From bb4e9e2d4d8a4bba6bfb34171dbdc4ed64d5681c Mon Sep 17 00:00:00 2001 From: Florian Gaultier Date: Mon, 6 Jan 2014 19:49:52 +0100 Subject: [PATCH] correct error in block service_change_description --- .../x86/src/block/block_service_change_description.asm | 6 +++++- lib/msf/util/exe.rb | 8 ++++---- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/external/source/shellcode/windows/x86/src/block/block_service_change_description.asm b/external/source/shellcode/windows/x86/src/block/block_service_change_description.asm index 5f6b939222..cdd1ba61bc 100644 --- a/external/source/shellcode/windows/x86/src/block/block_service_change_description.asm +++ b/external/source/shellcode/windows/x86/src/block/block_service_change_description.asm @@ -7,7 +7,7 @@ [BITS 32] ; Input: EBP must be the address of 'api_call'. -push 0x000F01FF +push 0x000F003F push 0x00000000 push 0x00000000 push 0x7636F067 @@ -24,7 +24,11 @@ call ebp ;OpenServiceA mov esi, eax push 0x00464349 push 0x56524553 +mov ecx, esp +push 0x00000000 +push ecx mov ecx, esp ;SVCDESCRIPTION +push ecx push 0x00000001 ;SERVICE_CONFIG_DESCRIPTION push eax push 0xED35B087 diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb index 6526bfde06..c03e02dc7f 100644 --- a/lib/msf/util/exe.rb +++ b/lib/msf/util/exe.rb 
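Review bot: The new access mask `push 0x000F003F` in the first hunk of block_service_change_description.asm (`@@ -7,7 +7,7 @@`) is a bare magic number, while other pushes in this file carry a trailing comment such as `;SERVICE_CONFIG_DESCRIPTION`. 0x000F003F is SC_MANAGER_ALL_ACCESS and the value it replaces, 0x000F01FF, is SERVICE_ALL_ACCESS, so the fix swaps a service-object mask for a service-control-manager mask on what is presumably the OpenSCManagerA call. Writing `push 0x000F003F ;SC_MANAGER_ALL_ACCESS` would make that visible and keep the two masks from being confused again. The same constant changes without explanation in the byte string of the lib/msf/util/exe.rb hunk (`\x68\x3F\x00\x0F\x00`). The block continues outside the hunk.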
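Review bot: In the second hunk (`@@ -24,7 +24,11 @@`) the `;SVCDESCRIPTION` comment now sits on the second `mov ecx, esp`, and the three added lines before it have no comment, so it is hard to tell which ecx value points at the string and which at the structure. SERVICE_DESCRIPTIONA has a single member, lpDescription, so only the added `push ecx` forms the structure. The `push 0x00000000` before it ends up past the end of that structure, and its purpose should be stated in a comment. Suggested comments are `mov ecx, esp ;pointer to description string` on the first and `mov ecx, esp ;SERVICE_DESCRIPTION {lpDescription}` on the second. The surrounding block starts and ends outside the hunk.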
@@ -545,12 +545,12 @@ require 'msf/core/exe/segment_injector' pushed_service_description = string_to_pushes(opts[:servicedescription]) code_service_description = - "\x68\xFF\x01\x0F\x00\x6A\x00\x6A\x00\x68\x67\xF0\x36" + + "\x68\x3F\x00\x0F\x00\x6A\x00\x6A\x00\x68\x67\xF0\x36" + "\x76\xFF\xD5\x89\xC7"+pushed_service_name+"\x89\xE1\x68" + "\xFF\x01\x0F\x00\x51\x50\x68\x56\x28\x4B\x40\xFF\xD5\x89\xC6" + - pushed_service_description+"\x89\xE1\x6A\x01\x50\x68\x87\xB0\x35" + - "\xED\xFF\xD5\x56\x68\xDE\xEA\x77\xAD\xFF\xD5\x57\x68\xDE\xEA\x77" + - "\xAD\xFF\xD5" + pushed_service_description+"\x89\xE1\x6A\x00\x51\x89\xE1\x51" + + "\x6A\x01\x50\x68\x87\xB0\x35\xED\xFF\xD5\x56\x68\xDE\xEA\x77" + + "\xAD\xFF\xD5\x57\x68\xDE\xEA\x77\xAD\xFF\xD5" end precode_size = 0x42
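Review bot: The byte string assigned to `code_service_description` appears to be a hand-encoded copy of external/source/shellcode/windows/x86/src/block/block_service_change_description.asm, yet nothing in the visible lines of exe.rb says so, and this commit had to make the same correction in both files. A comment above the assignment would help, for example `# Encoded from external/source/shellcode/windows/x86/src/block/block_service_change_description.asm; update both together`. The new line `pushed_service_description+"\x89\xE1\x6A\x00\x51\x89\xE1\x51" +` also keeps the mixed spacing around `+`. Consistent `a + b` spacing would make the two splice points, `pushed_service_name` and `pushed_service_description`, easier to spot when comparing against the .asm. The enclosing method starts and ends outside the hunk.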