Further Adventures in Mainframe Hacking

Transcription

Security Necromancy:
Further Adventures
in Mainframe Hacking
B.U.M. Corp. Confidential
mainframed767 &
bigendiansmalls
0"
Genesis
•  Wondered: Who’s researching this
shit?
– Windows
4,951
– Mac OSX
2,270
– z/OS (mainframe)
Source (cvedetails.com)
mainframed767 &
bigendiansmalls
ZERO?? WTF
•  Imagine if you will … Your Doctor calls
IBM"System"z"believes"that"the"details"of"Security"/"Integrity"
APARs"should"not"be"made"publically""
available."
With"the"criBcal"workloads"running"on"these"systems,"the"
impact"of"a"vulnerability"being"exploited,"however,""
could"severely"damage"customer"operaBons"and"business.""
One"of"the"benefits"for"not"providing"vulnerability"details"is"
that"both"external"aIackers"and"internal"personnel"threats"
can"not"get"access"to"informaBon"that"could"put"an"
enterprise"at"undue"risk.""
Source"(ibm.com,"DOC#"ZSQ03054SUSENS03)"
mainframed767 &
bigendiansmalls
$100,000 Brick
mainframed767 &
bigendiansmalls
So who are you?
•  We’re just two cools dudes
•  And we are gonna rock your fucking
socks off
mainframed767 &
bigendiansmalls
B
I
G
S
M
A
L
L
S
E
N
D
I
A
N
mainframed767 &
bigendiansmalls
! 
B
Cut my teeth on AS400
I
Love puzzles,
breaking things
G
S
! 
M
!  Woke up in a panic – because of Mainframe!
E
A
N I could get access to my own L
!  Realized
!  Started
D Exploit dev research
!  Wrote
first
z/OS
shellcode
(check
your
CD)
L
I
A life to helping poor, unfortunate
S
!  Dedicating
N
corporations
secure their shit "
mainframed767 &
bigendiansmalls
mainframed767 &
bigendiansmalls
!  “in” to mainframes in the 90s courtesy of
datapac (a Canadian x.25 network)
!  Security Consultant
!  Got my own mainframe
"  Realized its not as great as engineers have
said (shocker!)
!  I’ve spoken domestically and internationally
!  Released multiple tools from password sniffing
to user enumeration "
mainframed767 &
bigendiansmalls
WTF is a
Mainframe?
Picture is worth a thousand words:
mainframed767 &
bigendiansmalls
mainframed767 &
bigendiansmalls
Reality
•  Used by almost all fortune 100s
–  90% according to IBM!
–  But seriously look at this:
mainframed767 &
bigendiansmalls
Pepsico"INC"S"HarYord"Life"S"UBS"S"City"of"Phoenix"Phoenix"Az"USA"David"DeBevec"S"GCCPC"S"State"of"Alabama"Child"Support"Enforcement"Services"S"Jefferies"Bank"S"
Bank" Vontobel" S" Duke" Power," DB2" apps" S" Polfa" Tarchomin" S" Extensity" S" Patni" S" FPL" S" Wellpoint" S" Standard" Insurance" S" Fulton" County" S" Zagrebacka" Banka" (ZABA)" S"
Community"Loans"of"America"S"WGV"S"NAV"S"InformaBon"Builders"S"AIG"Global"Services"S"T."Rowe"Price"S"Macro"Sob"S"Commerzbank"S"Macy's"Systems"and"Technologies"
S"Phoenix"Home"Life"S"United"States"Postal"Service"—"Mainframe"Ops"S"United"Technologies"S"APIS"IT"S"Bajaj"Allianz"S"Universität"Leipzig"S"Abraxas"S"PRT"(Puerto"Rico"
