Squidbleed

This repository is a compact standalone proof-of-concept exploit for CVE-2026-47729 ('Squidbleed'), targeting Squid's FTP handling to trigger an information disclosure condition. The repository contains only two files: a README and a single Python exploit script, making CVE-2026-47729.py the clear entry point. The exploit has two tightly integrated components in one script. First, it starts an attacker-controlled FTP server that emulates enough FTP behavior to satisfy a client: USER/PASS, SYST, PWD, TYPE, EPSV, LIST/NLST, and QUIT. The key malicious behavior is in the LIST/NLST handling, where it sends a crafted truncated directory listing line and closes the data connection, intended to trigger the vulnerable memory over-read behavior in Squid. Second, the script acts as a poller/harvester against a target Squid proxy. It repeatedly opens a TCP connection to the configured proxy (default 127.0.0.1:3128) and sends an HTTP GET request for an ftp:// URL pointing to the attacker FTP server (default ftp://anon:x@127.0.0.1:2222/). It then reads the proxy response body and searches for leaked data embedded in HTML href content. The script URL-decodes the leaked bytes and applies regex extraction for Basic and Bearer tokens. Basic tokens are additionally Base64-decoded and printed as username:password when possible. Operationally, the exploit is multithreaded: one background thread runs the FTP server, multiple worker threads continuously poll the proxy, and a status thread reports polling rate, hit count, and distinct token counts. This is not merely a detector; it actively attempts exploitation and harvests sensitive material from leaked memory. There is no post-exploitation shell or code execution payload—its purpose is credential and token disclosure from a vulnerable Squid instance.