MUGEN Cheap Wiki
[Image (Early): The Last Early Summer Rain]

HyperNull is a coding term for exploits that use engine vulnerabilities to achieve arbitrary code execution during the character initialization stage.

This type of exploit runs at the moment the engine loads the character list file, select.def, which makes HyperNull exploits among the most powerful forms of internal exploitation; they are capable of defeating SuperNull characters.

In WinMUGEN, the most commonly used methods for this type of exploit are Definition Data Overflow (also known as DEF Overflow) and the ZLib Exploit. Elecbyte eventually patched this exploit in later versions of the engine, such as MUGEN 1.x, so in those versions the Sprite Filepath Overflow serves as a functional equivalent to the earlier techniques.

Exploit Details

Early HyperNull exploits were based on a heap overflow triggered through crafted .def files. They allowed authors to manipulate specific engine instructions, redirecting the main thread's control flow to their shellcode and thus achieving arbitrary code execution. However, this early method was highly OS-dependent: it relied on a vulnerability specific to Windows XP, which was later patched, rendering the technique obsolete on newer systems.

A more "robust" variant was discovered in 2020 by ydccdy. It targets a long-known vulnerability, first found in 2003, in the ZLib 1.1.4 library version used by WinMUGEN. The vulnerability stems from improper memory management: the ZLib library correctly frees input parameters stored on the stack, but the engine then mistakenly attempts to deallocate the same memory again. This double free creates an opportunity for arbitrary code execution when paired with a specially crafted ZIP file. The exploit also uses a buffer overflow in ZLib's gzprintf function, since Elecbyte compiled the library without the vsnprintf safeguard, which lets cheap authors run their own shellcode.

This exploit is OS-independent and remains the most widely used technique among authors developing HyperNull characters, as it is effective across all builds of WinMUGEN.

1.0/1.1

Unfortunately, this vulnerability is limited to WinMUGEN, as mentioned above. While developing MUGEN 1.0 and later, Elecbyte upgraded the ZLib library to version 1.2.3 and compiled it with proper safeguards, including the vsnprintf function. vsnprintf enforces a buffer size limit and always writes a null terminator, so output that does not fit is truncated instead of overrunning the buffer. These protections mitigate the buffer overflow condition that earlier builds were vulnerable to, so the ZLib-based HyperNull exploit is no longer viable in MUGEN 1.0 and newer versions.
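As an added illustration of the two mitigations this page touches on, here is a small C example that is not code from the page, from Elecbyte, or from the zlib project. It shows the bounded-formatting behaviour described above (vsnprintf reporting how much output was needed and always terminating the buffer, so a caller can detect truncation) and the single-ownership release discipline that rules out the kind of double free described in the ZLib section, where one side frees memory and the other side frees it again. The function names bounded_format, format_fits and release are hypothetical and chosen for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical bounded formatter modelled on the vsnprintf safeguard the
 * page describes; it is not zlib's gzprintf. Like vsnprintf it returns the
 * number of characters the full output would need, and when size > 0 the
 * buffer is always NUL-terminated, so oversized output is cut off rather
 * than written past the end of buf. */
static int bounded_format(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return needed;
}

/* Returns 1 if the formatted string fit completely into buf, 0 if it was
 * truncated or formatting failed. A caller that treats 0 as an error gets
 * the safe behaviour: truncated output, never an overflow. */
int format_fits(char *buf, size_t size, const char *fmt, const char *arg)
{
    int needed = bounded_format(buf, size, fmt, arg);
    return needed >= 0 && (size_t)needed < size;
}

/* Release helper enforcing single ownership: frees *slot and clears it, so
 * a second release of the same slot is a harmless free(NULL) instead of a
 * double free. Passing the slot (not the pointer) is what makes this work. */
void release(char **slot)
{
    free(*slot);
    *slot = NULL;
}

int main(void)
{
    char buf[16];
    /* Constructed inputs: one that fits, one that would overflow a raw vsprintf. */
    printf("short fits: %d\n", format_fits(buf, sizeof buf, "%s", "short"));
    printf("long fits:  %d, stored \"%s\"\n",
           format_fits(buf, sizeof buf, "%s", "this string is much longer than sixteen"), buf);

    char *p = malloc(8);
    release(&p);
    release(&p); /* second release is a no-op because the slot was cleared */
    printf("pointer after double release: %s\n", p == NULL ? "NULL" : "dangling");
    return 0;
}
```

The contrast with the vulnerable build is in what happens on the long input: a formatter without the size argument would keep writing past the sixteenth byte, while the bounded version stops at fifteen characters plus the terminator and reports the mismatch through its return value.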

However, HyperNull characters can still be created in MUGEN 1.x through alternative methods. One approach exploits a vulnerability in the Definition File Text Parser, allowing arbitrary code execution during character initialization. Another method, exclusive to MUGEN 1.1, involves automatically modifying the init.lua script, which is executed at engine startup and can be used to run the character's code before any character is loaded.
