Vulnerability & Exploit Database

Back to search

QNAP NAS/NVR Administrator Hash Disclosure

This module exploits combined heap and stack buffer overflows for QNAP NAS and NVR devices to dump the admin (root) shadow hash from memory via an overwrite of __libc_argv[0] in the HTTP-header-bound glibc backtrace. A binary search is performed to find the correct offset for the BOFs. Since the server forks, blind remote exploitation is possible, provided the heap does not have ASLR.

Free Metasploit Download

Get your copy of the world's leading penetration testing tool

 Download Now

Module Name



  • bashis
  • wvu <wvu [at]>
  • Donald Knuth



  • Automatic
  • x86
  • ARM



Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use auxiliary/gather/qnap_backtrace_admin_hash msf auxiliary(qnap_backtrace_admin_hash) > show actions ...actions... msf auxiliary(qnap_backtrace_admin_hash) > set ACTION <action-name> msf auxiliary(qnap_backtrace_admin_hash) > show options and set options... msf auxiliary(qnap_backtrace_admin_hash) > run