
       Name: HTTP Fetch, Windows x64 Bind TCP Stager
     Module: payload/cmd/windows/http/x64/vncinject/bind_tcp
   Platform: Windows
       Arch: cmd
Needs Admin: No
 Total size: 125
       Rank: Normal

Provided by:
    Brendan Watters
    sf <stephen_fewer@harmonysecurity.com>

Basic options:
Name                  Current Setting  Required  Description
----                  ---------------  --------  -----------
AUTOVNC               true             yes       Automatically launch VNC viewer if present
DisableCourtesyShell  true             no        Disables the Metasploit Courtesy shell
EXITFUNC              process          yes       Exit technique (Accepted: '', seh, thread, process, none)
FETCH_COMMAND         CERTUTIL         yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
FETCH_DELETE          false            yes       Attempt to delete the binary after execution
FETCH_FILENAME        lTqNNKuvH        no        Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_SRVHOST                          yes       Local IP to use for serving payload
FETCH_SRVPORT         8080             yes       Local port to use for serving payload
FETCH_URIPATH                          no        Local URI to use for serving payload
FETCH_WRITABLE_DIR    %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
LPORT                 4444             yes       The listen port
RHOST                                  no        The target address
VNCHOST               127.0.0.1        yes       The local host to use for the VNC proxy
VNCPORT               5900             yes       The local port to use for the VNC proxy
ViewOnly              true             no        Runs the viewer in view mode


When FETCH_COMMAND is one of CURL:

Name        Current Setting  Required  Description
----        ---------------  --------  -----------
FETCH_PIPE  false            yes       Host both the binary payload and the command so it can be piped directly to the shell.

Description:
    Fetch and execute an x64 payload from an HTTP server.
    Listen for a connection (Windows x64)


    Name                       Current Setting  Required  Description
    ----                       ---------------  --------  -----------
    DisableSessionTracking     false            no        Disables the VNC payload from following the active session as users log in an out of the input desktop
    EXE::Custom                                 no        Use custom exe instead of automatically generating a payload exe
    EXE::EICAR                 false            no        Generate an EICAR file instead of regular payload exe
    EXE::FallBack              false            no        Use the default template in case the specified one is missing
    EXE::Inject                false            no        Set to preserve the original EXE function
    EXE::OldMethod             false            no        Set to use the substitution EXE generation method.
    EXE::Path                                   no        The directory in which to look for the executable template
    EXE::Template                               no        The executable template file name.
    EnableStageEncoding        false            no        Encode the second stage payload
    FetchHandlerDisable        false            yes       Disable fetch handler
    FetchHttpServerName        Apache           yes       Fetch HTTP server name
    FetchListenerBindAddress                    no        The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST
    FetchListenerBindPort                       no        The port to bind to if different from FETCH_SRVPORT
    MSI::Custom                                 no        Use custom msi instead of automatically generating a payload msi
    MSI::EICAR                 false            no        Generate an EICAR file instead of regular payload msi
    MSI::Path                                   no        The directory in which to look for the msi template
    MSI::Template                               no        The msi template file name
    MSI::UAC                   false            no        Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
    PayloadUUIDName                             no        A human-friendly name to reference this unique payload (requires tracking)
    PayloadUUIDRaw                              no        A hex string representing the raw 8-byte PUID value for the UUID
    PayloadUUIDSeed                             no        A string to use when generating the payload UUID (deterministic)
    PayloadUUIDTracking        false            yes       Whether or not to automatically register generated UUIDs
    PingbackRetries            0                yes       How many additional successful pingbacks
    PingbackSleep              30               yes       Time (in seconds) to sleep between pingbacks
    PrependMigrate             false            yes       Spawns and runs shellcode in new process
    PrependMigrateProc                          no        Process to spawn and run shellcode in
    StageEncoder                                no        Encoder to use if EnableStageEncoding is set
    StageEncoderSaveRegisters                   no        Additional registers to preserve in the staged payload if EnableStageEncoding is set
    StageEncodingFallback      true             no        Fallback to no encoding if the selected StageEncoder is not compatible
    VERBOSE                    false            no        Enable detailed status messages
    WORKSPACE                                   no        Specify the workspace for this module

