# WSUS-CVE-2025-59287-RCE
This is an exploit script written in C# to aid in gaining a reverse shell on targets running Windows Server Update Services (WSUS) vulnerable to CVE-2025-59287. It delivers a reverse shell payload through an encrypted SOAP request.
CVE-2025-59287 is a **critical (CVSS 9.8)** unauthenticated remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS) that has been exploited in the wild. It affects Windows Server hosts with the WSUS server role enabled. The root cause is insecure deserialization in the GetCookie() endpoint: the server decrypts the client-supplied AuthorizationCookie and deserializes the result with BinaryFormatter, so an unauthenticated attacker who can reach the WSUS ports (8530/8531 by default) can execute arbitrary code with SYSTEM privileges.
## Usage
This reverse shell PoC is easy to use. It accepts a target URL, attacker IP, and port, then constructs, encrypts, and sends the malicious payload. To catch the reverse shell, use a listener such as netcat, e.g. `nc -lvnp 4444`.
1. Compile it (on non-Windows hosts you can use Mono: https://github.com/mono/mono)
2. Start listener; example via netcat: `nc -lvnp 4444`
3. Run the executable
4. Follow the prompts to enter: Target, LIP (listener IP), LPORT (listener port)
5. Profit.
## Exploitation workflow
1. **Payload generation**: A PowerShell reverse shell command is generated from the supplied LIP and LPORT.
2. **Serialization**: The command is wrapped in a serialized .NET object via [ysoserial.net](https://github.com/pwntester/ysoserial.net) using the `TypeConfuseDelegate` gadget (BinaryFormatter output).
3. **Encryption**: The serialized payload is encrypted with AES-128-CBC using a fixed key and a randomly generated salt.
4. **Encoding**: The encrypted bytes are base64-encoded.
5. **SOAP request construction**: The encoded payload is embedded in a SOAP envelope as the `AuthorizationCookie` data.
6. **Transmission**: The SOAP request is sent to the target's WSUS GetCookie endpoint.
7. **Outcome (hopefully)**: If everything went well, the server decrypts and deserializes the payload, the gadget chain runs the PowerShell command, and a SYSTEM reverse shell connects back to the listener.
# Disclaimer
Always MAKE SURE YOU HAVE **WRITTEN** authorization before testing exploits like this. Use responsibly and legally!