Unauthenticated RCE in Windows Server Update Services (WSUS)

Repository contains a 4-step PowerShell exploit chain for CVE-2025-59287 (WSUS unauthenticated RCE) plus a README and gitignore. The workflow is: 1) 1-check.ps1 (vulnerability validation): Sends SOAP requests to WSUS endpoints to confirm (a) SimpleAuthWebService issues authorization cookies to anonymous clients and (b) ReportingWebService is reachable. If both succeed, target is considered vulnerable. 2) 2-generate.ps1 (payload generation): Uses a local ysoserial.net binary (ysoserial.exe) to generate a .NET BinaryFormatter deserialization payload using the RolePrincipal gadget chain, output as base64. Two modes are supported: - filedrop: executes cmd to write a proof file to C:\Windows\Temp\wsus_pwned.txt. - shell: builds a PowerShell TCP reverse shell to LHost:LPort, base64-encodes it, and wraps it in a hidden powershell.exe invocation. The resulting blob is saved to .\blob.txt. 3) 3-deliver.ps1 (unauthenticated delivery/injection): Performs the exploitation chain over SOAP: - Requests an anonymous auth token from /SimpleAuthWebService/SimpleAuth.asmx (GetAuthorizationCookie). - Exchanges it for a reporting session cookie via /ClientWebService/Client.asmx (GetCookie), extracting Expiration and EncryptedData. - Injects the serialized payload by calling /ReportingWebService/ReportingWebService.asmx (ReportEventBatch), embedding the base64 blob into the ReportingEvent ExtendedData MiscData field as SynchronizationUpdateErrorsKey. The script notes execution is triggered when WSUS console is opened or a sync runs. 4) 4-verify.ps1 (post-exploitation verification/cleanup): Confirms execution by checking for the proof file locally or via \\WSUS\C$ admin share. It also connects to the WSUS Windows Internal Database (SUSDB) via the named pipe np:\\.\pipe\MICROSOFT##WID\tsql\query to count injected events (EventID=389) and optionally deletes them and removes artifacts (proof file and blob.txt). Overall purpose: provide purple-team exercise scripts that demonstrate an unauthenticated network-based RCE against WSUS by abusing anonymously accessible SOAP services to plant a malicious BinaryFormatter payload into WSUS’s database, which later deserializes during console load/synchronization.

Repository is a small “PoC CVE collection” with 3 CVE folders referenced, but only CVE-2025-11953 contains actual exploit code in the provided archive (Python + Bash). The other two CVEs (CVE-2025-59287 WSUS deserialization RCE and CVE-2025-8941 Linux-PAM pam_namespace privesc) are documentation-only here (READMEs describe additional scripts like wsus-exploit.py/pam-exploit.c, but those files are not present in the provided file list). CVE-2025-11953 exploit purpose/structure: - Target: React Native Community CLI Metro development server exposing an `open-url` HTTP endpoint. - Primitive: unauthenticated network OS command injection by POSTing JSON to `/open-url` with a crafted `url` value. - Files: - `CVE-2025-11953/exploit-basic.sh`: minimal PoC that checks reachability (GET /) then POSTs to `$TARGET/open-url` with `{"url":"$COMMAND"}`; treats HTTP 200/204 as success. - `CVE-2025-11953/exploit-advanced.py`: a more featureful exploitation tool using `requests.Session()`. - `test_connectivity()` performs GET to base target URL. - `execute_command()` posts to `{target}/open-url` and supports OS selection; Windows wraps commands with `cmd /c`. - `upload_file()` reads a local file, base64-encodes it, and writes it to an arbitrary remote path via an inlined PowerShell `WriteAllBytes` command (Windows-only). - `get_reverse_shell()` sends an inlined PowerShell reverse shell that connects back to attacker-supplied `--lhost` and `--lport` (default 4444). Output is effectively blind (no command output parsing), consistent with the README warning. Notable fingerprintable network targets/endpoints: - HTTP endpoint `/open-url` on the Metro server (commonly port 8081) is the key exploit surface. - Reverse shell callback is to attacker-controlled TCP `lhost:lport` (default port 4444). Overall, this repo is primarily an operational RCE PoC/tooling for CVE-2025-11953, packaged alongside documentation for two additional CVEs that are not actually implemented in the provided code snapshot.

