Land #6013, add mainframe as a platform and architecture

2015-09-29 13:28:23 -05:00 · 2015-09-29 13:28:23 -05:00 · 54f9a3b25a
parent f3e8b34b4f 31552a71cf
commit 54f9a3b25a
10 changed files with 220 additions and 3 deletions
--- a/lib/msf/core/module/platform.rb
+++ b/lib/msf/core/module/platform.rb
@ -524,4 +524,12 @@ class Msf::Module::Platform
    Rank = 100
    Alias = "firefox"
  end
+
+  #
+  # Mainframe
+  #
+  class Mainframe < Msf::Module::Platform
+    Rank = 100
+    Alias = "mainframe"
+  end
 end
--- a/lib/msf/core/payload.rb
+++ b/lib/msf/core/payload.rb
@ -30,6 +30,7 @@ class Payload < Msf::Module
  require 'msf/core/payload/java'
  require 'msf/core/payload/dalvik'
  require 'msf/core/payload/firefox'
+  require 'msf/core/payload/mainframe'

  ##
  #
--- a/lib/msf/core/payload/mainframe.rb
+++ b/lib/msf/core/payload/mainframe.rb
@ -0,0 +1,33 @@
+# -*- coding: binary -*-
+require 'msf/core'
+
+###
+#
+# This class is here to implement advanced features for mainframe based
+# payloads. Mainframe payloads are expected to include this module if
+# they want to support these features.
+#
+###
+module Msf::Payload::Mainframe
+
+  #
+  # Z notes
+  # Z notes
+  #
+  def initialize(info = {})
+    ret = super(info)
+  end
+
+  #
+  # Returns a list of compatible encoders based on mainframe architecture
+  # most will not work because of the different architecture
+  # an XOR-based encoder will be defined soon
+  #
+  def compatible_encoders
+    encoders = super()
+    encoders2 = ['/generic\/none/','none']
+
+    return encoders2
+  end
+
+end
--- a/lib/rex/arch.rb
+++ b/lib/rex/arch.rb
@ -18,6 +18,7 @@ module Arch
  #
  require 'rex/arch/x86'
  require 'rex/arch/sparc'
+  require 'rex/arch/zarch'

  #
  # This routine adjusts the stack pointer for a given architecture.
@ -64,6 +65,8 @@ module Arch
        [addr].pack('V')
      when ARCH_ARMBE
        [addr].pack('N')
+      when ARCH_ZARCH
+        [addr].pack('Q>')
    end
  end

@ -95,6 +98,8 @@ module Arch
        return ENDIAN_LITTLE
      when ARCH_ARMBE
        return ENDIAN_BIG
+      when ARCH_ZARCH
+        return ENDIAN_BIG
    end

    return ENDIAN_LITTLE
--- a/lib/rex/arch/zarch.rb
+++ b/lib/rex/arch/zarch.rb
@ -0,0 +1,17 @@
+# -*- coding: binary -*-
+
+module Rex
+module Arch
+
+#
+# base module for ZARCH creation    8/13/15
+# Author:   BeS Bigendian Smalls
+#
+
+module ZARCH
+
+
+end
+
+end end
+
--- a/lib/rex/constants.rb
+++ b/lib/rex/constants.rb
@ -88,6 +88,7 @@ ARCH_DALVIK  = 'dalvik'
 ARCH_PYTHON  = 'python'
 ARCH_NODEJS  = 'nodejs'
 ARCH_FIREFOX = 'firefox'
+ARCH_ZARCH   = 'zarch'
 ARCH_TYPES   =
  [
    ARCH_X86,
@ -110,7 +111,8 @@ ARCH_TYPES   =
    ARCH_DALVIK,
    ARCH_PYTHON,
    ARCH_NODEJS,
-    ARCH_FIREFOX
+    ARCH_FIREFOX,
+    ARCH_ZARCH,
  ]

 ARCH_ALL = ARCH_TYPES
--- a/lib/rex/text.rb
+++ b/lib/rex/text.rb
@ -45,6 +45,93 @@ module Text

  DefaultPatternSets = [ Rex::Text::UpperAlpha, Rex::Text::LowerAlpha, Rex::Text::Numerals ]

