Add exploit for Cisco Data Center Network Manager file upload

[pedrib]

  DCNM exposes a file upload servlet (FileUploadServlet) at /fm/fileUpload.
  An authenticated user can abuse this servlet to upload a WAR to the Apache Tomcat webapps
  directory and achieve remote code execution as root.
  This module exploits two other vulnerabilities, CVE-2019-1619 for authentication bypass on
  versions 10.4(2) and below, and CVE-2019-1622 (information disclosure) to obtain the correct
  directory for the WAR file upload.
  This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should
  work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit
  (see References to understand why).

Tested and working on 10.4(2) up to 11.1(1).
See
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-codex
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-infodiscl

I will also have a full disclosure post soon with more details about the vulns, and will add the link here.

[acammack-r7]

Looks cool @pedrib! I think this module would be more at home in modules/exploits/multi/http/ than in the root Metasploit directory.

[pedrib]

@acammack-r7 sorry mate, I must have been half asleep when I submitted the module, it deifnitely should be in modules/exploits/multi/http

[pedrib]

@acammack-r7 @wvu-r7 give me some time to address your points, I'm currently busy with other work! I don't like to make changes without testing locally with all the versions I have here (10.4.2, 11.0.1, 11.1.1), so need to downtime to address them. Please be patient!

[pedrib]

@acammack-r7 @wvu-r7 all done, good to go!

[pedrib]

ping!

[pedrib]

yo guys!

[wvu]

Hey, why don't I handle this!

[wvu]

Note to committers: please handle #12059 as well.

[pedrib]

dcnm_uploadp.pcap.zip

Pcap attached

[wvu]

Would appreciate it if you applied the review from #12059, too.

[pedrib]

done! should be good to go!

[pedrib]

all good!

[pedrib]

all good?

[wvu]

I'm fine with the code, but we do require a module doc per module now. If you are unable to provide, I can handle it.

You can at least copy the module description, setup notes, and example output into a Markdown file. Usually takes me five minutes.

[wvu]

Here's the last one I wrote for reference: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/unix/webapp/webmin_backdoor.md.

[wvu]

I'm going to sleep, but I'll check in on this and the other PR tomorrow.

[wvu]

@pedrib: This one has an f-d reference. Okay to land?

[wvu]

Release Notes

The Cisco Data Center Network Manager File Upload module has been added to the framework. It targets a vulnerability in DCNM that exposes a file upload servlet (FileUploadServlet) at /fm/fileUpload. An authenticated user can abuse this servlet to upload a WAR to the Apache Tomcat webapps directory and achieve remote code execution as root.