic traces. The script includes features for stealth (random user agents, delays), proxy support, batch exploitation, and detailed logging. The exploit is operational and suitable for advanced penetration testing and red teaming. The only code file is exploit-poc.py, written in Python, and it is the main entry point. No hardcoded IPs or domains are present; the attacker supplies the target URL(s) at runtime. All endpoints referenced are relative to the target SmarterMail server.
This repository contains a working exploit for CVE-2025-52691, a critical unauthenticated arbitrary file upload vulnerability in SmarterMail (Build 9406 and earlier). The exploit is implemented in Python (exploit.py) and is accompanied by a detailed README.md. The exploit targets several known upload endpoints (e.g., /api/upload, /api/v1/upload, /Interface/Frmx/UploadFile.aspx, /MRS/Upload.ashx, /Services/Upload.ashx) and attempts to upload an ASPX webshell to the webroot directory using path traversal (../wwwroot/). Once uploaded, the shell can be accessed via HTTP and allows arbitrary command execution as the IIS user. The exploit supports command execution directly from the command line and includes a check-only mode to verify target reachability. The code is operational, with a hardcoded payload and multiple upload techniques (multipart, raw, JSON). The repository is well-structured, with clear usage instructions and mitigation advice in the README.
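The exploit summaries above share one observable pattern on the server side: an unauthenticated POST to one of the listed upload endpoints, followed shortly by a request to a newly created top-level .aspx page carrying a cmd query parameter. The following detection logic is an added example written for this page, not code from the tracker or from any of the repositories summarized; it assumes the default IIS W3C field layout (date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status) and runs over constructed log lines.

```python
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Upload endpoints named in the exploit summaries on this page (compared case-insensitively).
UPLOAD_ENDPOINTS = {
    "/api/upload", "/api/v1/upload", "/interface/frmx/uploadfile.aspx",
    "/mrs/upload.ashx", "/services/upload.ashx",
}

def parse_line(line):
    """Parse one IIS W3C log line (assumed default field order); skip headers/short lines."""
    f = line.split()
    if line.startswith("#") or len(f) < 8:
        return None
    return {"ts": datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S"),
            "method": f[3], "stem": f[4].lower(), "query": f[5],
            "client": f[6], "status": f[7]}

def find_suspicious(lines, window=timedelta(minutes=30)):
    """Return (client, description) findings. Every upload POST is flagged; a later
    hit on a top-level .aspx with a cmd parameter from the same client within the
    window is escalated to a probable webshell interaction."""
    findings, uploads = [], {}
    for ev in filter(None, map(parse_line, lines)):
        if ev["method"] == "POST" and ev["stem"] in UPLOAD_ENDPOINTS:
            uploads.setdefault(ev["client"], []).append(ev["ts"])
            findings.append((ev["client"], f"upload POST to {ev['stem']}"))
            continue
        # A shell written into wwwroot appears as an .aspx directly under the site root.
        query = "" if ev["query"] == "-" else ev["query"]
        if ev["stem"].endswith(".aspx") and ev["stem"].count("/") == 1 \
                and "cmd" in parse_qs(query):
            recent = [t for t in uploads.get(ev["client"], []) if ev["ts"] - t <= window]
            tag = "probable webshell use after upload" if recent else "cmd= on top-level .aspx"
            findings.append((ev["client"], f"{tag}: {ev['stem']}"))
    return findings

# Constructed sample log lines (not real traffic); the third and fourth show the pattern.
SAMPLE = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status",
    "2025-11-03 10:01:12 10.0.0.5 GET /interface/root - 198.51.100.7 200",
    "2025-11-03 10:01:40 10.0.0.5 POST /api/upload - 203.0.113.9 200",
    "2025-11-03 10:02:05 10.0.0.5 GET /shell.aspx cmd=whoami 203.0.113.9 200",
    "2025-11-03 10:05:00 10.0.0.5 GET /default.aspx - 198.51.100.7 200",
]

if __name__ == "__main__":
    for client, what in find_suspicious(SAMPLE):
        print(client, what)
```

Upload POSTs alone are noisy on a server where legitimate users attach files, so the escalated finding (upload followed by a cmd= hit on a root-level .aspx) is the one worth paging on; the plain upload finding is better used for triage once compromise is suspected.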
Recent activity
A remote code execution vulnerability in SmarterMail that was weaponized during the campaign's initial large-scale reconnaissance and exploitation phase.
A SmarterMail vulnerability exploited by Storm-1175 in rapid compromise activity.
A specific SmarterTools SmarterMail vulnerability exploited by Storm-1175.
A SmarterMail vulnerability exploited by Storm-1175.