+  # The Iconv translation table for IBM's mainframe / System Z
+  # (z/os, s390, mvs, etc) - This is a different implementation
+  # of EBCDIC than the Iconv_EBCDIC below.
+  # It is technically referred to as Code Page IBM1047.
+  # This will be net new (until Ruby supports 1047 code page)
+  # for all Mainframe / SystemZ based modules
+  # that need to convert ASCII to EBCDIC
+  #
+  # The bytes are indexed by ASCII conversion number
+  # e.g.  Iconv_IBM1047[0x41] == \xc1 for letter "A"
+  #
+  # Note the characters CANNOT be assumed to be in any logical
+  # order. Nor are the tables reversible.  Lookups must be for each byte
+  # https://gist.github.com/bigendiansmalls/b08483ecedff52cc8fa3
+  #
+  Iconv_IBM1047 = [
+    "\x00","\x01","\x02","\x03","\x37","\x2d","\x2e","\x2f",
+    "\x16","\x05","\x15","\x0b","\x0c","\x0d","\x0e","\x0f","\x10",
+    "\x11","\x12","\x13","\x3c","\x3d","\x32","\x26","\x18","\x19",
+    "\x3f","\x27","\x1c","\x1d","\x1e","\x1f","\x40","\x5a","\x7f",
+    "\x7b","\x5b","\x6c","\x50","\x7d","\x4d","\x5d","\x5c","\x4e",
+    "\x6b","\x60","\x4b","\x61","\xf0","\xf1","\xf2","\xf3","\xf4",
+    "\xf5","\xf6","\xf7","\xf8","\xf9","\x7a","\x5e","\x4c","\x7e",
+    "\x6e","\x6f","\x7c","\xc1","\xc2","\xc3","\xc4","\xc5","\xc6",
+    "\xc7","\xc8","\xc9","\xd1","\xd2","\xd3","\xd4","\xd5","\xd6",
+    "\xd7","\xd8","\xd9","\xe2","\xe3","\xe4","\xe5","\xe6","\xe7",
+    "\xe8","\xe9","\xad","\xe0","\xbd","\x5f","\x6d","\x79","\x81",
+    "\x82","\x83","\x84","\x85","\x86","\x87","\x88","\x89","\x91",
+    "\x92","\x93","\x94","\x95","\x96","\x97","\x98","\x99","\xa2",
+    "\xa3","\xa4","\xa5","\xa6","\xa7","\xa8","\xa9","\xc0","\x4f",
+    "\xd0","\xa1","\x07","\x20","\x21","\x22","\x23","\x24","\x25",
+    "\x06","\x17","\x28","\x29","\x2a","\x2b","\x2c","\x09","\x0a",
+    "\x1b","\x30","\x31","\x1a","\x33","\x34","\x35","\x36","\x08",
+    "\x38","\x39","\x3a","\x3b","\x04","\x14","\x3e","\xff","\x41",
+    "\xaa","\x4a","\xb1","\x9f","\xb2","\x6a","\xb5","\xbb","\xb4",
+    "\x9a","\x8a","\xb0","\xca","\xaf","\xbc","\x90","\x8f","\xea",
+    "\xfa","\xbe","\xa0","\xb6","\xb3","\x9d","\xda","\x9b","\x8b",
+    "\xb7","\xb8","\xb9","\xab","\x64","\x65","\x62","\x66","\x63",
+    "\x67","\x9e","\x68","\x74","\x71","\x72","\x73","\x78","\x75",
+    "\x76","\x77","\xac","\x69","\xed","\xee","\xeb","\xef","\xec",
+    "\xbf","\x80","\xfd","\xfe","\xfb","\xfc","\xba","\xae","\x59",
+    "\x44","\x45","\x42","\x46","\x43","\x47","\x9c","\x48","\x54",
+    "\x51","\x52","\x53","\x58","\x55","\x56","\x57","\x8c","\x49",
+    "\xcd","\xce","\xcb","\xcf","\xcc","\xe1","\x70","\xdd","\xde",
