This module performs a privilege escaltion on mainframe systems
runing z/OS and using RACF for their security manager. A user
with any non-privileged credentials and the ability to write to
an apf authorized library can use this payload to add "root level"
privileges (e.g. SPECIAL / BPX.SUPERUSER) to their profile.
The shell does exactly the same as the previous, just made the code read much
better so as to not severely anger the gray beards and other lesser
mainframe deities. The only architectural change is the payload uses the
spawn system call vs exec - this provides for a cleaner exit in some cases.
I think PAYLOADSTR should take precedence over PAYLOADFILE. Usually,
you'll use PAYLOADFILE but might want to override with PAYLOADSTR. I
doubt this change will hurt anyone, since few people set both at once.
The payload description even says "either," so there's that.
This commit moves much of the platform-specific logic from the
reverse_http handler down into the payloads. This makes the handler
a bit more agnostic of what the payload is (which is a good thing).
There is more to do here though, and things can be improved.
Handling of datastore settings has been changed to make room for the
ability to override the datastore completely when generating the
payloads. If a datastore is given via the `opts` then this is used
instead otherwise it falls back to the settings specified in the usual
datatstore location.
Down the track, we'll have a payload that supports multiple stages, and
the datastore will be generated on the fly, along with the stage itself.
Without this work, there's no other nice way of getting datastore
settings to be contained per-stager.
The payload was missing require 'msf/core/handler/reverse_tcp', latest update pulled with msfupdate broke the startup of the framework, where you got this kind of an error:
!master ~/4tools/metasploit-framework> msfconsole
/home/tony/4tools/metasploit-framework/modules/payloads/singles/android/meterpreter_reverse_tcp.rb:28:in `initialize': uninitialized constant Msf::Handler::ReverseTcp (NameError)
from /home/tony/4tools/metasploit-framework/lib/msf/core/payload_set.rb:198:in `new'
from /home/tony/4tools/metasploit-framework/lib/msf/core/payload_set.rb:198:in `add_module'
from /home/tony/4tools/metasploit-framework/lib/msf/core/module_manager/loading.rb:71:in `on_module_load'
from /home/tony/4tools/metasploit-framework/lib/msf/core/modules/loader/base.rb:182:in `load_module'
from /home/tony/4tools/metasploit-framework/lib/msf/core/modules/loader/base.rb:237:in `block in load_modules'
from /home/tony/4tools/metasploit-framework/lib/msf/core/modules/loader/directory.rb:55:in `block (2 levels) in each_module_reference_name'
from /var/lib/gems/2.3.0/gems/rex-core-0.1.2/lib/rex/file.rb:127:in `block in find'
from /var/lib/gems/2.3.0/gems/rex-core-0.1.2/lib/rex/file.rb:126:in `catch'
from /var/lib/gems/2.3.0/gems/rex-core-0.1.2/lib/rex/file.rb:126:in `find'
from /home/tony/4tools/metasploit-framework/lib/msf/core/modules/loader/directory.rb:46:in `block in each_module_reference_name'
from /home/tony/4tools/metasploit-framework/lib/msf/core/modules/loader/directory.rb:34:in `foreach'
from /home/tony/4tools/metasploit-framework/lib/msf/core/modules/loader/directory.rb:34:in `each_module_reference_name'
from /home/tony/4tools/metasploit-framework/lib/msf/core/modules/loader/base.rb:236:in `load_modules'
from /home/tony/4tools/metasploit-framework/lib/msf/core/module_manager/loading.rb:117:in `block in load_modules'
from /home/tony/4tools/metasploit-framework/lib/msf/core/module_manager/loading.rb:115:in `each'
from /home/tony/4tools/metasploit-framework/lib/msf/core/module_manager/loading.rb:115:in `load_modules'
from /home/tony/4tools/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:41:in `block in add_module_path'
from /home/tony/4tools/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:40:in `each'
from /home/tony/4tools/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:40:in `add_module_path'
from /home/tony/4tools/metasploit-framework/lib/msf/base/simple/framework/module_paths.rb:50:in `block in init_module_paths'
from /home/tony/4tools/metasploit-framework/lib/msf/base/simple/framework/module_paths.rb:49:in `each'
from /home/tony/4tools/metasploit-framework/lib/msf/base/simple/framework/module_paths.rb:49:in `init_module_paths'
from /home/tony/4tools/metasploit-framework/lib/msf/ui/console/driver.rb:204:in `initialize'
from /home/tony/4tools/metasploit-framework/lib/metasploit/framework/command/console.rb:62:in `new'
from /home/tony/4tools/metasploit-framework/lib/metasploit/framework/command/console.rb:62:in `driver'
from /home/tony/4tools/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
from /home/tony/4tools/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
from /home/tony/4tools/metasploit-framework/msfconsole:48:in `<main>'
PR7007 centralized JCL job card for any JCL cmd payload. This PR simply
uses that new format for existing JCL cmd payloads. No functionality
for these payloads was changed, added or deleted.
Using the ruby methods for generating assembly blocks defined or
separated in prior commits, create a new payload from the existing
assembly blocks which performs a DNS lookup of the LHOST prior to
establishing a corresponding socket and downloading, and
decrypting the RC4 encrypted payload.
For anyone looking to learn how to build these payloads, these
three commits should provide a healthy primer. Small changes to
the payload structure can yield entropy enough to avoid signature
based detection by in-line or out-of-band static defenses. This
payload was completed in the time between this commit and the last.
Testing:
Win2k8r2
ToDo:
Update payload sizes when this branch is "complete"
Ensure UUIDs and adjacent black magic all work properly
Using the separation of block_recv and reverse_tcp, implement
reverse_tcp_dns using original shellcode as template with dynamic
injection of parameters. Concatenate the whole thing in the
generation call chain, and compile the resulting shellcode for
delivery.
Metasploit module pruned to bare minimum, with the LHOST OptString
moved into the library component.
Testing:
Win2k8r2
ToDo:
Update payload sizes when this branch is "complete"
Ensure UUIDs and adjacent black magic all work properly
Misc:
Clean up rc4.rb to use the rc4_keys method when generating a
stage. Makes the implementation far more readable and reduces
redundant code.
Convert reverse_tcp_rc4 and bind_tcp_rc4 from static shellcode
substitution payloads to metasm compiled assembly approach.
Splits up metasm methods for bind_tcp and reverse_tcp into socket
creation and block_recv to allow for reuse of the socket methods
with the RC4 payloads, while substituting the block_recv methods
for those carrying the appropriate decryptor stubs.
Creates a new rc4 module carrying the bulk of the decryptor and
adjacent convenince methods for standard payload generation.
Testing:
Tested against Win2k8r2, Win7x64, and WinXPx86
ToDo:
Ensure all the methods around payload sizing, UUIDs, and other
new functionality, the semantics of which i do not yet fully
understand, are appropriate and do not introduce breakage.
Added a JCL-based reverse shell. Uses the same source code as the
shellcode version does. Source code is in
external/source/shellcode/mainframe/shell_reverse_tcp.s
This pops up occasionally. This fixes a couple of anecdotal reports of missing
requires that cause the loader to fail, depending on the directory sort order.
It also fixes the problem as reported in #6460
Brent Cook
Brent Cook
Spencer McIntyre
itsmeroy2012
bigendiansmalls
Adam Cammack
alpiste
bwatters-r7
=
sekritskwurl
James Lee
William Vu
William Webb
OJ
Tim
Tonimir Kisasondi
RageLtMan
wchen-r7
Hans Jerry Illikainen
earthquake
root
Christian Mehlmauer
joev
jvazquez-r7