MUGEN Cheap Wiki
Advertisement
MUGEN Cheap Wiki
MUGEN Cheap Wiki
98
pages
in: Engine Exploits, Buffer Overflow Type Vulnerabilities

StateDef Overflow

Sign in to edit
E3304cc2d5628535361ed16894ef76c6a6ef6359

StateDef Overflow, also known as Def Buffer Overflow or DBOF, is a vulnerability in WinMUGEN that allows for arbitrary code execution at the time of character selection.
While often referred to this vulnerability as SuperNull, the latter is actually an exploit series that allows for arbitrary code execution during the character selection, which should not be confused with this.

As it is executed as a character is loaded, rather than during the match, it is one of the most powerful forms of code execution internal characters are capable of. Until the discovery of HyperNull exploit series, it was considered to be unstoppable by other internal characters if executed first.

Usage Examples[]

Offensive Utility[]

As you'd expect from a vulnerability with such advantageous timing, there are countless authors that have created exploits that take advantage of this vulnerability for offensive purposes. The offensive usage of those exploits is largely that of polymorphism, which replaces the entire character select screen with characters that do nothing, allowing the character to have free reign. dsrugal and certain guanyin variants are the most well-known examples of this. An alternate approach, involving closing the MUGEN window and opening one's own copy (similar to the Omed method), has seen use in edits like Ashes Princess ZERO Requiem.

Defensive Utility[]

In a similar vein, there are also characters that use said vulnerability to defend themselves against similar exploits and potentially retaliate accordingly. This is often done by modifying the engine's code to either disable undesired exploits almost completely (Code.Crashed.Killer), ensure that the engine is in a consistent, desired state (Void-Schmelze), or constantly restoring information in case of tampering (Mainyu). This second method, when applied solely to information like the character's folder name, is the method commonly referred to as TTSN (Top-Tier SuperNull) Defense, as it counters the offensive utility mentioned above if executed before the attack.

Miscellaneous Utility[]

Because this timing occurs during character loading, there are also uses for this vulnerability that don't fall into the category of offense or defense. Old versions of DarknessSevenNight used it to remove the variable limit, allowing for greater information storage and a more direct, lighter form of %n. Various edits use it to allow for animated select portraits, known as DynamicPortrait, like Beyond Reason. A DBOF exploit file has been released that backports MUGEN 1.1b's rotatable Explod functionality to WinMUGEN, which is even seen in more standard characters like Yeen.

Exploit Details[]

As implied by the vulnerability's technical name, this takes advantage of a Buffer Overflow type vulnerability in the StateDef parser. When the text within a StateDef header is at least 64 characters long, the return address from this parser is overwritten, resulting in the potential for arbitrary code execution. Note that this is at least 64 characters long, as all strings are null terminated; a 64-character long string is technically 65 if you account for this null terminator.

For example, a StateDef structured like this: 

[StateDef 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrsF2@]
[State ]
Type     = Null
Trigger1 = 1

will return to the address corresponding to the text F2@ (0x00403246) after StateDef processing.

Creation Tips[]

There are plenty of templates online for use cases such as TTSN, DynamicPortrait execution, Explod Rotation, and more. Chances are, you don't have to actually make a DBOF exploit on your own. However, if you want to create an exploit that actually does something novel, you need to know x86 assembly before even continuing. The process of creation is relatively simple if you do know it, and simply involves treating your entire state file, starting at the return point, as a list of x86 instructions. With that in mind, here are some tips for novices.

  • This is a file-based exploit, rather than a clipboard-based exploit, which means there are some bytes that simply cannot be used that you otherwise would be able to with %c. Notably,
  • You cannot use the 0x0A byte anywhere in your code. This is automatically converted to a 00 byte; this does mean that you can use 00 bytes in your code, but only one at a time. Mind trailing/leading spaces when doing so.
  • As per standard MUGEN fare, you cannot use the 0x3B byte (;) anywhere in your code, as this will mark the remainder of the line as a comment. The 0x1A byte is considered an EoF, and also cannot be used.
  • In the StateDef header itself, you cannot use the 0x5D byte (]), as this will prematurely terminate the StateDef number and nullify the exploit. Afterwards is fair game.
  • While any return address can be used, the ideal is one that contains an ADD ESP, 0x10; RET; instruction set, which executes code from the StateDef number. Examples are F2@ (0x00403246), v-@ (0x00402D76), and HvH (0x00487648).
  • It's commonplace to use a jmp instruction by writing something akin to ë:. An alternate option is using a jne instruction such as u:, which preserves ASCII compatibility while accomplishing the same thing due to the ADD ESP, 0x10 instruction executed before entry.

1.0/1.1[]

In newer engine versions, the StateDef Header parser's buffer size is increased to 255 bytes and all strings longer than this threshhold will be truncated, making this vulnerability completely ineffective.

Community content is available under CC-BY-SA unless otherwise noted.
Advertisement