Telephone"S"Claro)"S"VISA"Inc."S"Taiwan"CooperaBve"Bank"Taiwan"S"Reserve"Bank"of"India"(www.rbi.org.in)"S"GEICO"Atlanta"GA"Insurance"S"GaranB"Technology"Istanbul"
Turkey" S" Chrysler" S" Marist" College" S" GEORGIA" STATE" UNIVERSITY" S" Blue" Cross" Blue" Shield" MD" S" Self" Employed" Consultant" S" Mpowerss" S" TD" Ameritrade" S" Seminole"
Electric"S"TD"Ameritrade"S"Modern"Woodmen"of"America"S"TIAASCREF"S"VF"Corp."S"CiB"/"Primerica"S"Comerica"Bank"S"American"Family"Insurance"S"Alliance"Data"Systems"
(Texas" and" Ohio)" S" United" Parcel" Service" Inc" S" American" General" S" Farm" Bureau" Financial" Services" S" IBM" Global" Services" S"Abraxas" S" SLK" sobware" S" Brown" Brothers"
Harriman"(BBH)"S"EDEKA"S"Mainframe"Co"Ltd"S"Guardian"Life"S"Enbridge"Gas"DistribuBon"S"SE"Tools"S"Southern"Company"S"Equifax"Inc"S"HSBC"S"IRS"S"Watkins(now"part"of"
Fedex)"S"ForBs"S"General"Dynamics"S"United"States"Steel"S"TAG"S"Bank"of"America"S"Pitney"Bowes"(Danbury,"Ct.)"S"OFD"S"Infotel"S"Sainsburys"Plc"S"IRS,"New"Carrolton"MD"S"
TIMKEN"S"TSSystems"S"Palm"Beach"County"School"District"The"School"District"of"Palm"Beach"County"West"Palm"Beach"FL"USA"George"Rodriguez"S"Emory"Univ"S"WIPRO"
Technologies"S"Experian"Americas"S"Lawrence"Livermore"NaBonal"Laboratories,"Livermore,"CA"S"Helsana"S"Vertex"(only"SeaIle"area)"S"Suntrust"Banks"Inc"S"AMB"Generali"
S"Casas"Bahia"S"Express"Scripts"S"Harland"Clarke"(John"H."Harland"Co)"S"Medical"College"of"Georgia"S"Waddell"&"Reed"FInancial"Services"S"Praxair"(Danbury,"Ct.)"S"Avnet"S"
BMW"S"Ryder"Trucks"Miami"FL"USA"S"COVANYS"S"Emblem"Health"S"Bank"of"New"York"Mellon"(BNY)"(BK)"New"York"NY,"PiIsburgh,"PA"and"Nashville,"TN,"EvereI"S"Allied"
Irish"Bank"AIB"(www.aib.ie)"S"VISA"Inc."S"MAJORIS"S"AARP"S"Logica"Inc"S"Matera"S"R+V"S"Texas"A&M"University"Colleg"StaBon"TX"USA"S"Riocard"TI"S"United"Missouri"Bank"S"
R"R"Donlley"S"TechData"S"SERPRO"S"GreatSWest"Life"S"UNUM"Disability/Insurance"Portland"ME"Columbia"SC"S"Lloyds"Banking"Group"S"DST"S"ACS"State"Healthcare"S"IBM"
Global"Services"S"Travelport"S"State"Farm"Ins"S"CDSI"S"ABSA"Bank"S"Maintec"Technologies"Inc."S"TESCO"Bangalore"India"Sivaprasad"Vura"S"MINDTREE"S"CAP"GEMINI"S"Mass"
Mutual"S"AOK"S"TD"Auto"Finance"S"Blue"Cross"Blue"Shield"TN"S"Applabs"S"NaBonal"Life"Group"S"VOLVO"IT"Corp."S"United"Health"Care"(UHG)"S"Banco"Itau"S"CEPROMAT"S"
Total"Systems"S"University"of"California"at"Berkeley,"CA"S"DEVK"Köln"S"HewleI"Packard"S"M&T"Bank"S"University"of"Chicago"Chicago"IL"USA"S"FreddieMac"S"RHB"bank"S"
Commonwealth"Automobile"Reinsurers"S"Ecolab,"Inc"S"Montreal"S"Ford"S"HPS4"S"Bic"Banco"S"Bank"Vontobel"S"Time"Customer"Service"S"Phoenix"Companies"S"Alcatel"S"
Turner"BroadcasBng"TBS"S"Motor"Vehicles"Admin"S"Avon"Brasil"S"IBM"S"GwinneI"County"School"District"S"SunGard"S"CSC"S"WIPRO"(exSInfoCrossing)"USA"Outsourcing"S"
Strate"(www.Strate.co.za)"S"Pioneer"Life"Insurance"S"Rite"Aid"S"GwinneI"Medical"Center"S"GMAC"SmartCash"S"BNP"Paribas"Paris"France"S"Lender"Processing"Services"
(LPS)"S"Bank"Rakyat"Indonesia"(BRI)"S"Nike"INC"S"Tampa"General"S"CPS"S"PCCW"S"ADP"S"Wellmark"S"Blue"Cross"Blue"Shield"SC"S"RBSLynk"S"Ameriprise"(American"Express"
Financial" Advisors)" S" Chubb" S" MASCON" S" SAS" InsBtute" NC" USA" S" Thomson" FinancialSTransacBon" Services" S" Washington" State" Employment" Security" Department" S"
AliComp" www.alicomp.com" S" AAFES" S" Merlin" InternaBonal" S" Veteran" Affairs" S" Donovan" Data" Systems" (ManhaIan)" S" Avon" (Westchester)" S" Sloan" KeIering" (Bronx)" S"
Shands" HealthCare" S" Wellpoint" S" MFX" Fairfax" Morristown" NJ" USA" KLCameron" Outsourcing" S" Virginia" Department" of" Motor" Vehicles" S" ONCOR" Dallas" TX" USA" S" DST"
Output"S"NaBon"Wide"Insurance"S"Riyad"Bank"S"Bank"Central"Asia"(BCA)"S"Eddie"Bauer"S"ScienBfic"Games"InternaBonal,"Inc"S"Commerzbank"S"Lousiana"Housing"Fin"Ag"/"
Baton" Rouge" CC" S" Broward" County" Schools" S" Verizon" (Wireless)" S" Master" Card" INC" S" Connecture" S" Atos" Origin" S" L&T" S" Capco" S" Accenture" S" Georgia" State" Dept" of"
EducaBon"S"Cathy"Pacific"S"GE"Financial"Assurance"S"ING"S"Fidelity"Investments"Boston"MA"&"New"York"S"PATNI"S"Maersk"Lines"(Global"Container"Shipping),"S"TCS"S"BriBsh"
Airways"S"GAVI"S"CVS"pharmacy"S"First"NaBonal"Bank"S"LabCorp"S"Klein"Mgt."Systems"(Westchester)"S"H."E."BuI"Grocery"Co."S"Duke"Energy"S"Vanguard"Group"S"Kaiser"
Permanente" Corona" CA" USA" S" State" Auto" Insurance" S"BiSLo" S" MARTA" S" EDS" S" DHL" IT" Services" S" Charles" Schwab" S" CPU" Service" S" Virginia"Dept" of" CorrecBons" S"Cielo" S"
Business"Connexion"(www.bcx.co.za)"S"Lockheed"S"Fiat"S"Symetra"S"CiB"S"Collabera"S"Bank"of"America"(was"NaBons"Bank"–"Can"work"out"of"AlphareIa"office)"S"FIS"S"State"
of"Montana"S"Accenture"S"PWC"S"State"of"GA"S"DHS"S"Bank"Indonesia"(BI)"S"Publix"S"Porto" Seguro"S"General"Motors"Detroit"AusBn"Atlanta"Phoenix"S"CPQD"S"BB&T"S"
Partsearch"Technologies"S"ISO"(Jersey"City)"S"HMS"S"Depository"Trust"and"Clearing"Corp"S"VISA"Inc."S"EDB"ErgoGroup"S"US"Bank"S"Federal"Reserve"S"CoSoperators"Canada"S"
OCIT","Sacramento"Cty"S"Progressive"Insurance"S"ZETO"S"MetaVante"(Now"Fidelity)"S"Ford"Motor"Co"S"University"System"of"Georgia"S"California"Casualty"Management"
Company,"San"Mateo"and"Sacramento,"CA"S"PSP"S"Thomson"Reuters"S"RBS"(Royal"Bank"of"Scotland)"S"Aurum/BSPR"S"Social"Security"S"GKVI"S"Kohls"Department"Stores"S"
FIS"S"New"York"Times"(ManhaIan)"S"CIGNA"S"SunGard"Computer"Services"Voorhees"NJ"S"Florida"Power"&"Light"(FPL)"Juno"Beach"FL"USA"UBlity"S"Fiserv"(formerly"Check"
