Command Overflow

Last-modified: 2025-10-22 (水) 08:55:55

Command Trigger Overflow, technically known as Command Trigger's Buffer Overflow Attack (CTBOF), is a vulnerability present in all M.U.G.E.N Engine versions that allows arbitrary code execution at character selection time.

As part of the SuperNull exploit series, it triggers when a character is loaded during character selection, which makes it a good alternative to the StateDef Overflow vulnerability, since the latter is usually sealed by other characters.

Exploit Details

As the technical name implies, it takes advantage of a buffer overflow in the Command trigger's text parser. The parser's buffer is 64 bytes by default; when a Command trigger string exceeds that size, the parser's return address is overwritten, which can lead to arbitrary code execution.

Example of a Command trigger whose string is long enough to overflow the parser's buffer:

[StateDef 255]
[State ]
Type = Null
Trigger1 = Command = "U‰å¸ß×´ÿ÷ЉÁQ�Ç�ÉçððÇA�èïõòÇA�íçÄÚÇA�ãûõú‰PðÉƒ�FƒÄ�¸d¸ÿ÷ÐÿàÔ�@"
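Because the only thing the overflow needs is a quoted Command trigger string longer than the parser's 64-byte buffer, a length check over a character's .cns/.cmd files is a cheap way to audit downloaded content before it is ever loaded. The scanner below is an added example written for this page; it is not part of the article or of the M.U.G.E.N project. It assumes only the 64-byte buffer size stated above, works on raw bytes so that lengths match what the engine's parser reads regardless of text encoding, and uses a constructed sample file rather than any real character data.

```python
import re
import sys

# Parser buffer size as stated in the article; anything longer is suspicious.
BUFFER_SIZE = 64

# Matches  command = "..."  or  command != "..."  as used inside triggers.
# Case-insensitive because MUGEN keywords are; bytes so lengths are exact.
COMMAND_RE = re.compile(rb'command\s*(?:!=|=)\s*"([^"]*)"', re.IGNORECASE)


def find_overlong_commands(data: bytes, limit: int = BUFFER_SIZE):
    """Return (line_number, byte_length, preview) for every quoted Command
    trigger string in `data` that is longer than `limit` bytes."""
    findings = []
    for line_no, raw in enumerate(data.splitlines(), start=1):
        if raw.lstrip().startswith(b";"):
            continue  # whole-line comment, never parsed as a trigger
        for match in COMMAND_RE.finditer(raw):
            value = match.group(1)
            if len(value) > limit:
                # Short, printable preview so a report never echoes a full payload.
                preview = value[:16].decode("latin-1", "replace")
                findings.append((line_no, len(value), preview))
    return findings


def scan_file(path: str, limit: int = BUFFER_SIZE):
    """Scan one .cns/.cmd file on disk and return its findings."""
    with open(path, "rb") as fh:
        return find_overlong_commands(fh.read(), limit)


# Constructed sample (hypothetical, not from any real character): a normal
# trigger, a commented-out long string that must be ignored, and one
# 80-byte string of 'A' that exceeds the 64-byte buffer.
SAMPLE = (
    b"[StateDef 255]\r\n"
    b"[State -1, test]\r\n"
    b"type = Null\r\n"
    b"trigger1 = command = \"a\"\r\n"
    b"; trigger1 = command = \"" + b"B" * 100 + b"\"\r\n"
    b"trigger2 = command != \"" + b"A" * 80 + b"\"\r\n"
)

if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        # No arguments: demonstrate on the constructed sample.
        for line_no, length, preview in find_overlong_commands(SAMPLE):
            print(f"sample:{line_no}: {length}-byte Command string ({preview!r}...)")
    for path in paths:
        for line_no, length, preview in scan_file(path):
            print(f"{path}:{line_no}: {length}-byte Command string ({preview!r}...)")
```

Run it with one or more .cns/.cmd paths as arguments; with no arguments it reports line 6 of the built-in sample. The regex deliberately matches only the quoted form used by the Command trigger, so `command = a, b` definitions inside `[Command]` sections are not flagged. A hit is a reason to inspect or reject the character, not proof of an exploit, but legitimate command names are short, so there is little reason for a string anywhere near 64 bytes.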

1.0/1.1

Although the vulnerability still works in these engine builds, shellcode cannot be used directly; ROP chains must be used instead, as stated in the exploit series article. It is not one of the best options, as it has many data limitations that make exploits difficult to create. It is non-functional in 1.1b, where Command text strings are truncated to the parser's buffer size; use the AssertSpecial Overflow vulnerability instead.