is it a #0day ? yeah I guess?
The sub_455480 function is flawed. This function parses some data sent to boafrm/formWlanMultipleAP. Guess what it does with the submit-url parameter? Yep, printf to a stack var. We can't use null bytes, but libc is loaded at 0x3fd25000 so it's not a problem (and ASLR/PIE is nonexistent on those small routers), so everything can be hardcoded.