Sticky Keys Persistance Module - Metasploit
This page contains detailed information about how to use the post/windows/manage/sticky_keys metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Sticky Keys Persistance Module
Module: post/windows/manage/sticky_keys
Source code: modules/post/windows/manage/sticky_keys.rb
Disclosure date: -
Last modification time: 2020-05-12 22:15:21 +0000
Supported architecture(s): -
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module makes it possible to apply the 'sticky keys' hack to a session with appropriate rights. The hack provides a means to get a SYSTEM shell using UI-level interaction at an RDP login screen or via a UAC confirmation dialog. The module modifies the Debug registry setting for certain executables. The module options allow for this hack to be applied to: SETHC (sethc.exe is invoked when SHIFT is pressed 5 times), UTILMAN (Utilman.exe is invoked by pressing WINDOWS+U), OSK (osk.exe is invoked by pressing WINDOWS+U, then launching the on-screen keyboard), and DISP (DisplaySwitch.exe is invoked by pressing WINDOWS+P). The hack can be added using the ADD action, and removed with the REMOVE action. Custom payloads and binaries can be run as part of this exploit, but must be manually uploaded to the target prior to running the module. By default, a SYSTEM command prompt is installed using the registry method if this module is run without modifying any parameters.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/windows/manage/sticky_keys
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/windows/manage/sticky_keys
msf post(sticky_keys) > show options
... show and set options ...
msf post(sticky_keys) > set SESSION session-id
msf post(sticky_keys) > exploit
If you wish to run the post against all sessions from framework, here is how:
1 - Create the following resource script:
framework.sessions.each_pair do |sid, session|
run_single("use post/windows/manage/sticky_keys")
run_single("set SESSION #{sid}")
run_single("run")
end
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Required Options
- SESSION: The session to run this module on.
Go back to menu.
Msfconsole Usage
Here is how the windows/manage/sticky_keys post exploitation module looks in the msfconsole:
msf6 > use post/windows/manage/sticky_keys
msf6 post(windows/manage/sticky_keys) > show info
Name: Sticky Keys Persistance Module
Module: post/windows/manage/sticky_keys
Platform: Windows
Arch:
Rank: Normal
Provided by:
OJ Reeves
Compatible session types:
Meterpreter
Shell
Available actions:
Name Description
---- -----------
ADD Add the backdoor to the target.
REMOVE Remove the backdoor from the target.
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
EXE %SYSTEMROOT%\system32\cmd.exe yes Executable to execute when the exploit is triggered.
SESSION yes The session to run this module on.
TARGET SETHC yes The target binary to add the exploit to. (Accepted: SETHC, UTILMAN, OSK, DISP)
Description:
This module makes it possible to apply the 'sticky keys' hack to a
session with appropriate rights. The hack provides a means to get a
SYSTEM shell using UI-level interaction at an RDP login screen or
via a UAC confirmation dialog. The module modifies the Debug
registry setting for certain executables. The module options allow
for this hack to be applied to: SETHC (sethc.exe is invoked when
SHIFT is pressed 5 times), UTILMAN (Utilman.exe is invoked by
pressing WINDOWS+U), OSK (osk.exe is invoked by pressing WINDOWS+U,
then launching the on-screen keyboard), and DISP (DisplaySwitch.exe
is invoked by pressing WINDOWS+P). The hack can be added using the
ADD action, and removed with the REMOVE action. Custom payloads and
binaries can be run as part of this exploit, but must be manually
uploaded to the target prior to running the module. By default, a
SYSTEM command prompt is installed using the registry method if this
module is run without modifying any parameters.
References:
https://social.technet.microsoft.com/Forums/windows/en-US/a3968ec9-5824-4bc2-82a2-a37ea88c273a/sticky-keys-exploit
http://carnal0wnage.attackresearch.com/2012/04/privilege-escalation-via-sticky-keys.html
Module Options
This is a complete list of options available in the windows/manage/sticky_keys post exploitation module:
msf6 post(windows/manage/sticky_keys) > show options
Module options (post/windows/manage/sticky_keys):
Name Current Setting Required Description
---- --------------- -------- -----------
EXE %SYSTEMROOT%\system32\cmd.exe yes Executable to execute when the exploit is triggered.
