Share
## https://sploitus.com/exploit?id=24772E43-EE2A-55D3-99AC-A13F5167D392
# All Telnet PoCs โ€” Consolidated

All proof-of-concept exploits and demonstrations from the audit, in one
place. Organized by target implementation.

```
ALL_POCS/
โ”œโ”€โ”€ utelnetd/         โ€” utelnetd bug PoCs (U-class)
โ”œโ”€โ”€ gnu_inetutils/    โ€” GNU InetUtils telnetd PoCs (G-class)
โ”œโ”€โ”€ netkit/           โ€” netkit-telnet 0.17 PoCs (N-class)
โ”œโ”€โ”€ freebsd/          โ€” FreeBSD telnetd standalone C demos (F-class)
โ””โ”€โ”€ round2_new/       โ€” Newly-discovered bugs from round 2 (NEW-class)
```

---

## Index by bug

### utelnetd
| File | Bug | Verified |
|------|-----|----------|
| `utelnetd/poc1_sigpipe_dos.py` | U5 โ€” no SIGPIPE handler | โŒ Not exploitable on Linux (kernel returns ECONNRESET) |
| `utelnetd/poc2_fork_killall.py` | U2 โ€” fork() failure โ†’ `kill(-1, SIGKILL)` | ๐ŸŸก Code path verified, sandboxed demo |
| `utelnetd/poc3_eintr_heap.py` | U1 โ€” EINTR fall-through โ†’ heap corruption | โœ… Daemon SIGABRT confirmed |

### GNU InetUtils
| File | Bug | Verified |
|------|-----|----------|
| `gnu_inetutils/poc_g1_xdisploc_overflow.py` | G1 โ€” XDISPLOC 1-byte BSS overflow | ๐ŸŸก Bug exists; lands in benign symbol |
| `gnu_inetutils/poc_g3_user_argv_injection.py` | G3 โ€” `USER=-f root` injection (CVE-2026-24061) | โœ… argv split confirmed |
| `gnu_inetutils/poc_g4_bashenv_injection.py` | G4 โ€” BASH_ENV bypass of `scrub_env` | โœ… Survival confirmed |
| `gnu_inetutils/poc_g4_endtoend.py` | G4 โ€” full RCE chain | โœ… End-to-end code execution confirmed |

### netkit-telnet
| File | Bug | Verified |
|------|-----|----------|
| `netkit/n1_check_a_hostname_test.c` | N1 โ€” hostname validator (`&&` vs `||`) | ๐ŸŸก Code defect verified |
| `netkit/n1_remote_inject.py` | N1 โ€” remote injection attempt | โš ๏ธ Blocked by upstream sanitizer |
| `netkit/n2_env_filter_test.sh` | N2 โ€” fail-open env filter | ๐ŸŸก Code-verified |
| `netkit/n3_user_dash_inject.py` | N3 โ€” USER first-character check | ๐ŸŸก Code-verified, mitigated by login |
| `netkit/n4_sigchld_race.txt` | N4 โ€” async-unsafe SIGCHLD | ๐ŸŸก Async-unsafe; NULL deref claim was wrong |
| `netkit/n5_subpointer_underflow.py` | N5 โ€” subpointer -= 2 | โŒ Not reproducible |

### FreeBSD
All standalone C demos that model the vulnerable function in isolation.
Build & run: `cd freebsd && make all && make run`

| File | Bug | Verified (code-level) |
|------|-----|--------|
| `freebsd/f1_sra_signed_cnt.c` | F1 โ€” SRA signed-cnt heap overflow | โœ… |
| `freebsd/f2_sizeof_pointer.c` | F2 โ€” `sizeof(char*)` truncation | โœ… |
| `freebsd/f3_auth_printsub.c` | F3 โ€” `auth_printsub` underflow | โœ… |
| `freebsd/f4_kerberos_memmove.c` | F4 โ€” kerberos memmove + 8B leak | โœ… |
| `freebsd/f5_krb4encpwd_nullderef.c` | F5 โ€” krb4encpwd NULL deref | โœ… |
| `freebsd/f6_krb4encpwd_memmove.c` | F6 โ€” krb4encpwd memmove ร—2 | โœ… |
| `freebsd/f7_rsaencpwd_cnt.c` | F7 โ€” rsaencpwd missing cnt guard | โœ… |

