Further Adventures in Mainframe Hacking

Transcription

Security Necromancy: Further Adventures in Mainframe Hacking
B.U.M. Corp. Confidential
mainframed767 & bigendiansmalls
Genesis
•  Wondered: Who’s researching this shit?
–  Windows: 4,951
–  Mac OSX: 2,270
–  z/OS (mainframe): 0
Source (cvedetails.com)
ZERO?? WTF
•  Imagine if you will … Your Doctor calls
IBM System z believes that the details of Security / Integrity APARs should not be made publically available. With the critical workloads running on these systems, the impact of a vulnerability being exploited, however, could severely damage customer operations and business. One of the benefits for not providing vulnerability details is that both external attackers and internal personnel threats can not get access to information that could put an enterprise at undue risk.
Source (ibm.com, DOC# ZSQ03054-USEN-03)
$100,000 Brick
So who are you?
•  We’re just two cool dudes
•  And we are gonna rock your fucking socks off
BIG ENDIAN SMALLS
BIG ENDIAN SMALLS
•  Cut my teeth on AS400
•  Love puzzles, breaking things
•  Woke up in a panic – because of Mainframe!
•  Realized I could get access to my own
•  Started Exploit dev research
•  Wrote first z/OS shellcode (check your CD)
•  Dedicating life to helping poor, unfortunate corporations secure their shit
•  “in” to mainframes in the 90s courtesy of datapac (a Canadian x.25 network)
•  Security Consultant
•  Got my own mainframe
–  Realized it’s not as great as engineers have said (shocker!)
•  I’ve spoken domestically and internationally
•  Released multiple tools from password sniffing to user enumeration
WTF is a Mainframe?
Picture is worth a thousand words:
Reality
•  Used by almost all fortune 100s
–  90% according to IBM!
–  But seriously look at this:
[Slide: a wall of several hundred organization names running mainframes, among them Pepsico, Hartford Life, UBS, City of Phoenix, State of Alabama Child Support Enforcement Services, Bank Vontobel, Duke Power, Wellpoint, Commerzbank, Macy's, United States Postal Service, VISA Inc., Reserve Bank of India, GEICO, Chrysler, Blue Cross Blue Shield, TD Ameritrade, Comerica Bank, United Parcel Service, HSBC, IRS, Bank of America, General Dynamics, United States Steel, Lloyds Banking Group, State Farm, JPMorgan Chase, Deutsche Bundesbank, Federal Reserve, Walmart, Home Depot, Delta Air Lines, Lockheed, Ford, Target, Credit Suisse, Social Security, Medicare, NASDAQ Stock Market, FedEx and Amtrak]
Two Parts
•  First Half: Networking
–  Network Job Entry
–  TN3270 protocol fun!
•  Second Half: Exploit Development
–  How to write exploits
–  Program debugging
–  Shellcode development
–  First z/OS Shellcode
Butt first
You need a quick refresher on what this looks like:
Networking
TN3270
•  Imagine a world where telnet still exists
•  Imagine no MORE!
•  Basically like BBS’s back in the day
•  Uses a ‘stream’
Field Attributes
•  Screen is 1920 bytes long
•  Each byte could be a field attribute identifying:
–  Color
–  Locked/Unlocked (Protected)
–  Visible/Invisible (Hidden)
[Screenshot of a 3270 screen, annotated: Locked Field, Length, USERPG01]
Identifyin’
•  No support in nmap/other tools
•  Hard to identify screens
–  Without getting an emulator
•  What about Hidden Fields?
•  Or Protected Values?
Until NOW!
NEW!
•  TN3270 Library for NMAP
•  Emulates a ‘real’ 3270 screen
•  Allows you to:
–  Connect
–  Show the screen
–  Send commands
–  Detect hidden fields!
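The field-attribute decoding the slides describe, and the hidden-field detection the nmap library does, as an added example that is not code from the talk, from the nmap library or from tn3270lib: it replays an Erase/Write data stream into the 1920-byte buffer and reports each field's protected and nondisplay bits. The sample screen is constructed for this example, and only the SBA, SF and IC orders are handled; a real screen-auditing tool would need the rest of the order set (SFE, RA and so on).

```python
"""Decode 3270 field attributes and flag hidden fields.

Added example (not code from the talk, its nmap library or tn3270lib):
replays the orders of an Erase/Write data stream into a 24x80 buffer
and reports each field with its protected and hidden bits, which is
the check a screen-auditing tool needs. The sample stream at the
bottom is constructed for this example; only SBA, SF and IC are handled.
"""

ROWS, COLS = 24, 80
SCREEN_SIZE = ROWS * COLS          # 1920 bytes, the figure on the slide

# 3270 data-stream order codes
SBA, SF, IC = 0x11, 0x1D, 0x13
# Field attribute byte: bit 2 = protected, bits 4-5 = display mode,
# where 11 means nondisplay (the "hidden" field the slide talks about)
ATTR_PROTECTED = 0x20
ATTR_DISPLAY_MASK = 0x0C
ATTR_NONDISPLAY = 0x0C

# 6-bit value -> byte used in 12-bit buffer addresses; the low 6 bits
# of each byte carry the value, so decoding is a mask
_ADDR_TABLE = (
    [0x40] + list(range(0xC1, 0xCA)) + list(range(0x4A, 0x50))
    + [0x50] + list(range(0xD1, 0xDA)) + list(range(0x5A, 0x60))
    + [0x60, 0x61] + list(range(0xE2, 0xEA)) + list(range(0x6A, 0x70))
    + list(range(0xF0, 0xFA)) + list(range(0x7A, 0x80))
)


def encode_addr(pos):
    """Encode a buffer position as a 12-bit address pair."""
    return bytes([_ADDR_TABLE[(pos >> 6) & 0x3F], _ADDR_TABLE[pos & 0x3F]])


def decode_addr(b1, b2):
    """Decode a 12-bit (or 14-bit, top two bits 00) address pair."""
    if b1 & 0xC0 == 0:
        return ((b1 & 0x3F) << 8) | b2
    return ((b1 & 0x3F) << 6) | (b2 & 0x3F)


def parse_stream(data):
    """Apply a write data stream; return (buffer, {position: attribute})."""
    buf = bytearray(SCREEN_SIZE)
    attrs = {}
    pos, i = 0, 2                   # skip the command byte and the WCC
    while i < len(data):
        b = data[i]
        if b == SBA:
            pos = decode_addr(data[i + 1], data[i + 2])
            i += 3
        elif b == SF:
            attrs[pos] = data[i + 1]
            buf[pos] = 0
            pos = (pos + 1) % SCREEN_SIZE
            i += 2
        elif b == IC:
            i += 1
        elif 0 < b < 0x40:
            raise ValueError(f"unsupported order 0x{b:02x} at offset {i}")
        else:                       # EBCDIC text or a null
            buf[pos] = b
            pos = (pos + 1) % SCREEN_SIZE
            i += 1
    return buf, attrs


def fields(data):
    """List every field: row, col, length, protected, hidden, text."""
    buf, attrs = parse_stream(data)
    starts = sorted(attrs)
    out = []
    for n, start in enumerate(starts):
        end = starts[(n + 1) % len(starts)]          # next attribute, wrapping
        length = (end - start - 1) % SCREEN_SIZE
        raw = bytes(buf[(start + 1 + k) % SCREEN_SIZE] for k in range(length))
        attr = attrs[start]
        out.append({
            "row": start // COLS, "col": start % COLS, "length": length,
            "protected": bool(attr & ATTR_PROTECTED),
            "hidden": (attr & ATTR_DISPLAY_MASK) == ATTR_NONDISPLAY,
            "text": raw.replace(b"\x00", b"\x40").decode("cp037").rstrip(),
        })
    return out


def hidden_fields(data):
    """The fields an emulator never renders: nondisplay attribute set."""
    return [f for f in fields(data) if f["hidden"]]


def _e(text):
    return text.encode("cp037")


# Constructed logon-style screen: a visible USERID prompt, a hidden
# (nondisplay) password input, and a hidden protected value "USERPG01"
SAMPLE_SCREEN = (
    bytes([0xF5, 0xC3])                                                # Erase/Write + WCC
    + bytes([SBA]) + encode_addr(2 * COLS + 10) + bytes([SF, 0x60]) + _e("USERID  ")
    + bytes([SBA]) + encode_addr(2 * COLS + 20) + bytes([SF, 0x40]) + bytes([IC])
    + bytes([SBA]) + encode_addr(3 * COLS + 10) + bytes([SF, 0x60]) + _e("PASSWORD")
    + bytes([SBA]) + encode_addr(3 * COLS + 20) + bytes([SF, 0x4C])   # unprotected, nondisplay
    + bytes([SBA]) + encode_addr(10 * COLS) + bytes([SF, 0x6C]) + _e("USERPG01")  # protected, nondisplay
    + bytes([SBA]) + encode_addr(10 * COLS + 9) + bytes([SF, 0x60])
)

if __name__ == "__main__":
    for f in fields(SAMPLE_SCREEN):
        flag = "HIDDEN " if f["hidden"] else "       "
        lock = "prot" if f["protected"] else "unpr"
        print(f"{flag}{lock} r{f['row']:02d}c{f['col']:02d} len={f['length']:4d} {f['text']!r}")
```

Running the file prints one line per field; on the constructed screen the password input and the USERPG01 value come out as HIDDEN, which is exactly what an emulator would not render and what a screen audit should list.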
Samesies
VTAM Application IDs
VTAM Macros
Hidden Fields!
But Wait! There’s more!
I wrote one in LUA, why not Python?
tn3270lib
•  Supports tn3270 (not TN3270E)
•  Creates a tn3270 object
•  Allows for sending commands
•  Blah blah blah same as nmap
BUT NOW IT MEANS I CAN INTRODUCE:
3 modes
•  Proxy/Passthrough – MitM
•  Mirror a targeted mainframe
–  Connects, scrapes the screen, then shares that screen on your machine
–  Takes commands you might expect your target to send and pregrabs those screens as well
•  No args: TSO logon screen
SET’n’3270
•  Supports SSL
Which is cool cause clients don’t check certs (like, at all, no warning no nothing)
More Tools
•  Big Iron Recon and Pwnage
–  By Dominic White!
–  https://github.com/sensepost/birp
•  Mainframe Brute
–  Slower but prolly more reliable
–  https://github.com/sensepost/mainframe_brute
Network Job Entry
Jobs
(not steve)
• JCL (Job Control Language)
• Run by “JES”
• Made up of
– STEPS
– ProGraMs
– etc
Network Job Entry
•  Also known as NJE
•  Runs on ports 175, 2252 (SSL)
•  Developed in the 80s (??)
Works like this
Initial Setup
•  Systems configure JES telling them:
–  Where to connect
–  Who they will accept connections from
How?
[JES configuration screenshot, annotated: Number of Nodes, Our Node Name, Other nodes, ‘WASHDC’ IP Address]
Connect
[Diagram: Connect TCPIP, then “OPEN”, then “ACK”]
From: Network Job Entry (NJE) Formats and Protocols (SA32-0988-00)
Once established
•  You can send JCL
•  You can send NMR (command/control records)
•  You are now a ‘trusted’ node
–  Depending on your security, of course
Interesting ‘feature’
•  Users from one node don’t need to log on
•  When a job is sent, the userID is sent along with the ‘NJE’ job
•  So long as that account exists on the receiving side it will work.
NO Password
Note: no password or any authentication information is sent. Nodes are TRUSTED and therefore no need to re-authenticate.
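Because an NJE peer presents nothing but its node name in the OPEN record and no password follows, the only check the receiving side has is whether that name and the address it came from match what JES was configured with. The following added example (not code from the talk or from iNJEctor.py) parses the TCP/IP connection control record from the Connect slide and audits an inbound OPEN against a node table, the way a JES administrator or a network monitor would. The record layout (8-byte type, 8-byte OHOST, 4-byte OIP, 8-byte RHOST, 4-byte RIP, 1-byte reason code, text in EBCDIC) is my recollection of the manual the slide cites (SA32-0988) and should be verified against it; the node table and addresses are constructed.

```python
"""Parse and audit an NJE TCP/IP connection control record.

Added example, not code from the talk or from iNJEctor.py. The record
layout (8-byte type, 8-byte originating host, 4-byte originating IP,
8-byte receiving host, 4-byte receiving IP, 1-byte reason code, text
in EBCDIC) is assumed from the manual the slide cites (SA32-0988);
verify it against that manual before relying on it. The node table
and addresses below are constructed.
"""
import socket
import struct
from collections import namedtuple

RECORD_FMT = ">8s8s4s8s4sB"                 # TYPE, OHOST, OIP, RHOST, RIP, R
RECORD_LEN = struct.calcsize(RECORD_FMT)    # 33 bytes

ControlRecord = namedtuple("ControlRecord", "type ohost oip rhost rip reason")


def build_control_record(rtype, ohost, oip, rhost, rip, reason=0):
    """Pack a control record (used here only to build sample input)."""
    return struct.pack(RECORD_FMT,
                       rtype.ljust(8).encode("cp037"),
                       ohost.ljust(8).encode("cp037"),
                       socket.inet_aton(oip),
                       rhost.ljust(8).encode("cp037"),
                       socket.inet_aton(rip),
                       reason)


def parse_control_record(data):
    """Unpack a 33-byte control record into readable fields."""
    if len(data) != RECORD_LEN:
        raise ValueError(f"control record must be {RECORD_LEN} bytes, got {len(data)}")
    rtype, ohost, oip, rhost, rip, reason = struct.unpack(RECORD_FMT, data)

    def text(b):
        return b.decode("cp037").rstrip()

    return ControlRecord(text(rtype), text(ohost), socket.inet_ntoa(oip),
                         text(rhost), socket.inet_ntoa(rip), reason)


def audit_open(data, peer_ip, known_nodes, own_node):
    """Check an inbound OPEN against the node table.

    The node name is the only identity the peer presents, so a defender
    wants to know when a defined name arrives from an address other
    than the one it was defined with, or when an undefined name shows
    up at all. Returns (record, findings); an empty list means it matches.
    """
    rec = parse_control_record(data)
    findings = []
    if rec.type != "OPEN":
        findings.append(f"expected OPEN, got {rec.type!r}")
        return rec, findings
    if rec.ohost not in known_nodes:
        findings.append(f"undefined node name {rec.ohost!r} from {peer_ip}")
    elif known_nodes[rec.ohost] != peer_ip:
        findings.append(f"node {rec.ohost!r} is defined at {known_nodes[rec.ohost]} "
                        f"but this connection came from {peer_ip}")
    if rec.oip != peer_ip:
        findings.append(f"record claims originator {rec.oip} but TCP peer is {peer_ip}")
    if rec.rhost != own_node:
        findings.append(f"record is addressed to {rec.rhost!r}, this node is {own_node!r}")
    return rec, findings


# Constructed node table: name -> address it was defined with in JES
KNOWN_NODES = {"WASHDC": "10.0.0.5", "NEWYORK": "10.0.0.6"}
OWN_NODE = "CHICAGO"

# Constructed samples
GOOD_OPEN = build_control_record("OPEN", "WASHDC", "10.0.0.5", OWN_NODE, "10.0.0.7")
SPOOFED_OPEN = GOOD_OPEN      # identical bytes, but observed from a different peer
UNKNOWN_OPEN = build_control_record("OPEN", "NODEX", "10.0.0.9", OWN_NODE, "10.0.0.7")
NAK = build_control_record("NAK", OWN_NODE, "10.0.0.7", "WASHDC", "10.0.0.5", reason=1)

if __name__ == "__main__":
    for label, data, peer in (("good", GOOD_OPEN, "10.0.0.5"),
                              ("spoofed", SPOOFED_OPEN, "192.0.2.9"),
                              ("unknown", UNKNOWN_OPEN, "10.0.0.9")):
        rec, findings = audit_open(data, peer, KNOWN_NODES, OWN_NODE)
        print(label, rec.ohost, "->", rec.rhost, findings or "ok")
```

The peer address is taken from the TCP connection rather than from the record, since the record's OIP field is whatever the sender chose to put there; the two are compared as a separate finding.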
Breaking NJE
•  First we need to find mainframes with NJE
•  Problem: nmap
NJE Node Names
•  You need this.
•  No, you NEED it.
•  You can’t connect otherwise
NMAP Script: NJE Node Brute
•  Brute forces node names (even if the node is connected!)
NJE is super awesome
•  Like we said before: You need three things:
–  Node Name of your target
–  Node name you want to pretend to be
–  IP Address of your target
With these you can inject JES2 commands with:
iNJEctor.py
Books from the Past!
•  A lot of our research is from really old books
•  Like, really old
•  Older than some of you here today:
Exploit Development
Architecture
•  23,31,64 bit modes
–  3 sets of registers (16 ea)
–  Big Endian
–  Von Neumann Architecture
–  Stack-based (sorta)
•  Virtual Address Spaces
•  Program Status Word (PSW)
•  Z/OS, USS, Z/Linux, Z/VM
DC in a box
JAVA, LINUX, ASM, PL/I, WEB, WEBSPHERE, COBOL, CLOUD, MQ, HTTP, C, C++, JAVASCRIPT, MOBILE, UNIX, DB2, AND MORE!
Where to start
•  Focus on what you know
•  Unix System Services
•  Why? Cause C and Assembler
–  Narrowed down to:
•  Buffer Overflow POC
•  Format String Exploit POC
•  Learn testing environment
•  Shell code development and deployment
[Shellcode structure diagram: Setup Memory, Args and Execute, Cleanup & Exit]
Useful example
•  Execute local shell
–  Useful for Privilege Escalation
•  Steps
–  Build working C or HLASM
–  Convert to machine code
–  Once working, “shellcode-ize”
•  Remove bad chars or encode
–  Test with C buffer stub program
What’s Next?
•  MSF Integration?
•  Native Exploits
•  Java / Web exploits
•  Privilege Escalation
•  Continued Tool development / Porting
–  Generic shellcode building
–  Fuzzi
Thanks
•  DEFCON for letting us talk about this
•  IBM for this cool platform and online books
•  Huge Mega Corps for neglecting this platform
•  Dominic White for his tools
•  Swedish underground community
•  X3270 authors
Contact
•  Phil - “Soldier of Fortran”
@mainframed767
[email protected]
Soldieroffortran.org
•  Chad – “Big Endian Smalls”
@bigendiansmalls
[email protected]
Bigendiansmalls.com