Cатсн²² (in)sесuяitу / ChrisJohnRiley

After taking input from a few interested sources I’ve done some tweaking on the adduser_wmic.rb script. These are only minor changes to the selection process to give the user 3 options on how the payload functions .:

1. Standard mode – The account is created and added to the hardcoded ‘Administrators’ local group
2. Custome mode – The account is created and added to the local group specified by the cust parameter
3. WMIC mode – The account is created and added to the local administrators group regardless of name, based on the SID.

This last option is, as HD pointed out, supported only on Windows XP / 2003 and later systems. However it does offer a larger degree of flexibility by discovering the local administrators account without relying on the name. This can help bypass the language issue, as well as the issue of renamed local groups. I’ll leave it up to you if you find it useful.

Some of the commands I used on the video are below for your reference .:

./msfpayload windows/adduser_wmic pass=Re@llyStr0nG X > adduser_std.exe

./msfpayload windows/adduser_wmic pass=Re@llyStr0nG cust=Admingroup X > adduser_cust_admingroup.exe

./msfpayload windows/adduser_wmic pass=Re@llyStr0nG X wmic=true > adduser_wmic.exe

A number of small issues did appear in testing. The issue of a password greater than 14 chars prompting the target user to accept (due to backwards compatability reasons). As well as the issue of password complexity (the payload will fail if complexity rules on the target system aren’t met). I’ll be looking at those issues to see what can be done within the payload when I have a chance. Until then please feel free to download the current version of adduser_wmic.rb and give it a whirl.

As always, feel free to leave any comments if you encounter problems or would like to suggest any possible changes.