Free)" S" H&W" Computer" Systems," Inc." S" CA" Technologies" S" Treehouse" Sobware," Inc." hIp://www.treehouse.com" S" Ohio" Public" Employees" ReBrement" System" S"
Montefiore"Hospital"(Bronx)"S"Air"New"Zealand"S"KEANE"S"Blue"Cross/Blue"Shield"of"Texas"S"CoIon"States"Mutual"Ins"Company"S"PKO"BP"Warszawa,"Poland"S"S"Insurance"
Services" Office" S" CiBgroup" S" Liberty" Life" S" Thomson" Reuters" S" Royal" Bank" of" Canada" (RBC)" S" M&T" Bank" S" Medstar" Health" hIp://www.medstarhealth.org" S" Infosys" S"
Maersk"Data"(Global"LogisBcs/Shipment"Tracking)"S"Missouri"Gas"Energy"Kansas"City"MO"USA"KLCameron"UBlity"S"Choice"Point"S"Express"Scripts"S"VETTRI"S"Wellogic"S"
Arby’s"–"Wendy’s"Group"S"Bacen"www.bcb.gov.br"S"BNP"Paribas"ForBs"Brussels"Belgium"S"Alcan"Global"ATI"S"C&S"Wholesale"Grocers"S"United"States"Postal"Service"S"
mainframed767 &
bigendiansmalls
Princeton" ReBrement" Group" Inc" S" POLARIS" S" Georgia" Farm" Bureau" Mutual" S" MBT" S" May" bank" S" BMW" S" AIG" S" EDEKA" S" Delloits" S" Iflex" S" Bank" of" Tokyo" (Jersey" City)" S"
Crawford"and"Company"S"Meredith"Corp"S"Express"Scripts"S"Home"Depot"U.S.A.,"Inc."S"Broadridge"Financial"Services"S"NMBSSHolding"hIp://www.nmbsSholding.be"S"
PrudenBal" S" KPN" S" Bank" of" Montreal" (BMO:CN)" S" Montreal" S" Union" Bank" S" R+V" S" AlcatelSLucent" S" DATEV" eG" S" Delta" Air" Lines" Inc" S" Pershing" LLC" S" Physicians" Mutual"
Insurance"Company"(PMIC)"Omaha"NE"USA"KLCameron"Insurance"S"Morgan"Stanley"(Brooklyn)"S"ScoBabank"S"CSI"InternaBonal"OH"USA"Jon"Henderson,"COO"S"Coca"Cola"
Enterprises"S"Amadeus"Data"Processing"S"Zions"BancorporaBon"S"Ciber"S"GwinneI"County"S"VW"S"Banco"Bradesco"S"Target"INC"S"Copel"S"Blue"Cross"Blue"Shield"AL"S"LDS"S"
IPACS"S"ZETO"S"Office"Depot"Deerfield"&"DelRay"S"Air"France"S"Capital"One"S"Glen"Allen/West"Creek"S"Emigrant"Savings"Bank"S"Consist"S"Siemens"S"JPMorgan"Chase"S"
Banco"Davivienda"S"QBE"the"Americas"S"Lubhansa"Systems"S"Metlife"S"United"States"Postal"Service"—"Mainframe"Ops"S"Tata"Steel"S"Franklin"Templeton"S"United"Parcel"
Service"Inc"(UPS)"S"Nest"S"Kawasaki"Motors"Corp"S"AT&T"/"BellSouth"/"Cingular"S"HSBC"GLT"S"Medical"Mutual"of"Ohio"Cleveland"OH"USA"CooperMA"S"TSSystem"S"NYS"Dept"
of"Tax"and"Fin"S"HealthPlan"Services"S"OFD"S"State"of"California"Teale"Data"Center,"Rancho"Cordova,"CA"S"CEF"S"Delphi"S"Tivit"hIp://www.Bvit.com.br"S"Igate"Hyderabad"
India"Sivaprasad"Vura"S"Atlanta"Journal"ConsBtuBon"S"ManhaIan"Associates"S"Helsana"S"MHS"S"FannieMae"S"S1"S"HDFC"Bank"S"Great"Lakes"Higher"EducaBon"Corp."S"
Norfork"Southern"Railway"S"SCHLUMBERGER"Sema"S"United"Health"Group"(UHG)"S"Union"Pacific"Omaha"NE"USA"KLCameron"TransportaBon"S"Outsourcing"deTecnica"
deSistemas"S"Hardware"S"CSX"S"Deutsche"Bundesbank"S"TD"Canada"Trust"S"Computer"Sciences"CorporaBon"(CSC)"S"Highmark"S"Rubbermaid"S"IGS"S"Edward"Jones"St."Louis"
