https://github.com/mainframed/logica
Files compiled from the Logica breach investigation materials
- Host: GitHub
- URL: https://github.com/mainframed/logica
- Owner: mainframed
- Created: 2013-05-05T23:04:18.000Z (almost 12 years ago)
- Default Branch: master
- Last Pushed: 2018-08-14T04:45:58.000Z (over 6 years ago)
- Last Synced: 2023-03-25T13:12:34.628Z (almost 2 years ago)
- Language: C
- Size: 27.3 KB
- Stars: 39
- Watchers: 3
- Forks: 12
- Open Issues: 0
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- AwesomeCompiler - logica
README
## Logica Investigation
**Description**: This repository is a collection of the files outlined/documented in the various materials included with the alleged Logica breach. Most of the files are complete (typos notwithstanding); the incomplete files contain whatever was documented in the investigation paperwork.
## WHY?
I decided to document these files here due to the historical nature of the breach. It is the first publicly documented IBM z/OS breach in which some of the code is actually available. It also serves as an educational resource for those interested in testing/auditing mainframes and mainframe security.
## The Files
**aptitup.jcl**: A JCL file which executes the file `/tmp/a.env` in **OMVS** (aka UNIX) using `BPXBATCH`.
**Enum.c**: A C program to enumerate users using `getpwuid`.
**go.rx**: A REXX script used to escalate privileges to the UID/GID supplied to the script. It is assumed this program is running with an appropriate setuid.
**Ha.C**: A C program that takes two arguments, a UID and a GID, and executes `/bin/sh` as the supplied UID/GID.
**kuku.rx**: A REXX script which exploits a previously unknown 0-Day vulnerability in CNMEUNIX (a program in OMVS with setuid). The script uses CNMEUNIX to locally escalate privileges to superuser (aka root) access in OMVS. **This code is only a snippet as that is all that is available**.
**nop.jcl**: A JCL file which "does nothing" ;)
**Tfy.source.backdoor**: An ASM program which changes ACEE settings.
**tsocmd.rx**: A REXX script which executes TSO commands. This is different from the /bin/tso command as it can execute authorized programs. This script is freely available from IBM but was found during the investigation.
**utcam.sh**: A bash script which, when run, sends commands to a remote listening web server.
**vc242**: Turns on and off the JSCBAUTH bit depending on the contents of Register 0. (thanks @BarrySchrager1)
**DeFeNeStRaTe.C**: z/OS OMVS local exploit for APF authorized load module IOELMD10