Security necromancy - Further adventures in mainframe hacking - DEF CON 23

Presentation at DEF CON 23 from bigendiansmalls and soldier of fortran. All about mainframe security, exploits, shellcode, NJE, tn3270 and more!

Slide transcript:

  1. Security Necromancy: Further Adventures in Mainframe Hacking (mainframed767 & bigendiansmalls; slide footer: B.U.M. Corp. Confidential)
  2. Wondered: Who's researching this stuff?
  3. Published CVE counts by platform: – Windows 4,951 – Mac OSX 2,270 – z/OS (mainframe). Source: cvedetails.com
  4. Published CVE counts by platform: – Windows 4,951 – Mac OSX 2,270 – z/OS (mainframe). Source: cvedetails.com
  5. • Imagine if you will … Your Doctor calls. Source: ibm.com, DOC# ZSQ03054-USEN-03
  6. • Imagine if you will … Your Doctor calls. IBM's stated position: "IBM System z believes that the details of Security / Integrity APARs should not be made publicly available. With the critical workloads running on these systems, the impact of a vulnerability being exploited, however, could severely damage customer operations and business. One of the benefits for not providing vulnerability details is that both external attackers and internal personnel threats cannot get access to information that could put an enterprise at undue risk." Source: ibm.com, DOC# ZSQ03054-USEN-03
  7. [image-only slide]
  8. bigendiansmalls (speaker intro)
  9. bigendiansmalls: – Cut my 'big iron' teeth on AS400 – Love puzzles, breaking things – Woke up in a panic – because Mainframe! – Realized I could get access to my own – Started exploit research – Wrote first? z/OS shellcode (check your CD)
  10. [image-only slide]
  11. – "in" to mainframes in the 90s courtesy of datapac (a Canadian x.25 network) – Got my own mainframe – I've spoken domestically and internationally – Second DEFCON talk – Released multiple tools from password sniffing to user enumeration
  12. A picture is worth a thousand words:
  13. [image-only slide]
  14. • Used by almost all Fortune 100s – 90% according to IBM! – But seriously, look at this:
  15. Pepsico INC - Hartford Life - UBS - City of Phoenix Phoenix Az USA David DeBevec - GCCPC - State of Alabama Child Support Enforcement Services - Jefferies Bank - Bank Vontobel - Duke Power, DB2 apps - Polfa Tarchomin - Extensity - Patni - FPL - Wellpoint - Standard Insurance - Fulton County - Zagrebacka Banka (ZABA) - Community Loans of America - WGV - NAV - Information Builders - AIG Global Services - T. Rowe Price - Macro Soft - Commerzbank - Macy's Systems and Technologies - Phoenix Home Life - United States Postal Service — Mainframe Ops - United Technologies - APIS IT - Bajaj Allianz - Universität Leipzig - Abraxas - PRT (Puerto Rico Telephone - Claro) - VISA Inc. - Taiwan Cooperative Bank Taiwan - Reserve Bank of India (www.rbi.org.in) - GEICO Atlanta GA Insurance - Garanti Technology Istanbul Turkey - Chrysler - Marist College - GEORGIA STATE UNIVERSITY - Blue Cross Blue Shield MD - Self Employed Consultant - Mpowerss - TD Ameritrade - Seminole Electric - TD Ameritrade - Modern Woodmen of America - TIAA-CREF - VF Corp. - Citi / Primerica - Comerica Bank - American Family Insurance - Alliance Data Systems (Texas and Ohio) - United Parcel Service Inc - American General - Farm Bureau Financial Services - IBM Global Services - Abraxas - SLK software - Brown Brothers Harriman (BBH) - EDEKA - Mainframe Co Ltd - Guardian Life - Enbridge Gas Distribution - SE Tools - Southern Company - Equifax Inc - HSBC - IRS - Watkins(now part of Fedex) - Fortis - General Dynamics - United States Steel - TAG - Bank of America - Pitney Bowes (Danbury, Ct.) 
- OFD - Infotel - Sainsburys Plc - IRS, New Carrolton MD - TIMKEN - T-Systems - Palm Beach County School District The School District of Palm Beach County West Palm Beach FL USA George Rodriguez - Emory Univ - WIPRO Technologies - Experian Americas - Lawrence Livermore National Laboratories, Livermore, CA - Helsana - Vertex (only Seattle area) - Suntrust Banks Inc - AMB Generali - Casas Bahia - Express Scripts - Harland Clarke (John H. Harland Co) - Medical College of Georgia - Waddell & Reed FInancial Services - Praxair (Danbury, Ct.) - Avnet - BMW - Ryder Trucks Miami FL USA - COVANYS - Emblem Health - Bank of New York Mellon (BNY) (BK) New York NY, Pittsburgh, PA and Nashville, TN, Everett - Allied Irish Bank AIB (www.aib.ie) - VISA Inc. - MAJORIS - AARP - Logica Inc - Matera - R+V - Texas A&M University Colleg Station TX USA - Riocard TI - United Missouri Bank - R R Donlley - TechData - SERPRO - Great-West Life - UNUM Disability/Insurance Portland ME Columbia SC - Lloyds Banking Group - DST - ACS State Healthcare - IBM Global Services - Travelport - State Farm Ins - CDSI - ABSA Bank - Maintec Technologies Inc. - TESCO Bangalore India Sivaprasad Vura - MINDTREE - CAP GEMINI - Mass Mutual - AOK - TD Auto Finance - Blue Cross Blue Shield TN - Applabs - National Life Group - VOLVO IT Corp. 
- United Health Care (UHG) - Banco Itau - CEPROMAT - Total Systems - University of California at Berkeley, CA - DEVK Köln - Hewlett Packard - M&T Bank - University of Chicago Chicago IL USA - FreddieMac - RHB bank - Commonwealth Automobile Reinsurers - Ecolab, Inc - Montreal - Ford - HPS4 - Bic Banco - Bank Vontobel - Time Customer Service - Phoenix Companies - Alcatel - Turner Broadcasting TBS - Motor Vehicles Admin - Avon Brasil - IBM - Gwinnett County School District - SunGard - CSC - WIPRO (ex- InfoCrossing) USA Outsourcing - Strate (www.Strate.co.za) - Pioneer Life Insurance - Rite Aid - Gwinnett Medical Center - GMAC SmartCash - BNP Paribas Paris France - Lender Processing Services (LPS) - Bank Rakyat Indonesia (BRI) - Nike INC - Tampa General - CPS - PCCW - ADP - Wellmark - Blue Cross Blue Shield SC - RBSLynk - Ameriprise (American Express Financial Advisors) - Chubb - MASCON - SAS Institute NC USA - Thomson Financial-Transaction Services - Washington State Employment Security Department - AliComp www.alicomp.com - AAFES - Merlin International - Veteran Affairs - Donovan Data Systems (Manhattan) - Avon (Westchester) - Sloan Kettering (Bronx) - Shands HealthCare - Wellpoint - MFX Fairfax Morristown NJ USA KLCameron Outsourcing - Virginia Department of Motor Vehicles - ONCOR Dallas TX USA - DST Output - Nation Wide Insurance - Riyad Bank - Bank Central Asia (BCA) - Eddie Bauer - Scientific Games International, Inc - Commerzbank - Lousiana Housing Fin Ag / Baton Rouge CC - Broward County Schools - Verizon (Wireless) - Master Card INC - Connecture - Atos Origin - L&T - Capco - Accenture - Georgia State Dept of Education - Cathy Pacific - GE Financial Assurance - ING - Fidelity Investments Boston MA & New York - PATNI - Maersk Lines (Global Container Shipping), - TCS - British Airways - GAVI - CVS pharmacy - First National Bank - LabCorp - Klein Mgt. Systems (Westchester) - H. E. Butt Grocery Co. 
- Duke Energy - Vanguard Group - Kaiser Permanente Corona CA USA - State Auto Insurance - Bi-Lo - MARTA - EDS - DHL IT Services - Charles Schwab - CPU Service - Virginia Dept of Corrections - Cielo - Business Connexion (www.bcx.co.za) - Lockheed - Fiat - Symetra - Citi - Collabera - Bank of America (was Nations Bank – Can work out of Alpharetta office) - FIS - State of Montana - Accenture - PWC - State of GA - DHS - Bank Indonesia (BI) - Publix - Porto Seguro - General Motors Detroit Austin Atlanta Phoenix - CPQD - BB&T - Partsearch Technologies - ISO (Jersey City) - HMS - Depository Trust and Clearing Corp - VISA Inc. - EDB ErgoGroup - US Bank - Federal Reserve - Co-operators Canada - OCIT , Sacramento Cty - Progressive Insurance - ZETO - MetaVante (Now Fidelity) - Ford Motor Co - University System of Georgia - California Casualty Management Company, San Mateo and Sacramento, CA - PSP - Thomson Reuters - RBS (Royal Bank of Scotland) - Aurum/BSPR - Social Security - GKVI - Kohls Department Stores - FIS - New York Times (Manhattan) - CIGNA - SunGard Computer Services Voorhees NJ - Florida Power & Light (FPL) Juno Beach FL USA Utility - Fiserv (formerly Check Free) - H&W Computer Systems, Inc. - CA Technologies - Treehouse Software, Inc. http://www.treehouse.com - Ohio Public Employees Retirement System - Montefiore Hospital (Bronx) - Air New Zealand - KEANE - Blue Cross/Blue Shield of Texas - Cotton States Mutual Ins Company - PKO BP Warszawa, Poland - - Insurance Services Office - Citigroup - Liberty Life - Thomson Reuters - Royal Bank of Canada (RBC) - M&T Bank - Medstar Health http://www.medstarhealth.org - Infosys - Maersk Data (Global Logistics/Shipment Tracking) - Missouri Gas Energy Kansas City MO USA KLCameron Utility - Choice Point - Express Scripts - VETTRI - Wellogic - Arby’s – Wendy’s Group - Bacen www.bcb.gov.br - BNP Paribas Fortis Brussels Belgium - Alcan Global ATI - C&S Wholesale Grocers - United States Postal Service -
  16. Princeton Retirement Group Inc - POLARIS - Georgia Farm Bureau Mutual - MBT - May bank - BMW - AIG - EDEKA - Delloits - Iflex - Bank of Tokyo (Jersey City) - Crawford and Company - Meredith Corp - Express Scripts - Home Depot U.S.A., Inc. - Broadridge Financial Services - NMBS-Holding http://www.nmbs-holding.be - Prudential - KPN - Bank of Montreal (BMO:CN) - Montreal - Union Bank - R+V - Alcatel-Lucent - DATEV eG - Delta Air Lines Inc - Pershing LLC - Physicians Mutual Insurance Company (PMIC) Omaha NE USA KLCameron Insurance - Morgan Stanley (Brooklyn) - Scotiabank - CSI International OH USA Jon Henderson, COO - Coca Cola Enterprises - Amadeus Data Processing - Zions Bancorporation - Ciber - Gwinnett County - VW - Banco Bradesco - Target INC - Copel - Blue Cross Blue Shield AL - LDS - IPACS - ZETO - Office Depot Deerfield & DelRay - Air France - Capital One - Glen Allen/West Creek - Emigrant Savings Bank - Consist - Siemens - JPMorgan Chase - Banco Davivienda - QBE the Americas - Lufthansa Systems - Metlife - United States Postal Service — Mainframe Ops - Tata Steel - Franklin Templeton - United Parcel Service Inc (UPS) - Nest - Kawasaki Motors Corp - AT&T / BellSouth / Cingular - HSBC GLT - Medical Mutual of Ohio Cleveland OH USA CooperMA - T-System - NYS Dept of Tax and Fin - HealthPlan Services - OFD - State of California Teale Data Center, Rancho Cordova, CA - CEF - Delphi - Tivit http://www.tivit.com.br - Igate Hyderabad India Sivaprasad Vura - Atlanta Journal Constitution - Manhattan Associates - Helsana - MHS - FannieMae - S1 - HDFC Bank - Great Lakes Higher Education Corp. 
- Norfork Southern Railway - SCHLUMBERGER Sema - United Health Group (UHG) - Union Pacific Omaha NE USA KLCameron Transportation - Outsourcing deTecnica deSistemas - Hardware - CSX - Deutsche Bundesbank - TD Canada Trust - Computer Sciences Corporation (CSC) - Highmark - Rubbermaid - IGS - Edward Jones St. Louis MO Tempe AZ USA - Ministry of Interior (NIC) - IBM - Scott Trade - EMC - Bank International Indonesia (BII) - CIC - Parker Hannifin Cleveland Ohio USA Cooperma - Paccar - Deutsche Bundesbank - Deutsche Bank - Global SMS Networks Pvt. Ltd. ( GLOBALSMSC ) - Chase - Genuine Auto Parts ( Motion Industries) - Hexaware - Virginia State Corp, Commission - Customs & Border Enforcement (CBE) - Protech Training [http://www.protechtraining.com] Training, Consulting & Software Pittsburgh PA USA - NBNZ - ING NA Insurance Corp - IBM Tucson, Arizona Software Development Laboratory (DFSMShsm, Copy Services) - Atlantic Pacific Tea Company (A&P) - CTS - AMB Generali - WIPRO - State of Florida - Northwest Regional Data Center - Brotherhood Bank & Trust - Walmart - VW - MINDTEK - Philip Morris - Intercontinental Hotels Group - Dekalb County - Allstate - Utica Insurance Utica NY USA Insurance – Emirates - Assurance - New York University - Primerica Life Ins Co - Krasdale Foods, Inc. - Prokarma Hyderabad India Sivaprasad Vura - North Carolina State Employees' Credit Union - Commerce Bank Kansas City MO USA - First Data - UPS (Paramus, NJ) - Credit Suisse - State of Illinois - Central Management Services (CMS) - Springfield, IL - Penn Mutual - United States Postal Service — Mgmt Ops - MASTEK - LBBW (Landesbank Baden Wuerttemberg) - DIGITAL - Citi - ELCOT - Wakefern Food Corp - BI Moyle Associates, Inc. - Steria - Acuity Lighting Group Inc.. 
- HMC Holdings (Manhattan) - ANZ Bank - Banco do Brasil - Allianz Assurancies - DATEV eG - Puget Sound Energy (Seattle) - Charles Schwab - Serasa Experian - TECO - Winn-Dixie - Belastingdienst - Lufthansa Systems - GAP Inc - HCL - Chemical Abstract Services (CAS) - ProdeSP - United States Postal Service - DB2 DBA Ops - Assurant - Prodam SP - Bank Nasional Indonesia (BNI46) - Norfolk Southern Corp - AON Hewitt - ITERGO - Aegon - State of Georgia - Trinity Health - AIG - PNC Bank Pittsburgh PA USA - Washington State Department of Social and Health Services - Credit Suisse - Aviva - ELIT - FINA - Finanz Informatik - Jackson National - BMC Software - Group Health Cooperative - Media Ocean (office here, HQ most likely New York) - Grady Hospital - Ameritech - Allianz Assurancies - Hewlett-Packard - Merrill Lynch (now BOA) - Miami Dade County - IBM Silicon Valley Laboratory, San Jose, CA (home of DFSMS, DB2, IMS, languages) - RedeCard - Connecticut, State of (various Departments including Transportation, Public Safety, and Information Technologies) - UBS APAC (Union Bank of Switzerland) - ZETO - WGV - Conseco - Atlanta Housing Authority - National Life Ins. Co. - Collective Brands - SAS - FIS - TD Ameritrade - Navistar - LDS - Target India - Dominion Power/Dominion Resources - Glen Allen/Innsbrook - US Software - Voith - Thrivent - LBBW (Landesbank Baden Wuerttemberg) - State of Alabama - Bank of America (BAC) - Ford - SATHYAM/PCS - Fiducia - Amadeus Data Processing - State of AZ - ADOT - IBM India - Florida Power & Light - PSA Peugeot Citroen - Mphasis - ADP, Inc. - City of Tulsa - Energy Future Holdings Dallas Tx USA - CGI - Boston Univerity - University of NC - Atos Origin - Key Bank - AFLAC - IBM Global Services - YRCW - Lincoln National - Software Paradigms India - logica CMG - Fujitsu America Dallas TX KLCameron Outsourcing - Southern California Edison - CEF - Mt. 
Sinai (Bronx) - Blue Cross Blue Shield - HSBC Trinkaus & Burkhardt AG - Mainline Information Systems - Schneider National Green Bay WI USA KLCameron Transportation - Publix - John Dere - PSC Electrical Contracting - Family Life Ins. Co. - DTC (Manhattan) - Eaton Cleveland Ohio USA Cooper MA - Russell Stovers - AEP - Alcatel - Axa (Jersey City) - ACS (Texas) - Mutual of America - Liberty Mutual (Safeco Insurance) - Medicare - Statens Uddannelsesstøtte - Lowe's - Bank Of America - TUI - IVV - Aetna - Sanepar - Sentry Insurance - Fiserv IntegraSys - State of Connecticut (various Departments including Public Safety, Transportation, Information Technologies) - Bovespa - City of New York (Several locations) - Con Edison (Manhattan) - City of Atlanta - GM - UBS - Krakatau Steel Cilegon Indonesia - ITERGO - Blue Cross Blue Shield GA - Scope International(Standard Chatered) - Rutgers University - Office of IT - GM - Santander - State of Alaska - AIG Global Services - Atos Origin - CA Technologies - Garuda Indonesia Jakarta Indonesia Gun gun - Leumi Bank Leumi Bank Tel-Aviv ISrael, Shai Perry - Cognizant Technology Solutions - Barclays bank - Heartland Payment Systems (Texas) - Xerox - State of GA - DOL - SYNTEL - Canadian Imperial Bank of Commerce (CIBC) - Friedkin Information Technology Houston TX USA - NASDAQ Stock Market - Mahindra Satyam - Coca-Cola Co - SIAC (Brooklyn) - Sears Holdings Corporation - Finanz Informatik - Fiducia - Metro North (Manhattan) - FedEx - KEONICS - Ahold - NY City, Various Agencies - IBM - CA Technologies - Principal Financial Group - Georgia Pacific - Governor's Office - Kansas City Life - Old Mutual - Catapiller - Amtrak - CTS - City
  17. • First Half: Networking – Network Job Entry – TN3270 protocol fun! • Second Half: Exploit Development – How to write an exploit – Program debugging – Shellcode development – First z/OS Shellcode
  18. Networking
  19. [image-only slide]
  20. • An extension of telnet • Non-interactive – You make changes and send them – Mainframe updates, processes and sends back updates
  21. • The buffer is 1920 bytes long • Each byte could be a field attribute identifying: Color; Locked/Unlocked (Protected); Visible/Invisible (Hidden)
  22. [image-only slide]
  23. • NMAP is bad at mainframes • At one time identified them as IIS/SSL (wtf?) • So I wrote my nmap script:
  24. [image-only slide]
  25. [image-only slide]
  26. I wanted to see these:
  27. [image-only slide]
  28. So I wrote a TN3270 emulator for NMAP in Lua: tn3270lib
  29. [image-only slide]
  30. But now we can do all kinds of cool stuff on the mainframe!
  31. CICS brute
  32. VTAM Application IDs / VTAM Macros
  33. • Remember hidden & protected? • Client side • Look at this:
  34. [screenshot labelled: Locked Field, Length, USERPG01]
  35. [screenshot; only the annotation marks "! !" survive]
  36. And it's trivial to add fuzzing since it ignores the hidden/protected 'rules'
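The point of slides 21 and 33–36 is that "protected" and "hidden" are bits in a field attribute byte inside the 1920-byte screen buffer, and only the terminal (or emulator) honours them; the host side sees whatever the client sends back. The following is an added example, not code from the talk, tn3270lib or SET'n'3270: it parses the field attributes out of a constructed outbound 3270 write stream, decodes the protected/nondisplay bits, and then checks an inbound Read Modified reply so that data returned for a field the host marked protected is flagged instead of silently accepted. The order codes (SF 0x1D, SBA 0x11, IC 0x13), the attribute bit layout and the 12-bit address code table are from the 3270 data stream; the screen layout, the field contents and the AID/WCC values are constructed sample data (ASCII is used for the text bytes for readability where a real stream carries EBCDIC).

```python
# Added example: 3270 field-attribute parser plus a host-side check that a
# returned screen did not write into a protected field.  Not from the deck.

ORDER_SF = 0x1D    # Start Field: next byte is the field attribute
ORDER_SBA = 0x11   # Set Buffer Address: next two bytes are a 12-bit address
ORDER_IC = 0x13    # Insert Cursor: no operands

ATTR_PROTECTED = 0x20     # bit 2: keyboard locked for this field on the client
ATTR_NUMERIC = 0x10       # bit 3
ATTR_DISPLAY_MASK = 0x0C  # bits 4-5: display/pen-detect selection
ATTR_NONDISPLAY = 0x0C    # both display bits set: "hidden" field
ATTR_MDT = 0x01           # bit 7: Modified Data Tag

SCREEN_SIZE = 1920        # 24 rows x 80 columns, as quoted on the slide

# 12-bit address coding: value 0..63 -> code byte; each code's low 6 bits equal
# the value it encodes, so decoding is just masking.
ADDR_CODES = (
    [0x40] + list(range(0xC1, 0xCA)) + list(range(0x4A, 0x50)) +
    [0x50] + list(range(0xD1, 0xDA)) + list(range(0x5A, 0x60)) +
    [0x60, 0x61] + list(range(0xE2, 0xEA)) + list(range(0x6A, 0x70)) +
    list(range(0xF0, 0xFA)) + list(range(0x7A, 0x80)))

def encode_address(addr):
    return bytes([ADDR_CODES[addr >> 6], ADDR_CODES[addr & 0x3F]])

def decode_address(b1, b2):
    return ((b1 & 0x3F) << 6) | (b2 & 0x3F)

def sba(addr):
    return bytes([ORDER_SBA]) + encode_address(addr)

def parse_outbound(stream):
    """Walk a Write/Erase-Write stream (command byte, WCC, then orders/data)
    and return the fields it defines as a sorted list of (attr_pos, attr)."""
    pos, fields, i = 0, {}, 2
    while i < len(stream):
        b = stream[i]
        if b == ORDER_SF:                      # attribute byte occupies pos
            fields[pos] = stream[i + 1]
            pos, i = (pos + 1) % SCREEN_SIZE, i + 2
        elif b == ORDER_SBA:
            pos, i = decode_address(stream[i + 1], stream[i + 2]), i + 3
        elif b == ORDER_IC:
            i += 1
        else:                                  # ordinary data byte
            pos, i = (pos + 1) % SCREEN_SIZE, i + 1
    return sorted(fields.items())

def describe(attr):
    """Decode the attribute bits the slide lists (colour lives in extended
    attributes and is not covered here)."""
    return {"protected": bool(attr & ATTR_PROTECTED),
            "hidden": (attr & ATTR_DISPLAY_MASK) == ATTR_NONDISPLAY,
            "numeric": bool(attr & ATTR_NUMERIC)}

def owning_field(fields, addr):
    """Field containing buffer address addr: the nearest attribute at or before
    it, wrapping to the last attribute when addr precedes the first one."""
    owner = None
    for attr_pos, attr in fields:             # ascending order
        if attr_pos <= addr:
            owner = (attr_pos, attr)
    return owner if owner is not None else fields[-1]

def check_inbound(fields, inbound):
    """Parse a Read Modified reply (AID, 2-byte cursor, then SBA + data per
    modified field).  Each returned field is reported; a write that lands in a
    field the host marked protected is flagged, because nothing but the client
    enforces that bit and a host that trusts it is the bug the slides show."""
    results, i = [], 3
    while i < len(inbound):
        if inbound[i] != ORDER_SBA:
            raise ValueError("expected SBA at offset %d" % i)
        addr = decode_address(inbound[i + 1], inbound[i + 2])
        j = i + 3
        while j < len(inbound) and inbound[j] != ORDER_SBA:
            j += 1
        attr_pos, attr = owning_field(fields, addr)
        results.append({"addr": addr, "field": attr_pos,
                        "data": bytes(inbound[i + 3:j]),
                        "violation": bool(attr & ATTR_PROTECTED)})
        i = j
    return results

def build_screen():
    """Constructed Erase/Write stream: row 1 label + input, row 2 label +
    hidden input, row 3 a protected value the host relies on."""
    s = bytearray([0xF5, 0xC3])                                # command, WCC
    s += sba(0) + bytes([ORDER_SF, ATTR_PROTECTED]) + b"USERID"
    s += sba(7) + bytes([ORDER_SF, 0x00])                      # open input
    s += sba(80) + bytes([ORDER_SF, ATTR_PROTECTED]) + b"PASSWD"
    s += sba(87) + bytes([ORDER_SF, ATTR_NONDISPLAY])          # hidden input
    s += sba(160) + bytes([ORDER_SF, ATTR_PROTECTED]) + b"PGM01"
    s += sba(8) + bytes([ORDER_IC])
    return bytes(s)

def build_inbound(tampered):
    """Constructed reply: AID Enter (0x7D), cursor, then modified fields.  A
    spec-following emulator never returns the locked field at 160; a client
    that ignores the attribute bits can, which tampered=True simulates."""
    r = bytearray([0x7D]) + encode_address(8)
    r += sba(8) + b"PHIL" + sba(88) + b"SECRET"
    if tampered:
        r += sba(161) + b"PGM99"
    return bytes(r)

if __name__ == "__main__":
    fields = parse_outbound(build_screen())
    for attr_pos, attr in fields:
        print(attr_pos, describe(attr))
    for r in check_inbound(fields, build_inbound(tampered=True)):
        print(r)
```

The host-side rule this encodes is simple: treat every field as writable regardless of the attribute byte, and re-validate any value you care about (here the locked field at position 160) against what you sent, rather than assuming the terminal kept the keyboard locked.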
  37. 37. mainframed767 & bigendiansmallsB.U.M. Corp. ConfidentialB.U.M. Corp. Confidential I wrote one in LUA why not Python?
  38. 38. mainframed767 & bigendiansmallsB.U.M. Corp. ConfidentialB.U.M. Corp. Confidential Blah blah blah same as nmap BUT NOW IT MEANS I CAN INTRODUCE: SET’n’3270
  39. 39. mainframed767 & bigendiansmallsB.U.M. Corp. ConfidentialB.U.M. Corp. Confidential • No args: TSO logon screen • Mirror a targeted mainframe • Proxy/Passthrough – MitM
  40. 40. mainframed767 & bigendiansmallsB.U.M. Corp. ConfidentialB.U.M. Corp. Confidential
  41. 41. mainframed767 & bigendiansmallsB.U.M. Corp. ConfidentialB.U.M. Corp. Confidential Big Thanks to Dominic White • Big Iron Recon and Pwnage – By Dominic White! – https://github.com/sensepost/birp • Mainframe Brute – Slower but prolly more reliable – https://github.com/sensepost/mainframe_brute
  42. 42. mainframed767 & bigendiansmallsB.U.M. Corp. ConfidentialB.U.M. Corp. Confidential Network Job Entry
  43. 43. mainframed767 & bigendiansmallsB.U.M. Corp. ConfidentialB.U.M. Corp. Confidential • I was auditing a system • Saw a guy submit a job to add a user to a production system: – FROM THE DEV SYSTEM! • He didn’t log in to prod, just submitted the job.
  44. 44. mainframed767 & bigendiansmallsB.U.M. Corp. ConfidentialB.U.M. Corp. Confidential • Was told this is NJE –AKA Network Job Entry • Trusted ‘nodes’ can send JOBs (and commands) • And it works like this:
  45. 45. mainframed767 & bigendiansmallsB.U.M. Corp. ConfidentialB.U.M. Corp. Confidential Number of Nodes Our Node Name Other nodes ‘WASHDC’ IP Address
  46. 46. mainframed767 & bigendiansmallsB.U.M. Corp. ConfidentialB.U.M. Corp. Confidential • Runs on ports 175, 2252 (SSL) • Uses ‘hostnames’ • Runs over TCP/IP • Developed in the 80s (??)
  47. 47. mainframed767 & bigendiansmallsB.U.M. Corp. ConfidentialB.U.M. Corp. Confidential • First we need to find mainframes with NJE • Problem: nmap
  48. 48. mainframed767 & bigendiansmallsB.U.M. Corp. ConfidentialB.U.M. Corp. Confidential
  49. 49. mainframed767 & bigendiansmallsB.U.M. Corp. ConfidentialB.U.M. Corp. Confidential
  50. 50. mainframed767 & bigendiansmallsB.U.M. Corp. ConfidentialB.U.M. Corp. Confidential • Next we need to figure out the ‘host’ names –(and password, maybe) • When you connect, NJE replies with specific packet –ACK when your good –NAK when your not
  51. 51. mainframed767 & bigendiansmallsB.U.M. Corp. ConfidentialB.U.M. Corp. Confidential
  52. 52. mainframed767 & bigendiansmallsB.U.M. Corp. ConfidentialB.U.M. Corp. Confidential We’ve got: –‘host’ names –IP address/port •Introducting: iNJEctor
  53. 53. mainframed767 & bigendiansmallsB.U.M. Corp. ConfidentialB.U.M. Corp. Confidential
  54. 54. mainframed767 & bigendiansmallsB.U.M. Corp. ConfidentialB.U.M. Corp. Confidential
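The NJE trust model sketched on the slides above (peers trusted by node name, jobs and commands accepted from any trusted node, TCP 175 in the clear and 2252 over SSL) suggests the checks a defender wants: review which nodes a production system trusts, and watch for NJE connections from hosts that are not in the node table at all. The script below is an added example, not code from the talk or from the zedsec390/sensepost repositories; the connection-log format, node names, IP addresses and environment labels are all constructed for illustration.

```python
"""Added example: review NJE (Network Job Entry) connection logs against
the configured node table.  Everything here (log format, node table,
addresses) is constructed; adapt the parser to your own firewall/netflow
records before use."""

import re
from collections import namedtuple

# NJE listens on 175 (plaintext) and 2252 (SSL), as stated on the slide.
NJE_PORTS = {175: "plaintext", 2252: "ssl"}

# Constructed node table, modelled on the slide's NJE definition
# (our node name, other nodes, IP address): node name -> (IP, environment).
# A production system that lists a DEV node here lets that node submit
# jobs and commands to prod, which is exactly the audit finding in the talk.
NODE_TABLE = {
    "WASHDC": ("10.0.1.10", "prod"),
    "NYCDEV": ("10.0.2.20", "dev"),
}

# Constructed connection-log lines in a simple key=value style.
SAMPLE_LOG = """\
2015-08-07T10:00:01Z src=10.0.1.10 dst=10.0.0.5 dport=2252 proto=tcp
2015-08-07T10:00:07Z src=10.0.2.20 dst=10.0.0.5 dport=175 proto=tcp
2015-08-07T10:00:12Z src=192.168.77.9 dst=10.0.0.5 dport=175 proto=tcp
2015-08-07T10:00:15Z src=10.0.1.10 dst=10.0.0.5 dport=443 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=tcp$"
)

Finding = namedtuple("Finding", "ts src severity reason")


def parse_line(line):
    """Return (timestamp, src, dst, dport) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("src"), m.group("dst"), int(m.group("dport"))


def review_nje_connections(log_text, node_table):
    """Flag NJE traffic that a reviewer should look at.

    high:   connection to an NJE port from an IP that is not a defined node
    medium: a defined node talking plaintext NJE (175) rather than SSL (2252)
    medium: a non-production node that the table trusts to submit jobs
    """
    ip_to_node = {ip: (name, env) for name, (ip, env) in node_table.items()}
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, _dst, dport = rec
        if dport not in NJE_PORTS:
            continue  # not NJE, out of scope for this review
        node = ip_to_node.get(src)
        if node is None:
            findings.append(Finding(ts, src, "high",
                            f"NJE connection on port {dport} from an IP not in the node table"))
            continue
        name, env = node
        if NJE_PORTS[dport] == "plaintext":
            findings.append(Finding(ts, src, "medium",
                            f"node {name} uses plaintext NJE (175) instead of SSL (2252)"))
        if env != "prod":
            findings.append(Finding(ts, src, "medium",
                            f"non-production node {name} ({env}) is trusted to submit jobs/commands"))
    return findings


if __name__ == "__main__":
    for f in review_nje_connections(SAMPLE_LOG, NODE_TABLE):
        print(f"{f.ts} {f.severity:6} {f.src:15} {f.reason}")
```

On the constructed sample the unknown host on 192.168.77.9 is the only high finding; the two medium findings both concern the trusted DEV node, which is the configuration the audit story on the slides describes. The node table itself is the thing to review: NJE authenticates peers by node definition, so a host that appears there can submit work whether or not anyone ever logs on to the target.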
55. • A lot of our research is from really old books
• Like, really old
• Older than some of you here today:
60. Exploit Development
62. • You’re not pentesting mainframes BC?
– I don’t speak JCL
– What the heck is PL/I
– REXX not in effect here
– COBOL, snore
– I only just learned about NJE, 3270 and SET’n’3270 exploits from SoF – what do you expect?
Fair point. But, what about these obscure technologies?
63. JAVA LINUX C/C++ WEB MOBILE WEBSPHERE CLOUD ASM REXX CICS DB2 JAVASCRIPT MQ HTTP UNIX
64. • 23, 31, 64 bit modes
• 3 sets of registers (16 ea)
• Big Endian / 3 types of memory addressing
• Von Neumann architecture
• Stack-based (sorta)
• Memory protection!
• 4K blocks, unique keys prevent overwriting other processes’ memory
65. • Focused on what I knew
• Unix System Services (POSIX standard)
• Why? ’Cause C and Assembler (HLASM)
– Narrowed down to this plan:
• Figure out assembler syntax
• Learn debuggers and compilers
• Basic application build / test
• Shellcode development and deployment
• Buffer overflow POC
66. • Can we execute strings as code?
67. Executes buffer as function / Strings as shellcode
74. • Can we even overflow a buffer in a meaningful way?
– Easy proof-of-concept C code
– Crashes, crashes
– R13 (stack pointer, sorta) aha!
– Return address bonus!
76. • So can we overflow and control execution?
77. • Execute local shell
– Useful for privilege escalation
• Steps
– Build working program that launches shell
78. Setup our frame / Find “exec” function
79. Arguments
80. Constants
81. ASSEMBLE LINK SHELL!
82. Steps (continued)
– Convert to shellcode
84. 0x1E0 (480) beginning offset
85. Shellcode C buffer
86. New shell from shellcode
87. Steps (continued)
– Encode to remove bad chars (x00 x15)
89. New shell from encoded shellcode
90. Steps (continued)
– Create vulnerable app – echo program
91. Same vulnerable echo program
92. Function return address / Jump address to buffer / Sizes for filler
95. Steps (continued)
– Pipe shellcode to echo program
96. Simple echo demo
98. • Full shellcode -> vulnerable app = shell?
99. • MSF integration?
• Native exploits
• Custom debugger
• Java / Web exploits
• More privilege escalation
• Continued tool development / porting
• SMP/E installation of exploits
100. • Mailing list – bit.ly/mf-pen
• Github (with today’s code) – https://github.com/zedsec390/
• Blogs – soldieroffortran.org – www.bigendiansmalls.com
101. • DEFCON for letting us talk about this
• IBM for this cool platform and online books
• Dominic White for his tools
• Swedish underground community
• X3270 authors
102. • Phil – “Soldier of Fortran” @mainframed767 mainframed767@gmail.com
• Chad – “Big Endian Smalls” @bigendiansmalls mainframe@bigendiansmalls.com