/MainTP

Mainframe Transfer: PROTOCOL

Primary LanguagePython

MainTP.py

A python script which takes a hostname/ip address of a z/OS FTP server, a username and password and gives you either a bind shell or reverse shell and automatically connects to it.

How?

Bind/Reverse Shell: A JCL file is dynamically generated which contains either a bind or reverse shell in C. This C code is compiled, on z/OS, at the time of exploit.

CVE-2012-5951: The JCL file contains an implementation of CVE-2012-5955 originally discovered by whomever perpetrated the Logica mainframe breach. Refer to https://github.com/mainframed/logica/blob/master/kuku.rx for original local priv escalation exploit on OMVS. This is essentially a REXX script that exploits a flaw to give you UID 0.

JCL: A JCL file is dynamically created based on the criteria provided (shell type, ip addresses, ports), uploaded via FTP and executed by JES (using the SITE FILE=JES extended commands).

NetEBCDICat: A copy of NetEBCDICat is here as well. NetEBCDICat is just an implementation, in python, of a socket ommunicator but it translates EBCDIC to ASCII because OMVS only speaks EBCDIC (ugh!).

Together

[+] Connecting to: mainframe.company.com : 21

[+] Switching to JES mode

[+] Inserting JCL in to job queue

[+] Job JOB00000 added to JES queue

[+] Connecting Reverse Shell - Waiting for z/OS!

id

uid=0(SYSROOT) gid=0(SYS1)