JCL to Escalate Privileges - Metasploit
This page contains detailed information about how to use the payload/cmd/mainframe/apf_privesc_jcl Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: JCL to Escalate Privileges
Module: payload/cmd/mainframe/apf_privesc_jcl
Source code: modules/payloads/singles/cmd/mainframe/apf_privesc_jcl.rb
Disclosure date: -
Last modification time: 2021-01-05 14:59:46 +0000
Supported architecture(s): cmd
Supported platform(s): Mainframe
Target service / protocol: -
Target network port(s): 21
List of CVEs: -
Elevates privileges for a user by adding SYSTEM SPECIAL and BPX.SUPERUSER to the user profile. It does this by using an unsecured/updateable APF authorized library (APFLIB) and updating the user's ACEE using this program/library. Note: This privesc only works with z/OS systems using RACF; no other ESM is supported.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect.
Basic Usage
msf > use payload/cmd/mainframe/apf_privesc_jcl
msf payload(apf_privesc_jcl) > show options
... show and set options ...
msf payload(apf_privesc_jcl) > generate
Msfconsole Usage
Here is how the cmd/mainframe/apf_privesc_jcl payload looks in the msfconsole:
msf6 > use payload/cmd/mainframe/apf_privesc_jcl
msf6 payload(cmd/mainframe/apf_privesc_jcl) > show info
Name: JCL to Escalate Privileges
Module: payload/cmd/mainframe/apf_privesc_jcl
Platform: Mainframe
Arch: cmd
Needs Admin: No
Total size: 3156
Rank: Normal
Provided by:
  Bigendian Smalls
  Ayoub

Basic options:
Name      Current Setting       Required  Description
----      ---------------       --------  -----------
ACTNUM    MSFUSER-ACCTING-INFO  yes       Accounting info for JCL JOB card
APFLIB    SYS1.LINKLIB          yes       APF Authorized Library to use
JCLASS    A                     yes       Job Class for JCL JOB card
MSGCLASS  Z                     yes       Message Class for JCL JOB card
MSGLEVEL  (0,0)                 yes       Message Level for JCL JOB card
NOTIFY                          no        Notify User for JCL JOB card
PGMNAME   programmer name       yes       Programmer name for JCL JOB card
RPORT     21                    yes       The target port
Description:
(Elevate privileges for user. Adds SYSTEM SPECIAL and BPX.SUPERUSER
to user profile. Does this by using an unsecured/updateable APF
authorized library (APFLIB) and updating the user's ACEE using this
program/library. Note: This privesc only works with z/OS systems
using RACF, no other ESM is supported.)
Module Options
This is a complete list of options available in the cmd/mainframe/apf_privesc_jcl payload:
msf6 payload(cmd/mainframe/apf_privesc_jcl) > show options
Module options (payload/cmd/mainframe/apf_privesc_jcl):
Name      Current Setting       Required  Description
----      ---------------       --------  -----------
ACTNUM    MSFUSER-ACCTING-INFO  yes       Accounting info for JCL JOB card
APFLIB    SYS1.LINKLIB          yes       APF Authorized Library to use
JCLASS    A                     yes       Job Class for JCL JOB card
MSGCLASS  Z                     yes       Message Class for JCL JOB card
MSGLEVEL  (0,0)                 yes       Message Level for JCL JOB card
NOTIFY                          no        Notify User for JCL JOB card
PGMNAME   programmer name       yes       Programmer name for JCL JOB card
RPORT     21                    yes       The target port
Advanced Options
Here is a complete list of advanced options supported by the cmd/mainframe/apf_privesc_jcl payload:
msf6 payload(cmd/mainframe/apf_privesc_jcl) > show advanced
Module advanced options (payload/cmd/mainframe/apf_privesc_jcl):
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
JOBNAME    DUMMY            yes       Job name for JCL JOB card
NTFYUSR    false            yes       Include NOTIFY Parm?
VERBOSE    false            no        Enable detailed status messages
WORKSPACE                   no        Specify the workspace for this module
Related Pull Requests
- #14584 Merged Pull Request: Implement the zeitwerk autoloader within lib/msf/base
- #14202 Merged Pull Request: Implement the zeitwerk autoloader within lib/msf/core
- #11797 Merged Pull Request: Added to code to remove payload once run.
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #8228 Merged Pull Request: New mainframe privesc payload for z/OS
See Also
Check also the following modules related to this module:
- payload/cmd/mainframe/bind_shell_jcl
- payload/cmd/mainframe/generic_jcl
- payload/cmd/mainframe/reverse_shell_jcl
- exploit/mainframe/ftp/ftp_jcl_creds
- payload/mainframe/shell_reverse_tcp
Authors
- Bigendian Smalls
- Ayoub
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.