cve-2026-32746/detect.py at main · jeffaf/cve-2026-32746 · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
#!/usr/bin/env python3
"""
CVE-2026-32746 - Non-destructive telnetd version detection
============================================================

Connects to a telnet service, negotiates options, and checks whether
the service supports LINEMODE (indicating GNU InetUtils telnetd,
which is affected by CVE-2026-32746).

Does NOT send any exploit payload. Safe for production scanning.

Usage:
    python3 detect.py <target_ip> [port]
"""

import argparse
import socket
import sys
import time

IAC  = 0xFF
DO   = 0xFD
WILL = 0xFB
WONT = 0xFC
DONT = 0xFE
SB   = 0xFA
SE   = 0xF0

OPT_TTYPE    = 0x18
OPT_TSPEED   = 0x20
OPT_LINEMODE = 0x22


def recv_all(s, timeout=2):
    """Receive all available data with a timeout."""
    s.settimeout(timeout)
    chunks = []
    try:
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    except socket.timeout:
        pass
    return b''.join(chunks)


def detect(host, port, timeout):
    """Check if target appears to run vulnerable telnetd."""

    print(f"[*] Checking {host}:{port} for GNU InetUtils telnetd")
    print(f"    (CVE-2026-32746 - LINEMODE SLC Buffer Overflow)\n")

    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        s.connect((host, port))
    except (socket.error, OSError) as e:
        print(f"[-] Connection failed: {e}")
        return

    # Round 1: Read initial negotiation
    time.sleep(1)
    data = recv_all(s)
    if not data:
        print("[-] No data received")
        s.close()
        return

    # Parse initial options
    options = []
    i = 0
    while i < len(data) - 2:
        if data[i] == IAC:
            cmd = data[i + 1]
            opt = data[i + 2]
            if cmd in (DO, WILL):
                options.append((cmd, opt))
            i += 3
        else:
            i += 1

    print(f"  Port {port}/tcp open")
    print(f"  Initial options: {len(options)}")

    # Respond to everything + offer WILL LINEMODE
    resp = bytearray()
    for cmd, opt in options:
        if cmd == DO:
            resp.extend([IAC, WILL, opt])
        elif cmd == WILL:
            resp.extend([IAC, DO, opt])

    # Proactively offer LINEMODE
    resp.extend([IAC, WILL, OPT_LINEMODE])

    # Send TTYPE and TSPEED suboptions (server expects these)
    resp.extend([IAC, SB, OPT_TTYPE, 0x00])
    resp.extend(b'xterm')
    resp.extend([IAC, SE])

    resp.extend([IAC, SB, OPT_TSPEED, 0x00])
    resp.extend(b'38400,38400')
    resp.extend([IAC, SE])

    s.send(resp)

    # Round 2: Check for DO LINEMODE
    time.sleep(1)
    data2 = recv_all(s)

    got_linemode = False
    got_slc = False
    if data2:
        i = 0
        while i < len(data2) - 2:
            if data2[i] == IAC:
                if data2[i + 1] == DO and data2[i + 2] == OPT_LINEMODE:
                    got_linemode = True
                elif data2[i + 1] == SB and i + 3 < len(data2) and data2[i + 2] == OPT_LINEMODE:
                    if i + 4 < len(data2) and data2[i + 3] == 0x03:  # LM_SLC
                        got_slc = True
                i += 3 if data2[i + 1] not in (SB,) else 1
            else:
                i += 1

    print(f"  LINEMODE accepted: {'Yes' if got_linemode else 'No'}")
    print(f"  SLC negotiation:   {'Yes' if got_slc else 'No'}")

    if got_linemode:
        print(f"\n[!] LIKELY VULNERABLE to CVE-2026-32746")
        print(f"    Server supports LINEMODE with SLC negotiation")
        print(f"    GNU InetUtils telnetd through 2.7 is affected")
        print(f"    CVSS: 9.8 (Critical) | No patch available")
        print(f"\n    Run exploit.py to confirm (crashes the service)")
    else:
        print(f"\n[*] LINEMODE not accepted")
        print(f"    Likely not GNU InetUtils telnetd, or LINEMODE disabled")

    # Clean disconnect
    s.close()


def main():
    parser = argparse.ArgumentParser(
        description="CVE-2026-32746 - Non-destructive telnetd detection",
        epilog="Safe for production use. Does not send exploit payload."
    )
    parser.add_argument("host", help="Target IP address")
    parser.add_argument("port", type=int, nargs="?", default=23,
                        help="Target port (default: 23)")
    parser.add_argument("-t", "--timeout", type=int, default=10,
                        help="Socket timeout in seconds (default: 10)")
    args = parser.parse_args()

    detect(args.host, args.port, args.timeout)


if __name__ == "__main__":
    main()