Lucene search

K
kitploitKitPloitKITPLOIT:7878925794695346590
HistoryJan 24, 2021 - 8:30 p.m.

WSuspicious - A Tool To Abuse Insecure WSUS Connections For Privilege Escalations

2021-01-2420:30:00
www.kitploit.com
2064

7.5 High

CVSS3

Attack Vector

ADJACENT_NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

8.7 High

AI Score

Confidence

High

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.001 Low

EPSS

Percentile

33.7%

This is a proof of concept program to escalate privileges on a Windows host by abusing WSUS. Details in this blog post: <https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day/&gt; It was inspired from the WSuspect proxy project: <https://github.com/ctxis/wsuspect-proxy&gt;

Acknowledgements

Privilege escalation module written by Maxime Nadeau from GoSecure

Huge thanks to:

  • Julien Pineault from GoSecure and Mathieu Novis from ‎SecureOps for reviving the WSUS proxy attack
  • Romain Carnus from GoSecure for coming up with the HTTPS interception idea
  • Paul Stone and Alex Chapman from Context Information Security for writing and researching the original proxy PoC

Usage

The tool was tested on Windows 10 machines (10.0.17763 and 10.0.18363) in different domain environments.

Usage: WSuspicious [OPTION]...  
Ex. WSuspicious.exe /command:"" - accepteula - s - d cmd / c """"echo 1 &gt; C:\\wsuspicious.txt"""""" /autoinstall  
  
Creates a local proxy to intercept WSUS requests and try to escalate privileges.  
If launched without any arguments, the script will simply create the file C:\\wsuspicious.was.here  
  
/exe                The full path to the executable to run  
				    Known payloads are bginfo and PsExec. (Default: .\PsExec64.exe)  
/command            The command to execute (Default: -accepteula -s -d cmd /c ""echo 1 &gt; C:\\wsuspicious.was.here"")  
/proxyport          The port on which the proxy is started. (Default: 13337)  
/downloadport       The port on which the web server hosting the payload is started. (Sometimes useful    for older Windows versions)  
				    If not specified, the server will try to intercept the request to the legitimate server instead.  
/debug              Increase the verbosity of the tool  
/autoinstall        Start Windows updates automatically after the proxy is started.  
/enabletls          Enable HTTPS interception. WARNING. NOT OPSEC SAFE.   
				    This will prompt the user to add the certificate to the trusted root.  
/help               Display this help and exit  

Compilation

The ILMerge dependency can be used to compile the application into a standalone .exe file. To compile and compile the application, simply use the following command:

dotnet msbuild /t:Restore /t:Clean /t:Build /p:Configuration=Release /p:DebugSymbols=false /p:DebugType=None /t:ILMerge /p:TrimUnusedDependencies=true  

Download WSuspicious

7.5 High

CVSS3

Attack Vector

ADJACENT_NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

8.7 High

AI Score

Confidence

High

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.001 Low

EPSS

Percentile

33.7%

Related for KITPLOIT:7878925794695346590