Repository contains a single PowerShell exploit script (WSUS-CVE-2025-59287.ps1) plus a minimal README. Core capability: network-based RCE against a WSUS server by interacting with WSUS SOAP .asmx services to obtain required identifiers/cookies and then delivering a .NET BinaryFormatter deserialization payload. The payload ultimately runs a hidden PowerShell command that establishes an interactive TCP reverse shell to an operator-controlled host/port. High-level flow implemented in the script: - New-Payload: builds a PowerShell TCP reverse shell one-liner, base64-encodes it (Unicode), and uses a local ysoserial.net binary (./ysoserial/ysoserial.exe) to wrap it into a BinaryFormatter payload using the RolePrincipal gadget chain. - Get-ServerId: POSTs SOAP to /ReportingWebService/ReportingWebService.asmx (GetRollupConfiguration) and parses the ServerId from the XML response. - Get-AuthCookie: POSTs SOAP to /SimpleAuthWebService/SimpleAuth.asmx (GetAuthorizationCookie) using ServerId and a provided dnsName/computer object, extracting CookieData. - Get-ReportingCookie: POSTs SOAP to /ClientWebService/Client.asmx (GetCookie) using the authorization cookie to obtain another cookie used for subsequent actions. - Invoke-Exploit (present but truncated in provided content): uses the reporting cookie and serialized payload to deliver the exploit; Invoke-Script orchestrates the full chain and prints success indicators including eventInstanceId and targetSid. Notable observables/endpoints: - WSUS SOAP endpoints: /ReportingWebService/ReportingWebService.asmx, /SimpleAuthWebService/SimpleAuth.asmx, /ClientWebService/Client.asmx over HTTP (default port 8530). - Reverse shell callback: configurable $ncHost/$ncPort (example 10.0.0.100:4444). - Local dependency: ./ysoserial/ysoserial.exe. Overall purpose: provide an operational PoC-style exploit that automates pre-exploitation SOAP interactions and delivers a deserialization-based payload to gain a remote shell on a WSUS server.

Repository contains a single Python exploit script (CVE-2025-59287.py) plus a short README with references. The script is an operational remote-code-execution exploit targeting Microsoft WSUS/SCCM WSUS web services via SOAP. It (1) generates a .NET deserialization payload on the fly by invoking a local ysoserial.net binary (ysoserial.exe) using the DataSet gadget and SoapFormatter, embedding an attacker-supplied command; (2) interacts with WSUS SOAP endpoints to obtain required identifiers/cookies (ServerId via ReportingWebService.asmx, AuthorizationCookie via SimpleAuth.asmx, then a reporting cookie via Client.asmx); and (3) submits a malicious event (function shown as send_malicious_event in the script, truncated in provided content) that carries the serialized payload, resulting in command execution on the WSUS server. The exploit is network-based, uses requests with TLS verification disabled, and is driven via CLI arguments: target URL, command, and optional ysoserial.exe path.

This repository is a proof-of-concept exploit for CVE-2025-59287, a critical remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS) due to unsafe .NET deserialization. The repository contains four files: a README.md with usage and vulnerability details, encypt.py (helper for preparing payloads), exp.py (the main exploit script), and payload.txt (for user-supplied payloads). The main exploit logic is in exp.py, which checks for the presence of WSUS SOAP endpoints on a target server, loads a .NET BinaryFormatter payload (either from payload.txt or a default benign payload), crafts a malicious SOAP request embedding the payload, and sends it to the WSUS server's /ApiRemoting30/WebService.asmx endpoint. If the server is vulnerable, the payload is deserialized and executed as SYSTEM. The exploit is network-based and requires only the target's URL and network access. The payload is customizable, allowing arbitrary code execution. The code is a proof-of-concept and does not include weaponized features such as automated callback verification or post-exploitation modules.

