Started docs file

Author: jheysel-r7

documentation/modules/exploit/linux/http/zyxel_parse_config_rce.md

@@ -0,0 +1,38 @@
+## Vulnerable Application
+This module exploits multiple vulnerabilities in order to obtain pre-auth command injection the multiple Zyxel device models.
+The exploit chain uses CVE-2023-33012 which is a command injection vulnerability which can be exploited when uploading a
+new configuration to /ztp/cgi-bin/parse_config.py by appending a command to the `option ipaddr ` field.
+
+The command injection is length limited to 0x14 bytes and is why this exploit chains a .qsr file write vulnerability as
+well in order to write the payload to a file which has no length limit and then call the payload with the command
+injection.
+
+Two caveats of this exploit chain were described by Jacob Baines in the following
+[blog post](https://vulncheck.com/blog/zyxel-cve-2023-33012#you-get-one-shot).
+1. In order for the target to be vulnerable Cloud Management Mode (SD-WAN mode) must be enable (it is not by default).
+2. The target can only be exploited once due to the order of operations in which the exploit functions.
+
+| Product                           | Affected Versions               |
+|-----------------------------------|----------------------------------|
+| ATP                               | V5.10 through V5.36 Patch 2      |
+| USG FLEX                          | V5.00 through V5.36 Patch 2      |
+| USG FLEX 50(W) / USG20(W)-VPN     | V5.10 through V5.36 Patch 2      |
+| VPN                               | V5.00 through V5.36 Patch 2      |
+
+### Setup
+
+This module was tested against USG Flex Version (???). To test this module you will need to acquire a hardware device
+running one of the vulnerable firmware versions listed above.
+
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use zyxel_parse_config_rce`
+1. Set the `RHOST` and `LHOST`
+1. Run the module
+1. Receive a Meterpreter session as the `root` user.
+
+## Scenarios
+### USG Flex Version (???)
+