+    "\xdb","\xdc","\x8d","\x8e","\xdf"
+  ]
+
+  #
+  # This is the reverse of the above, converts EBCDIC -> ASCII
+  # The bytes are indexed by IBM1047(EBCDIC) conversion number
+  # e.g. Iconv_ISO8859_1[0xc1] = \x41 for letter "A"
+  #
+  # Note the characters CANNOT be assumed to be in any logical (e.g. sequential)
+  # order. Nor are the tables reversible.  Lookups must be done byte by byte
+  #
+  Iconv_ISO8859_1 = [
+    "\x00","\x01","\x02","\x03","\x9c","\x09","\x86","\x7f",
+    "\x97","\x8d","\x8e","\x0b","\x0c","\x0d","\x0e","\x0f","\x10",
+    "\x11","\x12","\x13","\x9d","\x0a","\x08","\x87","\x18","\x19",
+    "\x92","\x8f","\x1c","\x1d","\x1e","\x1f","\x80","\x81","\x82",
+    "\x83","\x84","\x85","\x17","\x1b","\x88","\x89","\x8a","\x8b",
+    "\x8c","\x05","\x06","\x07","\x90","\x91","\x16","\x93","\x94",
+    "\x95","\x96","\x04","\x98","\x99","\x9a","\x9b","\x14","\x15",
+    "\x9e","\x1a","\x20","\xa0","\xe2","\xe4","\xe0","\xe1","\xe3",
+    "\xe5","\xe7","\xf1","\xa2","\x2e","\x3c","\x28","\x2b","\x7c",
+    "\x26","\xe9","\xea","\xeb","\xe8","\xed","\xee","\xef","\xec",
+    "\xdf","\x21","\x24","\x2a","\x29","\x3b","\x5e","\x2d","\x2f",
+    "\xc2","\xc4","\xc0","\xc1","\xc3","\xc5","\xc7","\xd1","\xa6",
+    "\x2c","\x25","\x5f","\x3e","\x3f","\xf8","\xc9","\xca","\xcb",
+    "\xc8","\xcd","\xce","\xcf","\xcc","\x60","\x3a","\x23","\x40",
+    "\x27","\x3d","\x22","\xd8","\x61","\x62","\x63","\x64","\x65",
+    "\x66","\x67","\x68","\x69","\xab","\xbb","\xf0","\xfd","\xfe",
+    "\xb1","\xb0","\x6a","\x6b","\x6c","\x6d","\x6e","\x6f","\x70",
+    "\x71","\x72","\xaa","\xba","\xe6","\xb8","\xc6","\xa4","\xb5",
+    "\x7e","\x73","\x74","\x75","\x76","\x77","\x78","\x79","\x7a",
+    "\xa1","\xbf","\xd0","\x5b","\xde","\xae","\xac","\xa3","\xa5",
+    "\xb7","\xa9","\xa7","\xb6","\xbc","\xbd","\xbe","\xdd","\xa8",
+    "\xaf","\x5d","\xb4","\xd7","\x7b","\x41","\x42","\x43","\x44",
+    "\x45","\x46","\x47","\x48","\x49","\xad","\xf4","\xf6","\xf2",
+    "\xf3","\xf5","\x7d","\x4a","\x4b","\x4c","\x4d","\x4e","\x4f",
+    "\x50","\x51","\x52","\xb9","\xfb","\xfc","\xf9","\xfa","\xff",
+    "\x5c","\xf7","\x53","\x54","\x55","\x56","\x57","\x58","\x59",
+    "\x5a","\xb2","\xd4","\xd6","\xd2","\xd3","\xd5","\x30","\x31",
+    "\x32","\x33","\x34","\x35","\x36","\x37","\x38","\x39","\xb3",
+    "\xdb","\xdc","\xd9","\xda","\x9f"
+  ]
+
  # The Iconv translation table. The Iconv gem is deprecated in favor of
  # String#encode, yet there is no encoding for EBCDIC. See #4525
  Iconv_EBCDIC = [
@ -396,7 +483,7 @@ module Text
    new_str.join
  end