SESSION yes The session to run this module on.
TARGET SETHC yes The target binary to add the exploit to. (Accepted: SETHC, UTILMAN, OSK, DISP)
Post action:
Name Description
---- -----------
ADD Add the backdoor to the target.
Advanced Options
Here is a complete list of advanced options supported by the windows/manage/sticky_keys post exploitation module:
msf6 post(windows/manage/sticky_keys) > show advanced
Module advanced options (post/windows/manage/sticky_keys):
Name Current Setting Required Description
---- --------------- -------- -----------
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the windows/manage/sticky_keys module can do:
msf6 post(windows/manage/sticky_keys) > show actions
Post actions:
Name Description
---- -----------
ADD Add the backdoor to the target.
REMOVE Remove the backdoor from the target.
Evasion Options
Here is the full list of possible evasion options supported by the windows/manage/sticky_keys post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(windows/manage/sticky_keys) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
The current session does not have administrative rights.
Here is a relevant code snippet related to the "The current session does not have administrative rights." error message:
96: #
97: # Runs the exploit.
98: #
99: def run
100: unless is_admin?
101: fail_with(Failure::NoAccess, 'The current session does not have administrative rights.')
102: end
103:
104: print_good("Session has administrative rights, proceeding.")
105:
106: target_key = get_target_exe_reg_key
Go back to menu.
Related Pull Requests
- #13443 Merged Pull Request: Add descriptions to auxiliary modules Actions
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #6996 Merged Pull Request: Fix unused SessionType in two modules
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #5785 Merged Pull Request: Minor description fixes
- #5760 Merged Pull Request: Add the sticky_keys module
References
- CVE: Not available
- https://social.technet.microsoft.com/Forums/windows/en-US/a3968ec9-5824-4bc2-82a2-a37ea88c273a/sticky-keys-exploit
- http://carnal0wnage.attackresearch.com/2012/04/privilege-escalation-via-sticky-keys.html
See Also
Check also the following modules related to this module:
- post/windows/manage/add_user
- post/windows/manage/archmigrate
- post/windows/manage/change_password
- post/windows/manage/clone_proxy_settings
- post/windows/manage/delete_user
- post/windows/manage/dell_memory_protect
- post/windows/manage/download_exec
- post/windows/manage/driver_loader
- post/windows/manage/enable_rdp
- post/windows/manage/enable_support_account
- post/windows/manage/exec_powershell
- post/windows/manage/execute_dotnet_assembly
- post/windows/manage/forward_pageant
- post/windows/manage/hashcarve
- post/windows/manage/ie_proxypac
- post/windows/manage/inject_ca
- post/windows/manage/inject_host
- post/windows/manage/install_python
- post/windows/manage/install_ssh
- post/windows/manage/killav
- post/windows/manage/migrate
- post/windows/manage/mssql_local_auth_bypass
- post/windows/manage/multi_meterpreter_inject
- post/windows/manage/nbd_server
- post/windows/manage/peinjector
- post/windows/manage/persistence_exe
- post/windows/manage/portproxy
- post/windows/manage/pptp_tunnel
- post/windows/manage/priv_migrate
- post/windows/manage/pxeexploit
- post/windows/manage/reflective_dll_inject
- post/windows/manage/remove_ca
- post/windows/manage/remove_host
- post/windows/manage/rid_hijack
- post/windows/manage/rollback_defender_signatures
- post/windows/manage/rpcapd_start
- post/windows/manage/run_as
- post/windows/manage/run_as_psh
- post/windows/manage/sdel
- post/windows/manage/shellcode_inject
- post/windows/manage/sshkey_persistence
- post/windows/manage/vmdk_mount
- post/windows/manage/vss
- post/windows/manage/vss_create
- post/windows/manage/vss_list
- post/windows/manage/vss_mount
- post/windows/manage/vss_set_storage
- post/windows/manage/vss_storage
- post/windows/manage/wdigest_caching
- post/windows/manage/webcam
Authors
- OJ Reeves
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.