
Add QNAP NAS/NVR administrator hash disclosure #7956

Merged (10 commits), Mar 15, 2017
Conversation

@wvu (Contributor) commented Feb 14, 2017

msf auxiliary(qnap_backtrace_admin_hash) > info 

       Name: QNAP NAS/NVR Administrator Hash Disclosure
     Module: auxiliary/gather/qnap_backtrace_admin_hash
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2017-01-31

Provided by:
  bashis
  wvu <wvu@metasploit.com>
  Donald Knuth

Available actions:
  Name       Description
  ----       -----------
  ARM        ARM target
  Automatic  Automatic targeting
  x86        x86 target

Basic options:
  Name          Current Setting  Required  Description
  ----          ---------------  --------  -----------
  OFFSET_END    5000             yes       Ending offset (no backtrace)
  OFFSET_START  2000             yes       Starting offset (backtrace)
  Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
  RETRIES       10               yes       Retry count for the attack
  RHOST                          yes       The target address
  RPORT         443              yes       The target port (TCP)
  SSL           true             no        Negotiate SSL/TLS for outgoing connections
  VHOST                          no        HTTP server virtual host

Description:
  This module exploits combined heap and stack buffer overflows for 
  QNAP NAS and NVR devices to dump the admin (root) shadow hash from 
  memory via an overwrite of __libc_argv[0] in the HTTP-header-bound 
  glibc backtrace. A binary search is performed to find the correct 
  offset for the BOFs. Since the server forks, blind remote 
  exploitation is possible, provided the heap does not have ASLR.

References:
  http://seclists.org/fulldisclosure/2017/Feb/2
  https://en.wikipedia.org/wiki/Binary_search_algorithm

msf auxiliary(qnap_backtrace_admin_hash) > 
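A defender-side companion to the description above, added here and not part of the Metasploit module or of QNAP's code: it classifies raw HTTP responses by whether they carry glibc's abort banner ("*** glibc detected *** <argv[0]>: <reason>: 0x<addr> ***" followed by "======= Backtrace: ========="), which is the channel the module abuses, and reports whether a crypt(3)-style shadow hash has landed in the argv[0] slot. The banner wording is glibc's own; the three sample responses, the path and the hash values are constructed for the example.

```ruby
# Added defender-side example, not code from the Metasploit module or from QNAP.
# glibc prints "*** glibc detected *** <argv[0]>: <reason>: 0x<addr> ***" on a
# detected heap corruption; once __libc_argv[0] points at the shadow entry,
# that entry is what appears in the argv[0] slot of the banner.
GLIBC_BANNER   = /\*\*\* glibc detected \*\*\* (?<body>.*?) \*\*\*/
BACKTRACE_MARK = '======= Backtrace: ========='
# $id$salt$hash as written to /etc/shadow; id 1 = md5crypt, 5/6 = sha256/sha512crypt
SHADOW_HASH = /\$(?<id>[156])\$(?<salt>[^$\s:]{1,16})\$(?<hash>[A-Za-z0-9.\/]{22,86})/
HASH_NAMES  = { '1' => 'md5crypt', '5' => 'sha256crypt', '6' => 'sha512crypt' }.freeze

# Classify one raw HTTP response. Returns nil when no glibc banner is present,
# otherwise a finding describing the crash and whether a hash was disclosed.
# The hash material itself is deliberately not copied into the finding.
def inspect_response(raw)
  banner = GLIBC_BANNER.match(raw)
  return nil unless banner
  finding = {
    crash: true,
    backtrace: raw.include?(BACKTRACE_MARK),
    fault_addr: raw[/0x[0-9a-fA-F]+/],
    leaked_hash: nil
  }
  if (h = SHADOW_HASH.match(banner[:body]))
    finding[:leaked_hash] = { type: HASH_NAMES[h[:id]], salt: h[:salt] }
  end
  finding
end

# Constructed sample responses: healthy, a crash without disclosure, and a leak
# (the path, salt and hash below are placeholders, not real values).
SAMPLES = {
  ok:    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
  crash: "HTTP/1.1 500 Internal Server Error\r\n" \
         "*** glibc detected *** /usr/sbin/example: free(): invalid pointer: 0x0804a008 ***\r\n" \
         "#{BACKTRACE_MARK}\r\n",
  leak:  "HTTP/1.1 500 Internal Server Error\r\n" \
         "*** glibc detected *** admin:$1$AbCdEfGh$0123456789abcdefghijkl:17000:0:99999:7::: " \
         "double free or corruption (out): 0x0804b010 ***\r\n#{BACKTRACE_MARK}\r\n"
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |name, raw| puts "#{name}: #{inspect_response(raw).inspect}" }
end
```

Run against captured responses or a web-server error log, a non-nil finding means the service crashed with heap corruption and a non-nil `leaked_hash` means a credential hash left the device.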

@wvu wvu force-pushed the feature/qnap branch 8 times, most recently from 6420559 to dabe4f3 on February 14, 2017 13:43
@wvu wvu added the blocked (Blocked by one or more additional tasks) label Feb 14, 2017
@wvu wvu force-pushed the feature/qnap branch 5 times, most recently from 6990055 to 12576c6 on February 14, 2017 17:41
@wvu wvu changed the title from "Add QNAP admin hash "disclosure"" to "Add QNAP NAS/NVR administrator hash disclosure" Feb 14, 2017
@wvu wvu force-pushed the feature/qnap branch 12 times, most recently from 0d77a0a to 0ed557c on February 14, 2017 22:50
@wvu wvu force-pushed the feature/qnap branch 6 times, most recently from b6c8ca9 to a1bc03e on February 25, 2017 01:11
@wvu wvu removed the blocked (Blocked by one or more additional tasks) label Feb 25, 2017
@busterb busterb self-assigned this Mar 8, 2017
@busterb (Member) commented Mar 8, 2017

I've seen this in action, nice module @wvu !

@busterb (Member) commented Mar 8, 2017

I don't think print_debeug is a thing. If we want to bring back the actual print_debug, I'm fine with it.

@busterb (Member) commented Mar 8, 2017

Also, module docs please, and then I think this is landable.

wvu added 5 commits March 12, 2017 21:01
I never really tested port 80, so I wonder why I didn't change this.
Turns out 80 isn't even the vuln service. Welp. Hat tip @bcoles.
3 was a bit too low. I was using 10 and had more success with it.
@wvu wvu removed the needs-docs label Mar 15, 2017
@busterb (Member) commented Mar 15, 2017

LGTM, thanks for the updates!

@busterb busterb merged commit 94d445f into rapid7:master Mar 15, 2017
@wvu wvu deleted the feature/qnap branch March 15, 2017 16:36
@busterb (Member) commented Mar 15, 2017

Release Notes

The QNAP NAS/NVR Administrator Hash Disclosure exploit has been added to the framework. It exploits combined heap and stack buffer overflows for QNAP NAS and NVR devices to dump the admin (root) shadow hash from memory.
