Pre-auth OS Command Injection RCE in BeyondTrust Remote Support and PRA
CVE-2026-1731 is a critical pre-authentication remote code execution vulnerability in BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA). The flaw is described as an operating system command injection issue in the thin-scc-wrapper component, which is exposed directly to the network via WebSocket and can be triggered by sending specially crafted requests. Successful exploitation allows an unauthenticated remote attacker to execute arbitrary operating system commands in the context of the site user. Reported affected versions include BeyondTrust Remote Support 25.3.1 and earlier and BeyondTrust Privileged Remote Access 24.3.4 and earlier.
Exploits
4 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (6 hidden).
This repository is a small Python proof-of-concept exploit for BeyondTrust Remote Support CVE-2026-1731, described in the README as a pre-auth RCE. The repository contains only two files: a README with usage notes and a single executable script, poc.py, which is the main entry point. The exploit workflow is straightforward: it loads target hosts from d0mains.txt, queries each host at /get_portal_info over HTTPS first and HTTP second, and parses the returned content for a company identifier using the regex company=([^;]+). That extracted value is then inserted into an X-Ns-Company header for a WebSocket connection to wss://<target>:443/nw. The script uses an external websocat binary, launched through /bin/bash, to send a crafted multi-line message containing hax[$(<payload>)] where the default payload is nslookup XXXXXXXXXXXXXXXXXXX.oast.fun. This indicates the exploit is attempting command injection leading to pre-auth remote code execution, with success verified through an out-of-band DNS lookup. Structurally, the code is minimal but functional: start_audit() orchestrates target iteration, get_meta() performs endpoint discovery, grab_id() extracts the organization/company token, trigger_ws() builds and sends the malicious WebSocket request, and load_list() reads the target file. The script disables TLS verification warnings and uses requests for HTTP(S) discovery, asyncio for orchestration, and subprocess to invoke websocat. Because it includes an actual command payload and performs exploitation rather than mere detection, it is best classified as an operational PoC rather than a simple scanner.
This repository is a small standalone Python exploit project with 2 files: a README and a single executable script, exploit.py. It targets CVE-2026-1731, described as a pre-auth command injection / RCE issue in BeyondTrust Remote Support and Privileged Remote Access. The exploit is not part of a larger framework.

Repository structure and purpose:
- README.md: documents the vulnerability, affected versions, setup steps, example payloads, and expected usage flow.
- exploit.py: main exploit implementation and likely sole entry point.

Exploit workflow in the Python script:
1. Checks local dependencies, especially the presence of the external websocat binary and the requests Python module.
2. Reads targets from domains.txt.
3. For each target, probes both HTTPS and HTTP versions of /get_portal_info.
4. Parses the response body to extract a company identifier using regex patterns.
5. Performs a quick vulnerability check (the code is truncated, but the script clearly includes such a step).
6. Launches a WebSocket-based exploitation action using asyncio and websocat to deliver the attacker-controlled command.
7. Processes multiple targets concurrently with a ThreadPoolExecutor.

Main exploit capabilities:
- Unauthenticated network targeting of multiple hosts.
- Automatic target probing over HTTP/HTTPS.
- Extraction of target-specific metadata needed for exploitation.
- WebSocket-driven command execution path.
- Configurable payload via the CMD variable.
- Supports blind OOB verification, exfiltration, or reverse shell style commands depending on operator customization.

Notable implementation details:
- SSL verification is disabled, which helps against self-signed appliance certificates.
- Default payload is a DNS lookup to an OAST domain, indicating the author expects blind RCE validation.
- The script includes operator confirmation before launching attacks and basic colored console output.
- Because exploitation depends on an external binary and target-specific WebSocket behavior, this is best classified as an operational PoC rather than a highly polished weaponized tool.

Overall, this is a real exploit script intended to achieve pre-auth remote command execution against vulnerable BeyondTrust RS/PRA deployments, not merely a detector or README-only repository.
Repository is a Rust-based, concurrent “Blind RCE PoC” for CVE-2026-1731 targeting BeyondTrust Privileged Remote Access (<= 24.3.4) and BeyondTrust Remote Support (<= 25.3.1) per README.

Structure:
- Cargo.toml: Rust project config; uses tokio async runtime, reqwest for HTTP, tokio-tungstenite for WebSockets, native-tls for TLS, clap for CLI, tracing for logging.
- src/main.rs: CLI parsing and orchestration. Reads targets from a file (default `targets.txt`), normalizes to https:// if no scheme, deduplicates by scheme/host/port, and runs exploitation concurrently (default 50). Initializes a reqwest client with invalid certs accepted and a fixed 10s timeout.
- src/target.rs: Implements Target logic.
  1) Recon/priming step: HTTP GET to `/get_portal_info` and regex extraction of `company=([^;]+)` from the response body. This “company” value is stored and used as a required identifier.
  2) Exploitation step: Opens a raw TCP connection to host:port (TLS-wrapped if scheme is https), performs a manual WebSocket handshake to `GET /nw` including headers `X-Ns-Company: <company>` and `Sec-WebSocket-Protocol: ingredi support desk customer thin`. After receiving `101 Switching Protocols`, it sends a crafted binary WebSocket message containing `hax[$(<command>)]...` which is intended to trigger command execution on the server via command substitution. The tool then reads and prints any returned WebSocket data until close/error.

Overall capability: network-based remote command execution against vulnerable servers, with a preliminary HTTP request used to extract a required tenant/company identifier before sending the WebSocket payload.
Repository purpose: a Python proof-of-concept exploit for CVE-2026-1731 (BeyondTrust RS/PRA) achieving pre-auth remote command execution via a WebSocket-reachable endpoint.

Structure:
- README.md: explains the vulnerability mechanism (bash arithmetic/expression evaluation on attacker-controlled remoteVersion during WebSocket handshake), setup steps, and how to set the command payload.
- DISCLAIMER.md: legal/ethical use disclaimer.
- exploit.py: the actual exploit automation.

Exploit flow (exploit.py):
1) Reads targets from `domains.txt`.
2) For each domain, requests `/get_portal_info` over HTTP then HTTPS (3s timeout, TLS verification disabled) and, on HTTP 200, parses `company=...` from the response.
3) Builds a command string that pipes a crafted multi-line payload into `websocat` connecting to `wss://<domain>:443/nw` using the subprotocol string `ingredi support desk customer thin` and header `X-Ns-Company: <company>`.
4) The crafted payload embeds `hax[$(CMD)]0`-style bash expression injection (implemented as `hax[\$({CMD})]`) intended to trigger command execution on the server during evaluation.
5) Runs the websocat invocation via `bash -c` and prints stdout/stderr.

Key capabilities:
- Pre-auth RCE against the BeyondTrust WebSocket service.
- Batch targeting via a domains list.
- OAST-friendly verification by default (nslookup to an oast.fun domain), with user-configurable command via the `CMD` constant.

Notable operational details/risks:
- Uses `subprocess.Popen(["bash","-c", ...])` to run a shell pipeline locally; `CMD` is interpolated into that string (intended for operator control).
- Requires `websocat` present locally (either in the same directory as `./websocat` or adjusted by the user).
- The script is exploitative (not merely detection) because it actively sends the injection payload to the WebSocket endpoint.
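Added here as a defender-side example (not code from this page or from any of the PoC repositories above): a triage helper that checks a product/version pair against the affected ranges given in the summary, and flags WebSocket sessions to /nw whose thin-client remoteVersion value carries bash command substitution instead of a plain version number. The session record layout, its field names and the sample entries are constructed assumptions, not a real appliance log format.

```python
import re

# Inclusive affected ceilings, taken from the advisory summary on this page.
AFFECTED_THROUGH = {
    "remote_support": (25, 3, 1),
    "privileged_remote_access": (24, 3, 4),
}

def parse_version(text):
    """'25.3.1' -> (25, 3, 1); shorter strings are zero-padded to three parts."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text)[:3])
    return parts + (0,) * (3 - len(parts))

def is_affected(product, version):
    """True when the product/version pair is inside the reported affected range."""
    ceiling = AFFECTED_THROUGH.get(product)
    return ceiling is not None and parse_version(version) <= ceiling

# Constructed sample records (assumed collector format, not real appliance logs):
# one record per WebSocket session, joining the HTTP upgrade with the
# remoteVersion value seen in the thin-client handshake.
SAMPLE_SESSIONS = [
    {"src": "203.0.113.7", "path": "/nw", "company": "acme",
     "proto": "ingredi support desk customer thin", "remote_version": "25.3.1"},
    {"src": "198.51.100.9", "path": "/nw", "company": "acme",
     "proto": "ingredi support desk customer thin",
     "remote_version": "hax[$(true)]0"},
    {"src": "203.0.113.8", "path": "/get_portal_info", "company": "",
     "proto": "", "remote_version": ""},
]

VERSION_OK = re.compile(r"^\d+(\.\d+){0,3}$")   # what a genuine version looks like
SHELL_SUBST = re.compile(r"\$\(|`|\$\{")        # bash substitution markers

def classify_session(session):
    """Return 'exploit_attempt', 'suspicious' or 'benign' for one session record."""
    if session["path"] != "/nw":
        return "benign"
    ver = session["remote_version"]
    if SHELL_SUBST.search(ver):
        return "exploit_attempt"      # substitution syntax in a version field
    if ver and not VERSION_OK.match(ver):
        return "suspicious"           # non-numeric version: review manually
    return "benign"

def triage(sessions):
    """Group source addresses by verdict so the exploit attempts stand out."""
    verdicts = {}
    for s in sessions:
        verdicts.setdefault(classify_session(s), []).append(s["src"])
    return verdicts
```

The allowlist check on the version field is deliberate: a version string that is anything other than dotted digits is worth a look even when it contains none of the substitution markers seen in the PoCs.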
Recent activity
311 sources tracked across advisories, community write-ups, and news.
A critical unauthenticated remote code execution vulnerability in BeyondTrust Bomgar Remote Support and older versions of Privileged Remote Access (PRA) that allows attackers to craft requests to execute arbitrary operating system commands remotely, enabling downstream compromise and ransomware deployment.
A critical unauthenticated remote code execution vulnerability in Bomgar / BeyondTrust Remote Support that Huntress links to multiple compromises of outdated Bomgar RMM instances, including downstream intrusions and ransomware deployment.
A command injection vulnerability in BeyondTrust software that permits unauthenticated malicious command execution.
A vulnerability in BeyondTrust that Storm-1175 is reported to have exploited as part of rapid initial access operations.