Handle existing service names

Author: Meatballs1

lib/msf/core/exploit/dcerpc_services.rb

@@ -119,6 +119,33 @@ def dce_createservicew(dcerpc, scm_handle, service_name, display_name, binary_pa
     return svc_handle, svc_status
   end
 
+  # Calls ChangeServiceConfig2() to change the service description.
+  #
+  # @param dcerpc [Rex::Proto::DCERPC::Client] the DCERPC client to use.
+  # @param svc_handle [String] the service handle to change.
+  # @param service_description [String] the service description.
+  #
+  # @return [Integer] Windows error code
+  def dce_changeservicedescription(dcerpc, svc_handle, service_description)
+    svc_status = nil
+    stubdata =
+      svc_handle +
+      NDR.long(1) + # dwInfoLevel = SERVICE_CONFIG_DESCRIPTION
+      NDR.long(1) + # lpInfo -> *SERVICE_DESCRIPTION
+      NDR.long(0x0200) + # SERVICE_DESCRIPTION struct
+      NDR.long(0x04000200) +
+      NDR.wstring(service_description)
+    begin
+      response = dcerpc.call(0x25, stubdata) # ChangeServiceConfig2
+      svc_status = response.unpack('V').first
+    rescue Rex::Proto::DCERPC::Exceptions::Fault => e
+      print_error("#{peer} - Error changing service description : #{e}")
+    end
+
+    svc_status
+  end
+
+
   # Calls CloseHandle() to close a handle.
   #
   # @param dcerpc [Rex::Proto::DCERPC::Client] the DCERPC client to use.
@@ -147,7 +174,7 @@ def dce_closehandle(dcerpc, handle)
   # @param access [Fixnum] the level of access requested (default is maximum).
   #
   # @return [String, nil] the handle of the service opened, or nil on failure.
-  def dce_openservicew(dcerpc, scm_handle, service_name, access = 0xF01FF)
+  def dce_openservicew(dcerpc, scm_handle, service_name, access = SERVICE_ALL_ACCESS)
     svc_handle = nil
     svc_status = nil
     stubdata = scm_handle + NDR.wstring(service_name) + NDR.long(access)

lib/msf/core/exploit/smb/psexec.rb

@@ -61,25 +61,6 @@ def smb_read_file(smbshare, host, file)
     end
   end
 
-  def change_service_description(svc_handle, service_description)
-    svc_status = nil
-    stubdata =
-      svc_handle +
-      NDR.long(1) + # dwInfoLevel = SERVICE_CONFIG_DESCRIPTION
-      NDR.long(1) + # lpInfo -> *SERVICE_DESCRIPTION
-      NDR.long(0x0200) + # SERVICE_DESCRIPTION struct
-      NDR.long(0x04000200) +
-      NDR.wstring(service_description)
-    begin
-      response = dcerpc.call(0x25, stubdata) # ChangeServiceConfig2
-      svc_status = response.unpack('V').first
-    rescue Rex::Proto::DCERPC::Exceptions::Fault => e
-      print_error("#{peer} - Error changing service description : #{e}")
-    end
-
-    svc_status
-  end
-
   # Executes a single windows command.
   #
   # If you want to retrieve the output of your command you'll have to
@@ -105,13 +86,12 @@ def psexec(command, disconnect=true)
     if scm_status == ERROR_ACCESS_DENIED
       print_error("#{peer} - ERROR_ACCESS_DENIED opening the Service Manager")
     end
+
     return false unless scm_handle
 
     vprint_status("#{peer} - Creating the service...")
     svc_handle, svc_status = dce_createservicew(dcerpc, scm_handle, service_name, display_name, command, {})
 
-    return false unless svc_handle && svc_status
-
     case svc_status
     when ERROR_SUCCESS
       vprint_good("#{peer} - Successfully created the service")
@@ -131,7 +111,7 @@ def psexec(command, disconnect=true)
 
       if service_description
         vprint_status("#{peer} - Changing service description...")
-        change_service_description(svc_handle, service_description)
+        dce_changeservicedescription(dcerpc, svc_handle, service_description)
       end
 
       vprint_status("#{peer} - Starting the service...")