Authorized FTP JCL exploit for z/OS #6834
z/OS FTP server on the mainframe can be configured (and often is by default) to allow JCL script execution with nothing more than a set of credentials, authorized to use FTP.
This exploit module does that. It uses existing credentials for a z/OS system and attempts to upload JCL which can then, for example, execute a reverse shell payload.
This should open a browser on your local machine.
z/OS JCL authorized FTP-base command execution - hints & tips
In order to use this exploit, you must have valid credentials on the target z/OS system. The credentials must have access to upload files via FTP. If in doubt, use the check function of the exploit.
This exploit was tested on the FTP daemons for z/OS version 1.13 / 2.1.
If the exploit works, any JCL the user has rights to submit can be submitted.
See cmd type payloads under mainframe with jcl in the payload name, e.g.:
A successful check of the exploit will look like this:
If the exploit or check is not working, turn on the VERBOSE and FTPDEBUG settings of the exploit and run.
The job run will leave a joblog for the credentials used.
I would suggest trying out 'rubocop' and running it against your module. I usually try to get modules down to < 10 warnings. We try not to be too extreme about rubocop adherence, since there is a lot of code in the tree that predates Ruby having much of a style guide, but it will alert about a lot of common Ruby style issues. It is possible to have rubocop have 0 alerts without a lot of trouble on new code!
When exploiting a non-compliant FTP server, we should not assume that res has a lines value. Here I fuzzed a little with
May 14, 2016
JCL exploit for z/OS - Remember those JCL payloads we added a couple of months ago for z/OS? Here is the first exploit that you can use to deliver those JCL payloads. This module targets FTP servers on z/OS systems; it submits a JCL job via FTP to exploit the target. To use this exploit, you'll need to have valid credentials.
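The review comment in this thread warns against assuming that an FTP response has a `lines` value when the server is non-compliant. As an added illustration (not code from this pull request or from Metasploit), the tolerant reply parser below accepts nil, non-string, binary or truncated replies without raising; `FtpReply`, `parse_ftp_reply` and `reply_ok?` are hypothetical names introduced here.

```ruby
# Added example: tolerant parser for FTP control-channel replies (RFC 959).
# `res` stands for whatever an FTP helper returned: a String, nil, or junk.
FtpReply = Struct.new(:code, :lines, :complete)

def parse_ftp_reply(res)
  # A dead or non-compliant server may yield nil or a non-String value.
  return FtpReply.new(nil, [], false) unless res.is_a?(String)

  # Treat the reply as raw bytes so invalid UTF-8 cannot raise during parsing.
  text = res.dup.force_encoding(Encoding::BINARY)
  lines = text.split(/\r?\n/).reject(&:empty?)
  return FtpReply.new(nil, [], false) if lines.empty?

  # A valid first line is three digits followed by ' ' (final), '-' (more
  # lines follow) or, for lenient handling, nothing at all.
  first = lines.first.match(/\A(\d{3})([ -]|\z)/)
  return FtpReply.new(nil, lines, false) unless first

  code = first[1].to_i
  # A multi-line reply is complete only once "<code> " terminates it.
  complete = first[2] != '-' ||
             lines.drop(1).any? { |l| l.match?(/\A#{first[1]}( |\z)/) }
  FtpReply.new(code, lines, complete)
end

# True only for a complete reply carrying the expected status code.
def reply_ok?(res, expected_code)
  reply = parse_ftp_reply(res)
  reply.complete && reply.code == expected_code
end
```
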