Add exploit for IBM DRM RCE (CVE-2020-4427, CVE-2020-4428, CVE-2020-4429)

[pedrib]

This PR adds an exploit for an unauthenticated remote code execution as root in IBM Data Risk Manager. This is a 0day at the time of this PR, check:
https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md

See also: #13301 and #13304.

[pedrib]

I am waiting on the CVE IDs, but please go ahead with the review while we wait.

[gwillcox-r7]

Added needs-testing label as from looks of things, only those with an active service contract can download the IBM DRM software.

[pedrib]

@gwillcox-r7 I can send pcaps if needed, same for PR #13301

[gwillcox-r7]

@gwillcox-r7 I can send pcaps if needed, same for PR #13301

If you can send PCAPs for both this PR and for #130001 to msfdev[at]metasploit.com this would greatly assist our team in helping to confirm info. Thanks!

[gwillcox-r7]

@pedrib If you could also send a demo of both of the modules to the same email address this would also be helpful.

[pedrib]

@gwillcox-r7 a demo? Like an asciinema cast?

[acammack-r7]

Thanks for bringing us to the 0-day party! Detection seems a bit wobbly, though, and I think we would want to properly parse the JSON responses instead of just using regexes. I think there are also some code styling things that rubocop -a can help fix.

[pedrib]

@acammack-r7 all done, and thanks for showing me rubocop, will use it from now on on all my submissions.

I'm still waiting for those CVE, do you mind waiting or want to merge these PR now? If so I can send you the pcaps

[wvu]

Are you still waiting for CVEs?

[pedrib]

@wvu-r7 all done. Yes I am still waiting, there's emails back and forth between myself and MITRE. Seems like IBM are the ones that have to issue CVE for their own product, and they are making me wait... I wonder why

[pedrib]

Guys, I have removed all CVE and other TODO-links from these modules to get them ready for merging.
I will add all the info later (CVE, more advisory / vendor links, confirm affected versions). IBM is not responding to me at the moment, so once they do I'll send another PR.

I have sent pcaps to your email address.
This comment also applies to PR #13301 and #13304 .

[pedrib]

@wvu-r7 finally we have CVE! Added them to this module and PR #13301 + PR #13304

[wvu]

Reviewed module doc.

[wvu]

Code reviewed. If I missed anything, apply comments everywhere they apply.

[pedrib]

ok all done!

[wvu]

Squashed and rebased!

[wvu]

Release Notes

This adds a remote root exploit for IBM Data Risk Manager versions 2.0.3 and below. Version 2.0.6 might also be vulnerable. The exploit covers:

• CVE-2020-4427
• CVE-2020-4428
• CVE-2020-4429