
New mainframe privesc payload for z/OS #8228

Merged: 1 commit merged Apr 14, 2017

Conversation

bigendiansmalls (Contributor) commented Apr 11, 2017

This module performs a privilege escalation on mainframe systems
running z/OS and using RACF for their security manager. A user
with any non-privileged credentials and the ability to write to
an APF-authorized library can use this payload to add "root level"
privileges (e.g. SPECIAL / BPX.SUPERUSER) to their profile.

Note, this can be used with an existing reverse shell that is backgrounded,
however the SPECIAL authority will not take hold until the user logs
off and back on again.


Steps to execute

  • Start msfconsole
  • use exploit/mainframe/ftp/ftp_jcl_creds
  • fill in options as appropriate
  • set payload cmd/mainframe/apf_privesc_jcl
  • set APFLIB XXX.YYYY.ZZZ <-- this is the APF lib that the User has write access to
  • run

Screenshot: [image]

Execution Screenshot: [image]

Before & After system verification

Before RACF (no attributes): [image]

After RACF (SPECIAL attribute): [image]

Output from the JOBLOG of the exploit run (in verbose mode): [image]
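As an added defender-side check, not part of this PR or the module, the script below compares two RACF LISTUSER listings such as the "before" and "after" captures above and reports users who newly gained SPECIAL, OPERATIONS or AUDITOR, while leaving already-privileged users alone. The LISTUSER line layout (a `USER=` line followed by an indented `ATTRIBUTES=` line) and the sample user ids are assumed and constructed here.

```python
import re
from typing import Dict, Set

# RACF user attributes that grant "root level" control of the system.
PRIVILEGED_ATTRS = {"SPECIAL", "OPERATIONS", "AUDITOR"}
USER_RE = re.compile(r"^USER=(\S+)")
ATTR_RE = re.compile(r"^\s*ATTRIBUTES=(.*)$")


def parse_listuser(text: str) -> Dict[str, Set[str]]:
    """Map each user id in LISTUSER output to its ATTRIBUTES tokens.
    The ATTRIBUTES line is assumed to follow its USER= line; NONE -> empty set."""
    users: Dict[str, Set[str]] = {}
    current = None
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            current = m.group(1)
            users[current] = set()
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            users[current] = {t for t in m.group(1).split() if t != "NONE"}
    return users


def newly_privileged(before: str, after: str) -> Dict[str, Set[str]]:
    """Users that gained a privileged attribute between two LISTUSER runs."""
    old, new = parse_listuser(before), parse_listuser(after)
    gained: Dict[str, Set[str]] = {}
    for user, attrs in new.items():
        delta = (attrs - old.get(user, set())) & PRIVILEGED_ATTRS
        if delta:
            gained[user] = delta
    return gained


# Constructed sample listings (not the PR's screenshots); LISTUSER layout assumed.
BEFORE = """\
USER=TSOUSR1  NAME=TEST USER            OWNER=SYS1      CREATED=17.091
 ATTRIBUTES=NONE
USER=IBMUSER  NAME=IBMUSER              OWNER=IBMUSER   CREATED=04.123
 ATTRIBUTES=SPECIAL OPERATIONS
"""
AFTER = BEFORE.replace("ATTRIBUTES=NONE", "ATTRIBUTES=SPECIAL")

if __name__ == "__main__":
    print(newly_privileged(BEFORE, AFTER))  # {'TSOUSR1': {'SPECIAL'}}
```

Run against listings captured on a schedule, a non-empty result is the signal worth alerting on, since SPECIAL should only ever appear through a controlled change.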

This module performs a privilege escalation on mainframe systems
running z/OS and using RACF for their security manager. A user
with any non-privileged credentials and the ability to write to
an APF-authorized library can use this payload to add "root level"
privileges (e.g. SPECIAL / BPX.SUPERUSER) to their profile.
@bigendiansmalls bigendiansmalls force-pushed the bigendiansmalls:privesc branch from aabdf3c to fa8011f Apr 11, 2017
@busterb busterb self-assigned this Apr 14, 2017
@busterb busterb merged commit fa8011f into rapid7:master Apr 14, 2017
1 check passed: continuous-integration/travis-ci/pr (The Travis CI build passed)
busterb pushed a commit that referenced this pull request Apr 14, 2017
busterb (Member) commented Apr 14, 2017

Did my best visually inspecting and verifying that this looks sane. Thanks!

busterb (Member) commented Apr 14, 2017

Release Notes

The mainframe/ftp/ftp_jcl_creds module has been added to the framework. It performs a privilege escalation on mainframe systems running z/OS and using RACF for the security manager. A user with any non-privileged credential and the ability to write to an APF-authorized library can use this payload to add "root level" privileges (e.g. SPECIAL / BPX.SUPERUSER) to their profile.

bigendiansmalls (Contributor, Author) commented Apr 14, 2017

Cheers @busterb - Thank you!

@bigendiansmalls bigendiansmalls deleted the bigendiansmalls:privesc branch Apr 14, 2017
@busterb busterb added the rn-exploit label Apr 17, 2017