MO"Tempe"AZ"USA"S"Ministry"of"Interior"(NIC)"S"IBM"S"ScoI"Trade"S"EMC"S"Bank"InternaBonal"Indonesia"(BII)"S"CIC"S"Parker"Hannifin"Cleveland"Ohio"USA"Cooperma"S"
Paccar" S" Deutsche" Bundesbank" S" Deutsche" Bank" S" Global" SMS" Networks" Pvt." Ltd." (" GLOBALSMSC" )" S" Chase" S" Genuine" Auto" Parts" (" MoBon" Industries)" S" Hexaware" S"
Virginia" State" Corp," Commission" S" Customs" &" Border" Enforcement" (CBE)" S" Protech" Training" [hIp://www.protechtraining.com]" Training," ConsulBng" &" Sobware"
PiIsburgh" PA" USA" S" NBNZ" S" ING" NA" Insurance" Corp" S" IBM" Tucson," Arizona" Sobware" Development" Laboratory" (DFSMShsm," Copy" Services)" S" AtlanBc" Pacific" Tea"
Company"(A&P)"S"CTS"S"AMB"Generali"S"WIPRO"S"State"of"Florida"S"Northwest"Regional"Data"Center"S"Brotherhood"Bank"&"Trust"S"Walmart"S"VW"S"MINDTEK"S"Philip"
Morris"S"InterconBnental"Hotels"Group"S"Dekalb"County"S"Allstate"S"UBca"Insurance"UBca"NY"USA"Insurance"–"Emirates"S"Assurance"S"New"York"University"S"Primerica"
Life"Ins"Co"S"Krasdale"Foods,"Inc."S"Prokarma"Hyderabad"India"Sivaprasad"Vura"S"North"Carolina"State"Employees'"Credit"Union"S"Commerce"Bank"Kansas"City"MO"USA"S"
First"Data"S"UPS"(Paramus,"NJ)"S"Credit"Suisse"S"State"of"Illinois"S"Central"Management"Services"(CMS)"S"Springfield,"IL"S"Penn"Mutual"S"United"States"Postal"Service"—"
Mgmt"Ops"S"MASTEK"S"LBBW"(Landesbank"Baden"WuerIemberg)"S"DIGITAL"S"CiB"S"ELCOT"S"Wakefern"Food"Corp"S"BI"Moyle"Associates,"Inc."S"Steria"S"Acuity"LighBng"
Group" Inc.." S" HMC" Holdings" (ManhaIan)" S" ANZ" Bank" S" Banco" do" Brasil" S" Allianz" Assurancies" S" DATEV" eG" S" Puget" Sound" Energy" (SeaIle)" S" Charles" Schwab" S" Serasa"
Experian"S"TECO"S"WinnSDixie"S"BelasBngdienst"S"Lubhansa"Systems"S"GAP"Inc"S"HCL"S"Chemical"Abstract"Services"(CAS)"S"ProdeSP"S"United"States"Postal"Service"S"DB2"
DBA"Ops"S"Assurant"S"Prodam"SP"S"Bank"Nasional"Indonesia"(BNI46)"S"Norfolk"Southern"Corp"S"AON"HewiI"S"ITERGO"S"Aegon"S"State"of"Georgia"S"Trinity"Health"S"AIG"S"
PNC"Bank"PiIsburgh"PA"USA"S"Washington"State"Department"of"Social"and"Health"Services"S"Credit"Suisse"S"Aviva"S"ELIT"S"FINA"S"Finanz"InformaBk"S"Jackson"NaBonal"S"
BMC"Sobware"S"Group"Health"CooperaBve"S"Media"Ocean"(office"here,"HQ"most"likely"New"York)"S"Grady"Hospital"S"Ameritech"S"Allianz"Assurancies"S"HewleISPackard"S"
Merrill"Lynch"(now"BOA)"S"Miami"Dade"County"S"IBM"Silicon"Valley"Laboratory,"San"Jose,"CA"(home"of"DFSMS,"DB2,"IMS,"languages)"S"RedeCard"S"ConnecBcut,"State"of"
(various" Departments" including" TransportaBon," Public" Safety," and" InformaBon" Technologies)" S" UBS" APAC" (Union" Bank" of" Switzerland)" S" ZETO" S" WGV" S" Conseco" S"
Atlanta"Housing"Authority"S"NaBonal"Life"Ins."Co."S"CollecBve"Brands"S"SAS"S"FIS"S"TD"Ameritrade"S"Navistar"S"LDS"S"Target"India"S"Dominion"Power/Dominion"Resources"S"