This repository is a Python-based exploitation toolkit for CVE-2025-59287, a remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS). The toolkit consists of two main modules: 1. cve-2025-59287-encr.py: An encryption utility that generates AES-encrypted, .NET-serialized payloads containing arbitrary system commands. It supports both legacy and secure encryption modes and allows for custom keys and output files. 2. cve-2025-59287-exp.py: The main exploit module, which targets a specified WSUS server (typically on port 8530) and delivers the encrypted payload via a crafted SOAP request to the WSUS ReportingWebService endpoint. It includes robust error handling, retry logic, and user-agent rotation to evade detection. The exploit can use a default or custom payload and provides options for timeout and retries. The exploit achieves remote code execution on the WSUS server by leveraging the vulnerability to execute arbitrary commands provided by the attacker. The README provides detailed usage instructions, including example commands and options. The repository is structured with clear separation between payload generation and exploitation logic, and includes a requirements.txt for dependencies. No hardcoded IPs or domains are present in the code, but several example endpoints are provided in the documentation. The exploit is operational and suitable for authorized penetration testing or research in controlled environments.

This repository provides a Python proof-of-concept (PoC) exploit for CVE-2023-35317 and CVE-2025-59287, which are deserialization vulnerabilities in Microsoft Windows Server Update Services (WSUS). The main exploit logic is contained in 'PoC.py', which orchestrates a multi-step SOAP-based attack against a target WSUS server. The exploit works by first obtaining a ServerId and authorization cookie from the WSUS server using crafted SOAP requests to specific endpoints. It then sends a malicious payload (either built-in or user-supplied, generated via ysoserial.net) to the server, exploiting the deserialization flaw to achieve remote code execution. The payload is typically a .NET gadget chain that can execute arbitrary commands on the server. The exploit can be triggered automatically or manually (e.g., when the WSUS console is opened), depending on the CVE targeted. The repository includes a README with detailed usage instructions and example commands. No hardcoded IPs or domains are present, but the exploit targets specific WSUS SOAP endpoints, making them fingerprintable. The code is a functional PoC and not weaponized for mass exploitation.

This repository is a PoC collection for several recent critical CVEs, with a focus here on CVE-2025-11953 (React Native Community CLI Metro Development Server RCE). The exploit targets the '/open-url' HTTP endpoint exposed by the Metro server, which is vulnerable to OS command injection due to unsanitized input passed to the Node.js 'open' package. The repository includes both a simple Bash PoC (exploit-basic.sh) and a full-featured Python exploitation framework (exploit-advanced.py). The Python tool supports single command execution, interactive mode, reverse shell deployment (PowerShell for Windows), and file upload (Windows). The exploit is operational and can be used against Windows, Linux, and MacOS targets, provided the vulnerable Metro server is accessible over the network. The main attack vector is unauthenticated network access to the Metro server's '/open-url' endpoint (typically on port 8081). The repository is well-documented, with detailed usage instructions, mitigation advice, and detection guidance. No hardcoded IPs or domains are present; the exploit is designed to be used against user-specified targets.

This repository is a proof-of-concept exploit for CVE-2025-59287, a critical remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS) due to unsafe deserialization of .NET objects. The repository contains four files: README.md (usage and background), encypt.py (prepares/encrypts payloads to mimic WSUS expected format), exp.py (main exploit script that crafts and sends SOAP requests to WSUS endpoints), and payload.txt (holds the base64-encoded .NET payload). The exploit works by sending a specially crafted SOAP request containing a malicious serialized object to the WSUS ReportingWebService endpoint, which, if vulnerable, will deserialize and execute the payload as SYSTEM. The code is written in Python and is structured for educational and demonstration purposes, with clear separation between payload preparation and exploitation logic. The endpoints targeted are typical WSUS SOAP web services, and the exploit is network-based, requiring only access to the WSUS server's HTTP(S) interface.

