Mainframe Bind Shell – Source Code

Key to any basic toolset for pentesting the mainframe platform is a selection of payloads that can be used to test vulnerabilities.

Below is a bind shell payload, written from scratch in mainframe assembler.  The shell can be connected to using netcat.  The payload differs from its Intel counterparts in that it contains its own EBCDIC to ASCII converter: the z/OS shell reads and writes EBCDIC, while a netcat client on a PC expects ASCII.  Because that translation has to sit between the shell and the socket, the standard exec('/bin/sh','sh') pattern could not be used.  Read on for more technical details.


Building shellcode, egghunters and decoders.

Creating shellcode in Unix System Services (USS) on System Z (the mainframe) employs the same disciplines required for the same activities on Intel platforms.  The difference lies in the syntax, assembler mnemonics, tools available, and debugging utilities.  There are certainly other ways to achieve this, and I'm still refining my favorites.  The below is one of my early successful attempts at doing so.

If you have never created shellcode from scratch, including a hand-hewn encoder for zapping bad characters, I recommend you do so first on a well-documented platform.  Become familiar with basic (but powerful) tools for the task such as dd, od, gdb and basic Python scripting.
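The encoder discipline is the same on every platform, so here is an added example (my own Python, not code from the post) of a single-byte XOR encoder that strips bad characters from a payload, together with the reference decode that the target's decoder stub has to reproduce. The payload bytes and bad-character set are constructed for the demo; the z/Architecture decoder stub itself is not shown.

```python
# Added example (not code from the post): a single-byte XOR encoder that
# removes "bad characters" from a payload, plus the reference decode the
# target's decoder stub must reproduce.  It is platform-agnostic on purpose;
# the z/Architecture decoder stub (an XI loop in assembler) is not shown.

from typing import Optional


def find_xor_key(payload: bytes, bad: set[int]) -> Optional[int]:
    """Return the first key byte k such that k itself and every payload
    byte XOR k avoid the bad set, or None when no single-byte key works."""
    for k in range(1, 256):            # key 0 would leave the payload unchanged
        if k in bad:
            continue                    # the key is embedded in the decoder stub
        if all((p ^ k) not in bad for p in payload):
            return k
    return None


def xor_encode(payload: bytes, bad: set[int]) -> tuple[int, bytes]:
    """Encode the payload; raises when no single-byte key can do it."""
    key = find_xor_key(payload, bad)
    if key is None:
        raise ValueError("no single-byte XOR key avoids the bad set; "
                         "use a rolling or multi-byte key")
    return key, bytes(p ^ key for p in payload)


def xor_decode(key: int, encoded: bytes) -> bytes:
    """What the decoder stub does at run time, one byte at a time."""
    return bytes(c ^ key for c in encoded)


def check_clean(blob: bytes, bad: set[int]) -> list[int]:
    """Offsets of any bad bytes still present (empty list means clean)."""
    return [i for i, b in enumerate(blob) if b in bad]


if __name__ == "__main__":
    # Constructed sample: a few bytes that include NUL and the EBCDIC/ASCII
    # line-end bytes, the usual culprits when a payload passes through a C
    # string or a line reader.  (EBCDIC: 0x15 NL, 0x25 LF, 0x0D CR.)
    payload = b"\x00\x15\x25\x0d\x41\xc1"
    bad = {0x00, 0x0A, 0x0D, 0x15, 0x25}
    key, encoded = xor_encode(payload, bad)
    print(f"key={key:#04x} encoded={encoded.hex()}")   # key=0x01 encoded=0114240c40c0
    assert check_clean(encoded, bad) == []
    assert xor_decode(key, encoded) == payload
    # Failure mode: a payload containing every byte value can never be
    # cleaned with one key (p == k always yields 0x00).
    print(find_xor_key(bytes(range(256)), {0x00}))     # None
```

The search deliberately skips keys in the bad set because the key is itself a byte in the decoder stub. When `find_xor_key` returns None you need a rolling key, a multi-byte key, or an additive scheme; the same check_clean pass applies to whatever you choose.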


Shellcode Freebie!

Got a burning privesc-vulnerable binary on your USS?  How about feeding it a little self-decoding shellcode?  (Hint: this is fully functional; find a C stub and try it yourself!)

Tips / Tricks – 7/2/15 (update)

Updated: added pcap export to the packet capture section below!

ISPF editor

  • Want more real estate in your ISPF editor?   In an editing session enter EDSET in the command line, then check the line marked:
      X Remove action bars in ISPF edit and view panels
    This will remove the menu bars and give you more room.   If you haven’t already, I’d clear these two settings in the main menu ISPF settings also.


Unix System Services

  • These commands will help you find / list APF-authorized binaries in USS.  The first finds APF-authorized files with the setuid or setgid bit set (-perm -4000 and -perm -2000; note these are not the sticky bit, which is 1000).  These could be great targets for exploits.  The second finds all APF-authorized binaries (no DLLs or shared object files).  -ext a is the z/OS find test for the APF extended attribute; ls -E is a switch to ls you can use separately to show the extended-attribute flags, where an "a" in that field (e.g. a-s-) means the APF-authorized bit is set.
    • find / -type f -ext a \( -perm -2000 -o -perm -4000 \) -exec ls -l {} \;
    • find / -type f -ext a -exec ls -E {} \;|grep -v '\.so'|grep -v '\.dll'
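When the listing gets long it helps to post-process it rather than eyeball it. The following is an added example (my own Python, not from the post) that parses the lines the find/ls -E pipeline above prints and picks out APF-authorized files that are also setuid or setgid. The extended-attribute field layout (a = APF-authorized, p = program controlled, s = shared address space, l = shared library) follows z/OS ls -E; the sample lines are constructed and the paths are fictional.

```python
# Added example (not from the post): parse the lines the page's
# "find ... -exec ls -E" pipeline prints and pick out the interesting files.
# The extended-attribute field layout (a = APF-authorized, p = program
# controlled, s = shared address space, l = shared library) follows z/OS ls -E;
# the sample lines below are constructed, and the paths are fictional.

from dataclasses import dataclass


@dataclass
class UssFile:
    perms: str
    extattr: str
    owner: str
    group: str
    path: str

    @property
    def apf(self) -> bool:
        return "a" in self.extattr

    @property
    def program_controlled(self) -> bool:
        return "p" in self.extattr

    @property
    def setuid(self) -> bool:
        return self.perms[3] in "sS"     # 's'/'S' in the owner execute slot

    @property
    def setgid(self) -> bool:
        return self.perms[6] in "sS"     # 's'/'S' in the group execute slot


def parse_ls_e(line: str) -> UssFile:
    """Parse one 'ls -E' line: mode, ext attrs, links, owner, group, size,
    three date fields, then the path (which may itself contain spaces)."""
    f = line.split()
    if len(f) < 10:
        raise ValueError(f"not an ls -E line: {line!r}")
    return UssFile(perms=f[0], extattr=f[1], owner=f[3], group=f[4],
                   path=" ".join(f[9:]))


def privesc_candidates(listing: list[str]) -> list[str]:
    """APF-authorized files that are also setuid/setgid: what the page's
    first find command hunts for.  Shared objects and DLLs are skipped by
    suffix rather than by a bare 'grep -v .so' substring match."""
    out = []
    for line in listing:
        if not line.strip():
            continue
        f = parse_ls_e(line)
        if f.path.endswith((".so", ".dll")):
            continue
        if f.apf and (f.setuid or f.setgid):
            out.append(f.path)
    return out


# Constructed sample output (fictional paths and owners).
SAMPLE = """\
-rwsr-xr-x  a---   1 BPXROOT  SYS1      81920 Mar 10  2014 /u/test/bin/apfsu
-rwxr-xr-x  ap--   1 BPXROOT  SYS1     245760 Jan  5  2013 /u/test/bin/apfonly
-rwsr-xr-x  ----   1 BPXROOT  SYS1      61440 Jan  5  2013 /u/test/bin/plainsu
-rwxr-sr-x  a-s-   1 BPXROOT  SYS1     122880 Feb 20  2015 /u/test/lib/apflib.so
-rwxr-sr-x  a-s-   1 BPXROOT  SYS1     122880 Feb 20  2015 /u/test/bin/apf sgid
""".splitlines()

if __name__ == "__main__":
    for p in privesc_candidates(SAMPLE):
        print(p)          # /u/test/bin/apfsu and /u/test/bin/apf sgid
```

Feed it the real output of `find / -type f -ext a -exec ls -E {} \;` saved to a file; the setuid-only and APF-only entries are kept around in the parsed objects so you can query for other combinations (for example APF plus program-controlled) without re-running find.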

Packet Captures – TCP/IP Networking

  • Getting a packet capture on a mainframe is a non-trivial event.  I’ll save you the trouble of digging up all the requisite tutorials and lay down my version here:

There are 4 major components to this effort:
1) A trace writer proc, put in your favorite PROCLIB, created with JCL such as:

2) The TCPIP packet trace functionality. Started with a command like this from the master console or SDSF – (check the link at the bottom for more filter options):

3) Then, start the writer and execute the capture by issuing the following commands:

4) Using the IPCS functionality to format the trace into a spool file.  I use JCL like this (Make sure to modify datasets to match your system):

Bonus Step 5)  If you want to export the dump to a pcap file, readable by tcpdump, Wireshark and the like, substitute the step 4 JCL (the inline portion after the DD * only) with something like the following:

Then I like to use a USS cp and sftp (make sure you use a transfer mode that is strictly binary, otherwise the EBCDIC/ASCII translation will corrupt the pcap) to get the file to your PC and open it with Wireshark.  Enjoy!

That’s it .. simple right?

Here are some useful links:

TCPIP Packet Tracing

How to collect packet trace on z/OS

V TCPIP,,PKT command syntax

ZOS IP Diagnosis Guide (SNIFFER CTRACE and others syntax)

Mainframe shellcode

Come see my talk at DEFCON23.

Stay tuned to this site and follow @bigendiansmalls for sneak peeks at what I will be presenting!

Finding the Callable Services

The posts here won’t initially be in a start-from-the-beginning order.   However, as I get more of them up,  they will contain all the steps to help you set up your Z environment to begin building exploits and shellcode.

This post is about finding the addresses of what IBM refers to as the Assembler Callable Services (or sometimes USS Callable Services).  These addresses can be thought of as loosely analogous to the Procedure Linkage Table / Global Offset Table pair used in Linux to find the addresses of common functions from position-independent code.  If a mainframe program is built normally, whether in C or in High-Level Assembler (HLASM), these services can simply be called and the linker takes care of resolving them for you.  Since our shellcode has no linker and needs to mimic this, we will find these addresses ourselves, using examples provided by IBM.
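As an added illustration of the idea (my own Python model, not the post's code), the block below walks the pointer chain IBM documents for reaching a USS callable service from assembler without a linker: PSA+X'10' to the CVT, CVT+X'220' (CVTCSRT) to the callable services request table, CSRT+X'18' to the USS callable services table, then a per-service slot. The first three offsets are IBM's published calling sequence as I remember it; the service slot (SVC_OFF) and every address in the fake memory image are placeholders made up for the demo, not real z/OS values.

```python
# Added example (not the post's code): a model of the pointer chase IBM
# documents for reaching a USS callable service from assembler without a
# linker: PSA+X'10' -> CVT, CVT+X'220' (CVTCSRT) -> CSR table, CSRT+X'18' ->
# USS callable services table, then a per-service slot.  The first three
# offsets are from IBM's published calling sequence as I remember it (verify
# against the CVT mapping macro); the service slot (SVC_OFF) and every address
# in the fake memory image are placeholders made up for the demo.
#
# HLASM shape of the same walk:
#     L     15,16(0,0)        CVT address from the PSA
#     L     15,544(,15)       CVTCSRT: callable services request table
#     L     15,24(,15)        USS callable services table
#     L     15,SVC_OFF(,15)   entry point of the wanted service
#     BASR  14,15

import struct

PSA_CVTPTR = 0x10     # PSA field holding the CVT address
CVTCSRT = 0x220       # CVT field holding the CSR table address
CSRT_USS = 0x18       # CSR table slot holding the USS services table
SVC_OFF = 0x10        # placeholder slot, not a real service offset


def load_word(mem: bytes, addr: int) -> int:
    """Big-endian 31-bit pointer fetch with the AMODE flag (bit 0) cleared,
    the same effect as L followed by masking with X'7FFFFFFF'."""
    return struct.unpack_from(">I", mem, addr)[0] & 0x7FFFFFFF


def locate_service(mem: bytes, svc_off: int) -> int:
    """Return the entry address of the service in slot svc_off."""
    cvt = load_word(mem, PSA_CVTPTR)
    csrt = load_word(mem, cvt + CVTCSRT)
    uss = load_word(mem, csrt + CSRT_USS)
    return load_word(mem, uss + svc_off)


def build_fake_memory() -> bytes:
    """Constructed 64 KiB image with the chain laid out at made-up addresses."""
    mem = bytearray(0x10000)
    struct.pack_into(">I", mem, PSA_CVTPTR, 0x1000)             # CVT
    struct.pack_into(">I", mem, 0x1000 + CVTCSRT, 0x2000)       # CSRT
    struct.pack_into(">I", mem, 0x2000 + CSRT_USS, 0x3000)      # USS table
    struct.pack_into(">I", mem, 0x3000 + SVC_OFF, 0x80004000)   # entry, bit 0 on
    return bytes(mem)


if __name__ == "__main__":
    print(hex(locate_service(build_fake_memory(), SVC_OFF)))   # 0x4000
```

The point of the model is that every step starts from a fixed low-core location, so position-independent shellcode needs no absolute addresses at all; the entry stored with bit 0 on shows why the AMODE bit has to be masked (or respected with a BASSM) before the address is used.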

Adventures in securing a “dinosaur”

This blog is my own chronicle of adventures in writing exploits, cryptography, security and who knows what else.   Specifically though, I’m going to start by sharing technical specifics to support my upcoming co-talk at Defcon 23.

Our talk titled “Security Necromancy: Further Adventures in Mainframe Hacking” seeks to educate the security community to actively dig into the z/series (IBM Mainframe) platform by showing how to leverage skills most already have.

Know how to write shellcode?  Great!  We will show you how easy it is to parlay those skills into writing shellcode that will execute on System Z.  Understanding fuzzing and exploit research?  Those skills are easy to apply on this platform as well.

Use your network hacking skills to exploit Network Job Entry (NJE) with some help from Soldier of Fortran to get you started.

Ultimately we want people to understand that this system is rife with opportunities to be further secured and hardened: it is in widespread use as a core system in many critical infrastructures, from finance to air travel; it is relatively obscure; and it has had little real exposure to the hacking public.  All that is needed is your expertise.

Come join us for a great show @ DEFCON 23, and watch here for ongoing updates before and after.