## https://sploitus.com/exploit?id=23F97CA6-ACC2-5A39-BF81-F5CD44698506
# PgBouncer Crash PoC
This repository contains a local proof of concept for a PgBouncer crash caused
by an integer overflow in vulnerable PgBouncer versions. The included Docker
setup builds PgBouncer `1.25.1`, starts a PostgreSQL backend, enables
SCRAM-SHA-256 authentication, and runs `poc.py` against PgBouncer.
This is intended for controlled lab testing only. Do not run this against
systems you do not own or have explicit permission to test.
## Contents
- `poc.py` - Python proof-of-concept client.
- `docker-compose.yml` - Local PostgreSQL, PgBouncer, and PoC runner services.
- `postgres/init.sql` - Creates the test database user.
- `pgbouncer/Dockerfile` - Builds vulnerable PgBouncer `1.25.1`.
- `pgbouncer/pgbouncer.ini` - PgBouncer configuration using SCRAM auth.
- `pgbouncer/gen_userlist.py` - Generates a deterministic SCRAM verifier.
## Requirements
- Docker
- Docker Compose
- Python 3, if running `poc.py` manually from the host
## Run With Docker Compose
Build and start the lab:
```sh
docker compose up --build
```
The compose file starts:
- PostgreSQL on the internal compose network.
- PgBouncer exposed on host port `6432`.
- A one-shot Python container that runs the PoC against PgBouncer.
To run only the services and execute the PoC manually:
```sh
docker compose up --build postgres pgbouncer
python3 poc.py 127.0.0.1 6432
```
## Expected Result
When the vulnerable PgBouncer process hits the malformed SASL initial response,
the client should report a reset connection or PgBouncer becoming unreachable.
The PoC checks for this condition and prints whether the crash was confirmed.
## Cleanup
Stop and remove the lab containers:
```sh
docker compose down
```
## Notes
The PoC defaults to:
- Host: `127.0.0.1`
- Port: `6432`
- User: `testuser`
- Database: `testdb`
Custom target:
```sh
python3 poc.py
```