Musings on download_exec.rb
This is not anything new and exciting<a href="/content/fireeye-www/en_US/blog/threat-research/2010/08/download_exec_notes.html#Footnote1">¹</a>, and should hopefully be familiar to some of you reading this. Some time ago I reversed the shellcode from <a href="https://www.metasploit.com/redmine/projects/framework/repository/revisions/7550/entry/modules/payloads/singles/windows/download_exec.rb">Metasploit's download_exec module</a>. It's a bit different from the rest of the stuff in MSF, because there's no source code with it, and it lacks certain features that the other shellcode[s] have (like being able to set the exit function).