This module performs a privilege escaltion on mainframe systems
runing z/OS and using RACF for their security manager. A user
with any non-privileged credentials and the ability to write to
an apf authorized library can use this payload to add "root level"
privileges (e.g. SPECIAL / BPX.SUPERUSER) to their profile.
The shell does exactly the same as the previous, just made the code read much
better so as to not severely anger the gray beards and other lesser
mainframe deities. The only architectural change is the payload uses the
spawn system call vs exec - this provides for a cleaner exit in some cases.
I think PAYLOADSTR should take precedence over PAYLOADFILE. Usually,
you'll use PAYLOADFILE but might want to override with PAYLOADSTR. I
doubt this change will hurt anyone, since few people set both at once.
The payload description even says "either," so there's that.
This commit moves much of the platform-specific logic from the
reverse_http handler down into the payloads. This makes the handler
a bit more agnostic of what the payload is (which is a good thing).
There is more to do here though, and things can be improved.
Handling of datastore settings has been changed to make room for the
ability to override the datastore completely when generating the
payloads. If a datastore is given via the `opts` then this is used
instead otherwise it falls back to the settings specified in the usual
datatstore location.
Down the track, we'll have a payload that supports multiple stages, and
the datastore will be generated on the fly, along with the stage itself.
Without this work, there's no other nice way of getting datastore
settings to be contained per-stager.
The payload was missing require 'msf/core/handler/reverse_tcp', latest update pulled with msfupdate broke the startup of the framework, where you got this kind of an error:
!master ~/4tools/metasploit-framework> msfconsole
/home/tony/4tools/metasploit-framework/modules/payloads/singles/android/meterpreter_reverse_tcp.rb:28:in `initialize': uninitialized constant Msf::Handler::ReverseTcp (NameError)
from /home/tony/4tools/metasploit-framework/lib/msf/core/payload_set.rb:198:in `new'
from /home/tony/4tools/metasploit-framework/lib/msf/core/payload_set.rb:198:in `add_module'
from /home/tony/4tools/metasploit-framework/lib/msf/core/module_manager/loading.rb:71:in `on_module_load'
from /home/tony/4tools/metasploit-framework/lib/msf/core/modules/loader/base.rb:182:in `load_module'
from /home/tony/4tools/metasploit-framework/lib/msf/core/modules/loader/base.rb:237:in `block in load_modules'
from /home/tony/4tools/metasploit-framework/lib/msf/core/modules/loader/directory.rb:55:in `block (2 levels) in each_module_reference_name'
from /var/lib/gems/2.3.0/gems/rex-core-0.1.2/lib/rex/file.rb:127:in `block in find'
from /var/lib/gems/2.3.0/gems/rex-core-0.1.2/lib/rex/file.rb:126:in `catch'
from /var/lib/gems/2.3.0/gems/rex-core-0.1.2/lib/rex/file.rb:126:in `find'
from /home/tony/4tools/metasploit-framework/lib/msf/core/modules/loader/directory.rb:46:in `block in each_module_reference_name'
from /home/tony/4tools/metasploit-framework/lib/msf/core/modules/loader/directory.rb:34:in `foreach'
from /home/tony/4tools/metasploit-framework/lib/msf/core/modules/loader/directory.rb:34:in `each_module_reference_name'
from /home/tony/4tools/metasploit-framework/lib/msf/core/modules/loader/base.rb:236:in `load_modules'
from /home/tony/4tools/metasploit-framework/lib/msf/core/module_manager/loading.rb:117:in `block in load_modules'
from /home/tony/4tools/metasploit-framework/lib/msf/core/module_manager/loading.rb:115:in `each'
from /home/tony/4tools/metasploit-framework/lib/msf/core/module_manager/loading.rb:115:in `load_modules'
from /home/tony/4tools/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:41:in `block in add_module_path'
from /home/tony/4tools/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:40:in `each'
from /home/tony/4tools/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:40:in `add_module_path'
from /home/tony/4tools/metasploit-framework/lib/msf/base/simple/framework/module_paths.rb:50:in `block in init_module_paths'
from /home/tony/4tools/metasploit-framework/lib/msf/base/simple/framework/module_paths.rb:49:in `each'
from /home/tony/4tools/metasploit-framework/lib/msf/base/simple/framework/module_paths.rb:49:in `init_module_paths'
from /home/tony/4tools/metasploit-framework/lib/msf/ui/console/driver.rb:204:in `initialize'
from /home/tony/4tools/metasploit-framework/lib/metasploit/framework/command/console.rb:62:in `new'
from /home/tony/4tools/metasploit-framework/lib/metasploit/framework/command/console.rb:62:in `driver'
from /home/tony/4tools/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
from /home/tony/4tools/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
from /home/tony/4tools/metasploit-framework/msfconsole:48:in `<main>'
PR7007 centralized JCL job card for any JCL cmd payload. This PR simply
uses that new format for existing JCL cmd payloads. No functionality
for these payloads was changed, added or deleted.
