GNU Inetutils telnetd remote authentication bypass via USER argument injection
CVE-2026-24061 is a critical remote authentication bypass in GNU Inetutils telnetd affecting versions 1.9.3 through 2.7. During Telnet environment negotiation, telnetd accepts an attacker-controlled USER environment variable and passes it to the system login program without properly sanitizing argument delimiters. An attacker can supply a value such as "-f root", causing telnetd to invoke /usr/bin/login with the equivalent of the -f option and skip normal authentication. The flaw is therefore an argument injection issue in telnetd’s handling of environment variables passed to login, and successful exploitation results in an unauthenticated root login on the target system.
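The injection described above depends on two properties of the client-supplied USER value: a leading "-" that login(1) reads as an option, and embedded whitespace that splits the value into extra arguments. The following is an added example (mine, not code from this page or from any repository it lists) that decodes RFC 1572 NEW-ENVIRON subnegotiations from a captured client-side Telnet byte stream, flags USER values a vulnerable telnetd would hand to login as options, and shows the kind of allow-list check a patched daemon must apply before interpolating the value; the sample captures and the allow-list pattern are my assumptions, not the upstream fix.

```python
# Added example: parse Telnet NEW-ENVIRON (RFC 1572) subnegotiations from a
# captured byte stream and flag USER values unsafe to pass to login(1).
import re

IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEW_ENVIRON = 39                            # Telnet option 39 (0x27)
ENV_IS, ENV_SEND, ENV_INFO = 0, 1, 2        # subnegotiation commands
ENV_VAR, ENV_VALUE, ENV_ESC, ENV_USERVAR = 0, 1, 2, 3

# Constructed sample captures (client -> server). The second is the payload
# quoted in the repository descriptions on this page.
BENIGN_CAPTURE = b"\xff\xfb\x27\xff\xfa\x27\x00\x00USER\x01alice\x00DISPLAY\x01ws1:0\xff\xf0"
INJECTION_CAPTURE = b"\xff\xfb\x27\xff\xfa\x27\x00\x00USER\x01-f root\xff\xf0"

# Assumed allow-list for a login name: no leading '-', no whitespace, bounded length.
LOGIN_SAFE_USER = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}")


def extract_subnegotiations(stream):
    """Yield (option, payload) for each complete IAC SB <opt> ... IAC SE block.
    Doubled IAC bytes inside the payload are unescaped; an unterminated
    subnegotiation is skipped rather than guessed at."""
    i = 0
    while i + 2 < len(stream):
        if stream[i] != IAC or stream[i + 1] != SB:
            i += 1
            continue
        opt, j, payload, closed = stream[i + 2], i + 3, bytearray(), False
        while j < len(stream):
            b = stream[j]
            if b != IAC:
                payload.append(b)
                j += 1
                continue
            nxt = stream[j + 1] if j + 1 < len(stream) else None
            if nxt == IAC:                  # escaped 0xFF data byte
                payload.append(IAC)
                j += 2
                continue
            if nxt == SE:                   # proper end of the subnegotiation
                closed, j = True, j + 2
            break                           # any other IAC command ends the SB
        if closed:
            yield opt, bytes(payload)
        i = j


def _store(env, name, value):
    if name is not None:
        env[name.decode("latin-1")] = None if value is None else value.decode("latin-1")


def parse_new_environ(payload):
    """Decode an IS/INFO payload into {name: value}. A VAR/USERVAR without a
    VALUE (RFC 1572: variable undefined) is stored as None; SEND yields {}."""
    if not payload or payload[0] not in (ENV_IS, ENV_INFO):
        return {}
    env, name, value, i = {}, None, None, 1
    while i < len(payload):
        b = payload[i]
        if b in (ENV_VAR, ENV_USERVAR):     # start of a new variable name
            _store(env, name, value)
            name, value = bytearray(), None
        elif b == ENV_VALUE and name is not None and value is None:
            value = bytearray()             # switch from name to value bytes
        else:
            if b == ENV_ESC and i + 1 < len(payload):
                i += 1                      # ESC: next byte is literal data
                b = payload[i]
            target = name if value is None else value
            if target is not None:
                target.append(b)
        i += 1
    _store(env, name, value)
    return env


def findings_for_user(user):
    """Explain why a USER value is unsafe to interpolate into a login(1) command line."""
    findings = []
    if user is None:
        return findings
    if user.startswith("-"):
        findings.append("USER %r starts with '-': login(1) would parse it as an option" % user)
    if re.search(r"\s", user):
        findings.append("USER %r contains whitespace: it would split into extra arguments" % user)
    return findings


def scan_capture(stream):
    """Return findings for every NEW-ENVIRON IS/INFO block in a captured client stream."""
    findings = []
    for opt, payload in extract_subnegotiations(stream):
        if opt == NEW_ENVIRON:
            findings.extend(findings_for_user(parse_new_environ(payload).get("USER")))
    return findings


def safe_user(user):
    """Allow-list check a patched daemon should apply before using USER (assumed
    pattern, not the upstream fix): the value itself, or None if it must be rejected."""
    return user if user is not None and LOGIN_SAFE_USER.fullmatch(user) else None


if __name__ == "__main__":
    for label, capture in (("benign", BENIGN_CAPTURE), ("injection", INJECTION_CAPTURE)):
        print(label, scan_capture(capture) or "no findings")
```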
Exploits
27 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (53 hidden).
This repository is a small standalone Python exploit/scanner project centered on a single executable script, telnetd_scanner.py, plus a README and license. The script is not part of a larger exploit framework. Its purpose is to scan one or more Telnet targets and actively attempt exploitation of the claimed CVE-2026-24061 affecting GNU InetUtils telnetd. Core exploit logic is implemented in probe(). The script opens a TCP connection to the target, reads the Telnet banner, sends a WILL NEW-ENVIRON negotiation, then transmits a crafted NEW-ENVIRON subnegotiation containing USER=-f root. It interprets returned text for shell-like indicators such as '#', '$', 'root@', or 'uid=0', and for login failure prompts such as 'login:' or 'Password:'. If exploitation appears successful, it sends 'id' to verify command execution and marks the host as exploited when uid output is observed. Operationally, the tool supports scanning single hosts, hostnames, or CIDR ranges via expand(), and uses ThreadPoolExecutor for concurrent scanning. It includes progress display, verbose logging, and report generation in text or JSON. The report function summarizes vulnerable and exploited hosts and includes remediation guidance. Fingerprintable observables are limited and mostly target-side: TCP port 23, the Telnet NEW-ENVIRON negotiation, the injected string USER=-f root, and the verification command id. There are no hardcoded external C2 servers, callback URLs, or third-party network services. Overall, this is an operational active exploit scanner: it does not merely detect exposure, but attempts the bypass and validates shell access.
This repository is a small exploit toolkit targeting GNU InetUtils telnetd with two pre-authentication issues: CVE-2026-24061 and CVE-2026-32746. It contains 10 files total, primarily Python plus one Bash scanner wrapper. The main structure is:
- two primary exploit implementations in exploits/exploit_cve_2026_24061.py and exploits/exploit_cve_2026_32746.py;
- three focused PoC/support scripts for CVE-2026-32746 (exploit_heap_ptr.py, exploit_rce.py, exploit_slctab_crash.py);
- a bulk scanner in exploits/scanner.py;
- a shell-based parallel scanner in scan_telnetd.sh.
CVE-2026-24061 exploit: a network Telnet exploit against TCP/23 that abuses Telnet NEW-ENVIRON negotiation. The code negotiates Telnet options, responds to NEW-ENVIRON requests, and injects USER="-f root" (or a custom string) so telnetd passes it into /usr/bin/login as a command-line argument. The intended result is authentication bypass and an immediate pre-auth root shell. The script supports at least check mode and interactive shell mode, making it more than a detector.
CVE-2026-32746 exploit: a more advanced Telnet LINEMODE/SLC overflow exploit framework. It crafts malicious SLC triplets in Telnet subnegotiation to overflow slcbuf and corrupt adjacent BSS state. Repository descriptions indicate multiple capabilities: crash verification, probing, pointer corruption, arbitrary-write style primitives, and target-specific RCE by overwriting GOT/function pointers. The main exploit file exposes multiple modes such as crash, probe, rce, and verify-rce, and requires target-specific offsets or profiles for reliable code execution. This makes it operational but not fully weaponized.
The auxiliary CVE-2026-32746 scripts document and demonstrate exploitation stages: exploit_slctab_crash.py aims for controlled SIGSEGV via slctab corruption; exploit_heap_ptr.py demonstrates corruption of I/O buffer pointers to redirect writes; exploit_rce.py chains several primitives and explicitly assumes a fixed target layout (GNU inetutils telnetd 2.5, ASLR disabled, known binary/libc bases). These files are useful for exploit development and validation rather than generic one-click exploitation. The scanner.py script performs bulk scanning of targets from a file or stdin, checks TCP connectivity, invokes the exploit classes directly, and records whether CVE-2026-24061 yields RCE and whether CVE-2026-32746 appears vulnerable/crashable or RCE-capable. The Bash script scan_telnetd.sh wraps the two main Python exploits for parallelized scanning and CSV output. Overall, the repository’s purpose is offensive security research and validation of pre-auth Telnet daemon vulnerabilities, with both exploitation and scanning workflows centered on GNU inetutils telnetd over TCP port 23.
This repository is not a standalone exploit implementation but a vulnerable lab environment for practicing exploitation of CVE-2026-24061 against GNU InetUtils telnetd. The repo contains four files: a README describing the vulnerability and exploit syntax, a Vagrantfile that provisions a Debian Bookworm VM on a private host-only network (192.168.56.10), and a Bash provisioning script that installs and configures the vulnerable service. The main operational logic is in provision/setup.sh. The provisioning script updates packages, installs build dependencies and openbsd-inetd, removes existing secure telnet packages, downloads and compiles GNU InetUtils 2.7 from source, verifies the tarball with GPG via keyserver.ubuntu.com, creates weak credentials (student/student123 and root/toor), weakens PAM by commenting out pam_securetty protections in /etc/pam.d/login, and registers /usr/local/libexec/telnetd with openbsd-inetd in /etc/inetd.conf so the service listens on TCP port 23. It also plants /root/flag.txt and a hint file for the student account. The exploit capability described by the repository is an unauthenticated network-based authentication bypass over Telnet. By running USER='-f root' telnet -a 192.168.56.10, the client sends a USER environment variable during Telnet negotiation; the vulnerable telnetd forwards this unsanitized value to /usr/bin/login, which interprets -f root as a pre-authenticated login request and grants a root shell. Because the repository primarily sets up a target rather than shipping a reusable exploit program, its maturity is best classified as POC.
This repository is a small standalone Python exploit/scanner project, not part of a larger framework. It contains one executable code file, `telnet_scan.py`, plus a README and license. The script is an interactive Telnet assessment tool targeting two claimed GNU InetUtils telnetd vulnerabilities: CVE-2026-24061 and CVE-2026-32746. Repository structure is simple: `telnet_scan.py` is the main and only code artifact; `README.md` documents installation, menu-driven usage, batch scanning, expected output, and mitigation guidance. The Python script uses standard library modules only (`socket`, `select`, `termios`, `tty`, `signal`, etc.), indicating a self-contained network tool. Core capabilities observed in the code and documentation:
- Validates whether a target Telnet service is reachable before testing.
- Supports single-target and file-based batch scanning.
- Attempts CVE-2026-24061 by negotiating Telnet NEW_ENVIRON and sending a subnegotiation that sets `USER` to `-f root`.
- Detects likely shell access by checking returned banner/output for shell-like prompts such as `#`, `$`, `>`, or `root@`.
- If successful, drops the operator into an interactive shell over the existing socket using raw terminal mode.
- Tests CVE-2026-32746 by negotiating LINEMODE and sending an oversized SLC-style payload intended to trigger a pre-authentication buffer overflow; success is inferred from connection drop/crash behavior rather than code execution.
The exploit is best characterized as OPERATIONAL rather than a mere PoC because it includes working network logic, target validation, batch processing, and an interactive post-exploitation shell path for the auth-bypass case. However, it is not obviously weaponized or framework-integrated. Fingerprintable network/protocol indicators are limited because targets are user-supplied at runtime rather than hardcoded. The main identifiable target surface is TCP/23 (Telnet). Protocol-level indicators include Telnet option 39 (NEW_ENVIRON), option 34 (LINEMODE), and the injected string `USER=-f root`. The README also references `/usr/bin/login` as the downstream component affected by the environment injection. No hardcoded external C2, callback URLs, domains, or IP addresses are present in the code.
This repository is a small, focused exploit PoC for CVE-2026-24061, an authentication bypass in GNU InetUtils telnetd caused by unsafe use of the client-supplied USER value from Telnet NEW-ENVIRON negotiation. The repository contains only two files: a README describing the vulnerability, affected versions, exploitation logic, and patch history; and main.py, a standalone Python exploit client. The exploit works over the network against a Telnet service. It connects to a target host, defaults to TCP port 23, participates in Telnet option negotiation, accepts NEW-ENVIRON, and when the server requests environment variables, sends USER="-f root". According to the repository description, vulnerable telnetd passes this unsanitized value into login(1), effectively causing an invocation equivalent to '/usr/bin/login -p -h <host> -f root'. Because '-f' requests passwordless login for the named user, successful exploitation yields an unauthenticated interactive root shell. main.py is a minimal but functional exploit. Its structure includes: protocol constants for Telnet and NEW-ENVIRON; negotiate() to respond to Telnet DO/WILL/WONT handling; send_environ() to send the malicious USER variable; parse_stream() to separate Telnet IAC control sequences from application data and strip ANSI escapes; reader() to continuously receive and print server output; and main() to parse arguments, connect to the target, set the hardcoded payload '-f root', and provide an interactive session. The code is operational rather than a mere detector: it attempts exploitation directly and, on success, gives the operator a live shell. No external C2 or third-party infrastructure is used. The only network endpoint is the operator-supplied Telnet target. Fingerprintable artifacts include the default Telnet port 23, use of Telnet NEW-ENVIRON option 39, the USER environment variable, the hardcoded payload '-f root', and the vulnerable server-side binary path '/usr/bin/login' referenced in the documentation.
Repository contains a short Python exploit (telnetd.py) and a detailed README describing CVE-2026-24061, an unauthenticated remote authentication bypass in GNU Inetutils telnetd <= 2.7. Structure & purpose:
- README.md: Explains the vulnerability mechanism (Telnet NEW-ENVIRON allows setting USER to "-f root"; telnetd forwards it unsanitized to /bin/login, which interprets '-f root' as pre-authenticated root), impact, affected versions, and remediation steps.
- telnetd.py (~1 KB): Implements the exploit by opening a Telnet connection to a user-supplied host (default port 23), sending basic Telnet negotiation bytes, then sending a crafted NEW-ENVIRON subnegotiation payload that sets USER to "-f root". After a short delay, it drops into tn.interact() to provide an interactive session (intended to be a root shell).
Exploit capabilities:
- Remote, unauthenticated compromise of vulnerable telnetd via protocol-level environment injection.
- Achieves authentication bypass/privilege escalation to root (interactive shell over the same Telnet session).
- Minimal configuration: only requires network reachability to TCP/23 and a vulnerable inetutils telnetd configuration/behavior that forwards USER to login.
Notable observables:
- Network target is arbitrary <host> with default TCP port 23.
- Protocol payload includes Telnet IAC SB NEW-ENVIRON ... IAC SE with USER value "-f root".
Repository contains a single Python proof-of-concept exploit and a README.
- Files:
  - CVE-2026-24061.py: Async Python exploit using telnetlib3 to connect to a target telnetd service (default TCP/23). It sends a crafted Telnet ENVIRON subnegotiation that sets the USER environment variable to a malicious value of the form "-f<target_user>" (default "-froot"). The script then checks the server response; if it does not see a login/password prompt, it assumes the authentication bypass succeeded and drops into an interactive loop that lets the operator run arbitrary commands over the established telnet session.
  - README.md: Describes the vulnerability as an authentication bypass in GNU Inetutils telnetd versions 1.9.3–2.7, provides usage examples, and suggests mitigations.
- Exploit capability:
  - Unauthenticated remote auth bypass via Telnet option negotiation (ENVIRON) to inject a crafted USER value intended to be interpreted as a login option, resulting in a remote shell as the specified user (root by default).
- Notable implementation details:
  - Uses telnetlib3.open_connection with timeouts.
  - Constructs raw IAC/ENVIRON bytes and writes them as latin1-decoded text.
  - Provides an interactive pseudo-shell by sending user-entered commands and printing server output.
Repository contains a single Perl proof-of-concept exploit script for CVE-2026-24061 against telnetd, plus a minimal README, GPLv3 LICENSE, and a Perl-oriented .gitignore. Key file: `CVE-2026-24061.pl` (entry point). It:
- Opens a TCP connection to a user-supplied target host and port (default 23).
- Implements basic Telnet option negotiation stripping/handling (`negotiate`) and responds with WONT/DONT to most options.
- Sends a crafted Telnet NEW-ENVIRON (option 39) subnegotiation payload that sets the variable name `USER` to the value `-f root` (suggesting argument/flag injection into telnetd’s handling of environment/user fields).
- Forks into a reader process (prints server output to stdout after negotiation cleanup) and a writer loop (forwards stdin to the socket), effectively acting like a minimal interactive telnet client after delivering the payload.
- Performs a simple vulnerability heuristic: if the reader child exits immediately after payload delivery, it prints that the target does not seem vulnerable.
No additional modules, scanners, or multi-target automation are present; it is a single-target, interactive PoC focused on triggering the vulnerable code path via Telnet protocol messages rather than delivering a full post-exploitation payload (e.g., reverse shell).
Repository contains a single Python proof-of-concept exploit for CVE-2026-24061 plus README and MIT license. Structure & purpose:
- README.md: Describes an alleged critical telnetd authentication bypass via improper handling of the USER environment variable, claims impact is RCE as root, and provides usage/mitigation/references.
- cve-2026-24061-poc.py: Implements a minimal Telnet client that performs Telnet option negotiation and sends a crafted NEW-ENVIRON (option 39) subnegotiation setting USER to "-f root". It then starts a background reader thread to print server output and forwards stdin lines to the socket, effectively giving the operator an interactive session if the bypass succeeds.
Exploit capabilities (from code):
- Remote network exploitation over TCP against a Telnet service.
- Sends a specific Telnet negotiation sequence and environment variable injection payload.
- Provides an interactive post-exploitation channel (stdin->socket, socket->stdout) rather than dropping a separate reverse shell.
- Includes a basic liveness/vulnerability heuristic: if the reader thread dies shortly after sending the payload, it reports the target likely not vulnerable.
Notable implementation details:
- negotiate() strips/handles Telnet IAC sequences and responds to DO/WILL with WONT/DONT for most options, while allowing option 39 (NEW-ENVIRON) to proceed.
- Hardcoded payload bytes: b'\xff\xfb\x27\xff\xfa\x27\x00\x00USER\x01-f root\xff\xf0'.
- Default port is positional optional argument with default 23.
Overall, this is a small, single-file PoC intended to demonstrate an auth bypass in inetutils telnetd by abusing Telnet environment option handling, yielding an interactive session that is expected to run with elevated privileges if the target is vulnerable.
Repository purpose: a small Docker-based lab demonstrating a Telnet negotiation-based auto-login/username injection technique described as CVE-2026-24061, using the Telnet NEW-ENVIRON option (RFC1572). Structure (5 files):
- exploit.py: Python Telnet client PoC. Connects to a user-supplied host on TCP/23, performs minimal Telnet option negotiation, and when the server requests NEW-ENVIRON it replies WILL NEW_ENVIRON and sends a subnegotiation that sets USERVAR "USER" to the local environment variable $USER. It then enters an interactive relay loop (socket <-> stdin/stdout). As a fallback, it detects "login:" or "username:" in server output and sends the username followed by CRLF.
- compose.yaml: Defines two containers (node1 client, node2 server) on an isolated bridge network (labnet) with Docker DNS name resolution (e.g., target host "node2"). No host ports are exposed.
- Dockerfile.node1: Builds a Python 3.12 slim client container, installs telnet, copies exploit.py, and idles (sleep infinity) for interactive use.
- Dockerfile.node2: Builds a Python 3.12 slim server container, downloads and installs a specific inetutils-telnetd .deb from a Debian mirror, enables telnet in /etc/inetd.conf, and runs inetutils-inetd in debug mode.
- readme.md: Walkthrough and explanation; shows example usage USER="-f root" python exploit.py node2, indicating the intended effect is to pass a crafted USER value via NEW-ENVIRON.
Exploit capabilities:
- Network-based interaction with Telnet servers.
- Telnet option negotiation handling (DO/WILL) sufficient to respond to NEW-ENVIRON.
- Sends a crafted NEW-ENVIRON payload to set USER, enabling username injection/auto-login behavior on vulnerable servers.
- Provides an interactive session and a prompt-detection fallback that submits the username when a login prompt appears.
Notable observables:
- Hardcoded Telnet port 23.
- Debian mirror URL used to fetch inetutils-telnetd package for the lab.
- Service/hostnames: node1, node2; network: labnet; inetd/telnetd configuration paths and binaries.
Repository purpose: a Python 3.10+ Telnet scanner and exploitation framework for CVE-2026-24061 (Telnet NEW_ENVIRON USER variable injection leading to authentication bypass and potential root access). Core exploit capability:
- Implements Telnet option negotiation and NEW_ENVIRON subnegotiation.
- Exploit path (terminus/core/terminus_engine.py:TerminusNegotiator.exploit): sends a crafted NEW_ENVIRON IS VAR USER VALUE <payload> sequence (default payload "-f root"), then checks for absence of login/password prompts to infer auth bypass, and runs `id` to confirm root (uid=0/root).
- Exploiter wrapper (terminus/core/exploit.py:TerminusExploiter) enforces safety controls: explicit authorization required and (by default) single-target-only exploitation; supports evidence collection and an interactive telnet shell mode.
Scanning/detection:
- High-concurrency async scanner (terminus/core/scanner.py) with rate limiting (TokenBucket), retries/backoff, and optional active verification.
- Fingerprinting (terminus/detection/fingerprint.py) parses banners and can also infer daemon type from telnet option negotiation sequences.
- Heuristics (terminus/detection/heuristics.py) provide non-destructive probing of NEW_ENVIRON support/USER var acceptance and risk scoring.
- Signature DB (signatures.db + terminus/detection/signatures.py) encodes vulnerable version patterns and exploitation metadata for CVE-2026-24061.
Reporting/CLI:
- CLI entry point: `terminus` script -> terminus/cli.py:main; module entry: terminus/__main__.py.
- Outputs: terminal tables (rich), JSON/CSV/HTML/Markdown reports using Jinja2 templates (terminus/reporting/*).
- Helper scripts: terminus_helper.sh and terminus_helper.ps1 provide convenience wrappers and shell completion setup.
Notable endpoints/targets:
- Network target is generic: user-supplied hosts/IPs, default TCP port 23.
- No hardcoded C2 or exfil endpoints observed; only reference URLs in signatures/license and local output paths (logs/reports/signatures.db).
Overall structure:
- terminus/core/: telnet protocol parsing/state machine, handshake/exploit negotiator, scanner, exploiter.
- terminus/detection/: banner fingerprinting, heuristic probing, signature database loader.
- terminus/reporting/: formatters, pydantic models, HTML/MD templates.
- terminus/utils/: config loading (config.yaml), logging, target parsing (CIDR/ranges/DNS resolution).
- tests/: extensive unit/integration tests covering exploit, protocol parsing, scanner behavior, reporting, and utilities.
Repository contains a single Python exploit script: cve-2026-24061.py (~17 KB). It implements a network-based exploit against GNU InetUtils telnetd (claimed affected versions 1.9.3–2.7) for CVE-2026-24061. Core technique: the script speaks raw Telnet protocol and performs option negotiation to use NEW_ENVIRON (0x27). It sets the USER environment variable to a value beginning with a dash (default payload: "-f root"). The script’s banner explains that GNU telnetd interpolates USER into a /bin/login command template using %U, allowing the attacker-controlled USER string to be treated as command-line arguments to /bin/login. With "-f root", /bin/login is coerced into a no-auth/forced login path, yielding a root session. Capabilities exposed via CLI:
- Exploit and obtain an interactive shell over the telnet session (default behavior).
- Execute a single command non-interactively (--cmd) and print output.
- Check-only mode (--check) to determine if the target appears vulnerable without dropping into a shell.
- Customization of target port (-p/--port) and injected USER payload (--user), plus verbose/debug output (-v).
Notable observables/targets:
- Network target is a telnet service on TCP port 23 by default.
- Protocol fingerprint: Telnet NEW_ENVIRON negotiation and setting USER.
- Server-side execution target: /bin/login (argument injection).
Repository contains a Python-based network exploit targeting GNU inetutils-telnetd, claiming CVE-2026-24061 (remote authentication bypass via telnet NEW_ENVIRON). Structure is minimal: main.py (exploit), README.md (usage/download marketing), pyproject.toml (packaging metadata), and .python-version. main.py implements a telnet client that performs option negotiation (IAC DO/WILL, subnegotiations for TTYPE=24, TSPEED=32, NEW_ENVIRON=39). When the server requests NEW_ENVIRON (SEND), it sends a crafted NEW_ENVIRON payload setting the USER variable to "-f <user>" (default "root"), intending to abuse telnetd/login behavior to bypass authentication and drop into an interactive session. The script supports single-target mode (-u) and a list mode (-l) that reads hosts from a file and runs exploitation attempts concurrently using threads; port is configurable with -p and username with -usr. Notable observations: the README heavily emphasizes downloading a prebuilt binary from GitHub Releases, while the actual exploit logic is in Python. The provided main.py content is truncated in the middle of Exploit.run(), but enough code is present to confirm the core capability: network-based telnet negotiation leading to sending the NEW_ENVIRON USER='-f <user>' payload and then handling interactive I/O.
Repository contains a Python proof-of-concept exploit for an alleged GNU inetutils-telnetd authentication bypass (CVE-2026-24061) plus a Dockerfile to stand up a test target. Structure:
- cve_2026_24061_telnetd.py: Main exploit. Implements a minimal telnet client that performs option negotiation and, when the server requests NEW_ENVIRON (option 39), sends a crafted subnegotiation setting environment variable USER to "-f <user>" (default root). The script then relays data between the user (interactive TTY or piped stdin) and the telnet socket, effectively providing an interactive session/command execution channel if the bypass succeeds.
- Dockerfile.vulnerable: Builds an Ubuntu 20.04 container with inetutils-telnetd and xinetd, enables telnet service on TCP/23, sets root password to "toor", and adjusts /etc/securetty to permit root logins on pseudo-terminals. Intended for local testing.
- README.md: Describes the vulnerability concept (NEW_ENVIRON USER value interpreted as a login flag like "-f root"), provides usage examples (including piping commands), and points to a GitHub releases page.
Notable exploit behavior:
- Network-only attack against a telnet service; no scanning/detection logic.
- Handles telnet negotiations for TTYPE (24), TSPEED (32), and NEW_ENVIRON (39) and responds with basic values (xterm, 38400,38400).
- Payload is fixed to the NEW_ENVIRON injection; user can choose target host, port, and username, but there is no modular payload framework.
Overall purpose: provide an operational PoC that attempts to bypass telnetd authentication and obtain a remote session as a chosen user (default root), with a containerized environment to reproduce/test the issue.
Repository contains a single Python exploit script and a README describing CVE-2026-24061 (GNU Inetutils telnetd auth bypass). The exploit is a network-based Telnet protocol abuse: it connects to a target telnetd (user supplies host/port, typically TCP/23), negotiates Telnet options NEW_ENVIRON (39) and ENVIRON (36), and injects an environment variable `USER` with the value `-f root`. This is intended to influence the server-side login invocation so that `/bin/login -f root` is executed, skipping password verification and yielding a root shell. Key code structure (CVE-2026-24061.py):
- `TelnetNegotiator`: Implements minimal Telnet IAC parsing and option negotiation (DO/DONT/WILL/WONT, SB/SE). Tracks whether env payload was sent (`self.sent`) and whether server agreed to ECHO (`echo_ok`).
- `send_env(opt)`: Crafts and sends subnegotiation `IAC SB <opt> ENV_IS ENV_VAR "USER" ENV_VALUE "-f root" IAC SE` (default user string is "-f root").
- `exploit(host, port)`: Connects via TCP, sends `WILL NEW_ENVIRON` and `WILL ENVIRON`, reads server responses, forces env injection if not requested, then sends a blank line to trigger login flow. It performs basic vulnerability checks: if output contains a login/password prompt (`has_login`) it assumes not vulnerable; it also requires seeing `WILL ECHO` as a heuristic. It then sends `id` and checks for `uid=` to confirm shell access.
- `shell(conn, neg)`: Provides an interactive session, with a background thread parsing and printing server output while the user types commands.
Overall purpose: provide an operational PoC that attempts unauthenticated remote root access on vulnerable GNU Inetutils telnetd instances by abusing Telnet environment option handling. No scanning, worming, or C2 behavior is present; the only network activity is the direct TCP connection to the specified target.
Repository contains a standalone Python Telnet scanner/exploit PoC for CVE-2026-24061 affecting GNU InetUtils telnetd. The core class (TelnetExploiter) opens a TCP connection to the target (default port 23), manually processes Telnet IAC negotiation, and when the server requests RFC1572 NEW-ENVIRON (DO NEW-ENVIRON followed by SB NEW-ENVIRON SEND), it replies with a crafted subnegotiation payload that sets the environment variable USER to "-f root" (IAC SB NEW-ENVIRON IS VAR USER VALUE -f root IAC SE). This is intended to trigger an unauthenticated root shell/auth bypass condition on vulnerable telnetd. A MassScanner wrapper expands targets from a single IP, CIDR ranges, or a file, and uses ThreadPoolExecutor for multithreaded scanning. Results are printed with colorized status (via colorama) and can be written to a CSV output file. Dependencies are minimal (colorama, netaddr). Overall structure: README with usage/disclaimer, requirements.txt, and a single main script entry point (cve_2026_24061_poc.py) implementing both exploitation logic and mass-scanning orchestration.
Repository purpose: a minimal Docker-based lab environment to demonstrate an authentication bypass in GNU inetutils telnetd (claimed CVE-2026-24061). It is not a full exploit toolkit; it provides a reproducible vulnerable service and a one-liner payload to obtain a root shell. Structure and key files:
- Dockerfile: Builds a Debian 11 slim image, installs inetutils-telnetd (and telnet client), creates a non-root user (user1), and modifies /etc/inetd.conf to enable the telnet service. Copies in an entrypoint script.
- docker-entrypoint.sh: Starts inetutils-inetd in debug mode in the background, prints instructions, then drops the interactive session to user1.
- README.md: Documents the vulnerability mechanics and provides the exploit command: setting USER='-f root' and connecting via telnet (-a) to localhost. The described primitive is argument injection into /usr/bin/login, leveraging login's '-f' option to skip authentication.
Exploit capability:
- Remote (network) authentication bypass against telnetd leading to immediate root access, assuming the service is exposed and vulnerable. In this lab, the attack is demonstrated locally against localhost, but the same technique would apply to a reachable telnet service.
Notable observables:
- Service endpoint: telnet on port 23 (implicit), demonstrated as telnet to localhost.
- Configuration touchpoints: /etc/inetd.conf enabling telnet; inetd binary /usr/sbin/inetutils-inetd; login binary /usr/bin/login as the injection sink.
Repository purpose: a Python-based scanner + exploitation toolchain for CVE-2026-24061 (Telnet NEW_ENVIRON USER-variable injection leading to authentication bypass and potential root access). Core exploit capabilities:
- Network-based Telnet handshake and option negotiation parsing (IAC/DO/WILL/SB/SE) to detect NEW_ENVIRON (option 39) support.
- Passive detection: banner grabbing + daemon/version fingerprinting (netkit-telnetd, BSD telnetd, inetutils telnetd, generic) and matching against a local signature DB (signatures.db).
- Heuristic probing (optional): sends a non-destructive NEW_ENVIRON SEND/VAR probe to see if USER is accepted; computes risk score and a numeric vulnerability score.
- Active verification mode: attempts the actual CVE primitive and confirms impact by sending `id` and checking for uid=0/root.
- Exploitation mode: sends a crafted NEW_ENVIRON subnegotiation setting USER to an attacker-controlled value (default "-f root"), optionally collects evidence (initial output, id output, banner, payload) and can provide an interactive session.
Notable safety controls:
- Exploitation requires explicit authorization (ExploitConfig.authorized / CLI confirmation).
- Default restriction to single-target exploitation (blocks batch exploitation unless configured otherwise).
Network/targeting details:
- Primary target is TCP port 23 (configurable). The exploit is protocol-specific to Telnet RFC 854/1572 negotiation and NEW_ENVIRON.
- No hardcoded victim IPs/domains; targets are user-supplied via CLI, file, CIDR, or IP range. Hostnames can be resolved via DNS (aiodns).
Repository structure:
- terminus/cli.py: Click-based CLI entry point (scan/verify/exploit/report output). Uses rich for progress/UI.
- terminus/core/protocol.py: Telnet state machine and session abstraction; parses IAC sequences and subnegotiations.
- terminus/core/terminus_engine.py: Handshake logic and the actual exploit primitive (builds NEW_ENVIRON IS VAR USER VALUE <payload>), plus post-exploit command sending.
- terminus/core/scanner.py: Async high-concurrency scanner with rate limiting (token bucket), retries, optional probing and verification.
- terminus/detection/*: BannerAnalyzer (fingerprinting), heuristics (risk scoring, probe), signatures (loads signatures.db).
- terminus/reporting/* + templates: terminal/JSON/CSV/HTML/Markdown reporting.
- terminus/utils/*: config loading (config.yaml), logging (JSON/colored, rotating file), network target parsing (CIDR/range/hostname resolution).
- tests/: extensive pytest suite including mocked telnet sessions and CLI tests.
Overall: this is an operational, end-to-end network scanner with an integrated proof-of-exploit and interactive exploitation path for CVE-2026-24061, rather than a single minimal PoC.
Repository purpose: provides (1) a Dockerized vulnerable lab environment and (2) a pure-Go Telnet client scanner/exploit for CVE-2026-24061 (InetUtils telnetd authentication bypass).

Key exploit capability:
- Network-based unauthenticated authentication bypass against telnetd by injecting USER="-f root" via Telnet NEW-ENVIRON option negotiation.
- Scan mode: connects to the target, performs Telnet negotiation, injects the payload when the server requests NEW-ENVIRON (DO 0x27), then sends "id" to confirm uid=0(root).
- Exploit mode: establishes the same Telnet negotiation/payload injection and then provides an interactive shell loop (stdin->socket, socket->stdout), effectively enabling arbitrary command execution as root.

How it works (code-level):
- exp/main.go implements a minimal Telnet protocol handler:
  - Detects IAC sequences and responds to DO/WILL/DONT/WONT.
  - On receiving DO NEW_ENVIRON, replies WILL NEW_ENVIRON and sends an SB NEW_ENVIRON subnegotiation containing the variable USER with value "-f root".
  - Filters printable output and checks for "uid=0" to confirm root.

Repository structure:
- Root:
  - Dockerfile + docker-compose.yml: builds an Ubuntu 24.04-based container, installs the inetutils-inetd and inetutils-telnetd .deb packages, enables telnetd via /etc/inetd.conf, exposes port 23, and maps host 2323->23 for testing.
  - README.md / README.zh-cn.md: vulnerability description, manual reproduction using the system telnet client (env USER='-f root' telnet -a ...), and tool usage.
- exp/:
  - main.go: Go scanner/exploit (entry point).
  - go.mod: module definition.
  - targets.txt: sample batch scan input.
  - exp/README(.zh-cn).md: detailed tool usage and payload bytes.

Notable observations:
- The Go module name in exp/go.mod is "cve-2026-20461-go" (likely a typo), while the repo consistently references CVE-2026-24061.
- No external C2 infrastructure is present; all network activity is direct TCP to the specified target/port.
Repository contains a small Python batch exploitation tool targeting the claimed CVE-2026-24061 "Telnet Authentication Bypass".

Structure:
- README.md: documents batch scanning from `ip_list.txt`, the connectivity pre-check, and the interactive shell handoff.
- exploit.py: the only code file; implements target parsing, TCP reachability checks, and a pexpect-driven Telnet session.
- requirements.txt: lists `logfy` and `requests` (requests is not used in the code).

Core behavior in exploit.py:
- Reads targets from a file (default `ip_list.txt`), supporting `IP` or `IP:port` lines and ignoring comments.
- For each target, performs a TCP connect check (socket.create_connection) with a 7s timeout.
- If reachable, spawns a local telnet client via pexpect using the command `env USER='-f root' telnet -a ip port`.
- Determines success by waiting for prompts: if it sees login/password/username prompts it treats the host as not exploitable and skips it; if it sees `#` or `>` it assumes a shell and enters interactive mode (pexpect.interact), giving the operator direct command execution.

Notable implementation issues/observations:
- Argument parsing bug: main() defines `--file` but later references `args.target_file` (nonexistent). As written, the script will raise an AttributeError unless corrected to `args.file`.
- The exploit relies on the presence and behavior of the system `telnet` client and on whatever Telnet server interprets the `USER='-f root'` environment variable in a vulnerable way; no HTTP/DNS endpoints are used.

Overall purpose: batch scan a list of hosts for an exposed Telnet service and attempt an authentication bypass leading to an interactive session, intended to yield root-level access when successful.
Repository contains a minimal Bash proof-of-concept for CVE-2026-24061 targeting a Telnet service. Structure: (1) CVE-2026-24061.sh: a 1-line exploit pipeline that uses printf to emit specific raw bytes (0xff 0xfa ... 0xff 0xf0) consistent with Telnet IAC SB ... IAC SE framing, embedding the ASCII string "USER" and an argument-like sequence "\x01-f ${root}". It then connects to the target using netcat (nc) on TCP port 23, sleeps briefly, and keeps the session interactive by forwarding stdin via cat. (2) README.md: a short note stating it is a bash telnet exploit for CVE-2026-24061. No scanning, detection logic, or post-exploitation payload (e.g., reverse shell) is included; the only capability is sending the crafted Telnet payload to a specified endpoint.
This repository is a minimal Docker-based lab/PoC environment for demonstrating CVE-2026-24061 (GNU inetutils telnetd argument injection leading to authentication bypass).

Repository structure:
- Dockerfile: builds a Debian 11 image, installs build tools plus telnet/xinetd, downloads and compiles GNU inetutils 2.7 from ftp.gnu.org, configures xinetd to run /usr/local/libexec/telnetd as root, creates a demo user (user1/user1), and exposes TCP/23 with xinetd as the container CMD.
- README.md (Portuguese): explains the vulnerability and provides reproduction steps. The exploit is performed by setting the client-side environment variable USER to an injected value (USER="-f root") and connecting via telnet (example: telnet -a localhost 2323). The described root impact comes from telnetd incorporating USER via a %U placeholder into the /usr/bin/login invocation without sanitization; login's -f option bypasses password authentication.

Exploit capabilities:
- Remote (network) authentication bypass against a vulnerable telnetd service.
- Privilege gain to a root shell/session when telnetd runs with elevated privileges.

Notable endpoints/targets:
- Network service: TCP/23 in-container; typical lab access via host localhost:2323 -> container:23.
- External download: https://ftp.gnu.org/gnu/inetutils/inetutils-2.7.tar.gz.
- Key files/binaries: /etc/xinetd.d/telnet, /usr/local/libexec/telnetd, /usr/bin/login, /usr/sbin/xinetd.

Overall, this is not a full exploit toolkit; it is a reproducible lab setup plus a one-liner PoC command demonstrating the argument-injection authentication bypass.
Repository purpose: a standalone Python 3 tool (tscan.py) to scan IPs/CIDRs/target lists for GNU Inetutils telnetd instances vulnerable to CVE-2026-24061, and to attempt exploitation of an authentication bypass described as using a crafted USER environment value ("-f root"), with the stated goal of obtaining root shell access.

Structure:
- tscan.py (~43KB): main implementation. Implements multi-threaded network scanning (ThreadPoolExecutor), progress reporting, CLI argument parsing, safe Ctrl+C handling, optional verbose logging, and an auto-discovery mode that enumerates local subnets by executing system routing commands ("ip route list" or "route -n"). The scanner targets a configurable TCP port (default 23) and then performs a vulnerability check/exploit attempt against reachable telnetd services.
- README.md: extensive usage documentation, legal disclaimers, and CVE context; describes features such as port scanning, exploitability testing, multithreading, CIDR/file inputs, and auto-detection.
- LICENSE: GPLv3.

Exploit capabilities (as implemented/advertised):
- Network reconnaissance: checks for open telnet ports on provided targets (single IPs, multiple IPs, CIDR ranges, or file-based lists).
- Vulnerability verification/exploitation attempt: attempts to trigger the CVE-2026-24061 auth bypass by manipulating the USER environment value ("-f root") during telnet interaction, aiming to reach an unauthenticated privileged session.
- Operational features: concurrency controls (threads), timeouts, progress bar/statistics, and graceful interruption with partial results.

Notable observables:
- Primary target endpoint is TCP port 23 (or user-specified).
- Executes local OS commands for route enumeration in --auto mode ("ip route list" / "route -n").

Assessment:
- Not part of a larger exploit framework.
- More than a pure detector: it is explicitly designed to attempt exploitation/auth bypass, though the provided excerpt is truncated, so the exact session-driving details are not fully visible here.
Repository contains a minimal PoC exploit for CVE-2026-24061 targeting inetutils-telnetd via Telnet NEW-ENVIRON option abuse.

Structure:
- README.md: describes the vulnerability, provides a Docker image to run a vulnerable telnetd on port 23, and basic usage instructions.
- exploit.py: Python network exploit that implements Telnet option negotiation and subnegotiation parsing.

Exploit flow/capabilities (exploit.py):
1) Opens a TCP connection to the target Telnet service (default port 23).
2) Parses Telnet IAC negotiation. When the server requests NEW-ENVIRON (option 39) with DO, the client replies WILL NEW-ENVIRON; for other options it generally refuses (WONT) or disables (DONT).
3) When the server sends SB NEW-ENVIRON SEND, the script responds with SB NEW-ENVIRON IS and sets the environment variable USER to the value "-f root" (payload), attempting to trigger the vulnerable behavior.
4) Sends `id\n` blindly to check whether it obtained a root context; it looks for the string "uid=0(root)" in the returned output.
5) If root is confirmed, it sends a bash reverse shell one-liner using /dev/tcp to connect back to a hardcoded placeholder listener (IP_OF_KALI_TELNET_LISTENER:9001), then keeps the connection alive.

Overall purpose: provide a lab-focused, unauthenticated remote exploitation PoC demonstrating privilege escalation to root on vulnerable inetutils-telnetd by manipulating the USER environment variable through Telnet NEW-ENVIRON negotiation, with an optional reverse-shell payload.
Repository purpose: provides a network scanner and an interactive exploit client for a claimed Telnet daemon vulnerability labeled CVE-2026-24061, abusing Telnet NEW-ENVIRON option handling to achieve pre-auth root access by injecting a USER value of "-f root".

Structure:
- README.md: describes the vulnerability, usage examples, and a Docker lab. Note: the NVD link in the badge points to CVE-2025-14847, which appears inconsistent with the repository title/CVE.
- exploit.py (Python): interactive Telnet client/exploit. It connects to a target host/port, parses Telnet IAC negotiation, and when it sees a NEW-ENVIRON subnegotiation opportunity, sends a crafted NEW-ENVIRON IS VAR USER VALUE "-f root" message. It then relays traffic to/from the user to provide an interactive shell-like session. Includes output filtering (ANSI escape stripping) and suppression of echoed commands.
- scanner.py (Python): multi-target scanner using ThreadPoolExecutor. It connects to each target:port, checks for the presence of IAC DO NEW-ENVIRON in the initial server data (a fingerprint for potential vulnerability), prints vulnerable findings, and optionally performs active exploitation by sending the crafted NEW-ENVIRON payload(s) and running "id" to confirm root (uid=0/root prompt markers).
- lab/Dockerfile + lab/docker-compose.yml: builds an Ubuntu 24.04 container with inetutils-telnetd pinned to version 2:2.5-3ubuntu4 and an xinetd configuration to expose telnetd. docker-compose maps host port 1903 to container port 23 for local testing.

Main exploit capabilities:
- Remote, pre-auth interaction with Telnet negotiation.
- Injection of a crafted NEW-ENVIRON subnegotiation to coerce privileged login behavior ("-f root").
- Interactive session handling (exploit.py) and automated scanning/verification at scale (scanner.py).
Repository purpose: a PyQt5-based GUI tool to scan for and exploit CVE-2026-24061 (GNU Inetutils telnetd authentication bypass), providing batch scanning and interactive root shell sessions.

Structure:
- README.md: Chinese documentation describing features (single target/range/CIDR scanning, multithreading, export, and interactive root shell) and defaults (port 23, 3s timeouts, up to 1000 threads, default user value "-f root").
- cve_2026_24061_gui.py: main application combining Telnet protocol handling, vulnerability detection, exploitation, and the GUI.
- requirements.txt: PyQt5 dependency.

Key exploit logic (from code):
- Implements a Telnet negotiator that parses IAC sequences and handles option negotiation (DO/DONT/WILL/WONT) and subnegotiation (SB ... IAC SE).
- Crafts and sends ENVIRON/NEW-ENVIRON subnegotiation payloads that set the USER environment variable to a supplied value (default "-f root"). This is consistent with abusing telnetd argument/environment handling to bypass authentication.
- Detection heuristics:
  - Reads server banners/output and checks for login/password prompts using a regex covering English and Chinese prompts.
  - Confirms successful privilege by executing `id` and checking the output for uid=0 and gid=0.
- Capabilities exposed in the GUI:
  - Multi-target scanning (single IP, ranges, CIDR, file import) with configurable port and thread count.
  - Result table/logging and export.
  - Exploitation workflow that opens multiple concurrent interactive terminal sessions to vulnerable hosts and displays command output in real time.

Fingerprintable targets/endpoints:
- Network: TCP port 23 (Telnet) is the primary target endpoint; no hardcoded C2 or external callback endpoints were found beyond README image links.
Repository contains a Bash-based active scanner for CVE-2026-24061 affecting GNU Inetutils telnetd.

Structure:
- README.md: describes features, dependencies, usage, and remediation.
- telnet_scanner.sh: implements the scanner.

Core capabilities:
- Accepts a single IP or a subnet-like input (3 octets, .0 network ID, or explicit CIDR) and scans a /24 range (SUBNET.1–254) in parallel batches (10 concurrent jobs).
- Performs a 3-stage workflow per host: (1) TCP port check via netcat (nc -z), (2) banner grabbing via netcat and filtering for indicators ("GNU" or "inetutils"), (3) active verification by attempting the auth bypass using environment variable injection `USER="-f root"` and running `telnet -a` to execute `id`.
- Determines exploitation success by matching `uid=0(root)` in the telnet output; logs results to telnet_exploit_results.txt and prints a short preview.

This is not a pure passive detector: it includes an exploitation attempt (authentication bypass check) but does not deploy a persistent payload beyond confirming root access. No C2 infrastructure is present; the only external network reference is a Shodan CVE page link shown to the user.
Recent activity
279 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Telnet vulnerability involving abuse of environment-variable sharing functionality to achieve remote code execution.
A critical vulnerability in GNU InetUtils telnetd affecting versions 1.9.3 through 2.7 that can be exploited to gain root access on affected systems.
A critical GNU InetUtils telnetd vulnerability that could be leveraged to gain root access and is reported as actively exploited in the wild.
A Telnet authentication bypass that allows remote compromise of systems running vulnerable Telnet server code when exposed to the internet.