
PoC exploit for unauthenticated command injection vulnerability on JCG JIR-AC681M routers (firmware 92.10.2.4539), enabling remote shell access.

4d000/JCM-JIR-AC681M-Exploit

JCG JIR-AC681M Command Injection Exploit

(image: JCG JIR-AC681M router)

🔓 Proof-of-concept exploit for a command injection vulnerability in the JCG JIR-AC681M router firmware (version 92.10.2.4539)

📌 Summary

This PoC demonstrates a critical unauthenticated command injection vulnerability in the JIR-AC681M router (manufactured by JCG). The flaw lets an attacker who can reach the router's web interface execute arbitrary shell commands on the underlying operating system and start a Telnet daemon that serves a root shell with no login prompt, leading to full compromise of the device.

🧪 Affected Product

  • Device: JCG JIR-AC681M Wireless Router
  • Firmware Version: 92.10.2.4539

📦 Product Overview

The JCG JIR-AC681M is a dual-band wireless broadband router offering combined wireless speeds of up to 1200 Mbps (300 Mbps on 2.4 GHz and 867 Mbps on 5 GHz). It supports multiple operation modes, including Wireless Router, Client, Access Point, and WISP. The router features a built-in firewall with filtering based on IP address, MAC address, and domain name. It also supports remote configuration via WAN, Telnet/CLI access, and firmware upgrades (speedguide.net). The remote-configuration and Telnet features matter here: they are the same surfaces the exploit below reaches and abuses.

🛠️ Exploitation Steps

1. Initial Access and Discovery

While connected to a friend's network, I began exploring the local network infrastructure. After identifying the gateway, I navigated to its web interface, commonly found at http://192.168.1.1. Using the default credentials (admin:admin), I gained access to the router's configuration panel. Note that the walkthrough below was carried out from this logged-in session; it does not test whether the diagnostic page also answers requests without one. Curiosity led me to probe for potentially vulnerable pages beyond the standard interface.

2. Vulnerable Page Identification

Through further exploration, I discovered a diagnostic tool page at http://192.168.1.1/adm/systools.asp. This page exposes a ping utility, a classic command injection sink: if the user-supplied target is concatenated into a shell command without validation, shell metacharacters in the target are interpreted by the shell.

3. Command Injection

I attempted to inject operating system commands into the ping utility's target field. A semicolon (;) terminates the ping command and starts a new one, so anything appended after it runs as a separate command on the router's underlying operating system. For instance, the following payload returned the contents of the system's password file in the page output:

Example:

; cat /etc/passwd

(screenshot: output of the injected command)
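The injection works because the ping target is pasted into a shell command line. The following Python sketch is an added illustration, not code from this repository or from the router's firmware: it shows the vulnerable construction beside a hardened handler that validates the target as an IP address or hostname and passes it to ping as a separate argv element, so no shell ever parses it. All function names and the regex are this example's own.

```python
from __future__ import annotations

import ipaddress
import re
import subprocess

# RFC 1123-style hostname: labels of alphanumerics and hyphens, dot-separated.
# A validated target can never start with '-' or contain ';', '|', '&', '$', '`'.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def unsafe_ping_command(target: str) -> str:
    """VULNERABLE pattern (the bug class behind the systools.asp ping tool).

    The raw field value is concatenated into a command string that is later
    handed to a shell (os.system() / system(3)), so ';', '|', '&&', '$()' and
    backticks in the target become command separators.
    """
    return f"ping -c 4 {target}"


def is_valid_target(target: str) -> bool:
    """Accept only a literal IPv4/IPv6 address or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return HOSTNAME_RE.match(target) is not None


def safe_ping_argv(target: str) -> list[str]:
    """HARDENED: validate first, then build an argv list (no shell involved)."""
    if not is_valid_target(target):
        raise ValueError("target is not an IP address or hostname")
    return ["ping", "-c", "4", target]


def safe_ping(target: str) -> subprocess.CompletedProcess:
    """Run the hardened ping; subprocess.run with a list never invokes /bin/sh."""
    return subprocess.run(safe_ping_argv(target), capture_output=True, text=True, timeout=30)


if __name__ == "__main__":
    hostile = "127.0.0.1; cat /etc/passwd"
    print("shell line the vulnerable code would run:", unsafe_ping_command(hostile))
    try:
        safe_ping_argv(hostile)
    except ValueError as exc:
        print("hardened handler rejected it:", exc)
```

Allow-listing the target shape is the primary control; `shlex.quote()` alone would also neutralise the semicolon, but it still leaves a shell in the path and is easy to forget on the next field. Passing an argv list removes the shell entirely.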

4. Enable Telnet with Root Shell

Injecting the following command starts the BusyBox telnet daemon with /bin/sh as its login program (the -l option replaces /bin/login), so every connection drops straight into a shell with no username or password prompt:

; telnetd -l /bin/sh

This opens up remote shell access, bypassing normal authentication layers.

5. Default Credentials

The web administration panel used in step 1 accepted the factory defaults:

Username: admin
Password: admin

6. Confirming Vulnerability

If the injection succeeded, connecting to the device's LAN address over Telnet (telnet 192.168.1.1) returns a root shell immediately, without any login prompt:

(screenshot: root shell over Telnet)

⚠️ Impact

  • Full system compromise
  • Credential extraction
  • Lateral movement into connected devices
  • Potential for persistent backdoor installation

🔐 Mitigations

  • IMMEDIATE: Change the default credentials, disable WAN access to the admin interface, and disable Telnet/CLI access unless it is required.
  • UPDATE: Contact the vendor for a firmware patch or security advisory; until one is available, treat any host on the LAN as able to obtain a root shell on the router.
  • NETWORK: Place the device behind a firewall that restricts access to its management interfaces to trusted hosts.

🧾 Legal Disclaimer

This code is for educational and authorized penetration testing purposes only. Do not use this software in environments you do not own or have explicit permission to test.
