Add QNAP Transcode Server Command Execution exploit module #8827
Awesome, thank you sir. Do we have a shell payload option for the arch? Meterp transport is in flux right now, so might be nice to add that. Maybe also an openssl double or a plain shell rev_tcp?
@sempervictus I decided against supporting unix/cmd style payloads. I believe meterpreter is preferred over CMD payloads where possible. A lot of the modules for embedded devices only support meterpreter. There's also a whole bunch of characters which are filtered which makes parsing CMD payloads annoying. That said, I know reverse bash CMD works on QNAP from Shellshock days. The There's no Also worth noting that there's also no base64 binary.
As an aside, it would be nice if there was a way to determine when the payload has been downloaded, rather than using
I know it's possible to detect the connect back with
Fun. Agreed it's a waste of effort to deal with char filter bypass. Python meterp however, should be doable, and we can use it as our base64 -d equivalent.
What does the Python meterpreter give us that the native compiled ARMLE meterpreter does not?
awesome
Thanks!!
Release Notes
An exploit that targets an unauthenticated remote command injection vulnerability in QNAP NAS devices has been added to framework. The transcoding server listens on port 9251 by default and is vulnerable to command injection using the 'rmfile' command.
This PR adds an unauthenticated remote root command injection exploit for the transcoding server enabled by default on QNAP NAS devices.
Verification
msfconsole
use exploit/linux/misc/qnap_transcode_server
set RHOST [IP]
set LHOST [IP]
run
Example Output