Glen"Allen/Innsbrook"S"US"Sobware"S"Voith"S"Thrivent"S"LBBW"(Landesbank"Baden"WuerIemberg)"S"State"of"Alabama"S"Bank"of"America"(BAC)"S"Ford"S"SATHYAM/PCS"S"
Fiducia"S"Amadeus"Data"Processing"S"State"of"AZ"S"ADOT"S"IBM"India"S"Florida"Power"&"Light"S"PSA"Peugeot"Citroen"S"Mphasis"S"ADP,"Inc."S"City"of"Tulsa"S"Energy"Future"
Holdings"Dallas"Tx"USA"S"CGI"S"Boston"Univerity"S"University"of"NC"S"Atos"Origin"S"Key"Bank"S"AFLAC"S"IBM"Global"Services"S"YRCW"S"Lincoln"NaBonal"S"Sobware"Paradigms"
India"S"logica"CMG"S"Fujitsu"America"Dallas"TX"KLCameron"Outsourcing"S"Southern"California"Edison"S"CEF"S"Mt."Sinai"(Bronx)"S"Blue"Cross"Blue"Shield"S"HSBC"Trinkaus"&"
Burkhardt"AG"S"Mainline"InformaBon"Systems"S"Schneider"NaBonal"Green"Bay"WI"USA"KLCameron"TransportaBon"S"Publix"S"John"Dere"S"PSC"Electrical"ContracBng"S"
Family"Life"Ins."Co."S"DTC"(ManhaIan)"S"Eaton"Cleveland"Ohio"USA"Cooper"MA"S"Russell"Stovers"S"AEP"S"Alcatel"S"Axa"(Jersey"City)"S"ACS"(Texas)"S"Mutual"of"America"S"
Liberty" Mutual" (Safeco" Insurance)" S" Medicare" S" Statens" UddannelsesstøIe" S" Lowe's" S" Bank" Of" America" S" TUI" S" IVV" S" Aetna" S" Sanepar" S" Sentry" Insurance" S" Fiserv"
IntegraSys" S" State" of" ConnecBcut" (various" Departments" including" Public" Safety," TransportaBon," InformaBon" Technologies)" S" Bovespa" S" City" of" New" York" (Several"
locaBons)"S"Con"Edison"(ManhaIan)"S"City"of"Atlanta"S"GM"S"UBS"S"Krakatau"Steel"Cilegon"Indonesia"S"ITERGO"S"Blue"Cross"Blue"Shield"GA"S"Scope"InternaBonal(Standard"
Chatered)" S" Rutgers" University" S" Office" of" IT" S" GM" S" Santander" S" State" of" Alaska" S" AIG" Global" Services" S" Atos" Origin" S" CA" Technologies" S" Garuda" Indonesia" Jakarta"
Indonesia"Gun"gun"S"Leumi"Bank"Leumi"Bank"TelSAviv"ISrael,"Shai"Perry"S"Cognizant"Technology"SoluBons"S"Barclays"bank"S"Heartland"Payment"Systems"(Texas)"S"Xerox"S"
State"of"GA"S"DOL"S" SYNTEL" S" Canadian" Imperial" Bank" of" Commerce" (CIBC)" S" Friedkin" InformaBon" Technology"Houston"TX"USA"S"NASDAQ"Stock"Market"S"Mahindra"
Satyam"S"CocaSCola"Co"S"SIAC"(Brooklyn)"S"Sears"Holdings"CorporaBon"S"Finanz"InformaBk"S"Fiducia"S"Metro"North"(ManhaIan)"S"FedEx"S"KEONICS"S"Ahold"S"NY"City,"
Various"Agencies"S"IBM"S"CA"Technologies"S"Principal"Financial"Group"S"Georgia"Pacific"S"Governor's"Office"S"Kansas"City"Life"S"Old"Mutual"S"Catapiller"S"Amtrak"S"CTS"S"City"
and"County"of"Alameda,"California"S"Ceridian"S"DPF"S"USAA"S"Traveler's"Insurance"S"Roundy's"Supermarkets"Milwaukee"WI"USA"S"Lexis"Nexis"(formerly"ChoicePoint"Inc)"S"
MarrioI"Hotel"S"United"States"Postal"Service"Applic."Dev."S"XANSA"S"Auto"Zone"S"EDS"S"Manulife"S"State"of"GA"S"GTA"S"Washington"State"Department"of"TransportaBon"
mainframed767 &
bigendiansmalls
Two Parts
•  First Half: Networking
–  Network Job Entry
–  TN3270 protocol fun!
