IP spoofed telnet session?

I have this proxy firewall that's poorly set up, the TCP session sequence number always starts at 0, I know the trusted IP range, and there's no ingress control. What's the easiest way to blindly spoof a telnet session and set up a backdoor? I've got 2 days to demonstrate an attack and it would take me much longer to write a program from scratch.

>>4
I could do that, but someone without access to one of the trusted hosts wouldn't be able to do that. Still that's better than nothing. And I suppose in the real world internal attacks are more viable than external ones.

What are some other types of attacks I could try and demonstrate on a firewall? It's a proxy for a Telnet, HTTP, FTP, and SMTP server.