This is a proof of concept program to escalate privileges on a Windows host by abusing WSUS. Details in this blog post: https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day/ It was inspired from the WSuspect proxy project: https://github.com/ctxis/wsuspect-proxy
AcknowledgementsPrivilege escalation module written by Maxime Nadeau from GoSecure
Huge thanks to:
Julien Pineault from GoSecure and Mathieu Novis from SecureOps for reviving the WSUS proxy attack
Romain Carnus from GoSecure for coming up with the HTTPS interception idea
Paul Stone and Alex Chapman from Context Information Security for writing and researching the original proxy PoC
UsageThe tool was tested on Windows 10 machines (10.0.17763 and 10.0.18363) in different domain environments.
Usage: WSuspicious [OPTION]...Ex. WSuspicious.exe /command:"" - accepteula - s - d cmd / c """"echo 1 > C:\wsuspicious.txt"""""" /autoinstallCreates a local proxy to intercept WSUS requests and try to escalate privileges.If launched without any arguments, the script will simply create the file C:\wsuspicious.was.here/exe The full path to the executable to runKnown payloads are bginfo and PsExec. (Default: .PsExec64.exe)/command The command to execute (De ..
Support the originator by clicking the read the rest link below.