This repository is a comprehensive proof-of-concept (PoC) exploit for CVE-2025-59287, a critical unauthenticated remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS). The exploit targets a deserialization flaw in the GetCookie() SOAP endpoint, which processes attacker-controlled, encrypted AuthorizationCookie data using .NET's BinaryFormatter without proper validation. The repository contains: - `wsus_exploit.py`: The main exploit script, written in Python, which sends a malicious SOAP request to the vulnerable WSUS endpoint. It can either encrypt a provided payload or use a pre-encrypted AuthorizationCookie. - `BinaryFormatterPayloadGenerator.cs`: A C# tool that generates a BinaryFormatter payload using the ObjectDataProvider gadget chain to execute arbitrary commands on the target system. The payload is output as a binary file and optionally as base64. - `encrypt_payload.py`: A Python script to encrypt the generated payload to match the WSUS AuthorizationCookie format. The script uses a placeholder key; real-world exploitation requires extracting the actual key from the target WSUS binaries. - `compile_payload_generator.bat`: A Windows batch script to compile the C# payload generator. - `requirements.txt`: Lists Python dependencies (requests, pycryptodome, urllib3). - `README.md`: Extensive documentation covering vulnerability details, exploitation workflow, key extraction instructions, detection guidance, and legal notice. The exploit workflow is: (1) generate a malicious .NET payload, (2) encrypt it as a WSUS AuthorizationCookie, and (3) send it to the vulnerable GetCookie() endpoint on the target WSUS server (typically on ports 8530/8531). If successful, this results in unauthenticated SYSTEM-level code execution. The repository is well-structured, with clear separation of payload generation, encryption, and exploitation logic. No hardcoded IPs or domains are present; the exploit is designed to be used against arbitrary WSUS targets specified by the user. The PoC is not weaponized (encryption key must be extracted by the user), but demonstrates a full attack chain for authorized testing and research.

This repository provides an exploit for CVE-2025-59287, a vulnerability in Microsoft WSUS that allows remote code execution via a logic flaw in WSUS components. The exploit works by sending a crafted payload (using ysoserial.net) to the target WSUS server, which, when the WSUS management console is opened by an administrator, triggers the injection of a memory-resident webshell (WolfShell) or an ASPX webshell. The payloads are provided as serialized .NET objects in the files 'wolfshell.txt' (memory shell), 'wolfaspx.txt' (ASPX webshell), and 'allow7556.txt' (firewall rule to open port 7556). The README.md contains detailed usage instructions, example commands, and screenshots demonstrating successful exploitation and shell access. The exploit enables persistent remote access and arbitrary command execution on the target server. The repository is structured with a README and three payload files, and is intended for security research and defense purposes.

This repository contains a PowerShell proof-of-concept exploit for CVE-2025-59287, a remote code execution vulnerability in Microsoft WSUS (Windows Server Update Services). The main script, wsus-rce.ps1, automates the exploitation process by interacting with several WSUS SOAP web service endpoints to obtain necessary authentication tokens and then delivers a malicious serialized .NET payload (generated using ysoserial.net) to the server. The payload is a PowerShell-encoded reverse shell that connects back to the attacker's machine. The exploit is triggered when the WSUS console is opened, at which point the reverse shell is executed. The README provides usage instructions and notes that the exploit was tested on Windows Server 2022 with WSUS version 10.0.20348.1. The repository structure is simple, with the main exploit logic contained in a single PowerShell script, and no extraneous files beyond a README and .gitignore.

This repository contains a fully automated exploit for CVE-2025-59287, a critical unauthenticated remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS). The main file, CVE-2025-59287.py, is a Python 3 script that orchestrates the attack. It auto-downloads the ysoserial.NET tool (from a GitHub release) to generate a malicious .NET payload, which is then encrypted using hardcoded WSUS AES keys. The exploit crafts a SOAP request and sends it to the WSUS ClientWebService endpoint (typically at http://target:8530/ClientWebService/Client.asmx), triggering code execution on the server. The payload is a PowerShell reverse shell that connects back to the attacker's specified IP and port, granting SYSTEM-level access. The script includes a built-in listener for the reverse shell, but can also be used with an external listener (e.g., netcat). The repository also includes a README.md with detailed usage instructions and a requirements.txt listing Python dependencies. The exploit is operational and provides a working RCE chain, but is not part of a larger framework.

This repository contains a Python exploit for CVE-2025-59287, a critical remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS). The exploit targets the GetCookie() endpoint, which is vulnerable to unsafe deserialization of AuthorizationCookie objects. The repository consists of two files: a README.md that explains the vulnerability and a Python script (cve-2025-59287-exp.py) that automates the exploitation process. The script interacts with several WSUS SOAP endpoints, including /SimpleAuthWebService/SimpleAuth.asmx, /ReportingWebService/ReportingWebService.asmx, and /ClientWebService/Client.asmx, to obtain necessary cookies and send a malicious payload. If successful, the exploit achieves remote code execution as SYSTEM on the target WSUS server. The code is operational and automates the full exploitation chain, requiring only the target URL as input.