Metasploit Weekly Wrap-Up


## Exchange RCE ![Metasploit Weekly Wrap-Up](https://blog.rapid7.com/content/images/2022/02/metasploit-ascii-1-2.png) Exchange remote code execution vulnerabilities are always valuable exploits to have. This week Metasploit added an exploit for an authenticated RCE in Microsoft Exchange servers 2016 and server 2019 identified as [CVE-2021-42321](<https://attackerkb.com/topics/4JMe2Y1WSY/cve-2021-42321?referrer=blog>). The flaw leveraged by the exploit exists in a misconfigured denylist that failed to prevent a serialized blob from being loaded resulting in code execution. While this is an authenticated vulnerability, a standard user has sufficient permissions to trigger it which likely encompasses most users within an organization that uses Exchange. The vulnerability affects Exchange Server 2019 CU10 prior to Security Update 3, Exchange Server 2019 CU11 prior to Security Update 2, Exchange Server 2016 CU21 prior to Security Update 3, and Exchange Server 2016 CU22 prior to Security Update 2. ## Chrome Password Decryption Community member [timwr](<https://github.com/timwr>) updated the existing Chrome enumeration module to support decrypting passwords from modern versions of Chrome. The module can now decrypt both the new and old formats of passwords. This is helpful because when Chrome is updated, passwords in the old format are not updated to the new format. ## New module content (2) * [Microweber CMS v1.2.10 Local File Inclusion (Authenticated)](<https://github.com/rapid7/metasploit-framework/pull/16156>) by Talha Karakumru - Adds a new module `auxiliary/gather/microweber_lfi` which targets Microweber CMS v1.2.10 and allows authenticated users to read arbitrary files on disk. * [Microsoft Exchange Server ChainedSerializationBinder Deny List Typo RCE](<https://github.com/rapid7/metasploit-framework/pull/16164>) by Grant Willcox, Microsoft Security Response Center, Microsoft Threat Intelligence Center, peterjson, pwnforsp, testanull, and zcgonvh, which exploits [CVE-2021-42321](<https://attackerkb.com/topics/4JMe2Y1WSY/cve-2021-42321?referrer=blog>) \- This adds an exploit for CVE-2021-42321 which is an authenticated RCE in Microsoft Exchange. The vulnerability is related to a misconfigured deny-list that fails to properly prevent malicious serialized objects from being loaded, leading to code execution. ## Enhancements and features * [#16061](<https://github.com/rapid7/metasploit-framework/pull/16061>) from [shoxxdj](<https://github.com/shoxxdj>) \- The `wordpress_scanner` module has been updated to support enumerating WordPress users using the `wp-json` API. * [#16200](<https://github.com/rapid7/metasploit-framework/pull/16200>) from [timwr](<https://github.com/timwr>) \- This updates post/windows/enum_chrome to support decrypting stored passwords for Chrome versions greater than 80. ## Bugs fixed * [#16197](<https://github.com/rapid7/metasploit-framework/pull/16197>) from [adfoster-r7](<https://github.com/adfoster-r7>) \- This fixes an edge case when reading files on Windows, and fixes Ruby 3 crashes when reading files. * [#16215](<https://github.com/rapid7/metasploit-framework/pull/16215>) from [bwatters-r7](<https://github.com/bwatters-r7>) \- This updates payloads version to 2.0.75, taking in the changes landed in <https://github.com/rapid7/metasploit-payloads/pull/542> and fixes a bug in Windows Meterpreter `getsystem` command where a failed attempt to elevate can result in a partially-broken session. * [#16093](<https://github.com/rapid7/metasploit-framework/pull/16093>) from [h00die](<https://github.com/h00die>) \- A number of broken URL references have been fixed in Metasploit modules. In addition, the `tools/modules/module_reference.rb` code has been updated to log redirects so that they can be appropriately triaged later and to support saving results to a CSV file. Finally, several modules had their code adjusted to conform to RuboCop standards. ## Get it As always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub: * [Pull Requests 6.1.30...6.1.31](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-02-16T23%3A31%3A40-06%3A00..2022-02-24T11%3A00%3A46-06%3A00%22>) * [Full diff 6.1.30...6.1.31](<https://github.com/rapid7/metasploit-framework/compare/6.1.30...6.1.31>) If you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).