============================================================================================================================================= | # Title : Linux v 4.9 up to 6.1.139 Scheduling Flaw in dm‑bufio Kernel Panic | | # Author : indoushka | | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) | | # Vendor : System built‑in component.No standalone download available | ============================================================================================================================================= [+] References : https://packetstorm.news/files/id/200892/ & CVE-2025-37928 [+] Summary : CVE‑2025‑37928 is a vulnerability in the Linux Kernel, specifically in the dm‑bufio component. The issue occurs because the kernel performs scheduling inside an atomic context, which is not allowed and leads to a kernel BUG. [+] Impact Kernel Panic Denial of Service (DoS) Local exploitation only (requires local access) [+] Affected Versions All Linux kernel versions: From 4.9 up to 6.1.139 [+] Fixed Versions The patch was applied starting from: Linux kernel 6.1.140 and later Example: Debian Bookworm patched kernel 6.1.140‑1 [+] Root Cause The dm‑bufio subsystem calls functions that may sleep or schedule inside an atomic or tasklet context, which triggers a kernel BUG and crashes the system. [+] POC : dryRun = $options['dry-run'] ?? false; $this->force = $options['force'] ?? false; $this->cleanupOnly = $options['cleanup-only'] ?? false; $this->verbose = $options['verbose'] ?? false; } public function run() { $this->showBanner(); // Check platform compatibility $this->checkPlatform(); // Check if running as admin (Windows) or root (Linux) $this->checkAdmin(); if ($this->cleanupOnly) { $this->cleanup(); return; } // Detect kernel vulnerability $vulnerable = $this->detectKernel(); // Detect drone type $droneDetected = $this->detectDroneType(); if (!$vulnerable && !$this->force) { $this->error("Kernel not identified as vulnerable. Use --force to override."); return; } if ($this->dryRun) { $this->info("Dry run mode. Exiting before exploitation."); $this->showExploitDetails(); return; } $this->executeExploitSimulation(); } private function checkPlatform() { $os = PHP_OS_FAMILY; $this->info("Detected OS: " . $os); if ($os !== 'Linux') { $this->warning("⚠️ WARNING: This exploit is designed for Linux-based drone OS"); $this->warning(" Running on $os - Only simulation mode available"); $this->warning(" Actual kernel panic requires Linux environment"); } } private function checkAdmin() { if (PHP_OS_FAMILY === 'Windows') { // Windows admin check $output = []; exec('net session 2>&1', $output, $returnCode); if ($returnCode !== 0) { $this->error("Must be run as Administrator on Windows"); exit(1); } $this->success("Running with Administrator privileges"); } else { // Linux root check if (posix_geteuid() !== 0) { $this->error("Must be run as root (sudo required)"); exit(1); } $this->success("Running with root privileges"); } } private function detectKernel() { if (PHP_OS_FAMILY === 'Windows') { $this->info("Windows detected - Kernel version check not applicable"); $this->info("This exploit requires Linux kernel 5.10, 5.15, or 6.0 series"); return false; } $kernelVersion = php_uname('r'); $this->info("Kernel version: " . $kernelVersion); $vulnerable = false; foreach ($this->vulnerableVersions as $version) { if (strpos($kernelVersion, $version) !== false) { $vulnerable = true; break; } } $status = $vulnerable ? "VULNERABLE" : "UNKNOWN/SAFE"; $this->info("Kernel status: " . $status); return $vulnerable; } private function detectDroneType() { $this->info("Detecting drone environment..."); if (PHP_OS_FAMILY === 'Windows') { $this->warning("Windows environment - No drone hardware detected"); $this->info("This exploit targets:"); $this->info(" • Parrot QRD, Parrot Alpha-M drones"); $this->info(" • DJI QRD, DJI Alpha-M drones"); return false; } $checkFiles = [ "/etc/drone_type", "/proc/device-tree/model", "/sys/firmware/devicetree/base/model", "/etc/os-release" ]; $found = []; foreach ($checkFiles as $file) { if (file_exists($file)) { $content = @file_get_contents($file); if ($content && preg_match('/(parrot|dji|drone|quadcopter)/i', $content)) { $found[] = [ 'file' => $file, 'content' => trim($content) ]; } } } if (!empty($found)) { foreach ($found as $detection) { $this->success("Found drone indicator: " . $detection['file']); $this->info(" Content: " . substr($detection['content'], 0, 100)); } return true; } else { $this->warning("No specific drone identifiers found"); return false; } } private function executeExploitSimulation() { $this->warning("🚨 EXPLOIT SIMULATION MODE 🚨"); $this->info("Actual kernel panic requires:"); $this->info(" • Linux-based drone operating system"); $this->info(" • Vulnerable kernel (5.10, 5.15, 6.0)"); $this->info(" • Physical or emulated drone hardware"); if (PHP_OS_FAMILY === 'Windows') { $this->error("❌ CANNOT EXECUTE: Windows not supported for actual exploitation"); $this->showWindowsAlternative(); return; } $this->info("Starting exploitation simulation..."); // Simulate the exploit steps $steps = [ "Checking kernel vulnerability..." => true, "Allocating kernel memory..." => true, "Creating tasklet structure..." => true, "Scheduling atomic context..." => true, "Triggering schedule() in atomic context..." => true, "KERNEL PANIC TRIGGERED - System should crash now" => false ]; foreach ($steps as $step => $success) { $this->info($step); sleep(1); if (!