So I pulled off an arbitrary execution exploit for ZZT, here: https://github.com/kristomu/zzt-matrix/ ... ematrx.zzt
Apparently I was too slow doing it; Asie said that GreaseMonkey has already constructed one. But mine draws pictures and figures out the system it's running on, so try it anyway! And stuff.
I haven't added much documentation, but the code that I wrote to get it running is here: https://github.com/kristomu/zzt-matrix/tree/master.
Arbitrary code execution in ZZT 3.2
Moderators: Commodore, Zenith Nadir
-
- newcomer
- Posts: 18
- Joined: Wed Mar 25, 2020 12:59 pm
- Dr. Dos
- OH YES! USE VINE WHIP! <3
- Posts: 1772
- Joined: Tue Mar 11, 2003 12:00 am
- Location: Washington
Re: Arbitrary code execution in ZZT 3.2
That was really cool to see! I managed to get it running by booting off an MS-DOS 6.22 boot disk on an old 2001(ish?) Dell laptop flawlessly.
Visit the Museum of ZZT
Follow Worlds of ZZT on Twitter
Apologies for the old post you may have just read.
Follow Worlds of ZZT on Twitter
Apologies for the old post you may have just read.
-
- newcomer
- Posts: 2
- Joined: Thu Jun 17, 2021 10:48 pm
Re: Arbitrary code execution in ZZT 3.2
Hi, just registered to reply here. I'm not really part of the ZZT community, only stumbled on the source code release via Hacker News, but I found a different exploit using the centipede code :)
Made this some weeks ago actually but didn't feel like releasing it in this raw state. And now it's no longer impressive, serves me right for being shy I guess.
https://museumofzzt.com/file/p/portalz_demo.zip
Made this some weeks ago actually but didn't feel like releasing it in this raw state. And now it's no longer impressive, serves me right for being shy I guess.
https://museumofzzt.com/file/p/portalz_demo.zip
Re: Arbitrary code execution in ZZT 3.2
Well, you are now!Some Random Nerd wrote: ↑Thu Jun 17, 2021 11:02 pm Hi, just registered to reply here. I'm not really part of the ZZT community
It's still impressive - your method seems to be distinct from both GreaseMonkey's and kristomu's, has unique properties, and also you found a hole in Zeta that I had to quickly patch :D
Zeta was always meant to emulate two specific 8086 binaries, so I didn't really think too much about making it 100% accurate - the focus was more on size and speed, as it was intended first and foremost as a WebAssembly emulator core for the Museum of ZZT.
-
- newcomer
- Posts: 18
- Joined: Wed Mar 25, 2020 12:59 pm
Re: Arbitrary code execution in ZZT 3.2
Maybe we need a "99 ways to break ZZT" world now :-)asie wrote:It's still impressive - your method seems to be distinct from both GreaseMonkey's and kristomu's, has unique properties, and also you found a hole in Zeta that I had to quickly patch :D
Where can I find GreaseMonkey's exploit? It doesn't seem to be in the museum.
I'm surprised that Nerd's "quick version" (the tell-me-everything board) exploit doesn't work if I run the fill.com countermeasure from Matrix, but the full exploit (the one activated by going north) does. I also suspect that it's possible to do the exploit without requiring an extra board for activation, unlike Hack the Matrix's. (Just jump to tile board space instead of display memory, and use a number strategically placed JMP NEAR commands with the EA byte as the color of the tile, to trampoline out of the tile space into object metadata space; and then put the LES and far jump in the xstep/ystep/cycle parameters.)
-
- newcomer
- Posts: 2
- Joined: Thu Jun 17, 2021 10:48 pm
Re: Arbitrary code execution in ZZT 3.2
No idea why it wouldn't work, but the quick version doesn't do anything other than "int 3 ; retf". If you run it under a debugger you should get a breakpoint. Also one black spot appears on the board because it tries to redraw stat $E0.The Mysterious KM wrote: ↑Fri Jun 18, 2021 7:18 pmI'm surprised that Nerd's "quick version" (the tell-me-everything board) exploit doesn't work if I run the fill.com countermeasure from Matrix, but the full exploit (the one activated by going north) does. I also suspect that it's possible to do the exploit without requiring an extra board for activation, unlike Hack the Matrix's. (Just jump to tile board space instead of display memory, and use a number strategically placed JMP NEAR commands with the EA byte as the color of the tile, to trampoline out of the tile space into object metadata space; and then put the LES and far jump in the xstep/ystep/cycle parameters.)asie wrote:It's still impressive - your method seems to be distinct from both GreaseMonkey's and kristomu's, has unique properties, and also you found a hole in Zeta that I had to quickly patch :D
The extra board is needed so it activates immediately on entering. If you put the exploit on the first board, it starts off paused, not sure if this is what you meant? Maybe it could be made to work on the title screen, but the rest of the game world isn't loaded at that point so it couldn't simply change to a new board...
I used the video memory trick because that is always at the same segment, unlike ZZT. The exploit simply writes StepX and StepY over the far pointer of the ammo tick proc, getting it to jump to the ZZT data segment didn't seem possible at the time. Also the step values must be both a valid pointer, and wrap around in such a way that it hits the player element:
Code: Select all
...
end else if Board.Tiles[X + StepX][Y + StepY].Element = E_PLAYER then begin
if Follower <> -1 then begin
Board.Tiles[Board.Stats[Follower].X][Board.Stats[Follower].Y].Element := E_CENTIPEDE_HEAD;
Board.Stats[Follower].StepX := StepX;
Board.Stats[Follower].StepY := StepY;
BoardDrawTile(Board.Stats[Follower].X, Board.Stats[Follower].Y);
end;
BoardAttack(statId, X + StepX, Y + StepY);
end else begin
...