correct error in block service_change_description

Author: Florian Gaultier

external/source/shellcode/windows/x86/src/block/block_service_change_description.asm

@@ -7,7 +7,7 @@
 [BITS 32]
 ; Input: EBP must be the address of 'api_call'.
 
-push 0x000F01FF
+push 0x000F003F
 push 0x00000000
 push 0x00000000
 push 0x7636F067
@@ -24,7 +24,11 @@ call ebp 		;OpenServiceA
 mov esi, eax
 push 0x00464349
 push 0x56524553
+mov ecx, esp
+push 0x00000000
+push ecx
 mov ecx, esp	;SVCDESCRIPTION
+push ecx
 push 0x00000001 ;SERVICE_CONFIG_DESCRIPTION
 push eax
 push 0xED35B087

lib/msf/util/exe.rb

@@ -545,12 +545,12 @@ def self.to_win32pe_service(framework, code, opts={})
         pushed_service_description = string_to_pushes(opts[:servicedescription])
 
         code_service_description = 
-          "\x68\xFF\x01\x0F\x00\x6A\x00\x6A\x00\x68\x67\xF0\x36" +
+          "\x68\x3F\x00\x0F\x00\x6A\x00\x6A\x00\x68\x67\xF0\x36" +
           "\x76\xFF\xD5\x89\xC7"+pushed_service_name+"\x89\xE1\x68" +
           "\xFF\x01\x0F\x00\x51\x50\x68\x56\x28\x4B\x40\xFF\xD5\x89\xC6" +
-          pushed_service_description+"\x89\xE1\x6A\x01\x50\x68\x87\xB0\x35" +
-          "\xED\xFF\xD5\x56\x68\xDE\xEA\x77\xAD\xFF\xD5\x57\x68\xDE\xEA\x77" +
-          "\xAD\xFF\xD5"
+           pushed_service_description+"\x89\xE1\x6A\x00\x51\x89\xE1\x51" +
+          "\x6A\x01\x50\x68\x87\xB0\x35\xED\xFF\xD5\x56\x68\xDE\xEA\x77" +
+          "\xAD\xFF\xD5\x57\x68\xDE\xEA\x77\xAD\xFF\xD5"
       end
 
       precode_size = 0x42