•  Second Half: Exploit Development
–  How to write exploits
–  Program debugging
–  Shellcode development
–  First z/OS Shellcode
mainframed767 &
bigendiansmalls
Butt first
You need a quick refresher on what this
looks like this:
mainframed767 &
bigendiansmalls
mainframed767 &
bigendiansmalls
mainframed767 &
bigendiansmalls
Networking
mainframed767 &
bigendiansmalls
TN3270
•  Imagine a world where telnet still
exists
•  Imagine no MORE!
mainframed767 &
bigendiansmalls
mainframed767 &
bigendiansmalls
mainframed767 &
bigendiansmalls
TN3270
•  Imagine a world where telnet still
exists
•  Imagine no MORE!
•  Basically like BBS’s back in the day
•  Uses a ‘stream’
mainframed767 &
bigendiansmalls
Field Attributes
•  Screen is 1920 bytes long
•  Each byte could be a field
attribute identifying:
" Color
" Locked/Unlocked (Protected)
" Visible/Invisible (Hidden)
mainframed767 &
bigendiansmalls
mainframed767 &
bigendiansmalls
Locked Field Length
USERPG01)
mainframed767 &
bigendiansmalls
Identifyin’
•  No support in nmap/other tools
•  Hard to identify screens
– Without getting an emulator
•  What about Hidden Fields?
•  Or Protected Values?
mainframed767 &
bigendiansmalls
Until NOW!
mainframed767 &
bigendiansmalls
mainframed767 &
bigendiansmalls
mainframed767 &
bigendiansmalls
NEW!
•  TN3270 Library for NMAP
•  Emulates a ‘real’ 3270 screen
•  Allows you to:
–  Connect
–  Show the screen
–  Send commands
–  Detect hidden fields!
mainframed767 &
bigendiansmalls
mainframed767 &
bigendiansmalls
mainframed767 &
bigendiansmalls
Samesies
VTAM Application IDs
VTAM Macros
mainframed767 &
bigendiansmalls
Hidden Fields!
!"
!"
mainframed767 &
bigendiansmalls
But Wait!
There’s more!
I wrote one in LUA
why not Python?
mainframed767 &
bigendiansmalls
tn3270lib
•  Support tn3270 (not E)
•  Creates a tn3270 object
•  Allows for sending commands
•  Blah blah blah same as nmap
BUT NOW IT MEANS I CAN INTRODUCE:
mainframed767 &
bigendiansmalls
mainframed767 &
bigendiansmalls
3 modes
•  Proxy/Passthrough – MitM
•  Mirror a targetted mainframe
–  Connects, scrapes the screen, then shares
that screen on your machine
–  Takes commands you might expect your
target to send and pregrabs those screens
as well
•  No args: TSO logon screen
mainframed767 &
bigendiansmalls
mainframed767 &
bigendiansmalls
mainframed767 &
bigendiansmalls
SET’n’3270
•  Supports SSL
Which is cool cause clients don’t check
certs
(like, at all, no warning no nothing)
mainframed767 &
bigendiansmalls
More Tools
•  Big Iron Recon and Pwnage
–  By Dominic White!
–  https://github.com/sensepost/birp
•  Mainframe Brute
–  Slower but prolly more reliable
–  https://github.com/sensepost/mainframe_brute
mainframed767 &
bigendiansmalls
Network
Job Entry
mainframed767 &
bigendiansmalls
Jobs
(not steve)
• JCL (Job Control Language)
• Run by “JES”
• Made up of
– STEPS
– ProGraMs
– etc
mainframed767 &
bigendiansmalls
mainframed767 &
bigendiansmalls
Network Job Entry
•  Also known as NJE
•  Runs on ports 175, 2252 (SSL)
•  Developed in the 80s (??)
mainframed767 &
bigendiansmalls
Works like this
mainframed767 &
bigendiansmalls
mainframed767 &
bigendiansmalls
mainframed767 &
bigendiansmalls
Initial Setup
•  Systems configure JES telling
them:
– Where to connect
– Who they will accept connections
from
How?
mainframed767 &
bigendiansmalls
Number of Nodes
Our Node Name
Other nodes
‘WASHDC’ IP Address
mainframed767 &
bigendiansmalls
Connect
Connect TCPIP
“OPEN”
“ACK”
From: Network Job Entry (NJE) Formats and Protocols (SA32-0988-00)
mainframed767 &
bigendiansmalls
Once established
•  You can send JCL
•  You can send NMR (command/control
records)
•  You are now a ‘trusted’ node
– Depending on your security, of course
mainframed767 &
bigendiansmalls
Interesting ‘feature’
•  Users from one node don’t need to log on
•  When a job is sent, the userID is sent
along with the ‘NJE’ job
•  So long as that account exists on the
receiving side it will work.
mainframed767 &
bigendiansmalls
NO Password
Note: no password or any
authentication information is sent.
