Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

adduser_wmic

After taking input from a few interested sources I’ve done some tweaking on the adduser_wmic.rb script. These are only minor changes to the selection process to give the user 3 options on how the payload functions .:

  1. Standard mode – The account is created and added to the hardcoded ‘Administrators’ local group
  2. Custome mode – The account is created and added to the local group specified by the cust parameter
  3. WMIC mode – The account is created and added to the local administrators group regardless of name, based on the SID.

This last option is, as HD pointed out, supported only on Windows XP / 2003 and later systems. However it does offer a larger degree of flexibility by discovering the local administrators account without relying on the name. This can help bypass the language issue, as well as the issue of renamed local groups. I’ll leave it up to you if you find it useful.

Some of the commands I used on the video are below for your reference .:

./msfpayload windows/adduser_wmic pass=Re@llyStr0nG X > adduser_std.exe

./msfpayload windows/adduser_wmic pass=Re@llyStr0nG cust=Admingroup X > adduser_cust_admingroup.exe

./msfpayload windows/adduser_wmic pass=Re@llyStr0nG X wmic=true > adduser_wmic.exe

A number of small issues did appear in testing. The issue of a password greater than 14 chars prompting the target user to accept (due to backwards compatability reasons). As well as the issue of password complexity (the payload will fail if complexity rules on the target system aren’t met). I’ll be looking at those issues to see what can be done within the payload when I have a chance. Until then please feel free to download the current version of adduser_wmic.rb and give it a whirl.

As always, feel free to leave any comments if you encounter problems or would like to suggest any possible changes.

Advertisements

One response to “adduser_wmic

  1. Ben September 13, 2009 at 17:30

    Hi Chris,

    nice stuff, thanks… 🙂
    To get around the “more than 14 characters” warning, just add a “/y” switch:

    net user longpass 12345678901234567890 /add /y

    I remembered this from somewhere far, far back in my mind. I don’t know if this is documented for the “net” command but it works on XP. The “/y” switch is, for example, documented for “copy” where it suppresses the “overwrite” confirmation. Whenever some Windows command asks for confirmation, I try with “/y” and it usually works – at least some consistency 😉

    Cheers,
    Ben

%d bloggers like this: