MUGEN Cheap Wiki
State Filepath Overflow - Exploit Example No. 1

Proof-of-concept character, created by Cyber.x64 and Nomi, demonstrating the existence of this vulnerability in 1.1b.

State Filepath Overflow, also known as STBOF or ST Path, is a vulnerability in M.U.G.E.N 1.0 and higher that allows for arbitrary code execution at the time of character selection.

As part of the SuperNull exploit series, it triggers when a character is loaded during character selection, which makes it a practical alternative to the StateDef Overflow vulnerability, since the latter no longer works in these engine builds.

Exploitation is unstable on 1.0: the overflow also corrupts the heap as a side effect, which can cause the engine to stop working.

Exploit Details

As the technical name implies, this is a buffer overflow in the parser for the State Filepath text line (St = Common.St), a line that most authors rarely use. The parser's buffer is 2,820 bytes by default in 1.1b; a malformed Filepath string longer than that overwrites the parser's return address, which can lead to arbitrary code execution.

Example of a State Filepath text line filled with arbitrary data to overflow the parser's buffer memory:
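The page's own sample line is not reproduced here. As an added, defensive example that is not part of the original wiki page, the following Python scanner parses a character definition file and flags any state-file entry in the [Files] section whose value is at or above a length threshold, defaulting to the 2,820-byte figure the page gives for 1.1b; the .def text is constructed, and treating the numbered st keys and stcommon the same as st is an assumption.

```python
import re

# Parser buffer size the page cites for M.U.G.E.N 1.1b. Assumed to be the
# right threshold only for that build; other versions may differ.
DEFAULT_BUFFER_BYTES = 2820

# Constructed sample .def text: an ordinary [Files] section plus one
# state-file entry padded far past the buffer size.
SAMPLE_DEF = (
    "[Info]\n"
    "name = \"Sample\"\n"
    "\n"
    "[Files]\n"
    "cmd = sample.cmd   ; command file\n"
    "cns = sample.cns\n"
    "st = Common.St\n"
    + "st1 = " + "A" * 3000 + "\n"
    + "sprite = sample.sff\n"
)

_SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_KEYVAL_RE = re.compile(r"^\s*(?P<key>[A-Za-z0-9_.]+)\s*=\s*(?P<val>.*)$")
# 'st', 'st0'..'st9' and 'stcommon' are treated alike here (assumption).
_STATE_KEY_RE = re.compile(r"^(st\d*|stcommon)$")


def strip_comment(line):
    # ';' starts a comment in MUGEN .def files; drop it and trailing blanks.
    return line.split(";", 1)[0].rstrip()


def find_oversized_state_paths(def_text, limit=DEFAULT_BUFFER_BYTES):
    """Return (key, byte_length) for [Files] state-file entries >= limit."""
    findings = []
    section = None
    for raw in def_text.splitlines():
        line = strip_comment(raw)
        m = _SECTION_RE.match(line)
        if m:
            section = m.group("name").strip().lower()
            continue
        if section != "files":
            continue
        m = _KEYVAL_RE.match(line)
        if not m or not _STATE_KEY_RE.match(m.group("key").lower()):
            continue
        length = len(m.group("val").encode("utf-8", "replace"))
        if length >= limit:
            findings.append((m.group("key").lower(), length))
    return findings


if __name__ == "__main__":
    for key, length in find_oversized_state_paths(SAMPLE_DEF):
        print(f"suspicious: {key} is {length} bytes (limit {DEFAULT_BUFFER_BYTES})")
```

Running it over a character pack before installing flags definition files that no legitimate author would produce; a lower threshold can be passed for builds where the buffer is smaller.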

NX Bit

As stated in the exploit series article, shellcode cannot be executed directly in the program because of NX bit protection, so a ROP chain is required to make the shellcode region executable before jumping to it.