### Round 2 โ€” newly-discovered bugs
| File | Bug | Type | Verified |
|------|-----|------|----------|
| `round2_new/poc_new1_revdns_injection/` | NEW-1 โ€” `%h` reverse-DNS argv injection | LD_PRELOAD + observer | ๐ŸŸก Chain code-verified; DNS half untested |
| `round2_new/poc_new2_encrypt_keyid.c` | NEW-2 โ€” `encrypt_keyid` signed-len memmove | standalone C + ASan | ๐ŸŸก Code-verified |
| `round2_new/poc_new3_authsendname.c` | NEW-3 โ€” `auth_sendname` truncation mid-IAC | standalone C | ๐ŸŸก Code-verified |
| `round2_new/poc_new4_log_poison.py` | NEW-4 โ€” `expand_line` log-poisoning | over-the-wire | ๐ŸŸก Code-verified |
| `round2_new/poc_new9_krb5_fmt.c` | NEW-9 โ€” `print_krb5_error` format-string | standalone C | ๐ŸŸก Latent (literals only today) |
| `round2_new/poc_new10_strcpy_chain.c` | NEW-10 โ€” strcpy chain from UserNameRequested | standalone C + ASan | ๐ŸŸก Code-verified |

---

## Build / run all

### Standalone C demos (FreeBSD + Round 2)
```bash
cd freebsd && make all && make run
cd ../round2_new && make all
./poc_new2_encrypt_keyid_asan
./poc_new3_authsendname
./poc_new9_krb5_fmt
./poc_new10_strcpy_chain_asan
```

### Live PoCs (need a running telnetd in the lab)
```bash
# utelnetd
cd /home/kali/Downloads/telnet-implementations/utelnetd
./utelnetd -p 2323 -l /bin/sh -n &
python3 /home/kali/Downloads/telnet-implementations/ALL_POCS/utelnetd/poc3_eintr_heap.py

# GNU InetUtils โ€” needs the mini_inetd wrapper from the lab
/tmp/mini_inetd 2326 /tmp/inetutils-2.5/telnetd/telnetd \
    --debug=netdata --exec-login=/tmp/login_wrapper.sh &
python3 /home/kali/Downloads/telnet-implementations/ALL_POCS/gnu_inetutils/poc_g4_endtoend.py 127.0.0.1 2326

# Round 2 NEW-1 (full %h chain)
/home/kali/Downloads/telnet-implementations/ALL_POCS/round2_new/poc_new1_revdns_injection/run.sh
```

## Verdict matrix

| Severity | Count | Examples |
|---|---|---|
| โœ… Live-verified | 5 | U1, G3, G4 (ร—2), G4-e2e |
| ๐ŸŸก Code-verified | 14 | All FreeBSD F-class, NEW-1..10, U2, G1 |
| โŒ False positive / mitigated | 5 | U3, U5, N5, N1 (mitigated), N4-NULL-deref |

**Most impactful:**
1. **G4** (BASH_ENV) โ€” full RCE, survives CVE-2026-24061 patch โ€” `gnu_inetutils/poc_g4_endtoend.py`
2. **G3** (USER `-f root`) โ€” the original CVE
3. **NEW-1** (`%h` reverse-DNS) โ€” bypasses CVE patch via different code path
4. **U1** (utelnetd EINTR) โ€” heap corruption confirmed via SIGABRT

## Original locations (for reference)

These files were copied from:
- `utelnetd/exploits/`
- `gnu-inetutils-telnetd/exploits/`
- `netkit-telnetd/exploits/`
- `freebsd-telnetd/exploits/`
- `round2_pocs/`

Originals are still in place. This folder is the consolidated working copy.