Add QNAP Transcode Server Command Execution exploit module #8827
This PR adds an unauthenticated remote root command injection exploit for the transcoding server enabled by default on QNAP NAS devices.
@sempervictus I decided against supporting unix/cmd style payloads.
I believe meterpreter is preferred over CMD payloads where possible. A lot of the modules for embedded devices only support meterpreter.
There's also a whole bunch of characters which are filtered which makes parsing CMD payloads annoying.
That said, I know reverse bash CMD works on QNAP from Shellshock days. The
Also worth noting that there's also no base64 binary.
As an aside, it would be nice if there was a way to determine when the payload has been downloaded, rather than using
I know it's possible to detect the connect back with
An exploit that targets an unauthenticated remote command injection vulnerability in QNAP NAS devices has been added to framework. The transcoding server listens on port 9251 by default and is vulnerable to command injection using the 'rmfile' command.