Using Meterpreter Script – StickyKeys.rb

Monday, July 18, 2011

Kyle Young

4ed54e31491e9fa2405e4714670ae31f

Through the past year or so, I’ve had some ideas for meterpreter scripts floating around in my head that I’ve been meaning to put to use.

So this is my first unofficial meterpreter script for the Metasploit Framework (http://zitstif.no-ip.org/meterpreter/stickykeys.txt ).

The purpose of this script is to place a backdoor onto a Windows victim system. What it simply does is, copy cmd.exe over to sethc.exe.

The sethc.exe program is the sticky keys program. To activate this program you just have to hit the shift key 5 times and sethc.exe will be executed.

While this can be useful for those who are disabled, there is also an abuse for this feature.

If you have copied cmd.exe over to sethc.exe, you can then hit shift 5 times and be provided a shell.

If you’re at a log on prompt and if you have this backdoor placed, when you activate sethc.exe (instead of logging in) you get a shell with SYSTEM level privileges!

This may seem trivial, however if you’re doing a penetration test on a remote Windows system that is running remote desktop, this can be a deadly means for maintaining access.

You can then use this as pivoting your way back into the system, even if the original means (say for instance http) is blocked by an IPS and/or firewall.

One truly beautiful facet about this method if you’re an attacker, is that cmd.exe renamed as sethc.exe did not trigger any responses from scanners on www.virustotal.com.

I’m planning on adding more to this script, but I just wanted to get this released for the time being.

I also want to state that I just put this idea to use for the Metasploit project, this hack has been around for a while:

https://encrypted.google.com/#sclient=psy&hl=en&source=hp&q=stickykeys+hack&aq=f&aqi=&aql=&oq=&pbx=1&bav=on.2,or.r_gc.r_pw.&fp=7e80ba762cd0557d&biw=1600&bih=775

To install this, simply download the txt file, then change the extension to .rb and throw this file in the framework3/msf3/scripts/meterpreter/ directory.

Cross-posted from Zitsif

Possibly Related Articles:
19744
Network->General
Information Security
Windows Hacking Metasploit IPS Meterpreter VirusTotal backdoor
Post Rating I Like this!
314f19f082e69886c20e31c70fe6dceb
Rod MacPherson in your script you should probably edit this line:
cmd.exe /C copy %SYSTEMROOT%\\system32\\sethc.exe C:\\WINDOWS\\system32\\sethc.bk /Y

It would probably be better to use %SYSTEMROOT% consistently, rather than using it some times, and C:\Windows other times.

If they've put windows into another folder and all of a sudden there is a C:\Windows folder with nothing but a backup of the sticky keys program you might draw attention. Depending on what their HIDS looks for and how attentive the user/admin is.
1311178014
4ed54e31491e9fa2405e4714670ae31f
Kyle Young Ah thank you Rod! Note taken. I'm also curious if changing:
setbackup="C:\\WINDOWS\\system32\\sethc.bk"

to

setbackup="%SYSTEMROOT%\\system32\\sethc.bk"

would break the script. I will make changes when I get a chance to today.
1311178732
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.