New mainframe privesc payload for z/OS #8228

Merged
merged 1 commit into from Apr 14, 2017


bigendiansmalls commented Apr 11, 2017

This module performs a privilege escalation on mainframe systems
running z/OS and using RACF for their security manager. A user
with any non-privileged credentials and the ability to write to
an APF authorized library can use this payload to add "root level"
privileges (e.g. SPECIAL / BPX.SUPERUSER) to their profile.

Note: this can be used with an existing reverse shell that is backgrounded;
however, the SPECIAL authority will not take hold until the user logs
off and back on again.


Steps to execute

  • Start msfconsole
  • use exploit/mainframe/ftp/ftp_jcl_creds
  • fill in options as appropriate
  • set payload cmd/mainframe/apf_privesc_jcl
  • set APFLIB XXX.YYYY.ZZZ <-- this is the APF lib that the User has write access to
  • run

Screenshot

image

Execution Screenshot

image

Before & After system verification

Before RACF (no attributes)

image

After RACF (SPECIAL attribute)

image

Output from the JOBLOG of the exploit run (in verbose mode)

image

New mainframe privesc payload for z/OS
This module performs a privilege escalation on mainframe systems
running z/OS and using RACF for their security manager. A user
with any non-privileged credentials and the ability to write to
an APF authorized library can use this payload to add "root level"
privileges (e.g. SPECIAL / BPX.SUPERUSER) to their profile.

@busterb busterb self-assigned this Apr 14, 2017

@busterb busterb merged commit fa8011f into rapid7:master Apr 14, 2017

1 check passed: continuous-integration/travis-ci/pr (The Travis CI build passed)

busterb pushed a commit that referenced this pull request Apr 14, 2017

busterb commented Apr 14, 2017

Did my best visually inspecting and verifying that this looks sane. Thanks!

busterb commented Apr 14, 2017

Release Notes

The mainframe/ftp/ftp_jcl_creds module has been added to the framework. It performs a privilege escalation on mainframe systems running z/OS and using RACF for the security manager. A user with any non-privileged credential and the ability to write to an APF-authorized library can use this payload to add "root level" privileges (e.g. SPECIAL / BPX.SUPERUSER) to their profile.

bigendiansmalls commented Apr 14, 2017

Cheers @busterb - Thank you!

@bigendiansmalls bigendiansmalls deleted the bigendiansmalls:privesc branch Apr 14, 2017

@busterb busterb added the rn-exploit label Apr 17, 2017
