The way the exploit works is it hides escape/control sequences in a ICMP echo request packet (it contains the string +++ATH0) the +++ sends the modem into escape mode (and if the guard time on the modem is set ridiculously low) it will go into command mode.