JCL to Escalate Privileges - Metasploit

This page contains detailed information about how to use the payload/cmd/mainframe/apf_privesc_jcl metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Module Overview

---

Name: JCL to Escalate Privileges
Module: payload/cmd/mainframe/apf_privesc_jcl
Source code: modules/payloads/singles/cmd/mainframe/apf_privesc_jcl.rb
Disclosure date: -
Last modification time: 2021-01-05 14:59:46 +0000
Supported architecture(s): cmd
Supported platform(s): Mainframe
Target service / protocol: -
Target network port(s): 21
List of CVEs: -

(Elevate privileges for user. Adds SYSTEM SPECIAL and BPX.SUPERUSER to user profile. Does this by using an unsecured/updateable APF authorized library (APFLIB) and updating the user's ACEE using this program/library. Note: This privesc only works with z/OS systems using RACF, no other ESM is supported.)

Module Ranking and Traits

---

Module Ranking:

• normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage

---

msf > use payload/cmd/mainframe/apf_privesc_jcl
msf payload(apf_privesc_jcl) > show options
    ... show and set options ...
msf payload(apf_privesc_jcl) > generate

To learn how to generate payload/cmd/mainframe/apf_privesc_jcl with msfvenom, please read this.

Go back to menu.

Msfconsole Usage

---

Here is how the cmd/mainframe/apf_privesc_jcl payload looks in the msfconsole:

msf6 > use payload/cmd/mainframe/apf_privesc_jcl

msf6 payload(cmd/mainframe/apf_privesc_jcl) > show info

       Name: JCL to Escalate Privileges
     Module: payload/cmd/mainframe/apf_privesc_jcl
   Platform: Mainframe
       Arch: cmd
Needs Admin: No
 Total size: 3156
       Rank: Normal

Provided by:
  Bigendian Smalls
  Ayoub

Basic options:
Name      Current Setting       Required  Description
----      ---------------       --------  -----------
ACTNUM    MSFUSER-ACCTING-INFO  yes       Accounting info for JCL JOB card
APFLIB    SYS1.LINKLIB          yes       APF Authorized Library to use
JCLASS    A                     yes       Job Class for JCL JOB card
MSGCLASS  Z                     yes       Message Class for JCL JOB card
MSGLEVEL  (0,0)                 yes       Message Level for JCL JOB card
NOTIFY                          no        Notify User for JCL JOB card
PGMNAME   programmer name       yes       Programmer name for JCL JOB card
RPORT     21                    yes       The target port

Description:
  (Elevate privileges for user. Adds SYSTEM SPECIAL and BPX.SUPERUSER 
  to user profile. Does this by using an unsecured/updateable APF 
  authorized library (APFLIB) and updating the user's ACEE using this 
  program/library. Note: This privesc only works with z/OS systems 
  using RACF, no other ESM is supported.)

Module Options

---

This is a complete list of options available in the cmd/mainframe/apf_privesc_jcl payload:

msf6 payload(cmd/mainframe/apf_privesc_jcl) > show options

Module options (payload/cmd/mainframe/apf_privesc_jcl):

   Name      Current Setting       Required  Description
   ----      ---------------       --------  -----------
   ACTNUM    MSFUSER-ACCTING-INFO  yes       Accounting info for JCL JOB card
   APFLIB    SYS1.LINKLIB          yes       APF Authorized Library to use
   JCLASS    A                     yes       Job Class for JCL JOB card
   MSGCLASS  Z                     yes       Message Class for JCL JOB card
   MSGLEVEL  (0,0)                 yes       Message Level for JCL JOB card
   NOTIFY                          no        Notify User for JCL JOB card
   PGMNAME   programmer name       yes       Programmer name for JCL JOB card
   RPORT     21                    yes       The target port

Advanced Options

---

Here is a complete list of advanced options supported by the cmd/mainframe/apf_privesc_jcl payload:

msf6 payload(cmd/mainframe/apf_privesc_jcl) > show advanced

Module advanced options (payload/cmd/mainframe/apf_privesc_jcl):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   JOBNAME    DUMMY            yes       Job name for JCL JOB card
   NTFYUSR    false            yes       Include NOTIFY Parm?
   VERBOSE    false            no        Enable detailed status messages
   WORKSPACE                   no        Specify the workspace for this module

Go back to menu.

Related Pull Requests

---

• #14584 Merged Pull Request: Implement the zeitwerk autoloader within lib/msf/base
• #14202 Merged Pull Request: Implement the zeitwerk autoloader within lib/msf/core
• #11797 Merged Pull Request: Added to code to remove payload once run.
• #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
• #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
• #8228 Merged Pull Request: New mainframe privesc payload for z/OS

Go back to menu.

See Also

---

Check also the following modules related to this module:

• payload/cmd/mainframe/bind_shell_jcl
• payload/cmd/mainframe/generic_jcl
• payload/cmd/mainframe/reverse_shell_jcl
• exploit/mainframe/ftp/ftp_jcl_creds
• payload/mainframe/shell_reverse_tcp

Authors

---

• Bigendian Smalls
• Ayoub

Version

---

This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.