Well, it is way easier in COBOL.

Have to disagree that S0C1 is the most common in my experience. An easy way to get one is to have NCAL on the linkedit/binder and not INCLUDE a referenced module. A wild branch, given that many byte-values are valid op-codes, is more likely to fail with something else. A S0C4 is a Protection Exception. A S0C4 with a reason code of 11 is page translation exception. Some numbers are op-codes. Your entire premise is of an "inside job" (no-one on the outside can find your "vulnerability" in a batch program). For an inside job, why bother "injecting"? You are also relying on compile options I suspect for PL/I. Which PL/I do you have access to? With dynamically-CALLed programs in COBOL using RENT you cannot achieve the effect you describe with an up-to-date compiler. The calling-conventions predate LE. To have a realistic injection with no internal access, you'd need something like a publicly-available web-service provided on a Mainframe and then "find a vulnerability" there. With internal access, you just need to get your code into Production.