Nodes are TRUSTED and therefore
no need to re-authenticate.
mainframed767 &
bigendiansmalls
Breaking NJE
•  First we need to find mainframes
with NJE
•  Problem: nmap
mainframed767 &
bigendiansmalls
mainframed767 &
bigendiansmalls
mainframed767 &
bigendiansmalls
NJE Node Names
•  You need this.
•  No, you NEED it.
•  You can’t connect otherwise
NMAP Script: NJE Node Brute
•  Brute forces node names (even if the
node is connected!)
mainframed767 &
bigendiansmalls
mainframed767 &
bigendiansmalls
NJE is super
awesome
•  Like we said before: You need three things:
–  Node Name of your target
–  Node name you want to pretend to be
–  IP Address of your target
With these you can inject JES2 commands
with:
mainframed767 &
bigendiansmalls
iNJEctor.py
mainframed767 &
bigendiansmalls
mainframed767 &
bigendiansmalls
mainframed767 &
bigendiansmalls
Books from the Past!
•  A lot of our research is from really
old books
•  Like, really old
•  Older than some of you here
today:
mainframed767 &
bigendiansmalls
mainframed767 &
bigendiansmalls
mainframed767 &
bigendiansmalls
mainframed767 &
bigendiansmalls
mainframed767 &
bigendiansmalls
Exploit
Development
mainframed767 &
bigendiansmalls
Architecture
•  23,31,64 bit modes
–  3 sets of registers (16 ea)
–  Big Endian
–  Von Neumann Architecture
–  Stack-based (sorta)
•  Virtual Address Spaces
•  Program Status Word (PSW)
•  Z/OS, USS, Z/Linux, Z/VM
mainframed767 &
bigendiansmalls
DC in a box
JAVA"
LINUX"
ASM"
PL/I"
WEB"
WEBSPHERE"
COBOL"
AND"MORE!"
CLOUD"
MQ"
HTTP"
C"
C++"
JAVASCRIPT"
MOBILE"
UNIX"
DB2"
mainframed767 &
bigendiansmalls
Where to start
•  Focus on what you know
•  Unix System Services
•  Why? Cause C and Assembler
–  Narrowed down to:
•  Buffer Overflow POC
•  Format String Exploit POC
•  Learn testing environment
•  Shell code development and deployment
mainframed767 &
bigendiansmalls
Setup"
Memory"
Args"and"
Execute"
Cleanup"&"
Exit"
mainframed767 &
bigendiansmalls
mainframed767 &
bigendiansmalls
Useful example
•  Execute local shell
–  Useful for Privilege Escalation
•  Steps
–  Build working C or HLASM
–  Convert to machine code
–  Once working, “shellcode-ize”
•  Remove bad chars or encode
–  Test with C buffer stub program
mainframed767 &
bigendiansmalls
mainframed767 &
bigendiansmalls
mainframed767 &
bigendiansmalls
mainframed767 &
bigendiansmalls
mainframed767 &
bigendiansmalls
mainframed767 &
bigendiansmalls
mainframed767 &
bigendiansmalls
What’s Next?
• 
• 
• 
• 
• 
MSF Integration?
Native Exploits
Java / Web exploits
Privilege Escalation
Continued Tool development / Porting
–  Generic shellcode building
–  Fuzzi
mainframed767 &
bigendiansmalls
Thanks
• 
• 
• 
• 
• 
• 
DEFCON for letting us talk about this
IBM for this cool platform and online books
Huge Mega Corps for neglecting this platform
Dominic White for his tools
Swedish underground community
X3270 authors
mainframed767 &
bigendiansmalls
Contact
•  Phil - “Soldier of Fortran”
@mainframed767
[email protected]
Soldieroffortran.org
•  Chad – “Big Endian Smalls”
@bigendiansmalls
[email protected]
Bigendiansmalls.com
mainframed767 &
bigendiansmalls

Further Adventures in Mainframe Hacking

Transcription

Similar documents

SALES GUIDE GENT