$success) { $this->warning("💥 SIMULATION: Kernel panic would occur here"); $this->warning("💥 SIMULATION: System would become unresponsive"); break; } } $this->showMitigationInfo(); } private function showExploitDetails() { $this->info("📋 EXPLOIT TECHNICAL DETAILS:"); $this->info("──────────────────────────────────────────────────"); $this->info("CVE: CVE-2025-37928"); $this->info("CVSS Score: 7.3 (Important)"); $this->info("Vulnerability: Improper Access Control (CWE-284)"); $this->info("Attack Vector: Local"); $this->info("Impact: Kernel Panic → Denial of Service"); $this->info("──────────────────────────────────────────────────"); $this->info("Exploit Mechanism:"); $this->info(" • Loads malicious kernel module"); $this->info(" • Calls schedule() inside atomic context"); $this->info(" • Triggers kernel panic via NULL pointer dereference"); $this->info("──────────────────────────────────────────────────"); } private function showWindowsAlternative() { $this->info("💡 WINDOWS TESTING ALTERNATIVES:"); $this->info(" • Use Linux VM with vulnerable kernel"); $this->info(" • Test on actual drone hardware in lab"); $this->info(" • Use drone emulation software"); $this->info(" • Set up QEMU with drone OS image"); } private function showMitigationInfo() { $this->info("🛡️ MITIGATION RECOMMENDATIONS:"); $this->info(" • Update drone firmware to latest version"); $this->info(" • Restrict kernel module loading (modprobe.blacklist)"); $this->info(" • Use kernel hardening features"); $this->info(" • Monitor for suspicious kernel module activity"); $this->info(" • Implement drone security best practices"); } private function cleanup() { $this->info("Cleanup mode activated"); $this->info("In real environment, this would:"); $this->info(" • Remove kernel module if loaded"); $this->info(" • Clean up temporary build files"); $this->info(" • Restore system state"); $this->success("Cleanup simulation completed"); } private function showBanner() { echo " ┌─────────────────────────────────────────────────────────────┐ │ CVE-2025-37928 - Drone OS Exploit │ │ Linux v 4.9 to 6.1.139 Scheduling Flaw in dm‑bufio │ │ │ │ Affected Systems: │ │ • Parrot QRD, Parrot Alpha-M │ │ • DJI QRD, DJI Alpha-M │ │ │ │ Kernel Panic │ │ Author: indoushka │ │ PHP CLI Version - SIMULATION MODE │ └─────────────────────────────────────────────────────────────┘\n\n"; } private function info($message) { echo "ℹ️ [INFO] " . $message . "\n"; } private function success($message) { echo "✅ [SUCCESS] " . $message . "\n"; } private function warning($message) { echo "⚠️ [WARNING] " . $message . "\n"; } private function error($message) { echo "❌ [ERROR] " . $message . "\n"; } } function showHelp() { echo " 📖 CVE-2025-37928 - Drone OS Kernel Panic Exploit (SIMULATION) ────────────────────────────────────────────────── 🛠️ Usage: php drone_exploit.php [OPTIONS] 📋 Options: --dry-run Show exploit details without execution --force Force simulation even if environment not suitable --cleanup-only Show cleanup simulation --verbose Enable detailed logging --help Show this help information 🎯 Examples: php drone_exploit.php --dry-run php drone_exploit.php --force php drone_exploit.php --cleanup-only ⚠️ IMPORTANT NOTES: • This is a SIMULATION only on Windows • Actual exploit requires Linux-based drone OS • Real exploitation causes kernel panic and system crash • Use only in controlled lab environments 🔧 Supported Platforms for Actual Exploitation: • Parrot QRD/Alpha-M drones (Linux) • DJI QRD/Alpha-M drones (Linux) • Systems with vulnerable kernels (5.10, 5.15, 6.0) \n"; } function parseArguments($argv) { $options = [ 'dry-run' => false, 'force' => false, 'cleanup-only' => false, 'verbose' => false ]; foreach ($argv as $arg) { switch ($arg) { case '--dry-run': $options['dry-run'] = true; break; case '--force': $options['force'] = true; break; case '--cleanup-only': $options['cleanup-only'] = true; break; case '--verbose': $options['verbose'] = true; break; case '--help': showHelp(); exit(0); } } return $options; } // Main execution if (php_sapi_name() !== 'cli') { die("❌ This script must be run from command line\n"); } try { global $argv; $options = parseArguments($argv); $exploit = new DroneKernelPanicExploit($options); $exploit->run(); } catch (Exception $e) { echo "❌ Fatal error: " . $e->getMessage() . "\n"; exit(1); } ?> Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================