Arbitrary code execution in ZZT 3.2

NOTE: I HATE A LOT OF YOUR ZZT GAMES, SO WATCH OUT!

Moderators: Commodore, Zenith Nadir

Post Reply
The Mysterious KM
newcomer
Posts: 18
Joined: Wed Mar 25, 2020 12:59 pm

Arbitrary code execution in ZZT 3.2

Post by The Mysterious KM »

So I pulled off an arbitrary execution exploit for ZZT, here: https://github.com/kristomu/zzt-matrix/ ... ematrx.zzt

Apparently I was too slow doing it; Asie said that GreaseMonkey has already constructed one. But mine draws pictures and figures out the system it's running on, so try it anyway! And stuff.

I haven't added much documentation, but the code that I wrote to get it running is here: https://github.com/kristomu/zzt-matrix/tree/master.
User avatar
Dr. Dos
OH YES! USE VINE WHIP! <3
Posts: 1772
Joined: Tue Mar 11, 2003 12:00 am
Location: Washington

Re: Arbitrary code execution in ZZT 3.2

Post by Dr. Dos »

:keen:

That was really cool to see! I managed to get it running by booting off an MS-DOS 6.22 boot disk on an old 2001(ish?) Dell laptop flawlessly.
Visit the Museum of ZZT
Follow Worlds of ZZT on Twitter

Apologies for the old post you may have just read.
Some Random Nerd
newcomer
Posts: 2
Joined: Thu Jun 17, 2021 10:48 pm

Re: Arbitrary code execution in ZZT 3.2

Post by Some Random Nerd »

Hi, just registered to reply here. I'm not really part of the ZZT community, only stumbled on the source code release via Hacker News, but I found a different exploit using the centipede code :)

Made this some weeks ago actually but didn't feel like releasing it in this raw state. And now it's no longer impressive, serves me right for being shy I guess.

https://museumofzzt.com/file/p/portalz_demo.zip
asie
1 full minit uv 1 secend mesiges
Posts: 67
Joined: Sun Mar 17, 2019 4:55 pm

Re: Arbitrary code execution in ZZT 3.2

Post by asie »

Some Random Nerd wrote: Thu Jun 17, 2021 11:02 pm Hi, just registered to reply here. I'm not really part of the ZZT community
Well, you are now!

It's still impressive - your method seems to be distinct from both GreaseMonkey's and kristomu's, has unique properties, and also you found a hole in Zeta that I had to quickly patch :D

Zeta was always meant to emulate two specific 8086 binaries, so I didn't really think too much about making it 100% accurate - the focus was more on size and speed, as it was intended first and foremost as a WebAssembly emulator core for the Museum of ZZT.
The Mysterious KM
newcomer
Posts: 18
Joined: Wed Mar 25, 2020 12:59 pm

Re: Arbitrary code execution in ZZT 3.2

Post by The Mysterious KM »

asie wrote:It's still impressive - your method seems to be distinct from both GreaseMonkey's and kristomu's, has unique properties, and also you found a hole in Zeta that I had to quickly patch :D
Maybe we need a "99 ways to break ZZT" world now :-)

Where can I find GreaseMonkey's exploit? It doesn't seem to be in the museum.

I'm surprised that Nerd's "quick version" (the tell-me-everything board) exploit doesn't work if I run the fill.com countermeasure from Matrix, but the full exploit (the one activated by going north) does. I also suspect that it's possible to do the exploit without requiring an extra board for activation, unlike Hack the Matrix's. (Just jump to tile board space instead of display memory, and use a number strategically placed JMP NEAR commands with the EA byte as the color of the tile, to trampoline out of the tile space into object metadata space; and then put the LES and far jump in the xstep/ystep/cycle parameters.)
Some Random Nerd
newcomer
Posts: 2
Joined: Thu Jun 17, 2021 10:48 pm

Re: Arbitrary code execution in ZZT 3.2

Post by Some Random Nerd »

The Mysterious KM wrote: Fri Jun 18, 2021 7:18 pm
asie wrote:It's still impressive - your method seems to be distinct from both GreaseMonkey's and kristomu's, has unique properties, and also you found a hole in Zeta that I had to quickly patch :D
I'm surprised that Nerd's "quick version" (the tell-me-everything board) exploit doesn't work if I run the fill.com countermeasure from Matrix, but the full exploit (the one activated by going north) does. I also suspect that it's possible to do the exploit without requiring an extra board for activation, unlike Hack the Matrix's. (Just jump to tile board space instead of display memory, and use a number strategically placed JMP NEAR commands with the EA byte as the color of the tile, to trampoline out of the tile space into object metadata space; and then put the LES and far jump in the xstep/ystep/cycle parameters.)
No idea why it wouldn't work, but the quick version doesn't do anything other than "int 3 ; retf". If you run it under a debugger you should get a breakpoint. Also one black spot appears on the board because it tries to redraw stat $E0.

The extra board is needed so it activates immediately on entering. If you put the exploit on the first board, it starts off paused, not sure if this is what you meant? Maybe it could be made to work on the title screen, but the rest of the game world isn't loaded at that point so it couldn't simply change to a new board...

I used the video memory trick because that is always at the same segment, unlike ZZT. The exploit simply writes StepX and StepY over the far pointer of the ammo tick proc, getting it to jump to the ZZT data segment didn't seem possible at the time. Also the step values must be both a valid pointer, and wrap around in such a way that it hits the player element:

Code: Select all

...
 end else if Board.Tiles[X + StepX][Y + StepY].Element = E_PLAYER then begin
     if Follower <> -1 then begin
         Board.Tiles[Board.Stats[Follower].X][Board.Stats[Follower].Y].Element := E_CENTIPEDE_HEAD;
         Board.Stats[Follower].StepX := StepX;
         Board.Stats[Follower].StepY := StepY;
         BoardDrawTile(Board.Stats[Follower].X, Board.Stats[Follower].Y);
     end;
     BoardAttack(statId, X + StepX, Y + StepY);
 end else begin
 ...
 
Post Reply