Fix empty cmd/windows/powershell/download_exec payload #18609


adfoster-r7

@adfoster-r7 adfoster-r7 commented Dec 8, 2023

Fix a bug in cmd/windows/powershell/download_exec which caused empty payloads to be generated

Closes #18607

Debugging Notes

Adding this debug line:

diff --git a/modules/payloads/singles/windows/download_exec.rb b/modules/payloads/singles/windows/download_exec.rb
index 0a7295d6ef..a28fb2ea9d 100644
--- a/modules/payloads/singles/windows/download_exec.rb
+++ b/modules/payloads/singles/windows/download_exec.rb
@@ -386,6 +386,8 @@ server_host:
 end:
 EOS
     self.assembly = payload_data
-    super
+    result = super
+    $stderr.puts "Generated: #{result}"
+    result
   end
 end
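Review bot: the added `$stderr.puts "Generated: #{result}"` line writes the raw assembled shellcode bytes straight to the terminal, which is why the captured output is unreadable; printing `result.inspect` or `result.bytesize` would make the debug output legible, and since this hunk is a debugging aid it should not be part of the merged change.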

Shows the unadapted payload works:

msf6 payload(windows/download_exec) > generate -f raw
Generated: ??`??1?d?R0?R

But the adapter doesn't:

msf6 payload(cmd/windows/powershell/download_exec) > generate -f raw
Generated: 

This is because the adapted payload arch is identified as ["cmd"], so it doesn't convert the ASM payload correctly:

[9] pry(#<#<Class:0x00007fe1cfc73928>>)> whereami

From: /Users/user/Documents/code/metasploit-framework/lib/msf/core/payload.rb:652 Msf::Payload#build:

    647:     # Assemble the payload from the assembly
    648:     a = self.arch
    649:     if a.kind_of? Array
    650:       a = self.arch.first
    651:     end
 => 652:     cpu = case a
    653:       when ARCH_X86    then Metasm::Ia32.new
    654:       when ARCH_X64    then Metasm::X86_64.new
    655:       when ARCH_PPC    then Metasm::PowerPC.new
    656:       when ARCH_ARMLE  then Metasm::ARM.new
    657:       when ARCH_MIPSLE then Metasm::MIPS.new(:little)
    658:       when ARCH_MIPSBE then Metasm::MIPS.new(:big)
    659:       else
    660:         elog("Broken payload #{refname} has arch unsupported with assembly: #{module_info["Arch"].inspect}")
    661:         elog("Call stack:\n#{caller.join("\n")}")
    662:         return ""
    663:       end
    664:     sc = Metasm::Shellcode.assemble(cpu, asm).encoded

[10] pry(#<#<Class:0x00007fe1cfc73928>>)> self.arch
=> ["cmd"]

Verification

Verify that the steps in #18607 work
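To make the mechanism concrete, here is an added Ruby model of the arch selection in Msf::Payload#build (example code, not metasploit-framework's own); Metasm is replaced by a stand-in assembler, and the selection before and after the fix is shown side by side.

```ruby
# Added example (not metasploit-framework code): a minimal model of the
# architecture selection in Msf::Payload#build. It shows why an adapted
# payload whose arch is ["cmd"] came back empty and how passing the wrapped
# payload's arch via opts[:arch] fixes it. Metasm is replaced by stubs.
ARCH_X86 = 'x86'
ARCH_X64 = 'x64'
ARCH_CMD = 'cmd'

# Stand-in for the Metasm CPU objects: a label, or nil when no assembler
# handles the architecture (the `else` branch in payload.rb).
def cpu_for(arch)
  case arch
  when ARCH_X86 then :ia32
  when ARCH_X64 then :x86_64
  else nil
  end
end

# Stand-in for Metasm::Shellcode.assemble(cpu, asm).encoded.
def assemble(cpu, asm)
  "#{cpu}:#{asm.bytesize} bytes assembled"
end

# Before the fix: only the module's own arch is consulted. For an adapter
# such as cmd/windows/powershell/download_exec that is ["cmd"], which no
# assembler handles, so an empty string is returned.
def build_before(arch, asm, opts = {})
  a = arch.kind_of?(Array) ? arch.first : arch
  cpu = cpu_for(a)
  return '' if cpu.nil?
  assemble(cpu, asm)
end

# After the fix: the arch the adapter passes in opts takes precedence over
# self.arch, so the wrapped x86 payload is assembled as x86.
def build_after(arch, asm, opts = {})
  a = opts[:arch] || arch
  a = a.first if a.kind_of?(Array)
  cpu = cpu_for(a)
  return '' if cpu.nil?
  assemble(cpu, asm)
end

# Constructed stand-in for the module's payload_data assembly source.
ASM = "xor eax, eax\npush eax\n"

if __FILE__ == $0
  puts "before: #{build_before([ARCH_CMD], ASM, arch: ARCH_X86).inspect}"
  puts "after:  #{build_after([ARCH_CMD], ASM, arch: ARCH_X86).inspect}"
end
```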

@@ -644,7 +645,7 @@ def build(asm, off={})
end

# Assemble the payload from the assembly
a = self.arch
a = opts[:arch] || self.arch
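Review bot: the hunk header still reads `def build(asm, off={})`, so `opts` is not a parameter visible in this hunk; the one-line shift in the header (644 to 645) suggests the signature was extended in an earlier hunk, but that should be confirmed, and the comment above the changed line should say that `opts[:arch]` carries the architecture an adapter passes in, which differs from `self.arch` (`cmd`) for adapted payloads.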

@adfoster-r7 adfoster-r7 Dec 8, 2023


It looks like the original adapted arch is passed in from opts, so this is:

[1] pry(#<#<Class:0x00007fab4c96f308>>)> opts
=> {:arch=>"x86"}

But I also had this line as this previously, similar to the pattern over here

    a = module_info["AdaptedArch"] || self.arch

Does anyone have any preferences on the chosen approach here?

From a quick look, it seems like there are other references in this file too that use self.arch, which might also be wrong

The other places (compatible_encoders and compatible_nops) seem like they're (probably) fine, as it feels like it should be using cmd as the arch


@smcintyre-r7 smcintyre-r7 Dec 13, 2023


I think the way it is currently is correct. self.arch is the architecture of the overall payload, which would be ARCH_CMD in the case of cmd/windows/powershell/download_exec, but at this point it needs to be ARCH_X86 as specified in the options from the caller. This is the pattern I took in #16597. 👍

@smcintyre-r7 smcintyre-r7 self-assigned this Dec 13, 2023
@adfoster-r7 adfoster-r7 marked this pull request as ready for review December 13, 2023 16:12
@smcintyre-r7 smcintyre-r7 merged commit 0f4644d into rapid7:master Dec 13, 2023
@smcintyre-r7

Release Notes

This fixes an issue in the cmd/windows/powershell/download_exec payload module that was preventing it from executing correctly due to an architecture check.


@smcintyre-r7 smcintyre-r7 left a comment


I was able to reproduce the original issue and validate that the proposed changes fix it 👍

@bwatters-r7 bwatters-r7 added the rn-fix release notes fix label Dec 15, 2023
Issue this pull request may close: cmd/windows/powershell/download_exec generates incorrect payload