Share
## https://sploitus.com/exploit?id=98624DFB-C9FB-5171-A18F-2863ECB0C5DD
# CVE-2025-5688 โ€“ FreeRTOS-Plus-TCP Out-of-Bounds Write Exploit

[![CVE-2025-5688](https://img.shields.io/badge/CVE-2025--5688-red?style=for-the-badge&logo=cve)](https://nvd.nist.gov/vuln/detail/CVE-2025-5688)
[![CVSS 8.4 High](https://img.shields.io/badge/CVSS-8.4-red?style=for-the-badge)](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H)
[![Python 3](https://img.shields.io/badge/python-3.6+-blue?style=for-the-badge&logo=python)](https://www.python.org/)
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg?style=for-the-badge)](https://opensource.org/licenses/MIT)
[![Tested on IoT](https://img.shields.io/badge/Tested%20on-Sonoff%20RF%20Bridge-orange?style=for-the-badge)](https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/security/advisories/GHSA-5x4f-fvv8-wr65)

**Remote memory corruption / DoS / potential RCE trigger** in FreeRTOS-Plus-TCP when processing overly long DNS names in LLMNR or mDNS queries (Buffer Allocation Scheme 1).

> **Exploit Author:** Mohammed Idrees Banyamer  
> **Country:** Jordan  
> **Instagram:** [@banyamer_security](https://www.instagram.com/banyamer_security/)  
> **Date:** December 26, 2025

## Overview

This PoC sends a specially crafted UDP multicast packet containing an excessively long DNS name to trigger an **out-of-bounds write (CWE-787)** in vulnerable versions of **FreeRTOS-Plus-TCP** (v2.3.4 โ€“ v4.3.1 with LLMNR/mDNS + Scheme 1).

Common symptoms on affected devices:
- Immediate crash / reboot
- Watchdog reset
- LED blink loop / freeze
- In rare memory-layout cases โ†’ possible code execution

**Affected Devices (examples)**  
- Sonoff RF Bridge (unpatched firmware)  
- Many cheap IoT gateways, bridges, embedded controllers using FreeRTOS-Plus-TCP

**Fixed in:** FreeRTOS-Plus-TCP 4.3.2 (strict length validation added)

**References**  
- [AWS Security Bulletin AWS-2025-012](https://aws.amazon.com/security/security-bulletins/AWS-2025-012/)  
- [GitHub Advisory GHSA-5x4f-fvv8-wr65](https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/security/advisories/GHSA-5x4f-fvv8-wr65)  
- [NVD CVE-2025-5688](https://nvd.nist.gov/vuln/detail/CVE-2025-5688)

## Attack Flow Diagram
```mermaid
graph TD
    A[Attacker on same LAN] -->|"1. Craft oversized DNS name"| B["`UDP Packet
long QNAME (~500+ bytes)`"]
    B -->|"2. Send to multicast"| C{Target Protocol}
    C -->|LLMNR| D[224.0.0.252:5355]
    C -->|mDNS| E[224.0.0.251:5353]
    D --> F["`FreeRTOS-Plus-TCP
LLMNR/mDNS Parser`"]
    E --> F
    F -->|"No length check + Scheme 1"| G[Fixed-size buffer overflow]
    G --> H["`Out-of-bounds Write
CWE-787`"]
    H --> I{Outcome}
    I -->|"Common"| J[Crash / Reboot / Watchdog]
    I -->|"Memory layout dependent"| K[Potential RCE / Code Execution]
    I -->|"Data after buffer"| L[Memory corruption / Info leak]

```
## Requirements

- Python 3.6+
- Standard library only (`socket`, `sys`) โ€“ no external packages

## Usage

```bash
# LLMNR attack (default multicast)
python3 exploit.py LLMNR

# mDNS attack
python3 exploit.py mDNS

# Custom multicast IP (rarely needed)
python3 exploit.py LLMNR 224.0.0.252
python3 exploit.py mDNS 224.0.0.251
```

**Expected output:**
```
[+] Sending 523-byte LLMNR query โ†’ target 224.0.0.252:5355
[+] Sent. Watch for immediate crash, reboot, LED blink loop, or freeze.
```

## How to Test Safely

1. Use a **vulnerable** Sonoff RF Bridge or custom FreeRTOS device in an **isolated lab network**.
2. Confirm LLMNR/mDNS is enabled (UDP 5355 or 5353 open).
3. Run the script from another machine on the same LAN.
4. Observe crash/reboot within seconds.

## Disclaimer โ€“ Legal & Ethical Notice

> This code is provided **for educational, research, and vulnerability demonstration purposes only**.  
> Do **NOT** use this exploit against any system or network without explicit written permission from the owner.  
> Unauthorized use may violate laws (computer fraud & abuse acts, etc.).  
> The author is **not responsible** for any misuse or damage.

## License

MIT License โ€“ see [LICENSE](LICENSE) file (or add one if missing).

---