GoSecure / pywsus

Standalone implementation of a part of the WSUS spec. Built for offensive security purposes.
https://gosecure.net/blog/
MIT License

Code 501, message Unsupported method ('HEAD') #1

Closed bokandbok closed 3 years ago

bokandbok commented 4 years ago

Hi, I have tested pywsus on Kali. The Windows platform is Windows 7. The pywsus Python server responded with the following error message:

```
192.168.124.160 - - [10/Sep/2020 04:51:09] code 501, message Unsupported method ('HEAD')
192.168.124.160 - - [10/Sep/2020 04:51:09] "HEAD /selfupdate/wuident.cab?2009100851 HTTP/1.1" 501 -
INFO:root:Requested: /selfupdate/wuident.cab?2009100851
192.168.124.160 - - [10/Sep/2020 04:51:09] "GET /selfupdate/wuident.cab?2009100851 HTTP/1.1" 200 -
```

```
Exception happened during processing of request from ('192.168.124.160', 49164)
Traceback (most recent call last):
  File "/usr/lib/python2.7/SocketServer.py", line 293, in _handle_request_noblock
    self.process_request(request, client_address)
  File "/usr/lib/python2.7/SocketServer.py", line 321, in process_request
    self.finish_request(request, client_address)
  File "/usr/lib/python2.7/SocketServer.py", line 334, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python2.7/SocketServer.py", line 657, in __init__
    self.finish()
  File "/usr/lib/python2.7/SocketServer.py", line 716, in finish
    self.wfile.close()
  File "/usr/lib/python2.7/socket.py", line 283, in close
    self.flush()
  File "/usr/lib/python2.7/socket.py", line 307, in flush
    self._sock.sendall(view[write_offset:write_offset+buffer_size])
error: [Errno 32] Broken pipe
```

obilodeau commented 4 years ago

Can you try with Python 3 instead of Python 2 please?

bokandbok commented 4 years ago

Good morning, I have tested again, running the pywsus server with Python 3 on a Windows platform (instead of Kali). There is no exception in pywsus this time, but I still couldn't seem to get it to work with Windows 7 (which is the WSUS client). The pywsus server does not respond to the "GET /selfupdate/wuident.cab" and immediately disconnects the HTTP session. What is the expected behaviour? Can wsus support targeting Windows 7 wsus client?

MaxNad commented 4 years ago

Hi,

Our initial goal was to make the tool work on Windows 10 targets. Currently, pywsus doesn't support Windows 7 targets at the moment. I have found the problem and started looking into it.

However, due to Microsoft licensing issues, it will require a bit more configuration on your end.

bokandbok commented 4 years ago

Hi,

1) Noted on the limitation. It will be great if the tool can be extended to support Windows 7 & above.

2) On a side note, I have tested with Windows 10 x64 build 14393. I have managed to trigger and intercept the "GetExtendedUpdateInfo" call from the WSUS client. Pywsus correctly returned the tampered metadata, and subsequently the Win10 WSUS client attempted to download the payload (psexec) with the HTTP HEAD method. The pywsus server replied with HTTP error code 501, and the Win10 WSUS client does not seem to switch to the HTTP GET method to download the payload (status: seemed to have hung at KB1234567).

```
1.1.1.1 - - [12/Sep/2020 23:47:06] "HEAD /039ec661-e303-460a-b42a-36ac566069 8f/psexec.exe HTTP/1.1" 501 -
1.1.1. - - [12/Sep/2020 23:47:06] code 501, message Unsupported method ('HEAD')
```

MaxNad commented 4 years ago

Thank you for the info.

I made some changes in the https://github.com/GoSecure/pywsus/tree/win7_support branch. It should make it work with Windows 7 + partially fix your HEAD problem.

I had very little time to test it and will merge it whenever I can get through a whole round of testing successfully. So if you need to use it in the meantime, keep in mind that it is a work in progress.

bokandbok commented 4 years ago

Hi, thanks for the quick follow-ups. The new version still doesn't fix the HTTP HEAD problem. The pywsus server responded with HTTP 200, but does not serve the content of the requested payload. The WSUS client somehow keeps sending HTTP HEAD requests repeatedly. In your test, does the WSUS client use HTTP GET to request the payload?
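Added example, not part of the thread and not pywsus code: Python's `http.server` answers any method that has no matching `do_<METHOD>` handler with 501, which is the `Unsupported method ('HEAD')` line in the logs above, while a handler with `do_HEAD` returns the GET status and headers and, by definition, no body. The handler classes, the `probe` helper, the path and the sample bytes are constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

BODY = b"constructed sample file contents"  # constructed stand-in for a served file


class GetOnlyHandler(BaseHTTPRequestHandler):
    """Defines do_GET only, so http.server rejects HEAD with 501."""

    def _send_headers(self):
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(BODY)))
        self.end_headers()

    def do_GET(self):
        self._send_headers()
        self.wfile.write(BODY)

    def log_message(self, fmt, *args):
        pass  # keep the demonstration quiet


class HeadAwareHandler(GetOnlyHandler):
    """Adds do_HEAD: same status line and headers as GET, no body."""

    def do_HEAD(self):
        self._send_headers()


def probe(handler_cls, method, path="/sample.bin"):
    """Run a throwaway loopback server, send one request and return
    (status, Content-Length header, number of body bytes received)."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request(method, path)
        resp = conn.getresponse()
        result = (resp.status, resp.getheader("Content-Length"), len(resp.read()))
        conn.close()
        return result
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for cls in (GetOnlyHandler, HeadAwareHandler):
        for method in ("HEAD", "GET"):
            print(cls.__name__, method, probe(cls, method))
```

A 200 response to HEAD with an empty body is therefore correct HTTP behaviour; the headers, `Content-Length` in particular, are what the client gets from it.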

MaxNad commented 4 years ago

I tried debugging a bit more, but the machines I have set up in my lab either accept the HEAD requests and keep the process going or simply do not do any HEAD requests.

Would you mind giving a bit more information (exact Windows target version, MitM tool used, is the traffic redirected via an HTTP proxy or TCP proxy, have you applied KB4577049 on the target, etc.) so we can try to recreate the problem?

bokandbok commented 4 years ago

Hi, below are the details of my testcase:

1) My Windows 10 build is 10.0.18362 N/A Build 18362
2) For the MITM portion, I actually use the Windows HOST file to point the Windows 10 machine (WSUS client) to the pywsus server
3) Can the test Windows 10 machine be a fresh install without any updates, or does it need to have some prior updates installed before it can work properly with the pywsus server?

obilodeau commented 4 years ago

You say a fresh install but is it a fresh install domain-joined with WSUS activated? These vulnerabilities require WSUS, not just regular Windows Updates. Thanks for clarifying.

bokandbok commented 4 years ago

Hi, yes. The workstation is joined to the domain and configured with an internal WSUS server.