IP spoofed telnet session?

I have this proxy firewall that's poorly set up, the TCP session sequence number always starts at 0, I know the trusted IP range, and there's no ingress control. What's the easiest way to blindly spoof a telnet session and set up a backdoor? I've got 2 days to demonstrate an attack and it would take me much longer to write a program from scratch.

>>5
If you know sequencing starts at 0 the attacker could just set up a dummy router and telnet server to do the same, then record dropping the backdoor into that, then replay a spoofed version to the victim.