There’s a series of blog posts that’ve been happening since April, zcutlip just posted part 13. There is a github project with the sample code. Here’s excerpt from part 1:

Broken, Abandoned, and Forgotten Code, Part 1

This series of posts describes how abandoned, partially implemented functionality can be exploited to gain complete, persistent control of Netgear wireless routers. I’ll describe a hidden SOAP method in the UPnP stack that, at first glance, appeared to allow unauthenticated remote firmware upload to the router. After some reverse engineering, it became apparent this functionality was never fully implemented, and could never work properly given a well formed SOAP request and firmware image. If it could work at all, it would be with only the most contrived of inputs. Someone may have thought shipping dead code was okay because an exploit scenario would be so contrived. Someone may not have considered that contrived inputs are the stock-in-trade of vulnerability researchers. In this series, I’ll describe the process of specially crafting a malicious firmware image and a SOAP request in order to route around the many artifacts of incomplete implementation in order to gain persistent control of the router. I’ll discuss reverse engineering the proper firmware header format, as well as the the improper one that will work with the broken code. Together, we’ll go from discovery to complete, persistent compromise.

More information:
https://github.com/zcutlip/broken_abandoned
http://shadow-file.blogspot.com/2015/10/abandoned-part-13.html
http://shadow-file.blogspot.com/2015/04/abandoned-part-01.html