Using the ruby methods for generating assembly blocks defined or
separated in prior commits, create a new payload from the existing
assembly blocks which performs a DNS lookup of the LHOST prior to
establishing a corresponding socket and downloading, and
decrypting the RC4 encrypted payload.
For anyone looking to learn how to build these payloads, these
three commits should provide a healthy primer. Small changes to
the payload structure can yield entropy enough to avoid signature
based detection by in-line or out-of-band static defenses. This
payload was completed in the time between this commit and the last.
Testing:
Win2k8r2
ToDo:
Update payload sizes when this branch is "complete"
Ensure UUIDs and adjacent black magic all work properly
Using the separation of block_recv and reverse_tcp, implement
reverse_tcp_dns using original shellcode as template with dynamic
injection of parameters. Concatenate the whole thing in the
generation call chain, and compile the resulting shellcode for
delivery.
Metasploit module pruned to bare minimum, with the LHOST OptString
moved into the library component.
Testing:
Win2k8r2
ToDo:
Update payload sizes when this branch is "complete"
Ensure UUIDs and adjacent black magic all work properly
Misc:
Clean up rc4.rb to use the rc4_keys method when generating a
stage. Makes the implementation far more readable and reduces
redundant code.
Convert reverse_tcp_rc4 and bind_tcp_rc4 from static shellcode
substitution payloads to metasm compiled assembly approach.
Splits up metasm methods for bind_tcp and reverse_tcp into socket
creation and block_recv to allow for reuse of the socket methods
with the RC4 payloads, while substituting the block_recv methods
for those carrying the appropriate decryptor stubs.
Creates a new rc4 module carrying the bulk of the decryptor and
adjacent convenince methods for standard payload generation.
Testing:
Tested against Win2k8r2, Win7x64, and WinXPx86
ToDo:
Ensure all the methods around payload sizing, UUIDs, and other
new functionality, the semantics of which i do not yet fully
understand, are appropriate and do not introduce breakage.
Added a JCL-based reverse shell. Uses the same source code as the
shellcode version does. Source code is in
external/source/shellcode/mainframe/shell_reverse_tcp.s
This pops up occasionally. This fixes a couple of anecdotal reports of missing
requires that cause the loader to fail, depending on the directory sort order.
It also fixes the problem as reported in #6460
This brings in the following changes:
Changes to support maven 3.3+
Don't fall back to 0.0.0.0
Remove all debug builds from the Windows projects
Add show_mount, ps_list, and some core tweaks
Refactor TLV layout, add more debug output, token stealing
Add incognito binding, code tidies
Update packaged libs
Add transport list binding
Add transport add command to python binding
Update python core lib archive
change source perms back to non-executable
First pass of stageless initialisation script
Finalise stageless initialisation scripts
add BOOT_COMPLETED receiver that starts the Payload
Improve the implementation of the getuid command
Switch to Utils.runCommand per timwr's suggestion
Updated init script method
also bumps msgpack 0.7.1, which fixes a failure packing messages > 256k
Changed the following instruction:
67 48 8D 8D 00 01 00 00 lea rcx,[ebp+100h]
Into
90 nop
48 8D 8D 00 01 00 00 lea rcx,[rbp+100h]
The old code breaks if the payload is executed from a memory area where the 4 most significant bytes are non-zero.
The bugfix removes the Address-Size override prefix 0x67 of the lea instruction and replaces it with a nop 0x90 (to not mess up code alignment,relative addressing or jmps).
Calling .new on payload modules does not perform parameter validation, leading
to a number cached sizes based on invalid parameters. Most notably,
normalization does not occur either, which makes all OptBool params default to
true.
This commit adjusts the way that the config block is set for java and
android because behind the scenes the stageless connect-backs need to
know what to discard. as a result of connecting back to staged listeners
we need to be able to discard a number of bytes/blocks before we can
continue process (at least in the case of TCP).
Tried to implement some more of the stuff that egypt suggested, managed
to get some in, but not others. Ultimately, its smaller than it was, and
I'm sure there are ways to make it better as well.
For some reason this was only working on Windows7/2008, yet when tired
on Windows 2012 it was resulting in crashes. It was also stopping
working in exploits such as psexec_psh.
Went back to the beginning and started again. With this in place, we can
now do a bit of shellcode golf to make it a bit smaller.
Adjusted payload sizes as well.
This time it's against the currently "installed" version of Meterpeter
binaries. When Meterpreter is landed down the track we'll need to make
sure that the payload sizes are updated again.