Make sure winexec shellcode is 16 byte aligned and add nCmdShow option (

#2308) * Make sure winexec is 16 byte aligned and add nCmdShow option * fix typo and add changelog * Update pwnlib/shellcraft/templates/amd64/windows/winexec.asm Co-authored-by: peace-maker <peacemakerctf@gmail.com> * tidied up winexec 16-byte alignment * fix stack alignment on return * Use stable alignment * Avoid null-bytes in `add` instruction for long commands --------- Co-authored-by: peace-maker <peacemakerctf@gmail.com> Co-authored-by: Arusekk <arek_koz@o2.pl>
Gallopsled · Dec 14, 2023 · c7649c9 · c7649c9
1 parent 8367da6
commit c7649c9
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -77,6 +77,7 @@ The table below shows which release corresponds to each branch, and what date th
 - [#1763][1763] Allow to add to the existing environment in `process` instead of replacing it
 - [#2307][2307] Fix `pwn libcdb file` crashing if "/bin/sh" string was not found
 - [#2309][2309] Detect challenge binary and libc in `pwn template`
+- [#2308][2308] Fix WinExec shellcraft to make sure it's 16 byte aligned
 
 [2242]: https://github.com/Gallopsled/pwntools/pull/2242
 [2277]: https://github.com/Gallopsled/pwntools/pull/2277
@@ -85,6 +86,7 @@ The table below shows which release corresponds to each branch, and what date th
 [1763]: https://github.com/Gallopsled/pwntools/pull/1763
 [2307]: https://github.com/Gallopsled/pwntools/pull/2307
 [2309]: https://github.com/Gallopsled/pwntools/pull/2309
+[2308]: https://github.com/Gallopsled/pwntools/pull/2308
 
 ## 4.12.0 (`beta`)
 

diff --git a/pwnlib/shellcraft/templates/amd64/windows/winexec.asm b/pwnlib/shellcraft/templates/amd64/windows/winexec.asm
@@ -7,15 +7,24 @@
 
 Args:
     cmd (str): The program to execute.
+    cmd_show (int): nCmdShow parameter.
 </%docstring>
-<%page args="cmd"/>
+<%page args="cmd, cmd_show = 0"/>
 <%
 cmd = _need_bytes(cmd)
+stack_frame = 0x30 + align(8, len(cmd)+1)
+stack_frame_align = 8 & ~stack_frame
 %>
 
     ${amd64.windows.getprocaddress(b'WinExec', b'kernel32.dll', 'rsi')}
     ${amd64.pushstr(cmd)}
     mov rcx, rsp
-    sub rsp, 0x30
+    sub rsp, ${pretty(0x30 + stack_frame_align)}
+    ${amd64.mov('rdx', cmd_show)}
     call rsi
-    add rsp, ${pretty(0x30+align(8, len(cmd)))}
+% if stack_frame + stack_frame_align < 0x80:
+    add rsp, ${pretty(stack_frame + stack_frame_align)}
+% else:
+    ${amd64.mov('rcx', stack_frame + stack_frame_align)}
+    add rsp, rcx
+% endif