## https://sploitus.com/exploit?id=0F630806-5F93-519B-9C49-755ECA96CFB3
# CVE-2025-52691 PoC: SmarterMail Arbitrary File Upload RCE (APT-Enhanced)
[](https://www.python.org/downloads/)
[](LICENSE)
This is an enhanced proof-of-concept (PoC) exploit for **CVE-2025-52691**, a critical vulnerability in SmarterTools SmarterMail email server software allowing unauthenticated arbitrary file uploads, potentially leading to remote code execution (RCE). This version incorporates APT-level techniques for improved stealth, persistence, and operational capabilities, making it suitable for advanced penetration testing and red teaming scenarios.
**WARNING**: This tool is for educational and authorized testing purposes only. Unauthorized use against systems without explicit permission is illegal and unethical. The author assumes no liability for misuse.
## Features
- **Core Exploit**: Uploads an obfuscated ASPX web shell to the target's web root via multiple endpoints and methods (multipart, raw, JSON).
- **Vulnerability Detection**: Checks if the target is alive and attempts to detect the SmarterMail version for vulnerability assessment.
- **Stealth Enhancements**:
- Random user agents for requests.
- Randomized delays between requests to evade rate-limiting and detection.
- Obfuscated web shell with password protection and base64-encoded commands.
- Uses PowerShell for command execution (bypasses some restrictions on cmd.exe).
- **APT-Level Capabilities**:
- **Proxy Support**: Route traffic through a proxy (e.g., Burp Suite) for interception or anonymization.
- **Persistence**: Establishes a scheduled task running as SYSTEM for long-term access (placeholder payload URL).
- **File Exfiltration**: Downloads remote files to local disk via base64 encoding.
- **Interactive Mode**: Shell-like interface for repeated command execution.
- **Cleanup**: Removes the uploaded web shell after use to minimize footprints.
- **Batch Processing**: Supports exploiting multiple targets from a file.
- **Logging**: Configurable logging levels (DEBUG, INFO, WARNING, ERROR) for detailed output.
- **SSL Handling**: SSL verification enabled by default; option to disable.
- **Ethical Safeguards**: Default secure settings and clear warnings.
## Requirements
- Python 3.8+
- Required libraries: `requests`, `uuid`, `base64`, `random`, `time`, `logging`, `re`
- Install via: `pip install requests`
No additional dependencies are needed beyond standard libraries.
## Usage
Clone the repository and run the script with Python.
### Basic Command
```bash
python exploit.py [options]
```
- ``: The base URL of the SmarterMail server (e.g., `https://mail.example.com`).
### Options
- `--targets-file `: Path to a file containing a list of target URLs (one per line).
- `-c, --command `: Command to execute after shell upload (e.g., `whoami`).
- `-t, --timeout `: Request timeout (default: 30).
- `--proxy `: Proxy URL (e.g., `http://127.0.0.1:8080`).
- `--no-verify`: Disable SSL certificate verification.
- `--check-only`: Only check if the target is alive and appears to be SmarterMail.
- `--persistence`: Establish persistence via a scheduled task.
- `--exfil `: Exfiltrate a file (e.g., `C:\\path\\to\\file.txt:local_copy.txt`).
- `--interactive`: Enter interactive command execution mode.
- `--cleanup`: Remove the uploaded shell after use.
- `--log-level `: Set logging level (DEBUG, INFO, WARNING, ERROR; default: INFO).
### Examples
1. **Basic Exploit**:
```bash
python exploit.py https://mail.vulnerable.com
```
2. **Execute a Command**:
```bash
python exploit.py https://mail.vulnerable.com -c "systeminfo"
```
3. **With Proxy and Persistence**:
```bash
python exploit.py https://mail.vulnerable.com --proxy http://127.0.0.1:8080 --persistence
```
4. **Interactive Mode with Cleanup**:
```bash
python exploit.py https://mail.vulnerable.com --interactive --cleanup
```
5. **Batch Exploit from File**:
```bash
python exploit.py --targets-file targets.txt
```
### Output
Successful exploitation will display the shell path, access URL (with auth password), and any command outputs. Logs are printed to console; for file logging, modify the script's `setup_logging` as needed.
## Credits
This enhanced version is based on the original PoC by [yt2w](https://github.com/yt2w/CVE-2025-52691). Significant modifications include APT-level features, obfuscation, and usability improvements. Thanks to the original author for the foundational work.
## Disclaimer
This tool demonstrates a vulnerability for educational purposes. Use it responsibly and only on systems you own or have explicit permission to test. Ensure compliance with all applicable laws and ethical guidelines. The developers disclaim any responsibility for misuse.
If you encounter issues or have suggestions, open an issue on GitHub.
## License
MIT License. See [LICENSE](LICENSE) for details.