#!/usr/bin/env python3 """ Safe Vulnerability Checker for CVE-2026-12485 (GeoVision GV-I/O Box 4E DVRSearch) This script sends a benign UDP probe to port 10001 to: 1. Detect if the DVRSearch service is running. 2. Check basic response behavior. 3. Perform a **safe** length test (does NOT trigger the overflow). WARNING: - This is for authorized testing only on systems you own/control. - Do not use on production systems without permission. - The real vulnerability can lead to RCE/crash with longer payloads. """ import socket import sys import argparse import time def send_probe(target_ip, port=10001, timeout=3): """Send a safe probe and observe response.""" try: sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.settimeout(timeout) # Safe probe: CMD_IP_SET like structure with short/normal data # Based on public vulnerability details (small payload) probe = bytearray([0x00, 0x00, 0x00, 0x01]) # Example command header (CMD_IP_SET guess) probe += b"192.168.1.100" # Short IP probe += b"\x00" * 20 # Padding print(f"[+] Sending safe probe to {target_ip}:{port} ...") sock.sendto(probe, (target_ip, port)) try: data, addr = sock.recvfrom(2048) print(f"[+] Received response ({len(data)} bytes) from {addr}") print(f"[+] Service appears active. Response preview: {data[:64]}...") return True, data except socket.timeout: print("[-] No response received (timeout). Service may not be listening or filtered.") return False, None except Exception as e: print(f"[-] Error: {e}") return False, None finally: sock.close() def safe_length_test(target_ip, port=10001, timeout=3): """Send incrementally larger but still safe payloads (well below overflow threshold).""" print("\n[+] Performing safe length test (non-crashing)...") sizes = [50, 100, 200, 400] # Conservative sizes for size in sizes: try: sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.settimeout(timeout) payload = b"A" * size header = bytearray([0x00, 0x00, 0x00, 0x01]) probe = header + payload print(f" Testing payload size: {len(probe)} bytes...") sock.sendto(probe, (target_ip, port)) try: data, _ = sock.recvfrom(2048) print(f" [+] Size {len(probe)} -> Response received ({len(data)} bytes)") except socket.timeout: print(f" [-] Size {len(probe)} -> No response") time.sleep(0.5) except Exception as e: print(f" [!] Error on size {size}: {e}") finally: sock.close() def main(): parser = argparse.ArgumentParser(description="Safe CVE-2026-12485 Checker") parser.add_argument("target", help="Target IP address") parser.add_argument("-p", "--port", type=int, default=10001, help="UDP port (default: 10001)") parser.add_argument("--length-test", action="store_true", help="Run safe length test") args = parser.parse_args() print("=" * 60) print("Safe CVE-2026-12485 (GV-I/O Box 4E DVRSearch) Checker") print("=" * 60) print(f"Target: {args.target}:{args.port}") print("This script does NOT exploit the vulnerability.\n") active, _ = send_probe(args.target, args.port) if active and args.length_test: safe_length_test(args.target, args.port) print("\n" + "=" * 60) print("Recommendation:") print("- If service responds → Update firmware immediately (GV-IOBOX_2026-06-01).") print("- Block UDP/10001 from untrusted sources.") print("- Full advisory: https://talosintelligence.com/vulnerability_reports/TALOS-2026-2377") print("=" * 60) if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python3 CVE-2026-12485-check.py [--length-test]") sys.exit(1) main()