From c7649c95e234fa71ad68a8fcecaff920e0793d8d Mon Sep 17 00:00:00 2001
From: Chris Yuen
Date: Thu, 14 Dec 2023 23:39:36 +0800
Subject: [PATCH] Make sure winexec shellcode is 16 byte aligned and add nCmdShow option (#2308)

* Make sure winexec is 16 byte aligned and add nCmdShow option
* fix typo and add changelog
* Update pwnlib/shellcraft/templates/amd64/windows/winexec.asm
Co-authored-by: peace-maker
* tidied up winexec 16-byte alignment
* fix stack alignment on return
* Use stable alignment
* Avoid null-bytes in `add` instruction for long commands
---------
Co-authored-by: peace-maker
Co-authored-by: Arusekk
---
 CHANGELOG.md | 2 ++
 .../templates/amd64/windows/winexec.asm | 15 ++++++++++++---
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d708f76c4..b60a9a9dc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -77,6 +77,7 @@ The table below shows which release corresponds to each branch, and what date th
 - [#1763][1763] Allow to add to the existing environment in `process` instead of replacing it
 - [#2307][2307] Fix `pwn libcdb file` crashing if "/bin/sh" string was not found
 - [#2309][2309] Detect challenge binary and libc in `pwn template`
+- [#2308][2308] Fix WinExec shellcraft to make sure it's 16 byte aligned
 [2242]: https://github.com/Gallopsled/pwntools/pull/2242
 [2277]: https://github.com/Gallopsled/pwntools/pull/2277
@@ -85,6 +86,7 @@ The table below shows which release corresponds to each branch, and what date th
 [1763]: https://github.com/Gallopsled/pwntools/pull/1763
 [2307]: https://github.com/Gallopsled/pwntools/pull/2307
 [2309]: https://github.com/Gallopsled/pwntools/pull/2309
+[2308]: https://github.com/Gallopsled/pwntools/pull/2308
 ## 4.12.0 (`beta`)
diff --git a/pwnlib/shellcraft/templates/amd64/windows/winexec.asm b/pwnlib/shellcraft/templates/amd64/windows/winexec.asm
index d6805201b..eb82eb433 100644
--- a/pwnlib/shellcraft/templates/amd64/windows/winexec.asm
+++ b/pwnlib/shellcraft/templates/amd64/windows/winexec.asm
@@ -7,15 +7,24 @@
 Args:
 cmd (str): The program to execute.
+ cmd_show (int): nCmdShow parameter.
-<%page args="cmd"/>
+<%page args="cmd, cmd_show = 0"/>
 <%
 cmd = _need_bytes(cmd)
+stack_frame = 0x30 + align(8, len(cmd)+1)
+stack_frame_align = 8 & ~stack_frame
 %>
 ${amd64.windows.getprocaddress(b'WinExec', b'kernel32.dll', 'rsi')}
 ${amd64.pushstr(cmd)}
 mov rcx, rsp
-    sub rsp, 0x30
+    sub rsp, ${pretty(0x30 + stack_frame_align)}
+    ${amd64.mov('rdx', cmd_show)}
 call rsi
-    add rsp, ${pretty(0x30+align(8, len(cmd)))}
+% if stack_frame + stack_frame_align < 0x80:
+    add rsp, ${pretty(stack_frame + stack_frame_align)}
+% else:
+    ${amd64.mov('rcx', stack_frame + stack_frame_align)}
+    add rsp, rcx
+% endif
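Review bot: The adjustment computed by `stack_frame_align = 8 & ~stack_frame` and applied at `sub rsp, ${pretty(0x30 + stack_frame_align)}` only makes rsp 16-byte aligned at `call rsi` for one particular entry alignment, since the string push and the 0x30 shadow space are the only terms it accounts for; the arithmetic works out if rsp is 8 mod 16 on entry (as right after a `call`) and the preceding getprocaddress leaves rsp where it found it, but neither precondition is stated or enforced in the template. If the shellcode is instead reached with rsp already 16-aligned (for instance by a bare `jmp` after a pivot), WinExec runs misaligned and any aligned SSE access inside kernel32 faults, which is the class of crash this change set out to remove. The docstring should state the precondition, e.g. `Assumes rsp is 8 mod 16 on entry (as after a call); the shadow-space size is adjusted so rsp is 16-byte aligned at the WinExec call.`, and the new `cmd_show (int): nCmdShow parameter.` entry should say that the value is a Windows SW_* constant and that the default 0 is SW_HIDE. If callers cannot guarantee the entry alignment, aligning at runtime (save rsp in a register the template already clobbers, `and rsp, -16`, restore after the call) would be more robust than the compile-time computation, at the cost of the restore no longer being a constant `add`.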