
M.U.G.E.N Engine Researches: State Filepath Overflow

Good evening, readers.
It has been a while since the last blog entry was written, but, well, life got in the way.

For this occasion, we are going to talk about the latest vulnerability discovered in the M.U.G.E.N Engine, which has been used by SuperNull characters like "On The Verge of Death" or "Qvorda", so let's begin.

State Filepath Overflow, also known as "STBOF" or "ST.Path", is an engine vulnerability that allows for arbitrary code execution during character selection, making it a good alternative to use for SuperNull characters.

This vulnerability grew out of Nomi's idea of overflowing the ST Filepath textline in WinMUGEN, which turned out to be impossible there, as that version allows only 255 bytes per text string.

However, it could feasibly be used on the 1.xx engine versions due to their increased textline size limit (4095 bytes), so I decided to investigate it further.

"St" is the entry filepath the engine uses to load Constants/States before St0 ~ St9, so it cannot be omitted, as doing so will cause the engine to raise an error message.

The most interesting detail about this filepath entry is that, for any state file other than the character's definition file, the engine copies the source filepath into a fixed buffer with no limit on the copy length before loading it, which leaves the parser vulnerable to a buffer overflow.
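The safe counterpart of the copy described above, as an added example that is not the engine's code or the author's: a bounded copy that refuses an overlong state filepath instead of overrunning the buffer, wrapped in a small lint that walks the [Files] section of a .def file and counts st/st0..st9 values that exceed a sane path length (or lines longer than the 4095-byte 1.x textline limit quoted above), so a character pack can be vetted before the engine ever parses it. The 260-byte path limit (Windows MAX_PATH) is an assumption, and the .def text built in demo_long_st() is constructed for the example.

```c
/* Added example (not the engine's own code): a defender's check for the
 * state-file path entries of a M.U.G.E.N .def file.
 *   1. load_state_path(): bounded copy into a fixed-size buffer that refuses
 *      overlong values instead of overrunning (the fix for the unbounded copy).
 *   2. lint_def(): scans the [Files] section and counts st/st0..st9 values
 *      longer than MAX_STATE_PATH, or lines longer than the 1.x textline limit.
 * MAX_STATE_PATH (260, Windows MAX_PATH) is an assumed limit; the .def text in
 * demo_long_st() is constructed for the demo.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

#define MAX_STATE_PATH 260   /* assumed sane filepath limit */
#define MAX_DEF_LINE   4095  /* 1.x textline limit quoted in the post */

/* Bounded copy: returns 1 on success, 0 if value would not fit (no silent truncation). */
int load_state_path(char *dst, size_t dstsz, const char *value)
{
    size_t n = strlen(value);
    if (n >= dstsz)
        return 0;
    memcpy(dst, value, n + 1);
    return 1;
}

static char *trim(char *s)
{
    while (isspace((unsigned char)*s)) s++;
    char *e = s + strlen(s);
    while (e > s && isspace((unsigned char)e[-1])) *--e = '\0';
    return s;
}

/* Case-insensitive "st" or "st<digit>": the state-file keys named in the post. */
static int is_state_key(const char *k)
{
    if (tolower((unsigned char)k[0]) != 's' || tolower((unsigned char)k[1]) != 't')
        return 0;
    return k[2] == '\0' || (isdigit((unsigned char)k[2]) && k[3] == '\0');
}

static int is_files_section(const char *s)
{
    const char *want = "[files]";
    for (size_t i = 0; want[i]; i++)
        if (tolower((unsigned char)s[i]) != want[i]) return 0;
    return 1;
}

/* Returns the number of suspicious entries found in def_text. */
int lint_def(const char *def_text)
{
    int suspicious = 0, in_files = 0;
    char line[MAX_DEF_LINE + 1];
    const char *p = def_text;

    while (*p) {
        size_t len = strcspn(p, "\n");
        const char *next = p + len + (p[len] == '\n');
        if (len > MAX_DEF_LINE) {          /* longer than the engine itself allows */
            suspicious++;
            p = next;
            continue;
        }
        memcpy(line, p, len);
        line[len] = '\0';
        p = next;

        char *s = trim(line);
        if (*s == '\0' || *s == ';') continue;                 /* blank or comment */
        if (*s == '[') { in_files = is_files_section(s); continue; }
        if (!in_files) continue;

        char *eq = strchr(s, '=');
        if (!eq) continue;
        *eq = '\0';
        char *key = trim(s), *val = trim(eq + 1);
        if (!is_state_key(key)) continue;

        char buf[MAX_STATE_PATH];
        if (!load_state_path(buf, sizeof buf, val)) {
            printf("%s = <%zu bytes>: exceeds %d, refused\n", key, strlen(val), MAX_STATE_PATH);
            suspicious++;
        }
    }
    return suspicious;
}

/* Build a constructed .def whose "st" value is path_len 'A's plus ".cns", then lint it. */
int demo_long_st(size_t path_len)
{
    static char def[8192];
    size_t off = (size_t)snprintf(def, sizeof def,
                                  "[Info]\nname = \"demo\"\n\n[Files]\ncmd = demo.cmd\nst = ");
    if (path_len > sizeof def - off - 32) path_len = sizeof def - off - 32;
    memset(def + off, 'A', path_len);
    off += path_len;
    snprintf(def + off, sizeof def - off, ".cns\nst0 = extra.st\n");
    return lint_def(def);
}

int main(void)
{
    printf("ordinary path:   %d\n", demo_long_st(20));
    printf("long st value:   %d\n", demo_long_st(3000));
    printf("over line limit: %d\n", demo_long_st(4500));
    return 0;
}
```

An ordinary 20-byte path yields no findings; a 3000-byte value is refused by the bounded copy and counted once; a 4500-byte value is counted because the line itself exceeds the engine's textline limit before the key is even parsed.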

M.U.G.E.N Engine being debugged

After investigating how the overflow could be triggered, I found that 0xB04 bytes (1.1b only) are needed to overwrite the parser's return address, which results in arbitrary code execution.

Yet a ROP chain is required to make your shellcode executable before jumping into it, as the NX bit is enabled by default in these engine versions, so reusing the stack region for pivoting is a good idea.

At this point the shellcode executes without problems; this character was used as the proof of concept for it:

Qvorda's Exploit
A code template that uses the engine vulnerability can be downloaded via this blog entry.
Well, this is all for today. Have a nice day.
