Bind Shell – shellcode and source

This is an addendum to the last post.  Here is shellcode (and it’s stripped down source) that achieve the same goal as the prior post.   The difference is the payload is XOR encoded and the shellcode, and it’s source, have a built in decoder stub that decodes the payload in memory then jumps to it.

If the payload decoder coding looks a bit obtuse, it’s because instructions and operands were chosen that have neither nulls “\x0” nor EBCDIC newlines “\x15” in them.

The code also includes an egghunter that finds the location of the payload in memory, in case they need to be separated.   You can read about egghunters here and here if you aren’t sure what that means.

Full source code on github
Shellcode version

Mainframe Bind Shell – Source Code

Key in any basic toolset for pentesting the mainframe platform is a selection of payloads that can be used to test vulnerabilities.

Below is a bind shell payload, written from scratch in mainframe assembler.  The shell can be connected to using netcat. The payload differs from its Intel counterparts, in that it contains its own EBCDIC to ASCII convertor.  Because of this, the standard exec(‘/bin/sh’,’sh’) could not be used.  Read on for more technical details.

Continue reading Mainframe Bind Shell – Source Code

Python shells on Z & a Patch to Ported Tools

Rocket Software (@rocket on twitter, links below) has a great set of ported tools for System Z.  One of them is Python 2.7.6    Python is in ever penetration tester’s toolkit, and one of my favorite uses for it is to get a “clean” shell once you have gotten connectivity to a system.

Mainframe is no different;  using the old one liner

One can change an ugly shell (perhaps gained by Java app, or some other means:  e.g. netcat, exploit, etc) into one with proper TTY / shell settings, as show in this simple gif:

python-demo-shell

The Gist below patches Rocket’s port of Python to make this work on System Z ( the pty.py – one line fix to match the naming conventions on mainframe).

Gist for patching python

Rocket Ported tools @ SHARE

Rocket Ported Tools Download

DEF CON 23 – Slides & Code

If you are interested (and why wouldn’t you be?)   Here are is a link to the presentation posted below, given by myself and Soldier of Fortran (@mainframed767) at this year’s DEF CON23.   Enjoy!

The link to all the tools and code in the presentation can be found here.

 

Building shellcode, egghunters and decoders.

Creating shellcode on System Z (Mainframe)  Unix System Services (USS) employs the same disciplines required for the same activities on Intel platforms.   The difference lies in the syntax, assembler mnemonics, tools available, and debugging utilities.  There are certainly other ways to achieve this, and I’m still refining my favorites.  The below is one of my early successful attempts at doing so.

If you have never created shellcode from scratch, including a hand-hewn encoder for zapping bad characters, I recommend you do so on a well-documented platform.   Become familiar with using basic (but powerful tools for the task) such as dd, od, gdb and basic python scripting.

Continue reading Building shellcode, egghunters and decoders.

Shellcode Freebie!

Got a burning privesc vulnerable binary on your  USS? How about feeding it a little self-decoding shellcode?  (Hint this is fully functional, find a C stub and try it yourself!).