-  # A native implementation of the EBCIDC to ASCII conversion table, since
+  # A native implementation of the EBCDIC to ASCII conversion table, since
  # EBCDIC isn't available to String#encode as of Ruby 2.1
  #
  # @param str [String] an EBCDIC encoded string
@ -414,6 +501,39 @@ module Text
    new_str.join
  end

+  #
+  # The next two are the same as the above, except strictly for z/os
+  # conversions
+  #  strictly for IBM1047 -> ISO8859-1
+  # A native implementation of the IBM1047(EBCDIC) -> ISO8859-1(ASCII)
+  # conversion table, since EBCDIC isn't available to String#encode as of Ruby 2.1
+  # all 256 bytes are defined
+  #
+  def self.to_ibm1047(str)
+    return str if str.nil?
+    new_str = []
+    str.each_byte do |x|
+        new_str << Iconv_IBM1047[x.ord]
+    end
+    new_str.join
+  end
+
+  #
+  # The next two are the same as the above, except strictly for z/os
+  # conversions
+  #  strictly for ISO8859-1 -> IBM1047
+  # A native implementation of the ISO8859-1(ASCII) -> IBM1047(EBCDIC)
+  # conversion table, since EBCDIC isn't available to String#encode as of Ruby 2.1
+  #
+  def self.from_ibm1047(str)
+    return str if str.nil?
+    new_str = []
+    str.each_byte do |x|
+      new_str << Iconv_ISO8859_1[x.ord]
+    end
+    new_str.join
+  end
+
  #
  # Returns the words in +str+ as an Array.
  #
--- a/modules/exploits/multi/handler.rb
+++ b/modules/exploits/multi/handler.rb
@ -30,7 +30,7 @@ class Metasploit3 < Msf::Exploit::Remote
          'BadChars'    => '',
          'DisableNops' => true,
        },
-      'Platform'       => %w{ android bsd java js linux osx nodejs php python ruby solaris unix win },
+      'Platform'       => %w{ android bsd java js linux osx nodejs php python ruby solaris unix win mainframe },
      'Arch'           => ARCH_ALL,
      'Targets'        => [ [ 'Wildcard Target', { } ] ],
      'DefaultTarget'  => 0
--- a/spec/lib/rex/arch/zarch_spec.rb
+++ b/spec/lib/rex/arch/zarch_spec.rb
@ -0,0 +1,17 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+require 'rex/arch'
+
+describe Rex::Arch do
+  describe ".pack_addr" do
+    subject { described_class.pack_addr(arch, addr) }
+
+    context "when arch is ARCH_ZARCH" do
+      let(:arch) { ARCH_ZARCH }
+      let(:addr) { 0xdeadbeefbe655321 }
+      it "packs addr as 64-bit unsigned, big-endian" do
+        is_expected.to eq("\xDE\xAD\xBE\xEF\xBEeS!")
+      end
+    end
+  end
+end
--- a/spec/lib/rex/text_spec.rb
+++ b/spec/lib/rex/text_spec.rb
@ -22,6 +22,20 @@ describe Rex::Text do
      end
    end

+    context ".to_ibm1047" do
+      it "should convert ASCII to mainfram EBCDIC (cp1047)" do
+        described_class.to_ibm1047(%q[^[](){}%!$#1234567890abcde'"`~]).should
+        eq("_\xAD\xBDM]\xC0\xD0lZ[{\xF1\xF2\xF3\xF4\xF5\xF6\xF7\xF8\xF9\xF0\x81\x82\x83\x84\x85}\x7Fy\xA1")
+      end
+    end
+
+    context ".from_1047" do
+      it "should convert mainframe EBCDIC (cp1047) to ASCII (ISO-8859-1)" do
+        described_class.from_ibm1047(%q[^[](){}%!$#1234567890abcde'"`~]).should
+        eq(";$)\x88\x89#'\x85\x81\x84\x83\x91\x16\x93\x94\x95\x96\x04\x98\x99\x90/\xC2\xC4\xC0\xC1\e\x82-=")
+      end
+    end
+
    context ".to_utf8" do
      it "should convert a string to UTF-8, skipping badchars" do
        described_class.to_utf8("Hello, world!").should eq("Hello, world!")